Microsoft Active Directory Federation Services (AD FS) iApp Template

Problem this snippet solves:

Use this iApp template to configure standard load balancing, health monitoring and TCP optimization for Microsoft Active Directory Federation Services servers (AD FS and AD FS Proxy). If APM is provisioned, the template can also configure pre-authentication for AD FS servers running in Windows Authentication mode. Minimum required BIG-IP version: 11.2.

If you deploy APM as an authentication proxy in front of AD FS, you must enable Windows Authentication in the Intranet section of the AD FS Global Authentication Policy: APM authenticates the client itself and then completes Windows Authentication to the AD FS server on the user's behalf, so the intranet policy has to offer that provider.

v1.2.0 iApps

v1.2.0rc1

Added support for AD FS 4.0 (Windows Server 2016).

Made the port 49443 objects for device registration/certificate authentication optional via a template question.

The MS-ADFSPIP headers iRule is now attached automatically, but only when APM is set to yes.

Added support for an existing APM profile to be selected from within the iApp.

Added forms-based SSO for the /adfs/ls endpoint, selectable via a template question.

v1.2.0rc2

Fixed an "app_health__frequency variable not found" error when using a custom monitor.

When a custom pool is chosen AND certificate authentication/device registration is set to yes, the template now displays an option for which pool to use for certificate authentication/device registration (the ports differ, so the main pool cannot be reused).

v1.1.0 iApps

v1.1.0rc2

Added certificate authentication objects (port 49443) and the MS-ADFSPIP headers iRule.

Added an iRule that disables APM for the Microsoft Federation Gateway endpoint(s), which are called by Microsoft's cloud services rather than by an interactive browser and therefore cannot complete an APM logon.

v1.0.0 iApps

v1.0.0rc1

Initial release.

v1.0.0rc2

Fixed an "iapp::template_start" error when importing the template.

v1.0.0rc3

Fixed a "runtime exceeded" error caused by incorrect syntax in the external SNI monitor.

v1.0.0rc4

Corrected external monitor cURL command to fix issue with pool members being marked down incorrectly.

v1.0.0rc5

Added support for FastL4 deployment.

v1.0.0rc6

Fixed issue with broken APM Quick Start page previews.

v1.0.0rc7

Changes to external monitor script: removed verbose flag; corrected output redirection.

Fixed an issue with the associated cli script that could prevent users from importing iApp templates.

Official release of 1.0.0

The official F5 supported version of this iApp is now on downloads.f5.com. See https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17041.html for information. For the associated Deployment Guide, see http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf
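The v1.0.0rc3, rc4 and rc7 entries above all concern the external SNI monitor, and each bug traces back to the contract a BIG-IP external monitor script must honour. The script below is an added example, not the iApp's own monitor script, written to show that contract on realistic input: BIG-IP passes the node address as $1 (IPv4 nodes arrive in ::ffff:a.b.c.d form) and the port as $2; a previous instance that is still hanging must be killed so a run never outlives the monitor interval; and whatever the script writes to stdout marks the member up, so curl must run silently and the script may print nothing but the single word "up". The FQDN adfs.example.com, the federation-metadata probe URL, the pidfile path and the use of curl's --resolve option (curl 7.21.3 or later) are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: BIG-IP external monitor for AD FS that sends the right
# SNI/Host header to each pool member. Not the iApp's own monitor script.

# BIG-IP hands IPv4 node addresses to external monitors as ::ffff:a.b.c.d;
# strip the IPv6-mapped prefix so curl gets a plain IPv4 literal.
normalize_ip() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Probe target. The federation metadata document is served unauthenticated by
# every AD FS server, so it is a safe liveness check behind pre-authentication.
probe_url() {
    # $1 = FQDN presented via SNI, $2 = port
    printf 'https://%s:%s/FederationMetadata/2007-06/FederationMetadata.xml\n' "$1" "$2"
}

# Monitor contract: any stdout output marks the member UP, silence marks it
# DOWN. The only thing this script may ever print is "up", and only for 200.
verdict() {
    case "$1" in
        200) printf 'up\n' ;;
        *)   : ;;
    esac
}

run_probe() {
    # $1 = node IP, $2 = port, $3 = FQDN for SNI and Host header, $4 = timeout (s)
    # --resolve pins the FQDN to this pool member, so curl connects to the node
    # while presenting the real hostname in SNI and Host. -s and -o /dev/null
    # keep stdout clean (no verbose output may leak into the verdict); -w emits
    # only the status code. -k skips chain validation because the monitor tests
    # reachability; replace it with --cacert if you want the chain checked too.
    curl -s -k -o /dev/null -w '%{http_code}' \
        --max-time "$4" \
        --resolve "$3:$2:$1" \
        "$(probe_url "$3" "$2")" 2>/dev/null
}

monitor_main() {
    node_ip=$(normalize_ip "$1")
    port=$2
    fqdn=${3:-adfs.example.com}   # assumed FQDN; pass it as the monitor's 3rd argument
    timeout=${4:-5}

    # Kill a previous instance that is still running so it cannot stack up
    # across intervals and trigger the "runtime exceeded" condition.
    pidfile="/var/run/$(basename "$0").${node_ip}_${port}.pid"
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" >/dev/null 2>&1
    fi
    echo $$ > "$pidfile"

    code=$(run_probe "$node_ip" "$port" "$fqdn" "$timeout")
    rm -f "$pidfile"
    verdict "$code"
}

# Only probe when BIG-IP invokes the script with node and port; sourcing the
# file for inspection or testing never touches the network.
if [ $# -ge 2 ]; then
    monitor_main "$@"
fi
```

Usage on BIG-IP: import the file as an external monitor, set the FQDN as its third argument, and give the monitor a timeout comfortably longer than the --max-time passed to curl, so the script's own timeout fires first and the verdict is decided by the script rather than by the monitor killing it.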

Published Mar 11, 2015
Version 1.0
  • What happened to v1.0.0rc5? This was previously visible. Is there a reason why it's been removed?
  • mikeshimkus_111 (Historic F5 Account)
    RC6 has been posted. If you see an "attachment not found" error, refresh the page.
  • Error when enabling the APM option. Successfully executed after the template was modified (see the line added below).

    f5.microsoft_adfs.v1.0.0rc7, BIG-IP 11.6.0 Build 4.0.420 Hotfix HF4

    Error: "script did not successfully complete: (can't read "advanced": no such variable"

        proc configure_apm { } {
            tmsh::include f5.iapp.1.2.0.cli
            set app $tmsh::app_name
            # APM AAA config array keys: $advanced,$::apm__ad_secure
            set advanced [expr { [iapp_is ::basic__advanced "yes"] }]  ;# line added
            array set aaa_port {
  • mikeshimkus_111 (Historic F5 Account)
    I don't get the same error when I try deploying with APM. Can you post the rest of the selections from your deployment, so we can try to replicate the error?
  • I get the same error above as Cory, same version of BIG-IP. Here is the full error returned, at least for me:

        script did not successfully complete: (can't read "advanced": no such variable
            while executing
        "subst $aaa_port($advanced,$::apm__ad_secure)"
            invoked from within
        "iapp_conf create ltm monitor ldap ${app}_ldap base \"$::apm__ad_tree\" chase-referrals yes debug no defaults-from ldap destination *:[subst $aaa_port(..."
            invoked from within
        "subst $aaa_monitor($::apm__ad_monitor)"
            invoked from within
        "iapp_conf create ltm pool ${app}_aaa [iapp_pool_members $::apm__active_directory_servers -port any -aaa_pool] load-balancing-mode "round-robin" mon..."
            invoked from within
        "subst $aaa_pool($multiple_ad)"
            invoked from within
        "iapp_conf create apm aaa active-directory ${app}_apm_aaa \{ admin-encrypted-password [expr { $credentials ? "[iapp_make_safe_password $::apm__active..."
            invoked from within
        "subst $substa_out"
            invoked from within
        "if { [info exists [set substa_in]] } { set substa_out [subst $$substa_in] set substa_out [subst $substa_out] } else { ..."
            ("uplevel" body line 3)
            invoked from within
        "uplevel { append ::substa_debug "\n$substa_in" if { [info exists [set substa_in]] } { set substa_out [subst $$substa_in] ..."
            (procedure "iapp_substa" line 9)
            invoked from within
        "iapp_substa aaa_server($do_new_aaa)"
            (procedure "configure_apm" line 40)
            invoked from within
        "configure_apm"
            (procedure "configure_adfs_deployment" line 230)
            invoked from within
        "configure_adfs_deployment"
            line:557)
  • Hi

    Has anyone come across an issue where, when you select to use an existing access policy, the F5 doesn't return the response to the client?

    We have the iApp deployed on v11.4.1.

    If we select no APM, then disable strict updates and manually apply our existing AP, it works!?!?

    Any thoughts?

    Cheers, Simon

  • Koebi

    Hello,

    in my opinion the Network part "Which VLANs transport client traffic?" isn't working correctly. If I select "no VLANs", no VLANs are selected in the Virtual Server either. The description says:

    "If you do not move any VLANs to the Selected box, the BIG-IP system accepts traffic from all VLANs" - That's wrong!

    Further, I cannot add any Connectivity Profile to the Virtual Server VLAN section. The result is that VPN access to the VIP is not working.

    Regards

    Martin


  • LRei76

    Hi,

    we have the same problem with the iApp. The VLAN selection does not include the connectivity profiles needed for VPN access. Moving no VLAN into the box only uses 'all VLANs' but not any CP.

    Any chance of implementing the CPs in the selection?

    Regards, Lars