Microsoft Active Directory Federation Services (AD FS) iApp Template
Problem this snippet solves:
Use this iApp template to configure standard load balancing, monitoring and TCP optimization for Microsoft Active Directory Federation Services servers (AD FS and AD FS Proxy). If APM is provisioned, the template also supports configuring pre-authentication for AD FS servers running in Windows Authentication mode. Minimum required BIG-IP version: 11.2.
If you deploy APM as an authentication proxy in front of AD FS services, you must enable Windows Authentication in the Intranet section of the AD FS Global Authentication Policy.
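The AD FS-side prerequisite above, as an added example (not part of the iApp or the F5 deployment guide): a PowerShell snippet that reads the Global Authentication Policy and adds WindowsAuthentication as a primary intranet provider when it is missing, keeping whatever providers are already configured. It assumes AD FS on Windows Server 2012 R2 or later, whose ADFS module provides Get-AdfsGlobalAuthenticationPolicy and Set-AdfsGlobalAuthenticationPolicy, and that it is run on the primary AD FS server with administrative rights.

```powershell
# Added example, not code from the iApp or from F5. Assumes AD FS on Windows
# Server 2012 R2 or later (ADFS module cmdlets) and an elevated session on the
# primary AD FS server.
Import-Module ADFS

$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)

Write-Host "Current primary intranet providers: $($intranet -join ', ')"

if ($intranet -notcontains 'WindowsAuthentication') {
    # Keep the existing providers (typically FormsAuthentication) and append
    # WindowsAuthentication, which the APM pre-authentication deployment requires.
    $updated = $intranet + 'WindowsAuthentication'
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $updated
    Write-Host "Enabled WindowsAuthentication; intranet providers are now: $($updated -join ', ')"
} else {
    Write-Host "WindowsAuthentication is already enabled for intranet requests."
}

# Re-read the policy so the script fails loudly if the change did not apply.
$verify = Get-AdfsGlobalAuthenticationPolicy
if (@($verify.PrimaryIntranetAuthenticationProvider) -notcontains 'WindowsAuthentication') {
    throw "WindowsAuthentication is still not an intranet provider; check the AD FS configuration."
}
```

AD FS applies the Intranet policy to requests it does not classify as arriving through a federation proxy; proxied requests fall under the Extranet policy. When validating the deployment, confirm that the path APM uses to reach the AD FS servers is the one the Intranet policy governs, otherwise the Windows Authentication setting made here is not the one in effect.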
v1.2.0 iApps
v1.2.0rc1
Added support for ADFS 4.0
Made the 49443 device registration/certificate authentication objects optional via a question.
Made the ADFSPIP iRule automatic, but only when APM is set to yes.
Added support for an existing APM profile to be selected from within the iApp.
Added forms SSO for the /adfs/ls endpoint to the iApp via a question.
v1.2.0rc2
Fixed an "app_health__frequency variable not found" issue when using a custom monitor
Added support, when a custom pool is chosen AND certificate authentication/device registration is set to yes, for displaying an option for which pool to use for cert auth/device registration (as the ports would be different).
v1.1.0 iApps
v1.1.0rc2
Added certificate auth objects (49443) and the MS-ADFSPIP headers iRule.
Added an iRule to disable APM for the MS Federation Gateway endpoint(s).
v1.0.0 iApps
v1.0.0rc1
Initial release.
v1.0.0rc2
Fixed an "iapp::template_start" error when importing the template.
v1.0.0rc3
Fixed a "runtime exceeded" error caused by incorrect syntax in external SNI monitor.
v1.0.0rc4
Corrected external monitor cURL command to fix issue with pool members being marked down incorrectly.
v1.0.0rc5
Added support for FastL4 deployment.
v1.0.0rc6
Fixed issue with broken APM Quick Start page previews.
v1.0.0rc7
Changes to external monitor script: removed verbose flag; corrected output redirection.
Fixed an issue with the associated cli script that could prevent users from importing iApp templates.
Official release of 1.0.0
The official F5 supported version of this iApp is now on downloads.f5.com. See https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17041.html for information. For the associated Deployment Guide, see http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf
Code: 73996
- dkorenko_23224 (Nimbostratus): What happened to v1.0.0rc5? This was previously visible. Is there a reason why it's been removed?
- mikeshimkus_111 (Historic F5 Account): It was removed by mistake. The updated template will be posted here ASAP.
- mikeshimkus_111 (Historic F5 Account): RC6 has been posted. If you see an "attachment not found" error, refresh the page.
- NDE_192746 (Nimbostratus): Has the RC6 been reposted?
- Cory_14089 (Nimbostratus): Error when enabling the APM option. Successfully executed after the template was modified (see the line added below).
  f5.microsoft_adfs.v1.0.0rc7, BIG-IP 11.6.0 Build 4.0.420 Hotfix HF4
  Error: "script did not successfully complete: (can't read "advanced": no such variable"

      proc configure_apm { } {
          tmsh::include f5.iapp.1.2.0.cli
          set app $tmsh::app_name
          # APM AAA config array keys: $advanced,$::apm__ad_secure
          set advanced [expr { [iapp_is ::basic__advanced "yes"] }]
          array set aaa_port {
- mikeshimkus_111 (Historic F5 Account): I don't get the same error when I try deploying with APM. Can you post the rest of the selections from your deployment, so we can try to replicate the error?
- Michael_J__Pren (Nimbostratus): I get the same error above as Cory, same version of BIG-IP. Here is the full error returned, at least for me.

      script did not successfully complete: (can't read "advanced": no such variable
          while executing
      "subst $aaa_port($advanced,$::apm__ad_secure)"
          invoked from within
      "iapp_conf create ltm monitor ldap ${app}_ldap base \"$::apm__ad_tree\" chase-referrals yes debug no defaults-from ldap destination *:[subst $aaa_port(..."
          invoked from within
      "subst $aaa_monitor($::apm__ad_monitor)"
          invoked from within
      "iapp_conf create ltm pool ${app}_aaa [iapp_pool_members $::apm__active_directory_servers -port any -aaa_pool] load-balancing-mode "round-robin" mon..."
          invoked from within
      "subst $aaa_pool($multiple_ad)"
          invoked from within
      "iapp_conf create apm aaa active-directory ${app}_apm_aaa \{ admin-encrypted-password [expr { $credentials ? "[iapp_make_safe_password $::apm__active..."
          invoked from within
      "subst $substa_out"
          invoked from within
      "if { [info exists [set substa_in]] } { set substa_out [subst $$substa_in] set substa_out [subst $substa_out] } else { ..."
          ("uplevel" body line 3)
          invoked from within
      "uplevel { append ::substa_debug "\n$substa_in" if { [info exists [set substa_in]] } { set substa_out [subst $$substa_in] ..."
          (procedure "iapp_substa" line 9)
          invoked from within
      "iapp_substa aaa_server($do_new_aaa)"
          (procedure "configure_apm" line 40)
          invoked from within
      "configure_apm"
          (procedure "configure_adfs_deployment" line 230)
          invoked from within
      "configure_adfs_deployment"
          line:557)
- raZorTT (Cirrostratus):
Hi
Has anyone come across an issue where, when you select to use an existing access policy, the F5 doesn't return the response to the client?
We have the iApp deployed on v11.4.1
If we select no APM, then disable strict updates and manually apply our existing AP, it works!?!?
Any thoughts?
Cheers Simon
- Koebi (Nimbostratus):
Hello,
in my opinion the Network part "Which VLANs transport client traffic?" isn't working correctly. If I select "no VLANs", no VLANs are selected in the Virtual Server either. The description says:
"If you do not move any VLANs to the Selected box, the BIG-IP system accepts traffic from all VLANs" - That's wrong!
Furthermore, I cannot add any Connectivity Profile to the Virtual Server VLAN section. The result is that VPN access to the VIP is not working.
Regards
Martin
- LRei76 (Nimbostratus):
Hi,
we have the same problem with the iApp. VLAN selection does not include the connectivity profiles needed for VPN access. Moving no VLAN into the box only uses 'all VLANs' but not any CP.
Any chance of implementing the CPs in the selection?
Regards, Lars