Greg_Coward
F5 Employee
The BIG-IP with APM has now become SAML, (claims) aware! “SAML” not “self-aware”. No need to start worrying about Skynet and Arnold Schwarzenegger kicking in your door, (except for you Sarah Connor). This is a good thing! If you need to federate your organization with Office 365, this is a very good thing.

With the release of ver. 11.3, BIG-IP with APM, (Access Policy Manager) now includes full SAML support on the box. What does that mean? Well, rather than relying upon an external resource such as ADFS to issue security tokens, (used to present/consume claims with a federation partner), the BIG-IP itself becomes the federation endpoint for the organization. Refer to the links at the end of this article for more information on federation.
When it comes to Office 365, not only has the infrastructure required to federate your organization been dramatically reduced, the configuration required has been simplified. Available in our community codeshare forum is an iApp as well as guidance specifically designed for deploying the BIG-IP as a federation IdP, (identity provider) for Office 365. Now federating with Office 365 is as simple as answering a few questions and entering a few PowerShell commands to configure the Office 365 side.
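As an added illustration of the "few PowerShell commands" on the Office 365 side, here is the federation setup for a domain using the MSOnline module. This is not code from the article or from the F5 iApp guidance; the domain, URLs, certificate path and brand name are placeholders and must match the SAML IdP service configured on the BIG-IP.

```powershell
# Added example: point an Office 365 (Azure AD) domain at an external SAML 2.0 IdP.
# All names below are assumed placeholders, not values from the article.
Import-Module MSOnline
Connect-MsolService            # prompts for a tenant administrator credential

$Domain    = 'example.com'                      # placeholder: a verified, non-default tenant domain
$IdpBase   = 'https://idp.example.com'          # placeholder: BIG-IP APM virtual server hosting the IdP
$IssuerUri = 'https://idp.example.com/idp'      # placeholder: must equal the IdP EntityID on the BIG-IP
$CertPath  = 'C:\certs\idp-signing.cer'         # placeholder: exported public signing certificate

# Only a verified domain can be switched to federated authentication.
$dom = Get-MsolDomain -DomainName $Domain
if ($dom.Status -ne 'Verified') {
    throw "Domain $Domain is not verified in the tenant; verify it before federating."
}

# Office 365 validates assertion signatures against this certificate, so it must be
# the public half of the key the BIG-IP uses to sign SAML assertions (base64 DER).
$cert        = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$signingCert = [Convert]::ToBase64String($cert.RawData)

# PassiveLogOnUri: browser SSO endpoint (SAML POST/Redirect binding).
# LogOffUri:       single logout endpoint.
# ActiveLogOnUri:  WS-Trust endpoint used by rich (non-browser) clients; placeholder path,
#                  it must point at whatever service issues tokens for those clients.
Set-MsolDomainAuthentication `
    -DomainName                      $Domain `
    -Authentication                  Federated `
    -FederationBrandName             'Example Corp BIG-IP IdP' `
    -IssuerUri                       $IssuerUri `
    -PassiveLogOnUri                 "$IdpBase/saml/idp/profile/redirectorpost/sso" `
    -LogOffUri                       "$IdpBase/saml/idp/profile/redirectorpost/slo" `
    -ActiveLogOnUri                  "$IdpBase/trust/usernamemixed" `
    -SigningCertificate              $signingCert `
    -PreferredAuthenticationProtocol Samlp

# Read back what the tenant now holds and compare the certificate thumbprint
# with the BIG-IP's signing certificate before testing a user logon.
Get-MsolDomainFederationSettings -DomainName $Domain | Format-List
"Expected signing cert thumbprint: $($cert.Thumbprint)"
```

The IssuerUri and the NameID/ImmutableID attribute the BIG-IP places in the assertion must match what the tenant expects, otherwise logon fails after the settings look correct.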
To gain a better understanding of how we arrived here, (replacing ADFS), as well as to illustrate the benefit, let’s take a look at the evolution of the solution.

Saying Goodbye to ADFS

Ensuring a Highly Available Architecture

Throughout this series, (links below), we’ve taken a look at how the F5 BIG-IP can add value to and enhance ADFS, (Active Directory Federation Services).
To get the ball rolling we looked at how the BIG-IP was able to provide for a highly-available and scalable ADFS infrastructure, (refer to Figure 1). This included ensuring that both the ADFS proxy farm, located in the perimeter network, and the internal ADFS farm were available and that the traffic to them was optimized.

BIG-IP enhancements to the ADFS federation process:

Intelligent traffic management

• Advanced L7 health monitoring – (Ensures the ADFS service is responding)

• Cookie-based persistence


Enhancing Security and Streamlining ADFS

Building upon the previous solution, (load balancing the ADFS and ADFS Proxy layers), we implemented APM, (Access Policy Manager), in place of the ADFS proxy layer, (refer to Figure 2). By implementing APM on the F5 appliance(s) we not only eliminated the need for the ADFS proxy servers but, by implementing pre-authentication at the perimeter and advanced features such as client-side checks, (antivirus validation, firewall verification, etc.), arguably provided for a more secure deployment.

Additional BIG-IP enhancements to the ADFS federation process:

Enhanced Security

• Variety of authentication methods

• Client endpoint inspection

• Multi-factor authentication

Improved User Experience

• SSO across on-premise and cloud-based applications

• Single-URL access for hybrid deployments

Simplified Architecture

• Removes the ADFS proxy farm layer as well as the need to load balance the proxy farm

Eliminating the ADFS Infrastructure

Available with version 11.3, APM includes full SAML support. This allows the BIG-IP to not only authenticate the client connections with Active Directory, but act as the IdP or SP in the federation process. No longer will an organization be required to deploy an ADFS infrastructure for federation. Rather, the BIG-IP’s role as an application delivery controller is expanded out to include cloud-based resources, (including Office 365), as well as on-premise applications.

Additional BIG-IP enhancements to the ADFS federation process:

• Ability to act as IdP, (Identity Provider) for access to external claims-based resources including Office 365

• Act as service provider, (SP) to facilitate federated access to on-premise applications

• Streamlined architecture, (no need for the ADFS architecture)

• Simplified iApp deployment

Figure 3 shows a typical Office 365 client access process utilizing APM and SAML.

[Figure 3: Office 365 client access process using APM and SAML (image not available)]

Additional Links:

Big-IP APM as SAML 2.0 IdP from Microsoft Office 365

SAML Federation with the BIG-IP

Big-IP and ADFS Part 1 – “Load balancing the ADFS Farm”

Big-IP and ADFS Part 2 – “APM–An Alternative to the ADFS Proxy”

Big-IP and ADFS Part 3 – “ADFS, APM, and the Office 365 Thick Clients”

Big-IP and ADFS Part 4 – “What about Single Sign-Out?”

BIG-IP Access Policy Manager (APM) Wiki Home - DevCentral Wiki

Comments
scottm_82531
Nimbostratus
Just a note that (at least as of Oct 2014) Lync, Excel, Word, etc cannot authenticate using SAML, so you still need ADFS.
yamashin55
Cirrus
Alois_102001
Nimbostratus

Just switch to a native SAML-SP scenario.

  1. Is Architecture 1 also supported with SAML? (ADFS Proxy is a SAML-IDP Proxy, ADFS Farm is a SAML-IDP Farm)
  2. Is Architecture 2 also supported with SAML? (F5 APM is a SAML-IDP Proxy, ADFS Farm is a SAML-IDP Farm)

Any comments or references on that?

Anybody used / implemented such architectures?

Version history
Last update:
‎21-Mar-2013 00:00