Forum Discussion
ADFS Proxy, APM, ASM Craziness
- Nov 04, 2022
It could be a URL filter or layer 7 access list in the APM session policy or, if there is one, in a per-request policy. You can also enable APM HSM logging to try to see the APM logs that block this:
https://support.f5.com/csp/article/K45423041
See at the end of this link about HSM with APM:
ASM can use the APM session id for user session matching:
As your APM is before the ASM, you can also place the ASM before the APM to protect the login page or webtop if you use those. But in this case the session feature may not work, as the APM will be after the ASM, though the ASM may still track by username from the login page:
https://support.f5.com/csp/article/K13315545
https://support.f5.com/csp/article/K54217479
I created a test ADFS config and I take my words back, as by default the ADFS config shouldn't provide any URL protections, but if you modified it and if the ASM/Advanced WAF is the one doing this, it could block without returning a custom page if someone has made it so.
ADFS config with APM authentication and F5 SMS OTP:
- JustCooLpOOLe, Nov 03, 2022
Cirrocumulus
We're working with support on this issue, but there is no APM policy in use for ADFS. We are using the ADFS Trust portion that shows on a Virtual Server, where you enter Domain Admin creds to establish the trust and a certificate is auto-renewed with the ADFS servers. That's where you see that anything which does not include "/adfs" is presented with a 404. No ASM policy is in play.
- Nikoolayy1, Nov 04, 2022
MVP
Ah, got it. It seems that for some guided configs F5 is using an internal iApp LX based on Node.js to make this magic, and the 404 is probably configured there.
- JustCooLpOOLe, Nov 10, 2022
Cirrocumulus
Definitely a nice feature, but if you're trying to put an AWAF policy in front, the violations are never triggered. Looking into having a virtual server placed in front of the ADFS virtual server, but that is challenging too.