APM with ADFS + Extended Protection
Hello, I am trying to implement F5 as a load balancer for an ADFS server farm. It works well if SSL connections from clients to ADFS are tunneled through F5 without decryption. However, if I enable SSL bridging on F5 (i.e. SSL connections are terminated on F5), the ADFS SSO authentication stops working.
It looks like ADFS is using a new feature called Extended Protection. This feature is a protection against man-in-the-middle proxies.
If I disable the Extended Protection in ADFS as follows, everything works well.
Set-ADFSProperties -ExtendedProtectionTokenCheck:None
I have not encountered any mention of disabling this Extended Protection feature in any F5 guide for ADFS integration.
Question:
Is it really necessary to disable Extended Protection? Is there any way to make it work properly with an F5 doing SSL bridging?
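Why SSL bridging trips Extended Protection, as an added model that is not part of the original post and not F5 or Microsoft code: the channel-binding half of Extended Protection (RFC 5929 tls-server-end-point) hashes the DER certificate that terminated the client's TLS session, so a BIG-IP presenting its own certificate produces a binding ADFS cannot match unless the BIG-IP serves the same certificate as the farm. The certificate bytes are constructed placeholders, and the None/Allow/Require handling is a simplified model of the ADFS setting; the SPN-based service-binding part of Extended Protection is not modelled.

```python
import hashlib
from typing import Optional

# Constructed placeholder "certificates": DER bytes plus the hash function used in the
# certificate's signature algorithm. Real code would parse these from actual DER.
ADFS_CERT = {"der": b"CONSTRUCTED-ADFS-FARM-CERT", "sig_hash": "sha256"}
F5_CERT = {"der": b"CONSTRUCTED-BIGIP-VS-CERT", "sig_hash": "sha1"}


def tls_server_end_point(cert: dict) -> bytes:
    """RFC 5929 tls-server-end-point channel binding: hash of the DER certificate,
    using the certificate's signature hash, except that MD5 and SHA-1 map to SHA-256."""
    alg = cert["sig_hash"].lower()
    if alg in ("md5", "sha1"):
        alg = "sha256"
    return hashlib.new(alg, cert["der"]).digest()


def client_binding(cert_seen_by_client: dict) -> bytes:
    """The client binds its authentication token to whichever certificate terminated
    its TLS session: the ADFS server (passthrough) or the BIG-IP (bridging)."""
    return tls_server_end_point(cert_seen_by_client)


def adfs_accepts(token_check: str, client_cbt: Optional[bytes]) -> bool:
    """Simplified model of the ExtendedProtectionTokenCheck decision on ADFS.
    None: the binding is never checked. Allow: clients that send no binding are
    accepted, but a binding that is sent must match. Require: a match is mandatory."""
    if token_check == "None":
        return True
    if client_cbt is None:
        return token_check == "Allow"
    return client_cbt == tls_server_end_point(ADFS_CERT)


def scenarios() -> dict:
    """Outcome of each deployment shape; the BIG-IP re-using the farm certificate
    is modelled by the client seeing ADFS_CERT even though the BIG-IP terminates TLS."""
    return {
        "passthrough": adfs_accepts("Allow", client_binding(ADFS_CERT)),
        "bridging_bigip_own_cert": adfs_accepts("Allow", client_binding(F5_CERT)),
        "bridging_same_cert_as_adfs": adfs_accepts("Allow", client_binding(ADFS_CERT)),
        "bridging_token_check_none": adfs_accepts("None", client_binding(F5_CERT)),
        "legacy_client_no_cbt_require": adfs_accepts("Require", None),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30s} {'accepted' if ok else 'rejected'}")
```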