APM with ADFS + Extended Protection

Question

Hello,
I am trying to implement F5 as a load balancer for an ADFS server farm.
It works well if SSL connections from clients to ADFS are tunneled thru F5 without decryption.
However if I enable SSL bridging on F5 (i.e. SSL connections are terminated on F5) the ADFS SSO authentication stops working.&nbsp;
It looks like ADFS is using a new feature called Extended Protection.
This feature is a protection from man-in-the-middle proxies.&nbsp;
If I disable the Extended Protection in ADFS as follows, everything works well.&nbsp;
Set-ADFSProperties -ExtendedProtectionTokenCheck:None&nbsp;
I have not encountered any mention about disabling this Extended Protection feature in any F5 guide for ADFS integration.&nbsp;
Question:&nbsp;
Is it really necessary to disable Extended Protection?
Is there any way to make it work properly with an F5 doing SSL bridge?&nbsp;

jad_tabbara__j1 · Answer

Hi,&nbsp;
In our case, we are terminating SSL connections on the BIG-IP and the  "ExtendedProtectionTokenCheck" is set to "none". I think It wont work otherwise ! &nbsp;
Also we encounter another issue with the ADFS "protection" feature when it was enabled. Browsers other than IE, were unable to make SSO (Chrome) as described by this discussion  
&nbsp;
https://social.technet.microsoft.com/Forums/en-US/6948e92d-1789-480d-99c1-08ee94a522cd/adfs-3-server-2012-r2-and-chrome?forum=winserverDS&nbsp;
Regards&nbsp;

Forum Discussion

APM with ADFS + Extended Protection

1 Reply

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Beyond REST: Protecting GraphQL

L7 DoS Protection with NGINX App Protect DoS

Exchange server extended protection and BigIP

Managing NGINX App Protect WAF for Beginners

F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions