Forum Discussion
APM with ADFS + Extended Protection
Hello, I am trying to implement F5 as a load balancer for an ADFS server farm. It works well if SSL connections from clients to ADFS are tunneled through F5 without decryption. However, if I enable SSL bridging on F5 (i.e. SSL connections are terminated on F5), the ADFS SSO authentication stops working.
It looks like ADFS is using a new feature called Extended Protection. This feature is a protection from man-in-the-middle proxies.
If I disable the Extended Protection in ADFS as follows, everything works well.
Set-ADFSProperties -ExtendedProtectionTokenCheck:None
I have not encountered any mention of disabling this Extended Protection feature in any F5 guide for ADFS integration.
Question:
Is it really necessary to disable Extended Protection? Is there any way to make it work properly with an F5 doing SSL bridge?
- Jad_Tabbara__J1Cirrostratus
Hi,
In our case, we are terminating SSL connections on the BIG-IP and the "ExtendedProtectionTokenCheck" is set to "none". I think it won't work otherwise!
Also, we encountered another issue with the ADFS "protection" feature when it was enabled. Browsers other than IE were unable to make SSO (Chrome), as described by this discussion
Regards