BIG-IP with APM federation to O365 / Azure AD Connect requiring Web Application Proxy - can we do without WAP?

THi_89722
Nimbostratus

Hi

 

A customer has new AD/ADFS 3.0 infrastructure and wants federation to Office 365. This can be done with BIG-IP LTM+APM replacing the ADFS proxies. There is a deployment guide and iApp for ADFS supporting ADFS 3.0, but there is no mention of directory synchronization, which is needed between O365 and on-premises AD.

 

Traditionally the synchronization has been implemented with Microsoft's DirSync tool. This summer Microsoft released a replacement for DirSync called Azure AD Connect, so that is what will be used.

 

Now it seems that the new Azure AD Connect wizard (GUI) requires the installation of the Web Application Proxy (WAP) role before it can complete. We would like to avoid the WAP servers, as deploying them runs counter to replacing them with LTM+APM.

 

Are there any guidelines/instructions/know-how on how to use and configure the new Azure AD Connect tool properly for synchronization without WAP, in a case where BIG-IPs will replace the WAP servers on the ADFS federation side? Also, when running the Azure AD Connect wizard, what issues might we face with F5 in place of WAP, if it can be configured that way?

 


I am not sure I follow you - Azure AD Connect is just a synchronization tool. I have installed/used it, and do not recall it asking for WAP role installation. So you should not see any issues.

 

Michael_Koyfman
Cirrocumulus

I just dug into it further. I think I see what is going on - Azure AD Connect now allows users to both set up AD user replication to Azure AD and set up federated domain status with ADFS at the same time. Proxy is not a required field to be filled out in the process, as far as I can tell - so I suggest just skipping it altogether when going through the wizard.

 

Thanks Michael. I think the WAP role installation is required on the Federation setup side of the wizard. I have to check if and how it can be skipped. However, as federation to O365 is one of the use scenarios in the newest F5 deployment guide, the steps that need to be done on the ADFS side, especially with Azure AD Connect, should be in the guide too, either as wizard steps or as PowerShell commands, similar to what was provided earlier for the DirSync tool.
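An added verification step for the situation discussed above (this is not from the thread or from any F5 guide): once the Azure AD Connect wizard has set the domain to federated with the proxy step skipped, confirm from the Internet-facing side that every endpoint Office 365 was handed uses the ADFS farm name the BIG-IP publishes, that the name resolves to the APM virtual server rather than a WAP host, and that the endpoints answer there. The domain `contoso.com`, farm name `fs.contoso.com` and VIP address `203.0.113.10` are assumed placeholders.

```powershell
# Added example, not from the thread or an F5 guide. Assumed placeholder values:
$Domain      = 'contoso.com'      # federated domain configured by Azure AD Connect
$FarmFqdn    = 'fs.contoso.com'   # ADFS farm name published by the BIG-IP APM virtual
$ExpectedVip = '203.0.113.10'     # public address of that APM virtual server

Connect-MsolService   # MSOnline module; prompts for Office 365 admin credentials

# What Office 365 will actually call for this domain, as recorded by the wizard.
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
$endpoints = [ordered]@{
    PassiveLogOn     = $fed.PassiveLogOnUri      # browser sign-in (/adfs/ls/)
    ActiveLogOn      = $fed.ActiveLogOnUri       # WS-Trust for rich clients
    MetadataExchange = $fed.MetadataExchangeUri  # /adfs/services/trust/mex
    LogOff           = $fed.LogOffUri
}

$problems = @()
foreach ($entry in $endpoints.GetEnumerator()) {
    if (-not $entry.Value) { $problems += "$($entry.Key): not set"; continue }
    $uri = [Uri]$entry.Value
    # Every endpoint must use the farm name the BIG-IP publishes, not a WAP name.
    if ($uri.Host -ne $FarmFqdn) {
        $problems += "$($entry.Key): host $($uri.Host) is not $FarmFqdn"
    }
    # The endpoint must present a TLS listener on the Internet-facing side.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $problems += "$($entry.Key): no TLS listener on $($uri.Host):443"
    }
}

# External DNS for the farm name must land on the APM virtual server.
$resolved = (Resolve-DnsName -Name $FarmFqdn -Type A -ErrorAction SilentlyContinue).IPAddress
if ($resolved -notcontains $ExpectedVip) {
    $problems += "$FarmFqdn resolves to [$($resolved -join ', ')], expected $ExpectedVip"
}

# The federation metadata O365 consumed must be served through the same path.
try {
    $metaUri = "https://$FarmFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
    $meta = Invoke-WebRequest -Uri $metaUri -UseBasicParsing
    if ($meta.StatusCode -ne 200) { $problems += "federation metadata returned HTTP $($meta.StatusCode)" }
} catch {
    $problems += "federation metadata not reachable: $($_.Exception.Message)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Federation for $Domain is published via $FarmFqdn on $ExpectedVip" }
```

Run it from a host outside the corporate network, since the point is to see what Office 365 sees.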

houstonrob_1173
Nimbostratus

I know this is a year-old article, but I was curious if you ever figured this out. We are looking at using APM instead of ADFS Proxy servers, but our Windows admin says the WAP role is required. Is this something that APM can also replace?

 

Are you looking to replace ADFS, or just the ADFS proxy? Both scenarios should work. The WAP role is not required if you want to use APM as a proxy to ADFS either - I suggest you simply give it a try using this guide: https://f5.com/solutions/deployment-guides/microsoft-active-directory-federation-services-big-ip-v11...

 

If you run into any issues, please report them here on this thread and we can look at it then.

 

Just the ADFS proxy. I took your advice and started putting it in, and it seems to be working, except I don't want users to get an actual login page. When we go straight to the ADFS farm, they're logged in with their computer credentials; is this supposed to do the same?

 

I am confused - if you are setting up an ADFS proxy, then I presume it is for external/remote users, correct? If so, why would you want them to be logged in automatically? Are you saying that you only allow remote access from domain-joined machines? You can try to set up NTLM authentication in the APM policy to avoid the login page, but then you also need to have a login page for non-domain-joined devices, right?

 

Check out this article and let me know if it makes sense.

 

https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication

 

Yes, that's correct, this is for external users. Our Windows admin says he wants users to be able to connect via SSO if they're on a domain machine, regardless of whether they are inside the network or somewhere else. Any other machine should get the login page (which is working now). I followed the NTLM guide, but I'm unsure about the iRule. Am I supposed to apply that to the ADFS VIP?

 

You apply the iRule to the same virtual that contains your access policy.