adfs
28 TopicsAPM Cookbook: SAML IdP Chaining
As an APM subject mater expert at F5 I often find myself in situations where a customer or colleague needs an example of a particular configuration. While most of these requests are easily handled with a call or WebEx I'm a firm believer in sharing knowledge through documentation.. and I don't like getting calls at 3 AM. If you're like me you grew up with the O'Reilly Cookbook series which served as a great reference document for various development or server configuration tasks. My goal is to create a similar reference resource here on DevCentral for those one-off scenarios where a visual example may help your complete your task. For the first APM Cookbook series I'll discuss SAML IdP chaining. Overview Security Assertion Markup Language, more commonly known as SAML, is a popular federated authentication method that provides web based single sign-on. One of the key security advantages to SAML is the reduction in username/password combinations that a user has remember... or in my experience as a security engineer the number of passwords written on a post-it note stuck to their monitor. There are two major services in a SAML environment: IdP - Identity Provider SP - Service Provider The identity provider is the SAML service that authenticates the user and passes an assertion to then service providers proving the user's identity. F5's APM performs both IdP and SP services and allows customers to easily deploy federated authentication in their environment. In more complex scenarios you may run across a requirement where multiple SAML IdPs need to be chained together. This comes up from time to time when customers have contractors that utilize federated authentication for authorization to corporate resources. Example For our configuration we have the Globex Corporation that uses APM to authenticate uses to Office 365. Globex hire contractors from Acme Corp. who authenticate using the Acme Corp. ADFS environment. However, since Office 365 is configured to authenticate against the Globex APM we need to convert the Acme Corp. SAML assertion into a Globex SAML assertion, which is known as IdP chaining. The step ladder for this process is shown below: 1. User requests https://outlook.com/globex.com 2 - 3. Office 365 redirects user to idp.globex.com 3 - 4. idp.globex.com determines user is a contractor and redirect user to sts.acme.com 5 - 8. User authenticates using Acme credentials and is then redirect back to idp.globex.com 9. idp.globex.com consumes the Acme SAML assertion and creates a Globex SAML assertion 10. User is redirected back to Office 365 11 - 12. Office 365 consumes the Globex SAML assertion and displays the user's mail Configuration To configure your APM SAML IdP to accept incoming assertion from sts.acme.com we need to create an external SP connector. Under the Access Policy -> SAML -> BIG-IP as SP configuration section: 1. Create a new SAML SP Service 2. Export the SP metadata and configure sts.acme.com accordingly (follow your IdP vendor's documentation) 3. Click the External IdP Connectors menu at the top 4. Click the dropdown arrow on the create button and choose From Metadata (import the metadata from sts.acme.com) 5. Bind the Local SP service to the external IdP connector Now that idp.globex.com and sts.acme.com are configured to trust one another we need to configure the APM IdP to consume the sts.acme.com SAML assertion. The IdP's Visual Policy Editor should look similar to the image below: 1. The Decision Box asks the user what company they're with. This is a simple example but more elaborate home realm discovery techniques can be used. 2. The SAML Auth box is configured to consume the sts.acme.com assertion 3. Since we no longer have a login form on the IdP we need to set a few APM session variables: session.logon.last.username = Session Variable session.saml.last.identity session.logon.last.logonname = Session Variable session.saml.last.identity 4. Create an Advanced Resource Assign that matches your existing IdP Advance Resource Assign. Conclusion This particular post was a little longwinded due to the steps required but overall is a fairly simple configuration. So the next time someone asks if your F5 can do IdP chaining you can confidently reply "Yes and I know how to do that".4.1KViews1like7CommentsF5 APM /w ADFS login page
Hi all, I'm fairly new to working with APM (and ADFS/SAML in general) so I was wondering if someone could help me figure out what I'd need to accomplish the following: APM Policy: Start -> ADFS login page (note 1) -> MFA verification (note 2) -> Assign SSO properties -> Allow The stumbling block I'm currently at is I don't know how to configure either ADFS, or APM, to present the ADFS authentication portal for APM. Any hints or resources that can be used to accomplish this would be greatly appreciated! Notes: 1: The ADFS login page, not the APM login page. Our CIO specially wants the ADFS login page to be our only authentication portal. 2: We are using DUO for MFA; I'm guessing there's a way to pull the necessary information on to some sort of landing page in order to accomplish this, like in the example that DUO gives for working with APM416Views0likes1Comment[SAML] APM as SP with ADFS as IdP, Assertion info not found
Hi, i've configured an APM as SP (TMOS v12.1.2 HF1) and i use an external IdP (ADFS). The configuration is correct, i've follow the manual Using APM as a SAML Service Provider After configured the SP and imported the metadata from IdP, i've exported the metadata and imported into ADFS. If i try to authenticate, i the POST to ADFS and the POST to APM but, after this post i receive an error and my access policy terminate with DENY. If i see the logs on APM, i see only this error: Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "SamlSPAgentexecuteInstance()" line: 1115 Msg: Matched idp connector name: /Common/my_IDP Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "SamlSPAgentexecuteInstance()" line: 1116 Msg: Doing SAML SP Initiated Auth: / Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: ./AccessPolicyProcessor/SessionState.h func: "clearTempSessionAgentState()" line: 110 Msg: Agent did not initiated the scheduled agent Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 532 Msg: Let's evaluate rules, total number of rules for this action=2 Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 538 Msg: Rule to evaluate = "expr {[mcget {session.saml.last.result}] == 1}" Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 538 Msg: Rule to evaluate = "" Oct 6 11:14:34 BIG-IP-F5-1 err apmd[22385]: 0149020f:3: /Common/WebAPP:Common:83748128: SAML Agent: /Common/WebAPP_act_saml_auth_ag cannot find assertion information in SAML request The SSO and APMD log var is set to DEBUG. i have the trace taken by SAML TRACKER (FF plugin) and seems corrects (correct entity ID, correct Assertion, Correct cert used for signing, ecc..) The only thing that i see different from the "web example" is the missing prefix in XML Tags: ... https://*** *** ..... In examples, i've always seen the prefix saml: How can i do to troubleshoot better this issue? Is necessary the prefix in SAML Response? Any response will be greatly appreciated. Thanks, Regards, S349Views0likes0CommentsADFS Proxy balancing with LTM and Advanced WAF, without APM
Looking to do a new F5 configuration to load balance and protect with Advanced WAF a pair of existing Office 365 ADFS Proxy servers running the 2019 version. I see that F5 is no longer supporting iApps for Office 365. The new supported configuration seems to be using Guided Configuration. All articles I've found so far, recquire using APM. The 'F5 appliances we can use are running version 15.1.x and don't have APM, only LTM and Advanced WAF. Is there an official supported solution to do ADFS Proxy (version 2019 or later) load balancing with Advanced WAF protecions? If there isn't, should we still use the last version of the iApp Templates instead?1.7KViews0likes5CommentsSSL Bridging and X fwd for ADFS
We currently have a VIP configured for external ADFS that is doing SSL passthrough. We are trying to utilize the X Forwarded for header with SSL bridging however during our change neither the SSL bridging or the x forwarded for option was sucessfull. When applying either or both config that traffic would fail and the web page would show page unreachable. Does anyone have any expereience with this type of change1.5KViews0likes6CommentsBig-IP and ADFS Part 5 – “Working with ADFS 3.0 and SNI”
Can you believe it? It’s true, it’s true! There’s a part 5. What can I say? Times change; people change; software changes. Active Directory Federation Services, (ADFS) is no exception. While the BIG-IP with SAML 2.0 can alleviate the need for and ADFS infrastructure in many use cases, there are still organizations that need/want to continue utilizing ADFS. Fortunately, regardless of which way you go, F5 can help. So, in the spirit of free will, collaboration, and serving the greater good, (too much?), let’s talk about load balancing ADFS 3.0 with the BIG-IP. As you may, or may not, recall the previous posts around BIG-IP and ADFS revolved around load balancing ADFS 2.0 and ADFS Proxy, replacing the ADFS Proxy with Access Policy Manager, and replacing the entire ADFS infrastructure with APM and SAML. The good news is that these posts are still relevant with regards to ADFS 3.0 and the ADFS proxy replacement, (WAP); well for the most part anyway. ADFS and SNI While there are numerous differences between ADFS 3.0 and previous versions, the most significant change with respect to providing HA and scalability for the ADFS 3.0 infrastructure is its use of Server Name Indication, (SNI). To Successfully integrate a load balancing solution, ( including full reverse proxy), into the ADFS environment the device must support SNI. The load balancing device must be able to present the server name to the backend host as part of the initial Client Hello. Fortunately, the BIG-IP, (ver. 11.1.0 and later) supports this TLS protocol extension. The rest of this post will provide guidance on enabling SNI support for ADFS 3.0 integration. For overall guidance refer to parts one thru three of this series as well as the recently published ADFS 2.0 Deployment Guide. SNI and the Server Profile The BIG-IP provides a virtual server, (listener), that receives client SSL connections and subsequently intelligently passes traffic into a pool of ADFS/WAP servers. Depending upon the organization’s infrastructure and security requirements, the BIG-IP can simply receive encrypted client connections and pass them through to the backend ADFS farm, (aka SSL tunneling). However, the preferred method, (SSL bridging), receives encrypted clients connections; terminates and decrypts the traffic. The traffic is then re-encrypted and sent to the backend application servers. This method adds an additional layer of security since external traffic never directly connects to the internal domain-joined machines as well affording the ability to perform additional deep packet inspection. SSL bridging back to the ADFS farm requires associating a server SSL profile to the virtual server. Enabling SNI is simply a matter of specifying the server name on the associated server SSL profile, (see below). 1. Navigate to the appropriate profile; 2. Select ‘Advanced’ configuration and enter the FQDN of the backend ADFS service hostname. The hostname will now be provided during the TLS negotiation. In the example below, the server name is ‘fs.f5demo.net’, (refer to the highlighted field). Like I said, simple! Health Monitoring and SNI Effectively monitoring the backend ADFS/WAP farm members is a little trickier but very doable. Since the built-in HTTP monitors do not provide the server name as part of the TLS negotiation, using them will result in the being backend servers being incorrectly marked as down, (not good). You could simply use a non-HTTP monitor, (ICMP being the most common), but that doesn’t provide a reasonable guarantee that the actual ADFS service is functioning. Better than that, what we can do is create an external custom SNI enabled monitor that validates the service metadata and associate it to the pool. It’s as easy as 1,2,3,…..um.. 4,5,6. 1. Download the script: http://www.f5.com/pdf/deployment-guides/sni-eav.zip 2. Upload the previously downloaded file into the BIG-IP via the web interface. Navigate to ‘System’ –> ‘External Monitor Program List’ –> ‘Import’; IMPORTANT!!! If ADFS proxy server is configured to accept SSL/TLS connections only using TLSv1.1 or better , the monitor will not work. If have come up with this one-liner to replace the “curl” based command in the script. Thanks to Jerry Tower for helping fix the actual HTTP request as well as testing the script. (echo -e "GET $URI HTTP/1.1\r\nHost: $HOST\r\nConnection: Close\r\n\r\n"; sleep 2) | openssl s_client –quiet –servername $HOST -connect $NODE:$PORT 2> /dev/null| grep -i "$RECV" 2>&1> /dev/null The script line that this one-liner should replace is the following: curl-apd -k -v -i --resolve $HOST:$PORT:$NODE https://$HOST$URI | grep -i "${RECV}" 2>&1 > /dev/null 3. Browse to and select the file. Provide a name for the file and select ‘Import’; 4. Create a new external monitor utilizing the associate external file. Navigate to ‘Local Traffic’ –> ‘+’ sign; 5. Provide a name and select ‘External’ for the type. Select the previously created external program. The script provided requires three, (3) variables entered as name/value pairs. The variables are listed below. Select ‘Finished’; Name Value RECV HTTP/1.1 200 URI /FederationMetadata/2007-06/FederationMetadata.xml HOST 6. Associate the newly created monitor to the ADFS pool and/or the WAP pool. Select ‘Local Traffic’ –> ‘Pools’ –> ‘Pool List’. Move the monitor into the active pane and select ‘Update’. Additional Links: Big-IP and ADFS Part 1 – “Load balancing the ADFS Farm” Big-IP and ADFS Part 2 – “APM–An Alternative to the ADFS Proxy” Big-IP and ADFS Part 3 – “ADFS, APM, and the Office 365 Thick Clients” Big-IP and ADFS Part 4 – “What about Single Sign-Out?” BIG-IP Access Policy Manager (APM) Wiki Home - DevCentral Wiki Active Directory Federation Services 3.0 Overview5.7KViews1like24CommentsHow to create an APM policy for on-prem application that uses SAML
Hello, I would like some guide on how to configure and APM policy and SSO. Basicalli, present a portal to force authentication when accessing https://mysite.example.com for example https://mysite.example.com is an on-prem application which is configure for ADFS saml authentication on an external IdP. Before putting an APM policy the traffic flow goes as follows. User access https://mysite.example.com (this app is behind f5 LTM) mysite.example.com redirects user to authenticate to myadfs.example.com and gets prompted by ADFS for username and password. myadfs.example.com authenticates and redirects back to mysite.example.com User is able to access mysite.example.com. After adding APM policy the traffic flow goes as follows. User access https://mysite.example.com (this app is behind f5 LTM) F5 presents a prompt for username and password (AD authentication) User is successful authenticated. Access is granted to https://mysite.example.com mysite.example.com redirects user to authenticate to myadfs.example.com ("AGAIN", can this be prevented since they already authenticated) and gets prompted by ADFS for username and password. myadfs.example.com authenticates and redirects back to mysite.example.com User is able to access mysite.example.com. Any advice really appreciated. Python datetime (With Examples)445Views0likes1CommentADFS load balancing using CNAME record but against MS guide lines?
We would like to load balance our ADFS using our BigIP load balancer. I'm not a networking guy or expert on BigIP so forgive me for any omissions/inaccuracies. The standard practice to load balance any Windows based service is to: Create a subzone of your DNS domain zone in question, e.g. lb.contoso.com Make the LBs authorative for this zone (i.e. they become the name servers) Within your contoso.com DNS zone, create a CNAME record of adfs.contoso.com mapping it to adfs.lb.contoso.com And finally configure your nodes inside BigIP However, MS explcitly state not to create a CNAME record for ADFS (and some other services too). Here is the snippet from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements (AD FS 2016 Requirements). It says (see line in bold): DNS Requirements For intranet access, all clients accessing AD FS service within the internal corporate network (intranet) must be able to resolve the AD FS service name to the load balancer for the AD FS servers or the AD FS server. For extranet access, all clients accessing AD FS service from outside the corporate network (extranet/internet) must be able to resolve the AD FS service name to the load balancer for the Web Application Proxy servers or the Web Application Proxy server. Each Web Application Proxy server in the DMZ must be able to resolve AD FS service name to the load balancer for the AD FS servers or the AD FS server. This can be achieved using an alternate DNS server in the DMZ network or by changing local server resolution using the HOSTS file. For Windows Integrated authentication, you must use a DNS A record (not CNAME) for the federation service name. For user certificate authentication on port 443, "certauth.<federation service name>" must be configured in DNS to resolve to the federation server or web application proxy. For device registration or for modern authentication to on premises resources using pre-Windows 10 clients, "enterpriseregistration.<upn suffix>", for each UPN suffix in use in your organization, must be configured to resolve to the federation server or web application proxy. ADFS seems to be a popular and common service that is load balanced by BigIP appliances, but doesn't the method we have to use in BigIP contradict the above MS recommendation? Or is there something happening behind the scene which is transforming the request or performing some other magic to essentially make it look like a non CNAME based request? I would be extremely grateful for any input, thoughts or ideas. Thank you2KViews0likes0CommentsOffice 365's new "Modern Auth"
Hi All, We've just heard a rumor that Microsoft have released a new authentication model for Office 365 which they are using with Exchange Online and Skype for Business to start with. Now we have been told that with this new authentication model that ADFS being fronted by APM for authentication/acting as an ADFS proxy is not and will not be supported due to the change in the way authentication works. From what we can tell, it will only break application clients (ActiveSync/Office/Skype) that aren't just a web page, but we really don't have much detail. Does anyone have any experience with Office 365 off-prem setups and the new Modern Authentication model? Can anyone confirm that it doesn't in fact work? Is there anyone from F5 who has advice on if it's on the road map for being fixed/addressed/investigated? Thanks in advanced.862Views0likes4CommentsAnyone tested F5 as a adfs proxy?
Hey, Currently we have deployed adfs using iApp template on our F5. Here F5 is just acting as reverse proxy and load balancing traffic between two of our adfs servers. Now we want to explore F5 as ADFS proxy option. Is anyone have worked on this or tested in LAB setup? Need your suggestions on this. I am very clear about configuration part. But need few more information like pros/cons of this deployment or anyone faced any kind of issues under this setup?812Views0likes5Comments