adfs 3.0
5 Topics

APM as ADFS proxy in front of ADFS server 3.0 for O365
Problem this snippet solves:

When deploying APM as an ADFS proxy in front of an ADFS server, there are several issues:

- Clients whose user agent is not Internet Explorer are redirected to ADFS form-based authentication after APM authentication.
- The logout URI is not managed by APM: users who sign out of Office 365 are not signed out of APM, and users who are still authenticated on O365 but whose APM session has expired are prompted to authenticate on APM when signing out of O365.
- When authentication fails, APM displays the logout page with a redirect to /; when the user authenticates next time, the ADFS server responds with a 404 error.
- When a user tries to access the URI /, the ADFS server responds with a 404 error.

This iRule changes the APM behavior to optimize the user experience. To solve the HTTP 404 errors, users requesting / or whose session is denied are redirected to https://portal.office.com.

Note: the next step is to extract the SAML relay state from the request and redirect the 404 case dynamically to the relay state instead of a fixed URL.

How to use this snippet: Enable this iRule on the virtual server.
Code:

    when ACCESS_ACL_ALLOWED {
        # Change the User-Agent to an Internet Explorer 11 User-Agent so that ADFS
        # offers integrated (NTLM) authentication instead of its form-based page
        HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
        # If the authenticated request matches the ADFS SLO URI, close the APM session
        # and redirect to the URI stored in the query parameter "wreply"
        # (note: wreply is used as received; it is not checked against a list of trusted hosts)
        if { ([string tolower [HTTP::path]] equals "/adfs/ls/") && ([string tolower [URI::query [HTTP::uri] wa]] equals "wsignout1.0") } {
            set redirect_uri [URI::decode [URI::query [HTTP::uri] wreply]]
            ACCESS::session remove
            ACCESS::respond 302 noserver Location $redirect_uri
            return
        }
    }

    when ACCESS_SESSION_STARTED {
        # If the new session matches the ADFS SLO URI, close the APM session
        # and redirect to the URI stored in the query parameter "wreply"
        set landinguri [ACCESS::session data get session.server.landinguri]
        if { ([string tolower $landinguri] starts_with "/adfs/ls/") && ([string tolower [URI::query $landinguri wa]] equals "wsignout1.0") } {
            set redirect_uri [URI::decode [URI::query $landinguri wreply]]
            ACCESS::respond 302 noserver Location $redirect_uri
            ACCESS::session remove
            return
        } elseif { !([string tolower $landinguri] starts_with "/adfs/") } {
            # Any other landing URI (for example /) would get a 404 from ADFS:
            # send the user to the portal instead
            ACCESS::respond 302 noserver Location "https://portal.office.com"
            ACCESS::session remove
        }
    }

    when ACCESS_POLICY_COMPLETED {
        # Denied sessions go to the portal instead of the APM logout page
        if { [ACCESS::policy result] equals "deny" } {
            ACCESS::respond 302 noserver Location "https://portal.office.com"
            ACCESS::session remove
        }
    }

Tested this on version: 12.0

APM replacing ADFS proxy 3.0 : different behavior based on user agent value
Hi,

I am deploying F5 APM as an ADFS proxy using deployment guide v1.4. I configured AD auth and NTLM SSO. When authenticating with Firefox, SSO does not work and the ADFS server requests form-based authentication (it is my default test browser and I did not try with IE). I searched on DevCentral whether there is anything else to configure to support ADFS 3.0. I found this article about configuring form-based authentication on the ADFS server.

To support the ADFS proxy for any browser, I customized the iRule provided in the deployment guide like this:

    when HTTP_REQUEST {
        set keepua 0
        # For external Lync client access all external requests to the /trust/mex URL
        # must be routed to /trust/proxymex.
        # Analyze and modify the URI where appropriate
        HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]
        # Analyze the HTTP request and disable access policy enforcement for WS-Trust calls
        if { [HTTP::uri] contains "/adfs/services/trust" } {
            ACCESS::disable
            set keepua 1
        }
        # OPTIONAL ---- To allow publishing of the federation service metadata
        if { [HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml" } {
            ACCESS::disable
            set keepua 1
        }
        if { !($keepua) } {
            HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
        }
    }

It replaces the client user agent with one supported by the ADFS server for NTLM auth.

Am I the first who gets this error? Is there a better solution to solve this issue?

Regards,
Stanislas

adfs 3.0 and APM O365
We are in the early stages of the design of an ADFS 3.0 implementation, and we would like to use APM to provide the functionality of the ADFS proxy in our DMZ. According to this article https://devcentral.f5.com/articles/big-ip-and-adfs-part-2-ndash-ldquoapmndashan-alternative-to-the-adfs-proxyrdquo it should work. However, this document says that SSL termination is not an option: https://blogs.technet.microsoft.com/applicationproxyblog/2014/07/04/ssl-termination-with-web-application-proxy-and-ad-fs-2012-r2/

It is still unclear to me regarding the full ecosystem, but from what I gather a sticking point might be ActiveSync, as the authentication for ActiveSync will be proxied from the cloud to our ADFS, and a client certificate of O365 might need to be passed to the backend ADFS servers.

Can anyone speak of replacing the WAP/ADFS proxy in an ADFS 3.0 implementation with F5 APM, and any possible sticking points that they have experienced?

Terry

ADFS 3.0 monitor for ADFS Proxy servers on LTM 11.6 HF3
We are load balancing ADFS 3.0 Proxy servers, but cannot get the monitor to work. The external script provided by F5 is as follows:

    #!/bin/sh
    # These arguments supplied automatically for all external monitors:
    # $1 = IP (nnn.nnn.nnn.nnn notation)
    # $2 = port (decimal, host byte order)
    #
    # This script expects the following Name/Value pairs:
    # HOST = the host name of the SNI-enabled site
    # URI = the URI to request
    # RECV = the expected response
    #
    # Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
    NODE=`echo ${1} | sed 's/::ffff://'`
    if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        NODE=${NODE}
    else
        # IPv6 literal: bracket it for curl's --resolve syntax
        NODE=[${NODE}]
    fi
    PORT=${2}
    PIDFILE="/var/run/`basename ${0}`.sni_monitor_${HOST}_${PORT}_${NODE}_sni.pid"
    if [ -f $PIDFILE ]
    then
        echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error
        kill -9 `cat $PIDFILE` > /dev/null 2>&1
    fi
    # Record this run's PID so a hung probe can be killed on the next run
    # (without this line the PID file check above never fires)
    echo "$$" > $PIDFILE
    # curl's verbose output (stderr, which carries the status line) goes to the pipe;
    # the response body (stdout) is discarded
    curl-apd -k -v --resolve $HOST:$PORT:$NODE https://$HOST$URI 2>&1 > /dev/null | grep -i "${RECV}"
    STATUS=$?
    rm -f $PIDFILE
    if [ $STATUS -eq 0 ]
    then
        echo "UP"
    fi
    exit

I can ssh into the F5 and get a good response when I hard-code the values:

    config # curl-apd -k -v --resolve adfs.abc.edu:443:10.255.200.201 https://adfs.abc.edu/FederationMetadata/2007-06/FederationMetadata.xml 2>&1 > /dev/null | grep -i "HTTP/1.1 200 OK"
    < HTTP/1.1 200 OK

Is there a way on the command line to see what variables are actually being used, or maybe a way to log their values? I wonder if it is not correctly pulling the $NODE or $PORT values. As an experiment I also changed [ $STATUS -eq 0 ] to [ $STATUS eq 0 ] just to see if the monitor would come up, and that did not help either.

Thanks,
Rob

ADFS 3.0 nodes up/down
I am fairly new to the Big-IP platform, so forgive me if there is an obvious answer to this.... I am on 11.3 and attempting to load balance ADFS 3.0. I wasn't having luck with the SNI monitor, then I realized it's not supported for 3.0 until 11.4.1. That being the case, I configured TCP monitors instead until we can upgrade to >11.4.1, hoping to get this working. I am still having issues, however. My nodes will appear online for a period of time and everything seems fine. Then they will go offline for a while, then back online again. Does anyone have any suggestions? I am at a loss.

Thanks
Richie
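The two monitor threads above (Rob's external SNI monitor that stays down, and Richie's fallback to TCP monitors, which only confirm that the port is open and say nothing about the HTTP answer) share the same debugging need: seeing which values the monitor actually received and which decision it made. The helper functions below are an added example, not F5's monitor script nor code from either poster. They factor the script's steps (address normalization, the curl-apd probe, the grep on the expected response) into functions that log every input to the LTM log and can be exercised offline on constructed input. The function names, the fallback to stderr when logger is unavailable, and the sample values (adfs.abc.edu and 10.255.200.201 are taken from Rob's post; the IPv6 address is made up) are all this example's own assumptions.

```shell
#!/bin/sh
# Added example (not F5's script): helpers that expose the external SNI
# monitor's inputs and reproduce its pass/fail decision offline.
# HOST, PORT, NODE, URI and RECV are the variables the monitor uses;
# the sample address values are from the post, everything else is constructed.

# Log to the LTM log when logger is available, otherwise to stderr.
log_line() {
    logger -p local0.info -t sni_monitor "$*" 2>/dev/null \
        || printf 'sni_monitor: %s\n' "$*" >&2
}

# Strip the IPv6/IPv4 compatibility prefix LTM adds; bracket genuine IPv6
# literals so that curl's --resolve HOST:PORT:ADDR form can parse them.
normalize_node() {
    node="${1#::ffff:}"
    case "$node" in
        *:*) printf '[%s]' "$node" ;;
        *)   printf '%s' "$node" ;;
    esac
}

# Log every value the probe depends on; if any is empty, print the missing
# names and return 1 so the caller can exit without printing "UP".
check_monitor_vars() {
    host="$1"; port="$2"; node="$3"; uri="$4"; recv="$5"
    log_line "HOST=$host PORT=$port NODE=$node URI=$uri RECV=$recv"
    missing=""
    [ -n "$host" ] || missing="$missing HOST"
    [ -n "$port" ] || missing="$missing PORT"
    [ -n "$node" ] || missing="$missing NODE"
    [ -n "$uri" ]  || missing="$missing URI"
    [ -n "$recv" ] || missing="$missing RECV"
    if [ -n "$missing" ]; then
        log_line "missing monitor variables:$missing"
        printf '%s' "${missing# }"
        return 1
    fi
    return 0
}

# Build the exact probe command without running it, for logging or copy-paste
# into an ssh session (arguments: HOST PORT NODE URI).
build_probe_command() {
    printf 'curl-apd -k -v --resolve %s:%s:%s https://%s%s' "$1" "$2" "$3" "$1" "$4"
}

# Apply the monitor's own decision rule to curl's verbose output on stdin:
# print UP when the expected string is present, print nothing otherwise.
judge_response() {
    if grep -qi -- "$1"; then
        printf 'UP'
    fi
}

# Usage inside the monitor script, replacing its NODE/PORT and curl lines:
#   NODE=$(normalize_node "$1"); PORT="$2"
#   check_monitor_vars "$HOST" "$PORT" "$NODE" "$URI" "$RECV" >/dev/null || exit 0
#   log_line "probe: $(build_probe_command "$HOST" "$PORT" "$NODE" "$URI")"
#   curl-apd -k -v --resolve "$HOST:$PORT:$NODE" "https://$HOST$URI" 2>&1 >/dev/null | judge_response "$RECV"
```

With these in place, `tail -f /var/log/ltm` on the BIG-IP shows the HOST, PORT, NODE, URI and RECV values on every probe, and the logged probe line can be pasted into an ssh session exactly as Rob did by hand; an empty or mis-cased variable name shows up as a "missing monitor variables" entry rather than as a silently down pool member.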