F5 APM /w ADFS login page
Hi all, I'm fairly new to working with APM (and ADFS/SAML in general) so I was wondering if someone could help me figure out what I'd need to accomplish the following: APM Policy: Start -> ADFS login page (note 1) -> MFA verification (note 2) -> Assign SSO properties -> Allow The stumbling block I'm currently at is I don't know how to configure either ADFS, or APM, to present the ADFS authentication portal for APM. Any hints or resources that can be used to accomplish this would be greatly appreciated! Notes: 1: The ADFS login page, not the APM login page. Our CIO specially wants the ADFS login page to be our only authentication portal. 2: We are using DUO for MFA; I'm guessing there's a way to pull the necessary information on to some sort of landing page in order to accomplish this, like in the example that DUO gives for working with APM
[SAML] APM as SP with ADFS as IdP, Assertion info not found
Hi, i've configured an APM as SP (TMOS v12.1.2 HF1) and i use an external IdP (ADFS). The configuration is correct, i've follow the manual Using APM as a SAML Service Provider After configured the SP and imported the metadata from IdP, i've exported the metadata and imported into ADFS. If i try to authenticate, i the POST to ADFS and the POST to APM but, after this post i receive an error and my access policy terminate with DENY. If i see the logs on APM, i see only this error: Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "SamlSPAgentexecuteInstance()" line: 1115 Msg: Matched idp connector name: /Common/my_IDP Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "SamlSPAgentexecuteInstance()" line: 1116 Msg: Doing SAML SP Initiated Auth: / Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: ./AccessPolicyProcessor/SessionState.h func: "clearTempSessionAgentState()" line: 110 Msg: Agent did not initiated the scheduled agent Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 532 Msg: Let's evaluate rules, total number of rules for this action=2 Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 538 Msg: Rule to evaluate = "expr {[mcget {session.saml.last.result}] == 1}" Oct 6 11:14:34 BIG-IP-F5-1 debug apmd[22385]: 01490000:7: AccessPolicyProcessor/AccessPolicy.cpp func: "execute()" line: 538 Msg: Rule to evaluate = "" Oct 6 11:14:34 BIG-IP-F5-1 err apmd[22385]: 0149020f:3: /Common/WebAPP:Common:83748128: SAML Agent: /Common/WebAPP_act_saml_auth_ag cannot find assertion information in SAML request The SSO and APMD log var is set to DEBUG. i have the trace taken by SAML TRACKER (FF plugin) and seems corrects (correct entity ID, correct Assertion, Correct cert used for signing, ecc..) The only thing that i see different from the "web example" is the missing prefix in XML Tags: ... https://*** *** ..... In examples, i've always seen the prefix saml: How can i do to troubleshoot better this issue? Is necessary the prefix in SAML Response? Any response will be greatly appreciated. Thanks, Regards, S
ADFS Proxy balancing with LTM and Advanced WAF, without APM
Looking to do a new F5 configuration to load balance and protect with Advanced WAF a pair of existing Office 365 ADFS Proxy servers running the 2019 version. I see that F5 is no longer supporting iApps for Office 365. The new supported configuration seems to be using Guided Configuration. All articles I've found so far, recquire using APM. The 'F5 appliances we can use are running version 15.1.x and don't have APM, only LTM and Advanced WAF. Is there an official supported solution to do ADFS Proxy (version 2019 or later) load balancing with Advanced WAF protecions? If there isn't, should we still use the last version of the iApp Templates instead?SSL Bridging and X fwd for ADFS
We currently have a VIP configured for external ADFS that is doing SSL passthrough. We are trying to utilize the X Forwarded for header with SSL bridging however during our change neither the SSL bridging or the x forwarded for option was sucessfull. When applying either or both config that traffic would fail and the web page would show page unreachable. Does anyone have any expereience with this type of change
How to create an APM policy for on-prem application that uses SAML
Hello, I would like some guide on how to configure and APM policy and SSO. Basicalli, present a portal to force authentication when accessing https://mysite.example.com for example https://mysite.example.com is an on-prem application which is configure for ADFS saml authentication on an external IdP. Before putting an APM policy the traffic flow goes as follows. User access https://mysite.example.com (this app is behind f5 LTM) mysite.example.com redirects user to authenticate to myadfs.example.com and gets prompted by ADFS for username and password. myadfs.example.com authenticates and redirects back to mysite.example.com User is able to access mysite.example.com. After adding APM policy the traffic flow goes as follows. User access https://mysite.example.com (this app is behind f5 LTM) F5 presents a prompt for username and password (AD authentication) User is successful authenticated. Access is granted to https://mysite.example.com mysite.example.com redirects user to authenticate to myadfs.example.com ("AGAIN", can this be prevented since they already authenticated) and gets prompted by ADFS for username and password. myadfs.example.com authenticates and redirects back to mysite.example.com User is able to access mysite.example.com. Any advice really appreciated. Python datetime (With Examples)ADFS load balancing using CNAME record but against MS guide lines?
We would like to load balance our ADFS using our BigIP load balancer. I'm not a networking guy or expert on BigIP so forgive me for any omissions/inaccuracies. The standard practice to load balance any Windows based service is to: Create a subzone of your DNS domain zone in question, e.g. lb.contoso.com Make the LBs authorative for this zone (i.e. they become the name servers) Within your contoso.com DNS zone, create a CNAME record of adfs.contoso.com mapping it to adfs.lb.contoso.com And finally configure your nodes inside BigIP However, MS explcitly state not to create a CNAME record for ADFS (and some other services too). Here is the snippet from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-requirements (AD FS 2016 Requirements). It says (see line in bold): DNS Requirements For intranet access, all clients accessing AD FS service within the internal corporate network (intranet) must be able to resolve the AD FS service name to the load balancer for the AD FS servers or the AD FS server. For extranet access, all clients accessing AD FS service from outside the corporate network (extranet/internet) must be able to resolve the AD FS service name to the load balancer for the Web Application Proxy servers or the Web Application Proxy server. Each Web Application Proxy server in the DMZ must be able to resolve AD FS service name to the load balancer for the AD FS servers or the AD FS server. This can be achieved using an alternate DNS server in the DMZ network or by changing local server resolution using the HOSTS file. For Windows Integrated authentication, you must use a DNS A record (not CNAME) for the federation service name. For user certificate authentication on port 443, "certauth.<federation service name>" must be configured in DNS to resolve to the federation server or web application proxy. For device registration or for modern authentication to on premises resources using pre-Windows 10 clients, "enterpriseregistration.<upn suffix>", for each UPN suffix in use in your organization, must be configured to resolve to the federation server or web application proxy. ADFS seems to be a popular and common service that is load balanced by BigIP appliances, but doesn't the method we have to use in BigIP contradict the above MS recommendation? Or is there something happening behind the scene which is transforming the request or performing some other magic to essentially make it look like a non CNAME based request? I would be extremely grateful for any input, thoughts or ideas. Thank you
Office 365's new "Modern Auth"
Hi All, We've just heard a rumor that Microsoft have released a new authentication model for Office 365 which they are using with Exchange Online and Skype for Business to start with. Now we have been told that with this new authentication model that ADFS being fronted by APM for authentication/acting as an ADFS proxy is not and will not be supported due to the change in the way authentication works. From what we can tell, it will only break application clients (ActiveSync/Office/Skype) that aren't just a web page, but we really don't have much detail. Does anyone have any experience with Office 365 off-prem setups and the new Modern Authentication model? Can anyone confirm that it doesn't in fact work? Is there anyone from F5 who has advice on if it's on the road map for being fixed/addressed/investigated? Thanks in advanced.Anyone tested F5 as a adfs proxy?
Hey, Currently we have deployed adfs using iApp template on our F5. Here F5 is just acting as reverse proxy and load balancing traffic between two of our adfs servers. Now we want to explore F5 as ADFS proxy option. Is anyone have worked on this or tested in LAB setup? Need your suggestions on this. I am very clear about configuration part. But need few more information like pros/cons of this deployment or anyone faced any kind of issues under this setup?
ADFS Proxy- first time setup
Very new to ADFS and SAML especially with dealing with the F5. I have business case to add ADFS to one of my current setups. My organization has ADFS setup and i have a few questions for the community. Do i first connect and test the application with our current ADFS setup to make sure it can work? Once the ADFS has been tested and working, do i then try to do ADFS proxy withthe setup? or do i skip step 1 and just start with the ADFS proxy first and try to get that to work with the application? I have seen a few online labs for ADFs proxy etc... but just wondering what the community thinks? looking to have it setup like this: User -> F5 (VIP with login portal) -> sends info to ADFS -> ADFS sends token to F5 -> traffic goes to VPN tunnel to actual portal -> accepts the ADFS token -> User is logged into the service. trying to keep the initial traffic going down the tunnel first and getting redirected back to the F5 for authentication.Authenticate APM Network Access Policy with ADFS
I am struggling to understand the instructions to configure the authentication method for an APM VPN Network Access Policy and ADFS. We have an HA pair that is not licensed for LTM so I cannot use the iApp, I just upgraded the pair to 14.1.2 and am looking at this guide: https://techdocs.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-1-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_Access_Policy_Manager__Authentication_and_Single_Sign-On.pdf Instead of pointing to our internal AD servers I would like to point to our public ADFS domain, is this possible?
