Manual Chapter : APM as an Active Directory Federation Services (AD FS) Proxy

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 14.0.1, 14.0.0
Manual Chapter

APM as an Active Directory Federation Services (AD FS) Proxy

About APM support for AD FS proxy

Access Policy Manager (APM®) follows the Microsoft specification
[MS-ADFSPIP]: Active Directory Federation Services and Proxy Integration Protocol
so that APM can replace Microsoft Web Application Proxy (WAP) in the role of AD FS proxy. This includes enabling APM to be configured for client and device certificate authentication to AD FS. On top of that, APM can secure browser access to AD FS with an access policy.

AD FS versions that APM supports as an AD FS proxy

Access Policy Manager (APM®) can act as an AD FS proxy for AD FS versions 3.0 (on Windows Server 2012 R2) and 4.0 (on Windows Server 2016).

Overview: Configuring APM as an AD FS proxy

You can register Access Policy Manager (APM) with Microsoft Active Directory Federation Services (AD FS) as an AD FS proxy. Your remote users then go through APM before reaching the AD FS server or AD FS farm.

Configuring a pool of AD FS servers

You configure a pool with an AD FS server or with members of an AD FS farm for use with Access Policy Manager (APM) as an AD FS proxy.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pools list screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a name for the pool.
    Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
    The pool name is limited to 63 characters.
  4. In the Resources area in the
    New Members
    setting, add an ADFS server or add the ADFS servers for the ADFS farm that you want to include in the pool:
    1. Type an IP address in the
      Address
      field, or select a node address from the
      Node List
      .
    2. In the
      Service Port
      field, type
      443
      , which is the default; otherwise, type the port number configured for the ADFS server.
    3. Click
      Add
      .
  5. Click
    Finished
    .

Create a Client SSL profile

You create a Client SSL profile when you want the BIG-IP system to authenticate and decrypt/encrypt client-side application traffic.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. Configure all profile settings as needed.
  4. Click
    Finished
    .
After creating the Client SSL profile and assigning the profile to a virtual server, the BIG-IP system can apply SSL security to the type of application traffic for which the virtual server is configured to listen.

Configuring a server SSL profile for AD FS proxy

To complete this task, you need to know the FQDN for the AD FS server.
You configure a server SSL profile for use in a configuration where Access Policy Manager (APM) acts as an AD FS proxy.
When you enable trust between a virtual server and an AD FS server, APM generates a certificate of trust and a key and attaches them to the server SSL profile used on the virtual server. If you use a server SSL profile that already has a certificate attached to it, this action will detach the existing certificate and attach a newly generated self-signed certificate to the profile. The previously attached certificate is not deleted from the BIG-IP system.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Configuration
    list, select
    Advanced
    .
  5. Select the
    Custom
    check box.
    The settings become available for change.
  6. In
    Server Name
    , type the FQDN for the AD FS server.
  7. Click
    Finished
    .

Configuring a virtual server for AD FS proxy

To complete this task, you need to know the service port used on your AD FS server. The default port is 443, but yours might be different.
You configure a virtual server for AD FS proxy to process traffic going to an AD FS server or AD FS farm.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the
    Create
    button.
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address/Mask
    field, type the IP address that you want to use for the virtual server.
    For external users, the FQDN for the AD FS server should resolve into this IP address.
  5. For
    Service Port
    , type the port number that's used on the AD FS server.
  6. From the
    HTTP Profile
    list, select
    http
    .
  7. For the
    SSL Profile (Client)
    setting, move the client SSL profile you configured previously to the
    Available
    list.
  8. For the
    SSL Profile (Server)
    setting, move the server SSL profile you configured previously to the
    Available
    list.
  9. In the Access Policy area, for
    ADFS Proxy
    , select the
    Enabled
    check box.
  10. In the Resources area, from the
    Default Pool
    list, select the name of the pool that you created previously.
  11. Click
    Finished
    .
    The virtual server list displays.

Registering APM as an AD FS proxy

To complete this task, you must know the username and password for a local administrator account on the AD FS server.
You establish trust between a virtual server and an AD FS server so that your remote users can go through Access Policy Manager (APM) before reaching the AD FS server or AD FS farm.
If using redundant systems where the main system failed, trust cannot be established from the standby system; it fails with the error
Failed to establish ADFS trust relationship on the virtual server /Common/adfs_vs: Can't connect to ADFS
.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. Scroll to the Access Policy area.
  4. For
    ADFS Proxy
    :
    1. If the
      Enabled
      check box is cleared, select it.
    2. Click the
      Establish Trust
      button.
    3. In the
      Username
      and
      Password
      fields, type the credentials of a local administrator account on the AD FS server.
      APM uses the credentials while establishing trust, but does not store them.
      The AD FS server dictates the format for the user name.
    4. In
      Certificate Name
      , type a name.
      APM generates a self-signed certificate with this name, while establishing trust.
    5. Click
      OK
      .
    On success, a trust certificate name and expiration details display; otherwise, the message that APM receives from the AD FS server displays.
On success, APM adds the newly generated trust certificate and key to the server SSL profile for this virtual server. Any previously attached certificate and key are detached from the server SSL profile, but remain on the system. APM periodically renews the trust certificate.

Overview: Using alternate port for client certificate authentication (AD FS 3.0 or 4.0)

On an AD FS server, client certificate authentication enables a user to authenticate using, for example, a smart card. If your AD FS server (version 3.0 or 4.0) is configured to support client certificate authentication using an alternate port, you can use this implementation to enable an Access Policy Manager (APM) AD FS proxy to provide the same support.
If you have not already done so, configure APM as an AD FS proxy.

Configuring a client SSL profile

You configure a client SSL profile with
Client Certificate
set to
require
to support client certificate authentication in some cases.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Server SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. Next to Client Authentication, select the
    Custom
    check box.
    The settings become available.
  5. From
    Client Certificate
    list, select
    require
    .
  6. Configure other profile settings as needed.
  7. Click
    Finished
    .

Configuring a virtual server for client certificate authentication with AD FS proxy

Before you start this task, gather this information:
  • The service port that the AD FS server uses for certificate authentication. By default, it's 49443, but yours could be different.
  • The server SSL profile name and the pool name used by the virtual server that is already configured to serve as the AD FS proxy.
You configure a virtual server to support client certificate authentication on the AD FS proxy when the AD FS server provides this support using an alternate port.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the
    Create
    button.
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address/Mask
    field, type the IP address that you want to use for the virtual server.
    For external users, the FQDN for AD FS should resolve into this IP address.
  5. For
    Service Port
    , type the port number that's used for certificate authentication on the AD FS server.
  6. From the
    HTTP Profile
    list, select
    http
    .
  7. For the
    SSL Profile (Client)
    setting, move the client SSL profile you recently configured to the
    Selected
    list.
  8. For the
    SSL Profile (Server)
    setting, select the name of the server SSL profile that's used on the AD FS proxy virtual server and move it to the
    Selected
    list.
  9. In the Access Policy area, for
    ADFS Proxy
    , select the
    Enabled
    check box.
    You do not need to establish trust between this virtual server and the ADFS server. This virtual server uses the trust certificate that was generated on the other AD FS proxy-enabled virtual server.
  10. In the Resources area, from the
    Default Pool
    list, select the name of the pool that's used on the AD FS proxy virtual server.
  11. Click
    Finished
    .

Overview: Using alternate hostname for client certificate authentication (AD FS 4.0)

On an AD FS server, client certificate authentication enables a user to authenticate using, for example, a smart card. If your AD FS server (version 4.0) is configured to support client certificate authentication using an alternate hostname, you can use this implementation to enable an Access Policy Manager (APM) AD FS proxy to provide the same support.
If you have not already done so, configure APM as an AD FS proxy.

Creating a client SSL profile for client certificate authentication on the AD FS proxy

When the external AD FS server supports client certificate authentication using an alternate hostname, you can configure a client SSL profile to support client certificate authentication on Access Policy Manager (APM) as an AD FS proxy.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Configuration
    list, select
    Advanced
    .
  5. Select the
    Custom
    check box.
  6. In the
    Server Name
    field, type
    certauth.
    ADFSFQDN
    where
    ADFSFQDN
    is the FQDN for the AD FS server.
  7. Next to Client Authentication, select the
    Custom
    check box.
    The settings become available.
  8. From
    Client Certificate
    list, select
    require
    .
  9. Configure other profile settings as needed.
  10. Click
    Finished
    .

Adding a client SSL profile to the AD FS proxy

You add a client SSL profile to the virtual server that is configured as the AD FS proxy to support client certificate authentication.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select the name of the custom Client SSL profile you previously created, and move it to the
    Selected
    list.
  4. Click
    Finished
    .

Overview: Configuring APM to support AD F5 device registration (Workplace Join)

You can configure Access Policy Manager (APM®) to proxy device certificate authentication for devices that have already registered with AD FS for Microsoft Workplace Join.

Task summary

Importing a certificate from AD FS

Before you start this task, you must have the MS-Organization-Access certificate exported from the AD FS server. The certificate is located in the
AdfsTrustedDevices
folder of Local Computer certificate storage.
You import the MS-Organization-Access certificate to the BIG-IP system to support device registration through the AD FS proxy.
  1. On the Main tab, click
    System
    Certificate File Management
    Traffic Certificate Management
    SSL Certificate List
    .
    The SSL Certificate List screen opens.
  2. Click the
    Import
    button.
  3. From the
    Import Type
    list, select
    Certificate
    .
  4. For the
    Certificate Name
    setting:
    • If you are importing a new certificate, select
      Create New
      and type a unique name in the field.
    • If you are replacing an existing certificate, select
      Overwrite Existing
      and select a certificate name from the list.
  5. For the
    Certificate Source
    setting, select
    Upload File
    and browse to select the certificate you obtained from the vendor.
  6. Click
    Import
    .

Updating the client SSL profile for the AD FS proxy

Before you start this task, you need to know the name of the client SSL profile used on the virtual server that processes traffic as the AD FS proxy.
You update the client SSL profile to enable device certificate authentication through the AD FS proxy.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click the name of the profile that you want to modify.
  3. Next to Client Authentication, select the
    Custom
    check box.
    The settings become available.
  4. For
    Client Certificate
    , select the default value
    ignore
    .
  5. For
    Trusted Certificate Authorities
    and
    Advertised Certificate Authorities
    , select the previously imported "MS-Organization-Access" certificate.
  6. Click
    Update
    .

Creating a server SSL profile for AD FS device registration

To enable device registration through Access Policy Manager (APM) to AD FS (version 3.0), you need an additional server SSL profile with the settings specified in these steps.
You only need to create a server SSL profile for ADFS 3.0 on Windows Server 2012 R2.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Server SSL profile list screen opens.
  2. Click
    Create
    .
    The New Server SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Configuration
    list, select
    Advanced
    .
  5. Select the
    Custom
    check box.
  6. In the
    Server Name
    field, type
    enterpriseregistration.
    domainname
    where
    domainname
    is the domain name for the AD FS server.
    By default, the
    Default SSL Profile for SNI
    check box is cleared. Be sure to leave it that way.
  7. Click
    Finished
    .
You need the name of this server SSL profile to configure the iRule that's specified in a subsequent step.

Overview: Supporting device registration through the proxy to AD FS 3.0

On an AD FS server, device registration enables Microsoft Workplace Join. If you have AD FS version 3.0, you can use this implementation to enable Access Policy Manager (APM®) to support device registration.
If you have not already done so, configure APM as an AD FS proxy. Then complete these tasks.

Task summary

Creating a client SSL profile for AD FS device registration

To enable device registration through Access Policy Manager (APM) to AD FS (version 3.0), you need an additional client SSL profile with the settings specified in these steps.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    .
    The Client SSL profile list screen opens.
  2. Click
    Create
    .
    The New Client SSL Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Configuration
    list, select
    Advanced
    .
  5. Select the
    Custom
    check box.
  6. In the
    Server Name
    field, type
    enterpriseregistration.
    domainname
    where
    domainname
    is the domain name for the AD FS server.
    By default, the
    Default SSL Profile for SNI
    check box is cleared. Be sure to leave it that way.
  7. Next to Client Authentication, select the
    Custom
    check box.
    The settings become available.
  8. From
    Client Certificate
    list, select
    ignore
    .
  9. Click
    Finished
    .

Creating an iRule to support AD FS device registration

You configure this iRule to support device registration to AD FS version 3.0 through the AD FS proxy.
  1. On the Main tab, click
    Local Traffic
    iRules
    .
    The iRule List screen opens, displaying any existing iRules.
  2. Click
    Create
    .
    The New iRule screen opens.
  3. In the
    Name
    field, type a unique name for the iRule.
    The full path name of the iRule cannot exceed 255 characters.
  4. In the
    Definition
    field, type this text, making sure to replace
    enterprisereg-serverssl
    with the name of the server SSL profile you created previously.
    when HTTP_REQUEST { set useEnterpriseRegProfile [expr { [string tolower [HTTP::host]] starts_with "enterpriseregistration." }] } when SERVER_CONNECTED { if { $useEnterpriseRegProfile == 1 } { SSL::profile
    enterprisereg-serverssl
    } }
    For complete and detailed information about iRules syntax, see the F5 DevCentral web site
    http://devcentral.f5.com
    .
  5. Click
    Finished
    .
    The new iRule appears in the list of iRules on the system.

Updating a virtual server for AD FS device registration

You add more SSL profiles and an iRule to the virtual server that has established trust with AD FS version 3.0 to support device registration through the AD FS proxy.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select the name of the custom Client SSL profile you previously created, and move it to the
    Selected
    list.
  4. For the
    SSL Profile (Server)
    setting, from the
    Available
    list, select the name of the custom Server SSL profile you previously created, and move it to the
    Selected
    list.
  5. Click
    Finished
    .
  6. Once again, click the name of the virtual server.
  7. On the menu bar, click
    Resources
    .
  8. In the iRules area, click the
    Manage
    button.
  9. For the
    iRule
    setting, move the iRule that you configured previously to the
    Enabled
    list.
  10. Click
    Finished
    .

Overview: Securing browser access to AD FS with an access policy

To secure browser access to AD FS with an access policy, complete these tasks.
If you have not already configured Access Policy Manager (APM®) as an AD FS proxy, do so before you continue.

Configuring forms client-initiated SSO for AD FS

To support this configuration, make sure that the
Extranet
zone setting is configured to
Forms Authentication
only on the AD FS server.
You create a forms client-initiated SSO configuration with these settings when you want to secure browser access through Access Policy Manager (APM) as an AD FS proxy.
  1. On the Main tab, click
    Access
    Single Sign-On
    Forms - Client Initiated
    .
    The Forms - Client Initiated screen opens.
  2. Click
    Create
    .
    A Create New Forms-Client Initiated Configuration popup screen opens.
  3. In
    SSO Configuration Name
    , type a name.
  4. On the left, click
    Form Settings
    .
    New settings display on the right.
  5. Click
    Create
    .
    Another popup screen, Create New Form Definition, opens.
  6. In
    Form Name
    , type a name.
  7. On the left, click
    Request Detection
    and on the right in
    Request URI
    , type
    /adfs/ls
    .
  8. On the left, click
    Form Identification
    .
    1. On the right, from
      Identify Form by
      , select
      ID Attribute
      .
    2. In
      Form ID
      , type
      loginForm
      .
  9. On the left, click
    Form Parameters
    .
    You'll create two form parameters.
  10. On the right, click
    Create
    .
    1. For
      Form Parameter Name
      , type
      Password
      .
      The user interface might attempt to replace
      Password
      with
      password
      ; do not allow this. Case is important.
    2. For
      Form Parameter Value
      , type
      %{session.sso.token.last.password}
      .
    3. For
      Secure
      , select
      Yes
      .
    4. Click
      OK
      .
  11. On the right, click
    Create
    .
    1. For
      Form Parameter Name
      , type
      UserName
      .
      The user interface might attempt to replace
      UserName
      with
      username
      ; do not allow this. Case is important.
    2. For
      Form Parameter Value
      , type
      %{session.sso.token.last.username}
      .
    3. For
      Secure
      , retain the default value,
      No
      .
    4. Click
      OK
      .
  12. On the left, click
    Logon Detection
    .
    1. From
      Detect Login by
      , select
      Presence of Cookie
      .
    2. In
      Cookie Name
      , type
      MSISAuth
      .
    3. Click
      OK
      .
      The Create New Form Definition popup screen closes.
  13. Click
    OK
    .
    The Create New Form-Client Initiated Configuration popup screen closes. The new SSO configuration displays in the list.

Configuring an access profile for the AD FS proxy

You create an access profile so that you can add an SSO configuration to the AD FS proxy.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. In the
    Name
    field, type a name for the access profile.
    An access profile name must be unique among all per-session profile and per-request policy names.
  4. From
    Profile Type
    , select
    All
    .
  5. Scroll to the SSO Across Authentication Domains (Single Domain mode) area.
  6. From
    SSO Configuration
    , select the SSO configuration that you created previously.
  7. Click
    Finished
    .

Configuring an access policy for AD FS

To use an access policy to secure browser access through the AD FS proxy, you configure an access policy that authenticates users and supports SSO for them.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On a policy branch, click the
    (+)
    icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. Add a Logon Page to the policy.
    1. Click the
      (+)
      icon anywhere in the policy to add a new action item.
    2. On the Logon tab, select
      Logon Page
      and click the
      Add Item
      button.
      The Logon Page Agent properties screen opens.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  5. Add Active Directory authentication to the policy.
    1. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    2. On the Authentication tab, select
      AD Auth
      and click
      Add Item
      .
      A properties screen opens.
    3. From
      Server
      , select an Active Directory server to use for authentication.
    4. Click
      Save
      .
      The properties screen closes. The policy displays.
  6. Add SSO Credential Mapping to the policy.
    1. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    2. On the Assignment tab, select
      SSO Credential Mapping
      and click
      Add Item
      .
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  7. Click the
    Apply Access Policy
    link to apply and activate the changes to the policy.
To put the SSO configuration and the access policy into effect, add the access profile to the virtual server that established trust with AD FS and functions as the AD FS proxy.

Adding the access profile to the virtual server

You associate the access profile with the virtual server so that Access Policy Manager can apply the profile to incoming traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  4. Click
    Update
    to save the changes.
Your access policy is now associated with the virtual server.