Manual Chapter : APM as an Active Directory Federation Services AD FS Proxy

Applies To:

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

APM as an Active Directory Federation Services (AD FS) Proxy

About APM support for AD FS proxy

Access Policy Manager (APM) follows the Microsoft specification [MS-ADFSPIP]: Active Directory Federation Services and Proxy Integration Protocol so that APM can replace Microsoft Web Application Proxy (WAP) in the role of AD FS proxy. This includes enabling APM to be configured for client and device certificate authentication to AD FS. On top of that, APM can secure browser access to AD FS with an access policy.

AD FS versions that APM supports as an AD FS proxy

Access Policy Manager (APM) can act as an AD FS proxy for AD FS versions 3.0 (on Windows Server 2012 R2) and 4.0 (on Windows Server 2016).

Overview: Configuring APM as an AD FS proxy

You can register Access Policy Manager (APM) with Microsoft Active Directory Federation Services (AD FS) as an AD FS proxy. Your remote users then go through APM before reaching the AD FS server or AD FS farm.

Configuring a pool of AD FS servers

You configure a pool with an AD FS server or with members of an AD FS farm for use with Access Policy Manager (APM) as an AD FS proxy.
  1. On the Main tab, click Local Traffic > Pools .
    The Pools list screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a name for the pool.
    Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
    Important: The pool name is limited to 63 characters.
  4. In the Resources area, in the New Members setting, add the AD FS server, or each AD FS server of the AD FS farm, that you want to include in the pool:
    1. Type an IP address in the Address field, or select a node address from the Node List.
    2. In the Service Port field, type 443 (the default), or the port number that is configured on the AD FS server if it differs.
    3. Click Add.
  5. Click Finished.

Create a Client SSL profile

You create a Client SSL profile when you want the BIG-IP system to authenticate and decrypt/encrypt client-side application traffic.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. Configure all profile settings as needed.
  4. Click Finished.
After creating the Client SSL profile and assigning the profile to a virtual server, the BIG-IP system can apply SSL security to the type of application traffic for which the virtual server is configured to listen.

Configuring a server SSL profile for AD FS proxy

To complete this task, you need to know the FQDN for the AD FS server.
You configure a server SSL profile for use in a configuration where Access Policy Manager (APM) acts as an AD FS proxy.
Note: When you enable trust between a virtual server and an AD FS server, APM generates a certificate of trust and a key and attaches them to the server SSL profile used on the virtual server. If you use a server SSL profile that already has a certificate attached to it, this action will detach the existing certificate and attach a newly generated self-signed certificate to the profile. The previously attached certificate is not deleted from the BIG-IP system.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The Server SSL profile list screen opens.
  2. Click Create.
  3. In the Name field, type a unique name for the profile.
  4. From the Configuration list, select Advanced.
  5. Select the Custom check box.
    The settings become available for change.
  6. In Server Name, type the FQDN for the AD FS server.
  7. Click Finished.

Configuring a virtual server for AD FS proxy

To complete this task, you need to know the service port used on your AD FS server. The default port is 443, but yours might be different.
You configure a virtual server for AD FS proxy to process traffic going to an AD FS server or AD FS farm.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type the IP address that you want to use for the virtual server.
    Note: For external users, the FQDN for the AD FS server should resolve to this IP address.
  5. For Service Port, type the port number that's used on the AD FS server.
  6. From the HTTP Profile (Client) list, select a previously-created HTTP/2 profile for client-side traffic.
  7. For the SSL Profile (Client) setting, move the client SSL profile you configured previously to the Selected list.
  8. For the SSL Profile (Server) setting, move the server SSL profile you configured previously to the Selected list.
  9. In the Access Policy area, for ADFS Proxy, select the Enabled check box.
  10. In the Resources area, from the Default Pool list, select the name of the pool that you created previously.
  11. Click Finished.
    The virtual server list displays.

Registering APM as an AD FS proxy

To complete this task, you must know the username and password for a local administrator account on the AD FS server.
You establish trust between a virtual server and an AD FS server so that your remote users can go through Access Policy Manager (APM) before reaching the AD FS server or AD FS farm.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. Scroll to the Access Policy area.
  4. For ADFS Proxy:
    1. If the Enabled check box is cleared, select it.
    2. Click the Establish Trust button.
    3. In the Username and Password fields, type the credentials of a local administrator account on the AD FS server.
      Important: APM uses the credentials while establishing trust, but does not store them.
      The AD FS server dictates the format for the user name.
    4. In Certificate Name, type a name.
      APM generates a self-signed certificate with this name, while establishing trust.
    5. Click OK.
    On success, a trust certificate name and expiration details display; otherwise, the message that APM receives from the AD FS server displays.
On success, APM adds the newly generated trust certificate and key to the server SSL profile for this virtual server. Any previously attached certificate and key are detached from the server SSL profile, but remain on the system. APM periodically renews the trust certificate.

Overview: Using alternate port for client certificate authentication (AD FS 3.0 or 4.0)

On an AD FS server, client certificate authentication enables a user to authenticate using, for example, a smart card. If your AD FS server (version 3.0 or 4.0) is configured to support client certificate authentication using an alternate port, you can use this implementation to enable an Access Policy Manager (APM) AD FS proxy to provide the same support.

If you have not already done so, configure APM as an AD FS proxy.

Configuring a client SSL profile

You configure a client SSL profile with Client Certificate set to require so that APM demands a client certificate from users who connect on the alternate port used for client certificate authentication.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Next to Client Authentication, select the Custom check box.
    The settings become available.
  5. From Client Certificate list, select require.
  6. Configure other profile settings as needed.
  7. Click Finished.

Configuring a virtual server for client certificate authentication with AD FS proxy

Before you start this task, gather this information:
  • The service port that the AD FS server uses for certificate authentication. By default, it's 49443, but yours could be different.
  • The server SSL profile name and the pool name used by the virtual server that is already configured to serve as the AD FS proxy.
You configure a virtual server to support client certificate authentication on the AD FS proxy when the AD FS server provides this support using an alternate port.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type the IP address that you want to use for the virtual server.
    For external users, the FQDN for AD FS should resolve to this IP address.
  5. For Service Port, type the port number that's used for certificate authentication on the AD FS server.
  6. From the HTTP Profile (Client) list, select a previously-created HTTP/2 profile for client-side traffic.
  7. For the SSL Profile (Client) setting, move the client SSL profile you recently configured to the Selected list.
  8. For the SSL Profile (Server) setting, select the name of the server SSL profile that's used on the AD FS proxy virtual server and move it to the Selected list.
  9. In the Access Policy area, for ADFS Proxy, select the Enabled check box.
    Note: You do not need to establish trust between this virtual server and the ADFS server. This virtual server uses the trust certificate that was generated on the other AD FS proxy-enabled virtual server.
  10. In the Resources area, from the Default Pool list, select the name of the pool that's used on the AD FS proxy virtual server.
  11. Click Finished.

Overview: Using alternate hostname for client certificate authentication (AD FS 4.0)

On an AD FS server, client certificate authentication enables a user to authenticate using, for example, a smart card. If your AD FS server (version 4.0) is configured to support client certificate authentication using an alternate hostname, you can use this implementation to enable an Access Policy Manager (APM) AD FS proxy to provide the same support.

If you have not already done so, configure APM as an AD FS proxy.

Creating a client SSL profile for client certificate authentication on the AD FS proxy

When the external AD FS server supports client certificate authentication using an alternate hostname, you can configure a client SSL profile to support client certificate authentication on Access Policy Manager (APM) as an AD FS proxy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Configuration list, select Advanced.
  5. Select the Custom check box.
  6. In the Server Name field, type certauth.ADFSFQDN, where ADFSFQDN is the FQDN for the AD FS server.
  7. Next to Client Authentication, select the Custom check box.
    The settings become available.
  8. From Client Certificate list, select require.
  9. Configure other profile settings as needed.
  10. Click Finished.

Adding a client SSL profile to the AD FS proxy

You add a client SSL profile to the virtual server that is configured as the AD FS proxy to support client certificate authentication.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the SSL Profile (Client) setting, from the Available list, select the name of the custom Client SSL profile you previously created, and move it to the Selected list.
  4. Click Finished.

Overview: Configuring APM to support AD FS device registration (Workplace Join)

You can configure Access Policy Manager® (APM®) to proxy device certificate authentication for devices that have already registered with AD FS for Microsoft Workplace Join.

Importing a certificate from AD FS

Before you start this task, you must have the MS-Organization-Access certificate exported from the AD FS server. The certificate is located in the AdfsTrustedDevices folder of Local Computer certificate storage.
You import the MS-Organization-Access certificate to the BIG-IP system to support device registration through the AD FS proxy.
  1. On the Main tab, click System > Certificate File Management > Traffic Certificate Management > SSL Certificate List .
    The SSL Certificate List screen opens.
  2. Click the Import button.
  3. From the Import Type list, select Certificate.
  4. For the Certificate Name setting:
    • If you are importing a new certificate, select Create New and type a unique name in the field.
    • If you are replacing an existing certificate, select Overwrite Existing and select a certificate name from the list.
  5. For the Certificate Source setting, select Upload File and browse to the MS-Organization-Access certificate that you exported from the AD FS server.
  6. Click Import.

Updating the client SSL profile for the AD FS proxy

Before you start this task, you need to know the name of the client SSL profile used on the virtual server that processes traffic as the AD FS proxy.
You update the client SSL profile to enable device certificate authentication through the AD FS proxy.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click the name of the profile that you want to modify.
  3. Next to Client Authentication, select the Custom check box.
    The settings become available.
  4. For Client Certificate, select the default value ignore.
  5. For Trusted Certificate Authorities and Advertised Certificate Authorities, select the previously imported "MS-Organization-Access" certificate.
  6. Click Update.

Creating a server SSL profile for AD FS device registration

To enable device registration through Access Policy Manager (APM) to AD FS (version 3.0), you need an additional server SSL profile with the settings specified in these steps.
Note: You only need to create a server SSL profile for ADFS 3.0 on Windows Server 2012 R2.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    The Server SSL profile list screen opens.
  2. Click Create.
    The New Server SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Configuration list, select Advanced.
  5. Select the Custom check box.
  6. In the Server Name field, type enterpriseregistration.domainname, where domainname is the domain name for the AD FS server.
    By default, the Default SSL Profile for SNI check box is cleared. Be sure to leave it that way.
  7. Click Finished.
You need the name of this server SSL profile to configure the iRule that's specified in a subsequent step.

Overview: Supporting device registration through the proxy to AD FS 3.0

On an AD FS server, device registration enables Microsoft Workplace Join. If you have AD FS version 3.0, you can use this implementation to enable Access Policy Manager® (APM®) to support device registration.

If you have not already done so, configure APM as an AD FS proxy. Then complete these tasks.

Creating a client SSL profile for AD FS device registration

To enable device registration through Access Policy Manager (APM) to AD FS (version 3.0), you need an additional client SSL profile with the settings specified in these steps.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Configuration list, select Advanced.
  5. Select the Custom check box.
  6. In the Server Name field, type enterpriseregistration.domainname, where domainname is the domain name for the AD FS server.
    By default, the Default SSL Profile for SNI check box is cleared. Be sure to leave it that way.
  7. Next to Client Authentication, select the Custom check box.
    The settings become available.
  8. From Client Certificate list, select ignore.
  9. Click Finished.

Creating an iRule to support AD FS device registration

You configure this iRule to support device registration to AD FS version 3.0 through the AD FS proxy.
  1. On the Main tab, click Local Traffic > iRules .
    The iRule List screen opens, displaying any existing iRules.
  2. Click Create.
    The New iRule screen opens.
  3. In the Name field, type a unique name for the iRule.
    The full path name of the iRule cannot exceed 255 characters.
  4. In the Definition field, type this text, making sure to replace enterprisereg-serverssl with the name of the server SSL profile you created previously.
      # Remember whether this request is for the device-registration hostname.
      when HTTP_REQUEST {
          set useEnterpriseRegProfile [expr {
              [string tolower [HTTP::host]] starts_with "enterpriseregistration." }]
      }
      # Once the server-side connection is up, switch those requests to the
      # dedicated server SSL profile (Server Name enterpriseregistration.domainname).
      when SERVER_CONNECTED {
          if { $useEnterpriseRegProfile == 1 } {
              SSL::profile enterprisereg-serverssl
          }
      }
    For complete and detailed information about iRules syntax, see the F5 DevCentral web site http://devcentral.f5.com.
  5. Click Finished.
    The new iRule appears in the list of iRules on the system.

Updating a virtual server for AD FS device registration

You add more SSL profiles and an iRule to the virtual server that has established trust with AD FS version 3.0 to support device registration through the AD FS proxy.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the SSL Profile (Client) setting, from the Available list, select the name of the custom Client SSL profile you previously created, and move it to the Selected list.
  4. For the SSL Profile (Server) setting, from the Available list, select the name of the custom Server SSL profile you previously created, and move it to the Selected list.
  5. Click Finished.
  6. Once again, click the name of the virtual server.
  7. On the menu bar, click Resources.
  8. In the iRules area, click the Manage button.
  9. For the iRule setting, move the iRule that you configured previously to the Enabled list.
  10. Click Finished.

Overview: Securing browser access to AD FS with an access policy

To secure browser access to AD FS with an access policy, complete these tasks.

Note: If you have not already configured Access Policy Manager® (APM®) as an AD FS proxy, do so before you continue.

Configuring forms client-initiated SSO for AD FS

To support this configuration, make sure that the Extranet zone setting is configured to Forms Authentication only on the AD FS server.
You create a forms client-initiated SSO configuration with these settings when you want to secure browser access through Access Policy Manager (APM) as an AD FS proxy.
  1. On the Main tab, click Access > Single Sign-On > Forms - Client Initiated .
    The Forms - Client Initiated screen opens.
  2. Click Create.
    A Create New Forms-Client Initiated Configuration popup screen opens.
  3. In SSO Configuration Name, type a name.
  4. On the left, click Form Settings.
    New settings display on the right.
  5. Click Create.
    Another popup screen, Create New Form Definition, opens.
  6. In Form Name, type a name.
  7. On the left, click Request Detection and on the right in Request URI, type /adfs/ls.
  8. On the left, click Form Identification.
    1. On the right, from Identify Form by, select ID Attribute.
    2. In Form ID, type loginForm.
  9. On the left, click Form Parameters.
    You'll create two form parameters.
  10. On the right, click Create.
    1. For Form Parameter Name, type Password.
      The user interface might attempt to replace Password with password; do not allow this. Case is important.
    2. For Form Parameter Value, type %{session.sso.token.last.password}.
    3. For Secure, select Yes.
    4. Click OK.
  11. On the right, click Create.
    1. For Form Parameter Name, type UserName.
      The user interface might attempt to replace UserName with username; do not allow this. Case is important.
    2. For Form Parameter Value, type %{session.sso.token.last.username}.
    3. For Secure, retain the default value, No.
    4. Click OK.
  12. On the left, click Logon Detection.
    1. From Detect Login by, select Presence of Cookie.
    2. In Cookie Name, type MSISAuth.
    3. Click OK.
      The Create New Form Definition popup screen closes.
  13. Click OK.
    The Create New Form-Client Initiated Configuration popup screen closes. The new SSO configuration displays in the list.
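As an added example that is not part of this manual, the following Python script checks a captured AD FS sign-in page and the Set-Cookie values of a post-logon response against the settings configured in this procedure (the /adfs/ls request URI, the loginForm form ID, the case-sensitive UserName and Password parameter names, and the MSISAuth cookie), including the case-sensitivity caveat from steps 10 and 11. The HTML and cookie values are constructed samples and adfs.example.com is a placeholder hostname.

```python
"""Added example (not F5 code): check a captured AD FS sign-in exchange against
the Forms - Client Initiated settings above (request URI, form ID, parameter
names, logon cookie). All HTML and cookie values here are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_URI = "/adfs/ls"                   # Request Detection
EXPECTED_FORM_ID = "loginForm"              # Form Identification (ID Attribute)
EXPECTED_PARAMS = {"UserName", "Password"}  # Form Parameters, sent verbatim by APM
LOGON_COOKIE = "MSISAuth"                   # Logon Detection (Presence of Cookie)


class FormScanner(HTMLParser):
    """Collects, per <form id>, the name of every <input> inside that form."""
    def __init__(self):
        super().__init__()
        self.forms = {}       # form id -> list of input names
        self._current = None  # id of the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id", "")
            self.forms.setdefault(self._current, [])
        elif tag == "input" and self._current is not None and a.get("name"):
            self.forms[self._current].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_request_uri(url):
    """True if the sign-in request path is /adfs/ls (query and trailing slash ignored)."""
    return urlsplit(url).path.rstrip("/") == EXPECTED_URI


def check_login_form(html):
    """Returns (form_found, exact_matches, case_problems).
    A name in case_problems (e.g. 'username') differs from the expected
    parameter only by case; APM submits the configured name verbatim, so
    such a field would stay empty and the logon would fail."""
    scanner = FormScanner()
    scanner.feed(html)
    names = scanner.forms.get(EXPECTED_FORM_ID)
    if names is None:
        return False, [], []
    exact = set(names) & EXPECTED_PARAMS
    wanted = {p.lower() for p in EXPECTED_PARAMS}
    case_problems = sorted(n for n in names if n.lower() in wanted and n not in exact)
    return True, sorted(exact), case_problems


def logon_detected(set_cookie_values):
    """True only if some Set-Cookie value names the cookie MSISAuth exactly;
    a cookie whose name merely starts with MSISAuth does not count."""
    for value in set_cookie_values:
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        if name == LOGON_COOKIE:
            return True
    return False


# Constructed samples resembling an AD FS forms sign-in exchange.
SAMPLE_SIGNIN_URL = "https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:example:app"
SAMPLE_SIGNIN_HTML = """<html><body>
<form id="loginForm" method="post" action="/adfs/ls/?wa=wsignin1.0">
  <input id="userNameInput" name="UserName" type="email">
  <input id="passwordInput" name="Password" type="password">
  <input name="AuthMethod" type="hidden" value="FormsAuthentication">
  <input id="submitButton" type="submit" value="Sign in">
</form></body></html>"""
SAMPLE_LOGON_COOKIES = [
    "MSISAuthLookalike=1; path=/adfs",                          # must not count
    "MSISAuth=CONSTRUCTED-TOKEN; path=/adfs; secure; HttpOnly",  # real signal
]
```

Run the checks against a page and response captured from your own AD FS server before saving the form definition; a case mismatch reported by check_login_form means the Form Parameter Name must be corrected to what the server actually uses.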

Configuring an access profile for the AD FS proxy

You create an access profile so that you can add an SSO configuration to the AD FS proxy.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all per-session profile and per-request policy names.
  4. From Profile Type, select All.
  5. Scroll to the SSO Across Authentication Domains (Single Domain mode) area.
  6. From SSO Configuration, select the SSO configuration that you created previously.
  7. Click Finished.

Configuring an access policy for AD FS

To use an access policy to secure browser access through the AD FS proxy, you configure an access policy that authenticates users and supports SSO for them.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On a policy branch, click the (+) icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. Add a Logon Page to the policy.
    1. Click the (+) icon anywhere in the policy to add a new action item.
    2. On the Logon tab, select Logon Page and click the Add Item button.
      The Logon Page Agent properties screen opens.
    3. Click Save.
      The properties screen closes. The policy displays.
  5. Add Active Directory authentication to the policy.
    1. On a policy branch, click the plus symbol (+) to add an item to the policy.
    2. On the Authentication tab, select AD Auth and click Add Item.
      A properties screen opens.
    3. From Server, select an Active Directory server to use for authentication.
    4. Click Save.
      The properties screen closes. The policy displays.
  6. Add SSO Credential Mapping to the policy.
    1. On a policy branch, click the plus symbol (+) to add an item to the policy.
    2. On the Assignment tab, select SSO Credential Mapping and click Add Item.
    3. Click Save.
      The properties screen closes. The policy displays.
  7. Click the Apply Access Policy link to apply and activate the changes to the policy.
To put the SSO configuration and the access policy into effect, add the access profile to the virtual server that established trust with AD FS and functions as the AD FS proxy.

Adding the access profile to the virtual server

You associate the access profile with the virtual server so that the system can apply the profile to incoming traffic.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  4. Click Update to save the changes.
Your access policy is now associated with the virtual server.