Module: Deploy ADFS Proxy Services¶

Change Client to Point at BIG-IP ADFS Proxy Virtual Server¶

1. Double click the BIG-IP ADFS Load Balancer desktop shortcut

2. You should see that the HOSTS file now points ADFS at the load balancing virtual server (which is not yet created)

3. Close any open Chrome incognito windows
4. Open a new Chrome window if not already open
5. Right click the “ADFS Demo App” shortcut and open a new incognito window
   1. It should fail because you cannot access ADFS through the BIG-IP until you deploy the configuration.
   2. If it is still working, you may need to close Chrome and/or retry the HOSTS file shortcut.

Deploy ADFS iApp for ADFS Proxy (with MS-ADFSPIP support)¶

1. Open the BIG-IP configuration interface
2. Open iApps -> Application Services -> Applications
3. Click Create

Accept all default values except for those listed below.

4. Name: adfs-proxy
5. Template: f5.microsoft_adfs.v1.2.0rc7
6. Access Policy Manager (BIG-IP APM)
   1. Would you like to configure BIG-IP as an ADFS Proxy?
      1. Yes, configure BIG-IP as an ADFS Proxy
   2. What is the account to be used for establishing proxy trust with ADFS?
      1. admin@f5demo.com
   3. What is the password associated with that account?
      1. admin

Establishing trust with ADFS requires username in UPN or domain\username format. This is true whether in the iApp or establishing trust manually.

7. SSL Encryption
   1. Which SSL certificate do you want to use?
      1. internal-vlab.f5demo.com.crt
   2. Which SSL private key do you want to use?
      1. internal-vlab.f5demo.com.key

Note that this time we are doing SSL Bridging. This is required for the ADFS Proxy. Client certificate authentication can still be performed because BIG-IP supports MS-ADFSPIP.

8. High Availability

   1. What IP address do you want to use for the virtual server?

      1. 10.1.10.100

      10.1.10.x is the external/DMZ network in this environment. Notice this is .10 not .20 this time.

1. Which FQDN will clients use to access AD FS?
   1. adfs.vlab.f5demo.com
2. Which servers should be included in this pool?
   1. 10.1.20.6
   2. Click Add
   3. 10.1.20.7
3. What Trusted CA would you like to use to validate the client certificate chain presented during certificate authentication?
   1. F5demo-DC-CA.crt

This is the AD Certificates Services CA certificate for this environment that was used to issue the client certificates so that the client certificate auth can be verified. It was pre-imported for you.

9. Click Finished

Test the ADFS Proxy Forms Authentication Functionality¶

1. Close any open Chrome incognito windows
2. Open a new Chrome window if not already open
3. Right click the “ADFS Demo App” shortcut and open a new incognito window

If you do not get the ADFS logon page noted below wait 60-120 seconds for the ADFS servers to sync and try again. If you are still getting the error you may have cache problems. Double check that you have closed all other incognito windows before trying this, and you can clear cache and cookies by performing ctrl+shift+del and selecting “all time”.

1. This time instead of automatically authenticating with Windows Integrated Authentication you are presented with a forms login page. This is because ADFS is configured to require Forms auth for external users.
   1. Username: user@f5demo.com
   2. Password: user
   3. Click Sign In

1. You should see a set of claims displayed in the claims app at app.vlab.f5demo.com

1. Note that ADFS now identifies the user as outside the corporate network, knows that APM acted as an ADFS Proxy, knows the user’s true IP address, and that the user is now logging in with FormsAuthentication instead of WindowsAuthentication.
2. What happened:
   1. You made a request to App
   2. App redirected you to ADFS for authentication
   3. The BIG-IP received the request and load balanced it to one of the ADFS servers, as well as communicated data about the traffic using MS-ADFSPIP.
   4. The ADFS server determined that you should be authenticated using the extranet policy and sent back a logon page which the BIG-IP forwarded on to you.
   5. You submitted the forms and ADFS authenticated with your credentials
   6. ADFS redirected you back to App with a WS-Fed assertion
   7. App validated the assertion and displayed the claims it received from ADFS

Test the ADFS Proxy Certificate Authentication Functionality¶

1. Close any open Chrome incognito windows
2. Open a new Chrome window if not already open
3. Right click the “ADFS Demo App” shortcut and open a new incognito window

1. Click Sign in using an X.509 certificate

1. Note that you can configure ADFS extranet authentication settings to perform certificate authentication automatically. The ADFS server in this lab is setup to allow both forms and certificate authentication.

1. The certificate is already selected, click OK.

1. You should see a set of claims displayed in the claims app at app.vlab.f5demo.com

1. Note that ADFS now ADFS has identified the authentication type as CertificateAuthentication
2. What happened:
   1. You made a request to App
   2. App redirected you to ADFS for authentication
   3. The BIG-IP received the request and load balanced it to one of the ADFS servers, as well as communicated data about the traffic using MS-ADFSPIP.
   4. The ADFS server determined that you should be authenticated using the extranet policy and sent back a logon page which the BIG-IP forwarded on to you.
   5. You selected the Certificate Authentication, which caused you to be redirected to port 49443 where the BIG-IP performed certificate authentication
   6. BIG-IP forwarded on details about your authentication using MS-ADFSPIP to the ADFS server
   7. ADFS redirected you back to App with a WS-Fed assertion
   8. App validated the assertion and displayed the claims it received from ADFS

Review the ADFS Proxy Configuration¶

1. Go to Local Traffic -> Virtual Servers

2. Notice there are two adfs-proxy virtual servers deployed, one on port 443 and one on port 49443

   1. 443 is for ADFS traffic
      1. Pool members use port 443
   2. 49443 is for client certificate auth support
      1. Pool members use port 443
         1. This is different from the load balancing only, which pointed to port 49443. This is because the certificate auth is not passing through, BIG-IP is performing the certificate auth, then sending the data along to ADFS using MS-ADFSPIP.
   1. Click on the virtual server adfs-proxy_adfs_vs_443
      1. Scroll down and examine the Access Policy -> ADFS Proxy configuration item
         1. Note that ADFS Proxy functionality is enabled and a trust is established. The BIG-IP will auto-renew this prior to expiration.
         2. Note that no Access Profile is deployed. You can add one if desired for additional security. The iApp is capable of deploying it, along with the required bypass iRule for some URLs like the metadata sharing URL.
   2. Go to Local Traffic -> Profiles -> SSL -> Server and click adfs-proxy_server-ssl
      1. Note that a certificate and key are used on the server side. These are created as part of establishing the trust with the ADFS server as noted in the previous step and then automatically input here.
      2. This is shared by both the 443 and the 49443 virtual servers because they need the same settings to communicate with ADFS.
   3. Change configuration mode to advanced
      1. Note that the server name field contains adfs.vlab.f5demo.com. ADFS requires SNI and this is how you configure it on the serverssl profile.
   4. Go to Local Traffic -> Profiles -> SSL -> Client and click adfs-proxy_client-ssl-cert-auth
      1. This is the SSL profile that provides certificate auth on the port 49443 virtual server.
      2. Note that Client Certificate is set to required and the Trusted Certificate Authorities is set to f5demo-DC-CA.
      3. You could use Advertised Certified Authority here if you wanted the client to only display certificates generated by a specific CA. This could be your primary CA, or even a specific subordinate CA if you wanted to issue client certificate auth user certificates from a specific CA to reduce the number shown to the user.