The BIG-IP with APM has now become SAML, (claims) aware! “SAML” not “self-aware”. No need to start worrying about Skynet and Arnold Schwarzenegger kicking in your door, (except for you Sarah Connor). This is a good thing! If you need to federate your organization with Office 365, this is a very good thing.

With the release of ver. 11.3, BIG-IP with APM, (Access Policy Manager) now includes full SAML support on the box. What does that mean? Well, rather than relying upon an external resource such as ADFS to issue security tokens, (used to present/consume claims with a federation partner), the BIG-IP becomes the federation endpoint for the organization. Check out here for more information on federation.
When it comes to Office 365, not only has the infrastructure required to federate your organization been dramatically reduced, the configuration required has been simplified. Available in our community codeshare forum is an iApp as well as guidance specifically designed for deploying the BIG-IP as a federation IdP, (identity provider) for Office 365. Now federating with Office 365 is as simple as answering a few questions and entering a few PowerShell commands to configure the Office 365 side.
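The "few PowerShell commands" on the Office 365 side boil down to converting the verified custom domain from managed to federated authentication and pointing it at the IdP's SAML endpoints and signing certificate. The following is an added example, not the article's own commands or part of the F5 iApp: it reads the values out of a SAML IdP metadata file exported from the BIG-IP and feeds them to the MSOnline module's Set-MsolDomainAuthentication cmdlet, then reads the settings back as a check. The domain name, metadata path and brand name are placeholders.

```powershell
# Added example (not from the original article or the F5 iApp): federate an
# Office 365 custom domain with an external SAML 2.0 IdP using the MSOnline module.
# The domain name, metadata path and brand name below are placeholders.

Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 admin credentials

$DomainName   = 'example.com'                     # placeholder: verified custom domain, not the initial *.onmicrosoft.com one
$MetadataPath = 'C:\temp\bigip-idp-metadata.xml'  # placeholder: IdP metadata exported from the BIG-IP

# Read the IdP metadata. PowerShell's XML adapter resolves elements by local
# name, so the md: and ds: namespace prefixes can be ignored.
[xml]$md = Get-Content -Path $MetadataPath
$idp = $md.EntityDescriptor
$sso = $idp.IDPSSODescriptor

# The IssuerUri must match the entityID the BIG-IP puts in the SAML assertion.
$IssuerUri = $idp.entityID

# Signing certificate: the KeyDescriptor marked use="signing" (or an unmarked one).
# Office 365 expects the base64 DER as a single line, so strip all whitespace.
$signingKey = @($sso.KeyDescriptor) |
    Where-Object { -not $_.use -or $_.use -eq 'signing' } |
    Select-Object -First 1
if (-not $signingKey) { throw "No signing KeyDescriptor found in $MetadataPath" }
$SigningCert = ($signingKey.KeyInfo.X509Data.X509Certificate -replace '\s', '')

# Browser (passive) logon uses the HTTP-POST binding of the IdP's SSO endpoint.
$PassiveLogOnUri = (@($sso.SingleSignOnService) |
    Where-Object { $_.Binding -like '*HTTP-POST' } |
    Select-Object -First 1).Location
if (-not $PassiveLogOnUri) { throw 'IdP metadata has no HTTP-POST SingleSignOnService' }

# Single logout is optional in metadata; only set it if the IdP advertises one.
$LogOffUri = (@($sso.SingleLogoutService) | Select-Object -First 1).Location

$params = @{
    DomainName                      = $DomainName
    Authentication                  = 'Federated'
    PreferredAuthenticationProtocol = 'SAMLP'
    IssuerUri                       = $IssuerUri
    PassiveLogOnUri                 = $PassiveLogOnUri
    SigningCertificate              = $SigningCert
    FederationBrandName             = 'BIG-IP APM'   # placeholder display name
}
if ($LogOffUri) { $params.LogOffUri = $LogOffUri }

# Convert the domain to federated authentication.
Set-MsolDomainAuthentication @params

# Check: what Office 365 now holds for the domain should match the metadata values.
Get-MsolDomainFederationSettings -DomainName $DomainName |
    Format-List IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol, FederationBrandName
```

The domain has to be verified in the tenant before it can be converted, and the IssuerUri and signing certificate must be exactly what the BIG-IP IdP emits, otherwise Office 365 rejects every assertion. The example sets only the passive (browser) endpoints that SAML metadata carries; it does not set -ActiveLogOnUri, the WS-Trust endpoint rich clients use, because that endpoint is not part of SAML metadata.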
To gain a better understanding of how we arrived here, (replacing ADFS), as well as to illustrate the benefit, let's take a look at how the solution has evolved.

Saying Goodbye to ADFS

Ensuring a Highly Available Architecture

Throughout this series, (links below), we've taken a look at how the F5 BIG-IP can add value to and enhance ADFS, (Active Directory Federation Services).
To get the ball rolling we looked at how the BIG-IP was able to provide a highly-available and scalable ADFS infrastructure, (refer to Figure 1). This included ensuring that both the ADFS proxy farm, located in the perimeter network, and the internal ADFS farm were available and that the traffic was optimized.

BIG-IP enhancements to the ADFS federation process:

Intelligent traffic management

• Advanced L7 health monitoring – (Ensures the ADFS service is responding)

• Cookie-based persistence

[Figure 1]

[Figure 2]

Enhancing Security and Streamlining ADFS

Building upon the previous solution, (load balancing the ADFS and ADFS Proxy layers), we implemented APM, (Access Policy Manager), (refer to Figure 2). By implementing APM on the F5 appliance(s) we not only eliminated the need for the additional ADFS proxy servers but, by implementing pre-authentication at the perimeter and advanced features such as client-side checks, (antivirus validation, firewall verification, etc.), arguably provided for a more secure deployment.

Additional BIG-IP enhancements to the ADFS federation process:

Enhanced Security

• Variety of authentication methods

• Client endpoint inspection

• Multi-factor authentication

Improved User Experience

• SSO across on-premise and cloud-based applications

• Single-URL access for hybrid deployments

Simplified Architecture

• Removes the ADFS proxy farm layer as well as the need to load balance the proxy farm

Eliminating the ADFS Infrastructure

Available with version 11.3, APM includes full SAML support. This allows the BIG-IP to not only authenticate the client connections with Active Directory, but act as the IdP or SP in the federation process. No longer will an organization be required to deploy an ADFS infrastructure for federation. Rather, the BIG-IP's role as an application delivery controller is expanded to include cloud-based resources, (including Office 365), as well as on-premise applications.

Additional BIG-IP enhancements to the ADFS federation process:

• Ability to act as IdP, (Identity Provider) for access to external claims-based resources including Office 365

• Act as service provider, (SP) to facilitate federated access to on-premise applications

• Streamlined architecture, (no need for the ADFS architecture)

• Simplified iApp deployment

Figure 3 shows a typical Office 365 client access process utilizing APM and SAML.

[Figure 3]

Additional Links:

Big-IP APM as SAML 2.0 IdP from Microsoft Office 365

SAML Federation with the BIG-IP

Big-IP and ADFS Part 1 – “Load balancing the ADFS Farm”

Big-IP and ADFS Part 2 – “APM–An Alternative to the ADFS Proxy”

Big-IP and ADFS Part 3 – “ADFS, APM, and the Office 365 Thick Clients”

Big-IP and ADFS Part 4 – “What about Single Sign-Out?”

BIG-IP Access Policy Manager (APM) Wiki Home - DevCentral Wiki


Comments on this Article
Comment made 21-Oct-2014 by scottm
Just a note that (at least as of Oct 2014) Lync, Excel, Word, etc cannot authenticate using SAML, so you still need ADFS.