
Microsoft Active Directory Federation Services (AD FS) iApp Template

Problem this snippet solves:

Use this iApp template for configuring standard load balancing, monitoring and TCP optimization for Microsoft Active Directory Federation Servers (AD FS and AD FS Proxy). If APM is provisioned, the template should support configuring pre-authentication for ADFS servers running in Windows Authentication mode. Minimum required BIG-IP version: 11.2.

If you are deploying APM for authentication proxy to AD FS services, you must enable Windows Authentication in the Intranet section of the AD FS Global Authentication Policy.

v1.2.0 iApps

v1.2.0rc1

Added support for ADFS 4.0

Made 49443 device registration/certificate authentication objects optional via a question.

Made ADFSPIP iRule automatic but only when APM set to yes.

Added support for an existing APM profile to be selected from within the iApp.

Added forms SSO for the /adfs/ls endpoint into the iApp via a question.

v1.2.0rc2

Fixed an "app_health__frequency variable not found" issue when using a custom monitor.

Added support for the case where a custom pool is chosen AND certificate authentication/device registration is set to yes: the iApp now displays an option for which pool to use for cert auth/device registration (as the ports would be different).

v1.1.0 iApps

v1.1.0rc2

Added certificate auth objects (49443) and MS-ADFSPIP headers iRule.

Added iRule to disable APM for MS Federation Gateway endpoint(s).

v1.0.0 iApps

v1.0.0rc1

Initial release.

v1.0.0rc2

Fixed an "iapp::template_start" error when importing the template.

v1.0.0rc3

Fixed a "runtime exceeded" error caused by incorrect syntax in external SNI monitor.

v1.0.0rc4

Corrected external monitor cURL command to fix issue with pool members being marked down incorrectly.

v1.0.0rc5

Added support for FastL4 deployment.

v1.0.0rc6

Fixed issue with broken APM Quick Start page previews.

v1.0.0rc7

Changes to external monitor script: removed verbose flag; corrected output redirection.

Fixed an issue with the associated cli script that could prevent users from importing iApp templates.

Official release of 1.0.0

The official F5 supported version of this iApp is now on downloads.f5.com. See https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17041.html for information. For the associated Deployment Guide, see http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf
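The release notes above track several fixes to the template's external SNI monitor (v1.0.0rc3, rc4 and rc7: a syntax error, the cURL command, the verbose flag and output redirection). The script below is an added illustration of the shape such a monitor takes; it is not the template's own monitor script. It probes the AD FS federation metadata document on a pool member while presenting the federation service name as the TLS SNI, and keeps everything but the final "up" off stdout, because BIG-IP treats any stdout output from an external monitor as a passing check (which is why a verbose cURL flag or stray redirection can mark members up or down incorrectly). The federation service name fs.example.com is a constructed placeholder; the script assumes BIG-IP passes the member address as $1 (IPv4 in IPv4-mapped form, e.g. ::ffff:10.0.0.10) and the port as $2, and that the system's curl supports --resolve.

```shell
#!/bin/sh
# Added example, not the iApp's own monitor: a BIG-IP-style external monitor
# that checks an AD FS farm member over TLS with the federation service name
# as SNI. Assumptions: BIG-IP passes address as $1 (IPv4 arrives IPv4-mapped,
# e.g. ::ffff:10.0.0.10) and port as $2; any text on stdout means UP, silence
# means DOWN; curl supports --resolve.
# FS_HOST is a constructed placeholder for the federation service name.
FS_HOST="${FS_HOST:-fs.example.com}"
METADATA_PATH="/FederationMetadata/2007-06/FederationMetadata.xml"

# BIG-IP hands IPv4 nodes to external monitors in IPv4-mapped form; curl's
# --resolve needs the bare address. IPv6 and plain IPv4 pass through unchanged.
strip_mapped_v4() {
    printf '%s\n' "$1" | sed 's/^::ffff://'
}

# Probe one member. --resolve pins the TCP connection to the member's IP while
# the URL keeps the federation service hostname, so SNI and the Host header
# match what AD FS expects. Only the HTTP status reaches stdout here, and it is
# captured by the caller, never printed: stderr is discarded because anything
# that leaks to stdout would count as UP.
run_probe() {
    curl -s -o /dev/null -m 5 \
        --resolve "${FS_HOST}:${2}:${1}" \
        -w '%{http_code}' \
        "https://${FS_HOST}:${2}${METADATA_PATH}" 2>/dev/null
}

# Decide UP/DOWN from the status code. Only a 200 on the metadata document
# counts; redirects, errors and an empty/000 code (connect or TLS failure)
# are DOWN.
classify_status() {
    case "$1" in
        200) echo up ;;
        *)   echo down ;;
    esac
}

monitor_main() {
    ip=$(strip_mapped_v4 "$1")
    port=$2
    pidfile="/var/run/$(basename "$0").${ip}_${port}.pid"
    # Kill a previous instance that overran the monitor interval, record ours.
    if [ -f "$pidfile" ]; then
        kill -9 "$(cat "$pidfile")" >/dev/null 2>&1
    fi
    echo $$ > "$pidfile"
    status=$(run_probe "$ip" "$port")
    rm -f "$pidfile"
    # Print "up" on success only; print nothing otherwise.
    if [ "$(classify_status "$status")" = up ]; then
        echo up
    fi
}

# BIG-IP always supplies address and port; with no arguments (for example when
# the file is sourced to test its functions) nothing is probed.
if [ $# -ge 2 ]; then
    monitor_main "$@"
fi
```

On the BIG-IP the file is imported as an external monitor program and attached to the AD FS pool; run by hand it takes the same two arguments, for example sh adfs_sni_monitor.sh ::ffff:10.0.0.10 443, and prints up or nothing at all.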

Comments on this Snippet
Comment made 28-Apr-2015 by dkorenko 0
What happened to v1.0.0rc5? This was previously visible. Is there a reason why it's been removed?
Comment made 29-Apr-2015 by mikeshimkus
It was removed by mistake. The updated template will be posted here ASAP.
Comment made 30-Apr-2015 by mikeshimkus
RC6 has been posted. If you see an "attachment not found" error, refresh the page.
Comment made 11-May-2015 by NDE 0
Has the RC6 been reposted?
Comment made 03-Jun-2015 by Cory 168
Error when enabling APM option. Successfully executed after template was modified (see line added below).

f5.microsoft_adfs.v1.0.0rc7
BIG-IP 11.6.0 Build 4.0.420 Hotfix HF4

Error: "script did not successfully complete: (can't read "advanced": no such variable"

    proc configure_apm { } {
        tmsh::include f5.iapp.1.2.0.cli
        set app $tmsh::app_name

        # APM
        # AAA config
        # array keys: $advanced,$::apm__ad_secure
        # <Added this line>
        set advanced [expr { [iapp_is ::basic__advanced "yes"] }]
        array set aaa_port {
Comment made 18-Jun-2015 by mikeshimkus
I don't get the same error when I try deploying with APM. Can you post the rest of the selections from your deployment, so we can try to replicate the error?
Comment made 10-Jul-2015 by Michael J. Prentice 1
I get the same error above as Cory, same version of BIG-IP. Here is the full error returned, at least for me.

    script did not successfully complete: (can't read "advanced": no such variable
        while executing
    "subst $aaa_port($advanced,$::apm__ad_secure)"
        invoked from within
    "iapp_conf create ltm monitor ldap ${app}_ldap base \"$::apm__ad_tree\" chase-referrals yes debug no defaults-from ldap destination *:[subst $aaa_port(..."
        invoked from within
    "subst $aaa_monitor($::apm__ad_monitor)"
        invoked from within
    "iapp_conf create ltm pool ${app}_aaa [iapp_pool_members $::apm__active_directory_servers -port any -aaa_pool] load-balancing-mode "round-robin" mon..."
        invoked from within
    "subst $aaa_pool($multiple_ad)"
        invoked from within
    "iapp_conf create apm aaa active-directory ${app}_apm_aaa \{ admin-encrypted-password [expr { $credentials ? "[iapp_make_safe_password $::apm__active..."
        invoked from within
    "subst $substa_out"
        invoked from within
    "if { [info exists [set substa_in]] } { set substa_out [subst $$substa_in] set substa_out [subst $substa_out] } else { ..."
        ("uplevel" body line 3)
        invoked from within
    "uplevel { append ::substa_debug "\n$substa_in" if { [info exists [set substa_in]] } { set substa_out [subst $$substa_in] ..."
        (procedure "iapp_substa" line 9)
        invoked from within
    "iapp_substa aaa_server($do_new_aaa)"
        (procedure "configure_apm" line 40)
        invoked from within
    "configure_apm"
        (procedure "configure_adfs_deployment" line 230)
        invoked from within
    "configure_adfs_deployment"
        line:557)
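Both reports above come down to the same Tcl mechanics: the template evaluates subst $aaa_port($advanced,$::apm__ad_secure), and building the array subscript already dereferences a variable advanced that is not set in the scope where the substitution runs, so the lookup fails before subst ever sees the stored string, exactly as the stack trace shows. The script below is an added, stand-alone reproduction of that failure mode and of the fix Cory describes; it is not the iApp's code. The aaa_port keys and port values are constructed for illustration, and a plain string compare stands in for the template's iapp_is helper.

```tcl
# Added example (not from the iApp): reproduce the "can't read advanced"
# failure and the fix of assigning the variable before the lookup.
# Keys follow the template's "$advanced,$::apm__ad_secure" shape; the values
# are constructed placeholders, not the template's real port table.
array set aaa_port {
    0,no    389
    0,yes   636
    1,no    {$::apm__ad_port}
    1,yes   {$::apm__ad_port}
}
set ::apm__ad_secure no
set ::apm__ad_port   3268

# Mirrors the template: the subscript is built from a local and a global,
# then the stored string is passed through subst so it can itself contain
# variable references.
proc lookup_port_unfixed {} {
    global aaa_port
    return [subst $aaa_port($advanced,$::apm__ad_secure)]
}

# Fixed variant: the caller supplies advanced, so the subscript resolves.
proc lookup_port_fixed {advanced} {
    global aaa_port
    return [subst $aaa_port($advanced,$::apm__ad_secure)]
}

# Unfixed: advanced is never set in this scope, so reading $advanced to form
# the array subscript fails before subst runs.
if {[catch {lookup_port_unfixed} err]} {
    puts "unfixed: $err"
}

# Fixed: derive advanced from the presentation-layer answer first. The iApp
# used [iapp_is ::basic__advanced "yes"]; a string compare stands in here.
set ::basic__advanced yes
set advanced [expr {$::basic__advanced eq "yes"}]
puts "fixed: [lookup_port_fixed $advanced]"
```

Run with tclsh: the first line reports the missing-variable error, the second resolves key 1,no to the string $::apm__ad_port and then, through subst, to the configured port.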
Comment made 08-Jun-2018 by Simon 233

Hi

Has anyone come across an issue where, when you select to use an existing access policy the F5 doesn’t return the response to the client?

We have the iapp deployed on v11.4.1

If we select no apm, then disable strict updates and manually apply our existing AP it works!?!?

Any thoughts?

Cheers Simon

Comment made 05-Sep-2018 by Martin 0

Hello,

In my opinion the Network part "Which VLANs transport client traffic?" isn't working correctly. If I select "no VLANs", no VLANs are selected in the Virtual Server either. The description says:

"If you do not move any VLANs to the Selected box, the BIG-IP system accepts traffic from all VLANs" - That's wrong!

Furthermore, I cannot add any Connectivity Profile to the Virtual Server VLAN section. The result is that VPN access to the VIP is not working.

Regards

Martin

Comment made 5 months ago by LRei76 79

Hi,

We have the same problem with the iApp. VLAN selection does not include the connectivity profiles needed for VPN access. Moving no VLAN into the box only uses 'all VLANs' but not any CP.

Any chance for implementing the CPs to the selection?

Regards, Lars
