F5 and WIF

Hi t,

 

 

Have you been able to analyze the traffic with HTTPWatch, Fiddler, or something of the like to verify that the STS is providing a cookie with the token to the client and the client is including the cookie when it connects to the service? Additionally, I would check:

 

 

* Verify the trust relationship between the IDP and RP;

 

 

* Reconfigure the RP to use SSL as well as the IDP & RP, (I think you mentioned it is listening on port 80). I know the RP and IDPs require SSL, not sure the target service does but worth a try.

 

 

* Check the persistence method on the Big-IP(s). If they are configured to use cookie persistence, try switching to another method, (source based perhaps) and test. The persistence cookie may be causing an conflict.

 

 

I have performed setups of ADFS servers, (both IDP and RP roles), as well as ADFS enabled web apps behind Big-IPs. I've used both SSL tunneling, (SSL pass-through) and SSL bridging, (SSL decryption and re-encrytion at the Big-IP) for both the connectin to the IDP/RP and web servers. However, I have not used SSL offloading, (decrypting SSL traffic and passing in to web servers on http.

 

 

If you are still having issues can you get a copy, (or screenshot) of the Big-IP virtual server configs?

 

 

 

Thanks,

 

 

Greg Coward

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Thanks for responding. I was actually able to resolve this. Turns out the web application itself was forcing https. Since we were attempting to run port 80, with encryption/decryption at the F5, it kept getting redirected back out to the F5. We have (temporarily) disabled encryption/decription at the F5 and have configured the web sites for 443.

 

 

There were other things we needed to do to get WIF working with F5 (moving to RSA, etc.), but this particular issue was not WIF-related.