Identity Federation and SSO for Microsoft and F5 Customers
Buiding on our momentum from Microsoft Ignite in September, there is cause for merriment for those of you using Microsoft Active Directory Federation Services (AD FS). I am sensing disbelief, but read on, I promise the is joy afoot.
What’s the big deal about AD FS? As you likely picked up from the title, AD FS is the Microsoft solution to implement identity federation and single sign-on (SSO) from the corporate network to intranet, extranet and cloud applications. This means that users can use their corporate login information to access applications outside of the organization. For example, AD FS enables your users to log in from the Microsoft/Windows environment and have seamless access to Office 365 and external applications like Salesforce or Box.
You’re probably thinking that enterprises have been doing this for years, this isn’t exciting. Where is the joy you promised? We’re getting to it, hang in there. Those familiar deploying AD FS are also likely familiar with Microsoft Web Application Proxy (WAP). WAP is Microsoft’s gateway product to allow external access to internal (behind the firewall) applications, like AD FS for example. WAP has specific support for AD FS using Active Directory Federation Services and Proxy Integration Protocol (MS-ADFSPIP, in what is sure to be the longest acronym appearing in this blog). This protocol enables the required mutual certificate-based authentication and the exchange of specific information between the AD FS server and the WAP.
External users must go through the WAP to access AD FS. WAP runs on Windows servers. This is the part that adds complexity and cost. These systems typically need to be load balanced and highly configured for security because they are exposed to the open internet, and you may need many of them for scale.
Here’s the good part: F5 has enabled the F5 BIG-IP platform to support MS-ADFSPIP, and it is the first non-Microsoft product to do so. What does this mean? F5 BIG-IP with the Access Policy Manager (APM) can replace the WAP servers and the load balancers that support them. You can proxy AD FS with a secure solution that was designed to be exposed to the internet. With F5 as the AD FS proxy, you can reduce the number of servers in the DMZ, simplify the deployment, scale faster, and still have full support for MS-ADFSPIP.
You can check out the Microsoft Ignite session where Microsoft’s Samuel Devasahayan, Principal Group Program Manager - Identity Division, reveals the exciting news here. You can almost hear the tears of joy falling.