F5 Networks makes a great application delivery controller called BIG-IP, also known as a load balancer. A feature of this platform is Access Policy Manager, or APM for short. A licensed APM module gives you the ability to use the F5 appliances as an SSL VPN, an application portal and a front-end proxy for various authentication methods. It really is quite powerful.

In today’s enterprise IT environment, pretty much everyone has a Microsoft Office 365 or Azure subscription, cloud man! Office 365 is pretty feature rich and cool to use. When you set up your on-premises Active Directory environment for single sign-on, you are required to install Microsoft Active Directory Federation Services (ADFS). Essentially this allows a user to log in to your Windows domain and, when they browse to O365, it logs them in automatically. OK, pretty standard stuff.

We use the F5 APM webtop feature as a web application single sign-on portal. Users can go to a URL anywhere they have Internet access and log in to the SSO portal. The portal gives users the ability to change expired passwords as well; such is the power of F5 APM. Recently I integrated this feature with on-premises ADFS and Office 365. We have direct icon links for the 365 Portal, Email and OneDrive. Since the user is already authenticated against AD, the session can be used for 365. Let me show you how:

Before we start, please note: using a webtop with ADFS does not require ADFS to be presented through an iApp on the F5. It just has to be on-net and reachable from the F5 self IP.

1. Under Access Policy > SSO Configurations > NTLMv1, create a NTLMv1 SSO configuration as below:

2. Under Access Policy > Portal Access > Portal Access List, create a new Portal Access List:

Set the application URI as follows (update the ADFS domain name; obviously yours is not contoso).

Office 365 Portal:
https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252FDefault.aspx%26lc%3D1033%26id%3D271345

Email (Outlook Online):
https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps://outlook.office365.com

OneDrive (edit the SharePoint URL to your own):
https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps://contsocom-my.sharepoint.com
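The three links above are ADFS WS-Federation sign-in URLs whose wctx parameter is itself a query string, which is why its contents appear percent-encoded twice (%3D, %26, and %252F in the Portal link). The following Python helper is an added example, not part of the original post and not F5 or Microsoft code: it builds such a link from an ADFS host and a wreply target, decodes one back through both encoding layers, and checks that wreply is an https URL on an expected Office 365 host. The Email and Portal links are copied from this page and used to confirm that the builder reproduces them byte for byte.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs, quote

# Two of the links from this page, copied verbatim; used below to confirm
# that the builder reproduces the same encoding.
EMAIL_LINK = ("https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0"
              "&wtrealm=urn:federation:MicrosoftOnline"
              "&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2"
              "%26ver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps://outlook.office365.com")
PORTAL_LINK = ("https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0"
               "&wtrealm=urn:federation:MicrosoftOnline"
               "&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2"
               "%26ver%3D6.1.6206.0%26wp%3DMCMBI"
               "%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252FDefault.aspx"
               "%26lc%3D1033%26id%3D271345")

# wctx parameters in the order the page's links use them (values from the page).
WCTX_DEFAULTS = [("MEST", "0"), ("LoginOptions", "2"), ("wa", "wsignin1.0"),
                 ("rpsnv", "2"), ("ver", "6.1.6206.0"), ("wp", "MCMBI")]


def build_smart_link(adfs_host, wreply, extra=None, encode_wreply=False):
    """Build an ADFS WS-Federation sign-in link for an Office 365 service.

    wctx is itself a query string, so it gets percent-encoded a second time
    when it is placed in the outer query: that is where %3D and %26 come from.
    encode_wreply=True additionally encodes the slashes inside wreply, which
    is how the page's Portal link is written (the Email link leaves them bare).
    """
    reply = quote(wreply, safe=":") if encode_wreply else wreply
    inner = WCTX_DEFAULTS + [("wreply", reply)] + list(extra or [])
    wctx = "&".join(f"{k}={v}" for k, v in inner)
    outer = urlencode([("wa", "wsignin1.0"),
                       ("wtrealm", "urn:federation:MicrosoftOnline"),
                       ("wctx", wctx)], safe=":/")
    return urlunsplit(("https", adfs_host, "/adfs/ls/", outer, ""))


def parse_smart_link(url):
    """Undo both encoding layers; return the outer parameters plus the
    decoded wctx dictionary."""
    parts = urlsplit(url)
    outer = {k: v[0] for k, v in parse_qs(parts.query).items()}
    inner = {k: v[0] for k, v in parse_qs(outer.get("wctx", "")).items()}
    return {"adfs_host": parts.hostname, "wa": outer.get("wa"),
            "wtrealm": outer.get("wtrealm"), "wctx": inner}


def wreply_allowed(url, allowed_hosts):
    """True when the link's wreply is an https URL on one of the expected
    Office 365 hosts. wreply is where ADFS sends the signed token, so a
    hand-edited link is worth checking against your tenant's hosts before
    it goes on the webtop."""
    wreply = parse_smart_link(url)["wctx"].get("wreply", "")
    target = urlsplit(wreply)
    return (target.scheme == "https" and target.hostname is not None
            and target.hostname.lower() in {h.lower() for h in allowed_hosts})


if __name__ == "__main__":
    print(build_smart_link("adfs.contoso.com", "https://outlook.office365.com") == EMAIL_LINK)
    print(parse_smart_link(PORTAL_LINK)["wctx"]["wreply"])
```

To produce a OneDrive link for your own tenant, call build_smart_link with your ADFS host and your tenant's -my.sharepoint.com URL as wreply, then run wreply_allowed with that host in the allow-list before publishing the icon.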

3. Add your ADFS server as the resource item. We are just going to pass authentication through, and the user will be redirected to the O365 service. Click the Add button and configure as below:

Configure the host as your ADFS host name, i.e. adfs.contoso.com, and the SSO configuration as the item you created in step 1.

4. Add your Portal resource to your access profile for webtop configuration. This is done in Access Policy > Access Profiles; edit the policy with the Visual Policy Editor.

5. Portal icons can be customized in Access Policy > Customization > General.

6. ADFS requires that TLS Server Name Indication (SNI) is set on all requests. Since we are using this with the APM webtop feature, you need to create a server SSL profile that sets the ADFS server name as the SNI. Browse to Local Traffic > Profiles > SSL > Server. Create a new profile and select Advanced. In the SNI field set the name to the ADFS server, such as adfs.contoso.com.
Edit the APM virtual server under Local Traffic > Virtual Servers > Virtual Server List and add the server SSL profile to the Selected list.

7. An iRule also needs to be created and attached to the VIP; it selects the server SSL profile when ADFS is accessed. Browse to Local Traffic > iRules. Below is an example.

when HTTP_REQUEST {
    # Keep the part of the URI before the first ":". For a request rewritten by
    # portal access this still begins with the /f5-w-<hex>$$/ origin prefix.
    set sslProfile [getfield [HTTP::uri] ":" 1]
}

when SERVER_CONNECTED {
    # The hex string is "https://adfs.contoso.com" as encoded by APM portal access;
    # adfs-contoso is the server SSL profile created in step 6 (name yours to match).
    if { $sslProfile starts_with "/f5-w-68747470733a2f2f616466732e636f6e746f736f2e636f6d$$/" } {
        #log local0. "One $sslProfile"
        SSL::profile adfs-contoso
    }
}

Apply this iRule as a resource to your APM portal virtual server.
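The iRule keys on a hex string that APM portal access prefixes to rewritten paths: 68747470733a2f2f616466732e636f6e746f736f2e636f6d is the ASCII hex of https://adfs.contoso.com. The following Python helper is an added example, not part of the original post and not F5 code: it computes that prefix for any origin so you can fill in the iRule for your own ADFS host, decodes a rewritten URI back to origin and path (rejecting malformed prefixes), and maps the origin to a server SSL profile name from an explicit table, which is the same decision the iRule makes. The profile name adfs-contoso and the profile table are assumptions for illustration.

```python
import re

# Shape of a URI rewritten by APM portal access: /f5-w-<hex of origin>$$/<path>
PREFIX_RE = re.compile(r"^/f5-w-([0-9a-fA-F]+)\$\$(/.*)$")


def portal_prefix(origin):
    """Return the /f5-w-<hex>$$/ prefix for an origin such as https://host.
    This is the constant the iRule's starts_with test compares against."""
    return "/f5-w-" + origin.encode("utf-8").hex() + "$$/"


def decode_portal_uri(uri):
    """Split a rewritten portal access URI into (origin, path).

    Returns None when the URI carries no f5-w prefix, when the hex is
    odd-length or not valid UTF-8, or when the decoded text is not an origin.
    """
    m = PREFIX_RE.match(uri)
    if not m:
        return None
    try:
        origin = bytes.fromhex(m.group(1)).decode("utf-8")
    except ValueError:          # covers odd-length hex and UnicodeDecodeError
        return None
    if "://" not in origin:
        return None
    return origin, m.group(2)


def select_server_ssl_profile(uri, profiles):
    """Mirror of the iRule's decision: the origin encoded in the request URI
    picks a server SSL profile from an explicit table; anything else returns
    None, meaning the virtual server's default profile applies."""
    decoded = decode_portal_uri(uri)
    if decoded is None:
        return None
    return profiles.get(decoded[0].lower())


if __name__ == "__main__":
    # Assumed table: origin -> server SSL profile name from step 6.
    table = {"https://adfs.contoso.com": "adfs-contoso"}
    uri = portal_prefix("https://adfs.contoso.com") + "adfs/ls/?wa=wsignin1.0"
    print(uri)
    print(select_server_ssl_profile(uri, table))
```

The prefix arrives in the client's request, so the mapping is an allow-list keyed on the exact decoded origin rather than a substring match; a request whose prefix decodes to any other origin falls through to the default server SSL profile.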

8. You must add the ADFS server URLs to the rewrite profile that is applied to the APM portal virtual server. Add both URLs, for example:
https://adfs.contoso.com/*
https://adfs.contoso.com:443/*

So there you have it; smart linking Office 365 apps with an F5 APM webtop via ADFS.