A little while ago I wrote about impersonating Web Application Proxy to AD FS with KEMP’s simple header modification.
Since writing the blog on LinkedIn, I've received some queries asking whether this works when you want to process advanced AD FS claim rules, for example ones based on the forwarded client IP.
While the available documentation doesn't state it's possible, you can actually do it by going a bit beyond the normal specification with header injection.
Behind the scenes
The AD FS host expects the 'X-MS-Forwarded-Client-IP' header from KEMP. If this header is not present in the request and 'X-MS-PROXY' is, AD FS will just assume the client is from the extranet. In this scenario you can't use any advanced claim rules in AD FS that would rely on the public IP forwarded from the client.
As you all might know, it's pretty standard to include the 'X-Forwarded-For' header in requests terminated at the edge and then re-encrypted to the back end. Well… 🙂 we are going to use the same logic here, just applied in a slightly different way.
The trick
- Ask KEMP to add 'X-Forwarded-For (+ Via)' under 'Add HTTP Headers'
- Ask KEMP to copy 'X-Forwarded-For (+ Via)' to the header 'X-MS-Forwarded-Client-IP'
The result
Now the forwarded client IPs are part of the requests and can be used in advanced claim rules.
In the example, I've set AD FS to bypass MFA for a partner IP, i.e. when a partner user connects from a certain public IP. This all works now courtesy of the header modification provided by KEMP.
Hope this helps somebody substituting WAP with KEMP.
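To make the two header steps and the resulting claim rule concrete, here is an added Python model of the flow (not KEMP's or AD FS's code, and not from the original post): the edge appends the connecting peer to X-Forwarded-For, copies it into X-MS-Forwarded-Client-IP, and the AD FS side decides on MFA from that value. The partner network 203.0.113.0/24 and the proxy name are constructed values; the check deliberately uses the address the edge itself appended, since any earlier X-Forwarded-For entries arrive from the client and are untrusted.

```python
import ipaddress

# Constructed partner network for the MFA-bypass rule (hypothetical value).
PARTNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def edge_headers(peer_ip: str, inbound: dict) -> dict:
    """Model the KEMP steps: add X-Forwarded-For (appending the TCP peer),
    then copy it into X-MS-Forwarded-Client-IP for AD FS.
    Inbound X-MS-* headers are dropped so a client cannot supply them."""
    headers = {k: v for k, v in inbound.items()
               if not k.lower().startswith("x-ms-")}
    prior = inbound.get("X-Forwarded-For")
    xff = f"{prior}, {peer_ip}" if prior else peer_ip
    headers["X-Forwarded-For"] = xff
    headers["X-MS-Forwarded-Client-IP"] = xff
    headers["X-MS-Proxy"] = "kemp-lm"  # constructed proxy identifier
    return headers


def forwarded_client_ip(headers: dict):
    """Return the address the edge appended (rightmost entry).
    Earlier entries came from upstream and may be attacker-chosen."""
    value = headers.get("X-MS-Forwarded-Client-IP", "")
    last = value.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None  # header missing or malformed: treat as unknown


def mfa_required(headers: dict) -> bool:
    """Stand-in for the AD FS claim rule on the x-ms-forwarded-client-ip
    claim: skip MFA only when the proxy-asserted IP is a partner address."""
    ip = forwarded_client_ip(headers)
    if ip is None:
        return True
    return not any(ip in net for net in PARTNER_NETWORKS)
```

Without the header copy (only X-MS-Proxy present) the model falls back to requiring MFA, which mirrors the "assume extranet" behaviour described above.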
Br, Joosua