ADFS WAP behind Azure Application Gateway

Some time ago i wrote up a post (located here) explaining how you can setup traffic manager with ADFS and have proper monitoring of the service. Today i will go over how to setup ADFS behind the Azure Application Gateway. This will enable you to protect your ADFS service and monitor it with the WAF provided by the application gateway.

Before we begin one prerequisite which i am still not sure if its really needed but i had problems and i believe this fixed it:

You need to set the default HTTPS Binding, i believe this is required as i am not sure if the health probe is truly SNI compliant, i might be wrong here but it doesn’t hurt to set this. To set it you simply need to run the following command on the WAP servers (just change the cert hash):

Ones that’s done create a Application gateway in Azure and do the following:

1. Create a Frontend listener with thew following settings:
   • HTTPS Protocol
   • Listen on port 443
   • Multi-Site type, you can do basic but that will limit your application gateway to only the ADFS service for port 443
   • Provide a PFX file of your ADFS certificate. make sure you include the private key and a strong password
2. Create a Health Probe with thew following settings (just change the host):
   • 
   • The path (so you can copy and paste): /adfs/ls/IdpInitiatedSignOn.aspx
3. Create a HTTP Setting with thew following settings
   • HTTPS Protocol
   • Cookie based affinity: Disabled (you really don’t need that for ADFS)
   • Port 443
   • Export your ADFS certificate as a base 64 format (do not include the private key) and add it.
   • Tick the “Custom probe” and select the probe we created earlier
4. Create a Backendpool which includes all your WAP servers
5. Crete a Basic Rule using the objects created earlier.

And that’s it, this is not only a secure solution but it will give you a proper monitoring of both the WAP and ADFS servers. Works great with loadbalancing between on-prem and Azure.