As I can not find this information in a single place, I registered just to add it to save the next person some grief.
It is possible to run a Server 2016 ADFS infrastructure behind an Nginx load balancer (side note: it is possible to do this in two hours flat when you find out you somehow accidentally upgraded said ADFS infrastructure from 2.0 to 4.0 because of a typo and watched your TMG fall apart). The trick is simple enough - the ADFS server expects server name indication (SNI) in the protocol.
We are using this for Adobe Creative Cloud, Google gSuite, and a number of smaller SAML compliant services. This isn't passing every URL through to ADFS, but you will need to check your own endpoint requirements to handle any outliers.
For completeness sake: Ubuntu 16.04.2 LTS installing nginx/1.10.0 (Ubuntu) from the default apt repositories.
The load balancing is handled by an upstream block:
upstream adfsservers {
server adfs01.dev.internal:443;
server adfs02.dev.internal:443;
}
The server block is a little bit "different". I believe that this could be done with hostname specific forwarding (in which case you just pass the entire location / to the upstream) but I've done it with location blocks because (as I said in my aside) I was looking for quick and working, rather than trying to dissect the various howtos and bits of documentation on hostname based upstreams. Now that I've got it working, it shouldn't be too hard to move to the hostname model.
Below is my server block. The source IP address (from the point of view of the ADFS farm) for the Nginx unit is 10.10.10.10. The location / block is because of the aforementioned unexpected upgrade - so I'm pushing everything else to the existing Threat Management Gateway at the 172.16.1.1 address.
Please note that if you decide to use this config "as is" - NTLM authentication will not work through to the TMG. As I understand it you'll need to use the non-free version of Nginx to handle that.
server {
listen 443 ssl default_server http2;
ssl_certificate /etc/nginx/ssl/wildcard.chain.pem;
ssl_certificate_key /etc/nginx/ssl/wildcard.key;
proxy_ssl_session_reuse off;
proxy_buffering off;
ssl_session_cache off; # Part of me questions this, but it's in my live and I haven't turned it on to test yet.
location /federationmetadata {
proxy_ssl_server_name on;
proxy_ssl_name adfs.example.com;
proxy_pass https://adfsservers;
proxy_set_header Host adfs.example.com;
proxy_set_header X-MS-Proxy 10.10.10.10;
proxy_http_version 1.1;
proxy_redirect off;
}
location /adfs {
proxy_ssl_server_name on;
proxy_ssl_name adfs.example.com;
proxy_pass https://adfsservers;
proxy_set_header Host adfs.example.com;
proxy_set_header X-MS-Proxy 10.10.10.10;
proxy_http_version 1.1;
proxy_redirect off;
}
location / {
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_ssl_server_name on;
proxy_ssl_name $host;
proxy_set_header Host $host;
proxy_pass https://172.16.1.1;
}
}
Everything about this could probably be enhanced, or at the least condensed. I leave it here simply to share that yes, it is possible to do this with ADFS 4.0 or ADFS 2016 and hopefully save others the trouble of looking quite so hard for what was going on. Finally, sorry about the formatting, too new to the forums to know how to format a code block properly!
It is possible to run a Server 2016 ADFS infrastructure behind an Nginx load balancer (side note: it is possible to do this in two hours flat when you find out you somehow accidentally upgraded said ADFS infrastructure from 2.0 to 4.0 because of a typo and watched your TMG fall apart). The trick is simple enough - the ADFS server expects server name indication (SNI) in the protocol.
We are using this for Adobe Creative Cloud, Google gSuite, and a number of smaller SAML compliant services. This isn't passing every URL through to ADFS, but you will need to check your own endpoint requirements to handle any outliers.
For completeness sake: Ubuntu 16.04.2 LTS installing nginx/1.10.0 (Ubuntu) from the default apt repositories.
The load balancing is handled by an upstream block:
upstream adfsservers {
server adfs01.dev.internal:443;
server adfs02.dev.internal:443;
}
The server block is a little bit "different". I believe that this could be done with hostname specific forwarding (in which case you just pass the entire location / to the upstream) but I've done it with location blocks because (as I said in my aside) I was looking for quick and working, rather than trying to dissect the various howtos and bits of documentation on hostname based upstreams. Now that I've got it working, it shouldn't be too hard to move to the hostname model.
Below is my server block. The source IP address (from the point of view of the ADFS farm) for the Nginx unit is 10.10.10.10. The location / block is because of the aforementioned unexpected upgrade - so I'm pushing everything else to the existing Threat Management Gateway at the 172.16.1.1 address.
Please note that if you decide to use this config "as is" - NTLM authentication will not work through to the TMG. As I understand it you'll need to use the non-free version of Nginx to handle that.
server {
listen 443 ssl default_server http2;
ssl_certificate /etc/nginx/ssl/wildcard.chain.pem;
ssl_certificate_key /etc/nginx/ssl/wildcard.key;
proxy_ssl_session_reuse off;
proxy_buffering off;
ssl_session_cache off; # Part of me questions this, but it's in my live and I haven't turned it on to test yet.
location /federationmetadata {
proxy_ssl_server_name on;
proxy_ssl_name adfs.example.com;
proxy_pass https://adfsservers;
proxy_set_header Host adfs.example.com;
proxy_set_header X-MS-Proxy 10.10.10.10;
proxy_http_version 1.1;
proxy_redirect off;
}
location /adfs {
proxy_ssl_server_name on;
proxy_ssl_name adfs.example.com;
proxy_pass https://adfsservers;
proxy_set_header Host adfs.example.com;
proxy_set_header X-MS-Proxy 10.10.10.10;
proxy_http_version 1.1;
proxy_redirect off;
}
location / {
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_ssl_server_name on;
proxy_ssl_name $host;
proxy_set_header Host $host;
proxy_pass https://172.16.1.1;
}
}
Everything about this could probably be enhanced, or at the least condensed. I leave it here simply to share that yes, it is possible to do this with ADFS 4.0 or ADFS 2016 and hopefully save others the trouble of looking quite so hard for what was going on. Finally, sorry about the formatting, too new to the forums to know how to format a code block properly!