We have successfully deployed ADFS v4 + WAP (on-prem Windows Server 2016) and we are publishing SharePoint 2016 and Skype for Business, and also using ADFS as an IdP to access quite a few cloud-based applications with SAML.
Now, in order to have SharePoint 2016 working properly, we have published it as "non-claims-aware" and it is using Kerberos/Windows integrated authentication instead, and we have NO issues.
You are probably aware that if we publish SharePoint as "claims-aware" we will encounter issues with the people picker, searches, etc. that don't work properly, and in order to address some of these issues we need to deploy a third-party claims provider app, LDAPCP, and MS clearly states "LDAPCP isn't a Microsoft product and isn't supported by Microsoft Support" - https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/implement-saml-based-authentication-in-sharepoint-server. So, this configuration was a no-go for our production environment.
Moving forward to 2021, we need to enhance security in our ADFS deployment, so we are looking for different ways to protect our ADFS+WAP environment, and so far the only way we found, and it is published on the MS site as well, is that we can replace the WAP role with one of 2 third-party solutions:
- F5 BIG-IP (APM+LTM) or
- Citrix ADC (premium license); both solutions will add load balancing, WAF, etc.
So far, this is looking great! BUT, here is our huge headache: which of these 2 applications still has the option to keep using "non-claims-aware\Kerberos authentication" to publish applications? Or does MS have another way/workaround to add all these security features (WAF, DDoS protection, LB, etc.) to an ADFS+WAP farm?
Thanks and I look forward to hearing from you.
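A check worth running before replacing the WAP role with another publishing layer: inventory what the current WAP actually publishes, and for each application record whether ADFS pre-authentication is applied at the edge and whether the backend is reached with Kerberos (constrained delegation) or by pass-through. That is the list of behaviours a replacement must preserve. The script below is an added example, not code from the original post or from Microsoft; it assumes it runs on a Web Application Proxy server where the WebApplicationProxy module is available, and it reads only the standard properties returned by Get-WebApplicationProxyApplication.

```powershell
# Added example: inventory WAP-published applications and their authentication modes.
# Assumes execution on a WAP server with the WebApplicationProxy module installed.
Import-Module WebApplicationProxy

$apps = Get-WebApplicationProxyApplication

$report = foreach ($app in $apps) {
    [pscustomobject]@{
        Name         = $app.Name
        ExternalUrl  = $app.ExternalUrl
        BackendUrl   = $app.BackendServerUrl
        Preauth      = $app.ExternalPreauthentication       # e.g. ADFS or PassThrough
        BackendAuth  = $app.BackendServerAuthenticationMode # NoAuthentication or IntegratedWindowsAuthentication
        BackendSpn   = $app.BackendServerAuthenticationSPN  # populated when KCD to the backend is configured
        RelyingParty = $app.ADFSRelyingPartyName            # the ADFS relying party, if pre-auth is ADFS
    }
}

# Full inventory, grouped by pre-authentication mode.
$report | Sort-Object Preauth, Name | Format-Table -AutoSize

# Applications published as PassThrough receive no ADFS pre-authentication at the edge,
# so the backend alone enforces authentication; list them for review.
$passThrough = @($report | Where-Object { $_.Preauth -eq 'PassThrough' })
if ($passThrough.Count -gt 0) {
    Write-Warning ("{0} application(s) are published without ADFS pre-authentication" -f $passThrough.Count)
    $passThrough | Select-Object Name, ExternalUrl, BackendUrl | Format-Table -AutoSize
}

# A non-claims-aware application like the SharePoint setup described in the post should
# appear with BackendAuth = IntegratedWindowsAuthentication and a non-empty BackendSpn.
$kcdApps = @($report | Where-Object { $_.BackendAuth -eq 'IntegratedWindowsAuthentication' })
Write-Output ("{0} application(s) depend on Kerberos constrained delegation to the backend" -f $kcdApps.Count)
$kcdApps | Select-Object Name, BackendSpn, RelyingParty | Format-Table -AutoSize
```

The two filtered lists are the ones to hand to whoever evaluates the replacement: every entry in the KCD list needs the new edge device to perform Kerberos constrained delegation to the same SPN, and every entry in the pass-through list is a place where the edge currently enforces no authentication at all, which is worth reconsidering while the design is being changed anyway.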