ADFS for SSO authentication against multiple domains

I am looking to create a tiered server structure for SSO authentication that spans multiple domains.  None of the domains will be in the same forest nor will there be domain trusts established.  However, the plan is that ADFS will be configured at each domain to allow trusted communication for user authentication.

I am very new to ADFS but I do have a test environment working with a top-level ADFS domain to a mock service provider (also ADFS).  I would like to extend the setup so a "2nd-tier level" (or 3rd-tier, etc.) domain with ADFS can be connected to the top-level domain, so a user can visit the portal page at the top level but use credentials at a domain at "level" and be authenticated to the service provider.

I would like to know if AD and ADFS are the proper technology to use to accomplish this.  And assuming so, if there are some resources I can be directed towards to help me set that up to get it to work.   Or if AD and ADFS are not a technology that can accomplish this goal, what recommendations do the experts have?
AndyBoell asked:
Jian An Lim (Solutions Architect) commented:
I am not sure what your question is about.

Can you give me a technical example of what you want?
Further, what are you going to achieve with this design?

For example, you have a user USERA@example.com.
What do you mean by 2nd/3rd-tier level? Do you mean Usera@second.example.com, usera@third.example.com?

How does a user normally access their AD information?
AndyBoell (Author) commented:
Sure.

I have the top tier domain: user@first.com
Then I will have multiple second tier domains: user@secondA.com, user@secondB.com, etc.
Then I will have multiple third tier domains: user@thirdA1.com, user@thirdA2.com, user@thirdB1.com, user@thirdB2.com, etc., where the @thirdA1.com and @thirdA2.com domains are linked through the @secondA.com domain.
The goal is to have a connection so that a user from any of the domains can go to the IdP portal page associated with @first.com domain, enter in their local credentials (such as user@thirdA1.com or user@secondB.com, etc.) and be authenticated.

None of the domains will be child-domains or will have any domain trusts established.

Our goal is to have 1 main top level domain, 5 second tier domains, and up to 85 third tier domains all linked together so any user at any level can visit the top level domain and authenticate using local credentials.  

The reason for this layout is to have a single portal page for authentication and a single point to then make the necessary connections to the service providers, while permitting the local domain administrators to manage their accounts like normal.  Those local domains will reside in their respective local networks and can only be connected over the Internet.

I believe it can be done using SAML, but I was looking to do this with just ADFS instead.

Thoughts or suggestions?
Jian An Lim (Solutions Architect) commented:
Okay. I assume the 2nd-tier and 3rd-tier domains have their own ADFS servers?

If this is the case, then it is possible; it is called Federated Web SSO.

You just need to tell your portal where to redirect them to authenticate.

https://technet.microsoft.com/en-au/library/dd807050.aspx

P.S.: make sure you also read the implementation plan
https://technet.microsoft.com/en-au/library/dd807066.aspx
AndyBoell (Author) commented:
Thanks.  I'll read up on those tomorrow.

And yes, the plan is for the 2nd and 3rd tier domains to have their own ADFS servers.

So if using Federated Web SSO, will the redirection send them to their own portal page to authenticate, or is the redirection occurring behind the scenes when they enter their credentials on the top-tier portal page?  This matters because there will be users who will need to authenticate from outside their company network from non-domain-joined machines.
Jian An Lim (Solutions Architect) commented:
At a high level: once the user puts in their email address, the ADFS server will know that it can't do the authentication locally. Then it will look up their system to see where their authentication server is located.
Usually, it is sts.<domain>.com (not always, but mostly). Then, depending on where they come from: if domain-joined, they can automatically log on (Kerberos); if non-domain-joined, they get a form so they can put in their credentials to log on.

Microsoft has some services that use this extensively so they don't manage passwords.
AndyBoell (Author) commented:
limjianan,

Thank you very much for that information.  It took me a couple days to troubleshoot through some CA related issues, but those have now been resolved.

I have reviewed those documents and conceptually it appears to be what I am looking to implement.  

I have completed the setup of a 2nd tier ADFS environment and have created a relationship between the 1st tier and the 2nd tier ADFS servers.  The relationship I created was a Relying Party Trust at the 2nd tier level and a Claims Provider Trust at the 1st tier level.

When I visit the sts page at the 1st tier level, I can select the 1st tier ADFS server or select a 2nd tier ADFS server.  When I choose the 1st tier ADFS server and attempt to use the credentials from the 2nd tier domain, that fails.  That behavior seems logical, however, I was hoping to have a single page that a user can use to enter in user@1st-tier.com or user@2nd-tier.com and have it work by making the appropriate query on the backend.

That said, when I visit the sts page at the 1st tier level and select the 2nd tier ADFS server and use the credentials from the 2nd tier domain, I am able to successfully log in.  Once authenticated, I can gain access to any SP configured to the 1st tier ADFS server, so I would say that relationship is working.  I was just hoping to have a single page that any user from any configured domain can use rather than having to drill down to the appropriate domain first.

My follow up question is did I set it up correctly?  Given the complexity and flexibility of the ADFS, I wonder if I have it set up and working in some capacity but there may be an alternative way to set it up to give me the behavior I am expecting.

Any advice or expertise in that area would be appreciated.
Jian An Lim (Solutions Architect) commented:
Usually, when you want to access a certain service, you set up that form there, and based on the email address they put in, it will redirect them to the respective STS.

For example, in order to access Office 365 (or any application), you have user@1st-tier.com and user@2nd-tier.com. When you type in user@1st-tier.com, it will go to sts.1st-tier.com, and when you put in user@2nd-tier.com, it will go to sts.2nd-tier.com.

When you hit the STS, if you have authenticated, it will automatically redirect you back to Office 365.

What we call Office 365 (or any application) is your first page to access. It must be aware of all domains so it knows where to direct such a conversation.
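The suffix-to-STS mapping this reply describes, as an added example that is not from the thread or the linked Microsoft articles; it uses the AD FS PowerShell module and the thread's domain names, while the sts.* hostnames and the federation metadata URLs are assumptions:

```powershell
# Added example (not from the thread): suffix-based home realm discovery on AD FS,
# so one sign-in page routes user@<suffix> to the right STS. Needs the ADFS module
# (Windows Server 2012 R2 with the April 2014 update, or later). Domain names are
# the thread's; sts.* hostnames and federation metadata URLs are assumptions.

# Claim rule used at every trust boundary: forward only UPN and e-mail, so a
# lower tier cannot push arbitrary claims (e.g. group SIDs) up the chain.
$passUpnAndEmail = @'
@RuleName = "Pass through UPN and e-mail only"
c:[Type =~ "^http://schemas.xmlsoap.org/ws/2005/05/identity/claims/(upn|emailaddress)$"]
 => issue(claim = c);
'@

# ---- On the 1st-tier server (sts.first.com) ----------------------------------
# secondA's STS becomes a claims provider; its signing cert and endpoints are
# read from its federation metadata.
Add-AdfsClaimsProviderTrust -Name "secondA" `
    -MetadataUrl "https://sts.secondA.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $passUpnAndEmail

# Map e-mail suffixes to that provider. Third-tier suffixes behind secondA are
# listed here too: the top tier only knows secondA's STS (one hop per tier).
Set-AdfsClaimsProviderTrust -TargetName "secondA" `
    -OrganizationalAccountSuffix @("secondA.com", "thirdA1.com", "thirdA2.com")

# Verify: user@thirdA1.com typed at sts.first.com is now sent to sts.secondA.com.
Get-AdfsClaimsProviderTrust | Select-Object Name, OrganizationalAccountSuffix

# ---- On the 2nd-tier server (sts.secondA.com) --------------------------------
# The top tier is a relying party here. Permit every authenticated user; local
# users get UPN/mail from AD, users who came via a 3rd-tier STS are passed through.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
$issueFromAd = @'
@RuleName = "Issue UPN and e-mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);
'@
Add-AdfsRelyingPartyTrust -Name "first" `
    -MetadataUrl "https://sts.first.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -IssuanceAuthorizationRules $permitAll `
    -IssuanceTransformRules ($issueFromAd + "`n" + $passUpnAndEmail)

# Same claims-provider pattern for each 3rd-tier STS that sits behind secondA.
Add-AdfsClaimsProviderTrust -Name "thirdA1" `
    -MetadataUrl "https://sts.thirdA1.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $passUpnAndEmail
Set-AdfsClaimsProviderTrust -TargetName "thirdA1" -OrganizationalAccountSuffix @("thirdA1.com")
```

Each tier only resolves the next hop, so a 3rd-tier suffix must be listed on the top tier against the 2nd-tier provider it sits behind, and again on that 2nd-tier server against the 3rd-tier provider itself.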
AndyBoell (Author) commented:
While I do not have any experience in linking to Office 365, I think I understand what you mean but want to see if my understanding is correct.

I have my ADFS structure set up as any tiered hierarchy I desire.  At my top level I connect to an application (say Office 365).  Any user from any tier can authenticate with the single link of Office 365 to the top level ADFS server because of the connections between ADFS servers.  And they use the login page of the application rather than the portal page.  Does that seem accurate?

My environment has me connect all of these ADFS servers to a single application and currently that application redirects users to the sts login page for authentication.  It sounds to me that this behavior may not allow me to have the login functionality that is desired.  I do have some input on how that application is being designed, so I may try to work with that team to see if altering the login functionality may be a possibility, if my understanding above is correct.

In the event that application's handling cannot be changed, would it be possible to configure a separate "application" that could have the login page that could be aware of all the domains, then once authenticated communicate with the other application for seamless authenticated access?  I have already tested that behavior and have not been successful as the test application merely redirects the user to the sts page for login.  Is there any trick to make that work?
Jian An Lim (Solutions Architect) commented:
Okay, I think you are looking at a different thing.

Here is what I think you want.
You want a page where, when the user types in the username/password, it will silently do the authentication to the related STS page and then go through to the application.

For the federated Web SSO design (also known as the WS-Federation Passive Requestor Profile), you always see the transfer page from the main page to the respective STS. I.e., if you type in the email address, it will be aware that it does not do the authentication and redirect to the respective site.

If you want something silent, you will need to develop against the WS-Federation Active Requestor Profile, which requires programming knowledge.

There is a page http://blogs.technet.com/b/askpfeplat/archive/2014/08/25/adfs-deep-dive.aspx
that explains very well what the difference between them is.

As I am not a developer, it will need someone who understands a bit more programming to do so.
AndyBoell (Author) commented:
Great explanation and information shared!  Thank you so much for your help!