asked on
ADFS internal and external users
Hi,
I've been trawling the 'net' for an answer and diagrams (including network ports) to show how to configure a scenario for both internal and external SSO/ADFS 3.0 design.
I understand I need an internal ADFS server farm (which can be used for internal SSO access.
I also understand I need a WAP server farm in a perimeter network/DMZ for external users.
A public SSL cert wil be used: e.g. adfs.company.com
We'll use DNS internally, internal domain is company.local so i'll add a zone from company.com with an a record of adfs.company.com
We'll use a host file for the WAP servers in the DMZ
The WAP farm servers will obviously communicate with both external clients and the SaaS provider.
How will the internal ADFS communication work for internal users? Does this traffic go out via the WAP server route or will it require it's own access to the SaaS provider?
Also, (sorry I know this is another question)
Is is viable to setup two separate ADFS farms in two locations and use something like route53 to route to site two if site one goes down?
I'm also assuming that port 443 is used for all server and client comms.
Appreciate any help on these questions.
Thanks,
Andy
I've been trawling the 'net' for an answer and diagrams (including network ports) to show how to configure a scenario for both internal and external SSO/ADFS 3.0 design.
I understand I need an internal ADFS server farm (which can be used for internal SSO access.
I also understand I need a WAP server farm in a perimeter network/DMZ for external users.
A public SSL cert wil be used: e.g. adfs.company.com
We'll use DNS internally, internal domain is company.local so i'll add a zone from company.com with an a record of adfs.company.com
We'll use a host file for the WAP servers in the DMZ
The WAP farm servers will obviously communicate with both external clients and the SaaS provider.
How will the internal ADFS communication work for internal users? Does this traffic go out via the WAP server route or will it require it's own access to the SaaS provider?
Also, (sorry I know this is another question)
Is is viable to setup two separate ADFS farms in two locations and use something like route53 to route to site two if site one goes down?
I'm also assuming that port 443 is used for all server and client comms.
Appreciate any help on these questions.
Thanks,
Andy
Active DirectoryNetwork ArchitectureCloud Computing
Last Comment
Andy
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks footech,
Just one final question:
We have our main domain, and 2 sub domains, do we have to setup anything extra for users, either in ADFS or DNS?
e.g.
uk.comany.com (root domain containing accounts)
us.company.com (sub domain containing accounts)
china.company.com (sub domain containing accounts)
My design steps (as an overview) are as follows:
Create the service account (or gMSA)
Build the 4 2012 R2 servers required for ADFS 3.0 (2 x Internal, 2 x DMZ)
Decide on the public ADFS (federation) service name:
Adfs.company.com/sts.compa
Buy certificate
Import the cert on each server
Consideration: Multiple domains
Setup DNS entries as required (internal, DMZ, external)
Allow port 443 between all devices and externally from WAP farm VIP
Consideration: NLB used in DMZ? If so, setup NLB on both servers with VIP
Add the ADFS role for the first internal ADFS server creating a farm
Configure ADFS with SSL Cert, Federation service name, Federation service display name
Specify Service account, WID. Complete configuration
Test: https://adfs.company.com/federationmetadata/2007-06/federationmetadata.xml
Add the ADFS role for the second internal ADFS server joining the farm and configure
Add to Load Balancer creating the Load balanced VIP
Add the WAP role for the first internal ADFS server creating a farm
Add the WAP role for the second internal ADFS server joining the farm
Test SSO internally
Test SSO externally?
Send metadata to SaaS provider, configure and test.
Hopefully I've got everything there.
Thanks again,
Andy
Just one final question:
We have our main domain, and 2 sub domains, do we have to setup anything extra for users, either in ADFS or DNS?
e.g.
uk.comany.com (root domain containing accounts)
us.company.com (sub domain containing accounts)
china.company.com (sub domain containing accounts)
My design steps (as an overview) are as follows:
Create the service account (or gMSA)
Build the 4 2012 R2 servers required for ADFS 3.0 (2 x Internal, 2 x DMZ)
Decide on the public ADFS (federation) service name:
Adfs.company.com/sts.compa
Buy certificate
Import the cert on each server
Consideration: Multiple domains
Setup DNS entries as required (internal, DMZ, external)
Allow port 443 between all devices and externally from WAP farm VIP
Consideration: NLB used in DMZ? If so, setup NLB on both servers with VIP
Add the ADFS role for the first internal ADFS server creating a farm
Configure ADFS with SSL Cert, Federation service name, Federation service display name
Specify Service account, WID. Complete configuration
Test: https://adfs.company.com/federationmetadata/2007-06/federationmetadata.xml
Add the ADFS role for the second internal ADFS server joining the farm and configure
Add to Load Balancer creating the Load balanced VIP
Add the WAP role for the first internal ADFS server creating a farm
Add the WAP role for the second internal ADFS server joining the farm
Test SSO internally
Test SSO externally?
Send metadata to SaaS provider, configure and test.
Hopefully I've got everything there.
Thanks again,
Andy
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks for all the expert comments, my design is getting there, just need to understand what data is being passed between all points then all will be complete.
Regarding:
For an external user, adfs.company.com would resolve to the public IP of the WAP (ADFS Proxy), but for internal users it would resolve to the internal ADFS. If you just had internal users, the WAP wouldn't be needed, and no, communication to the internal ADFS from the internet is not needed.
My question is:
With the internal users in this scenario, what happens to the traffic once they've hit the internal ADFS farm. Does it still then go out via the WAF?
I assume it's only the WAF that can access the RP in this case and we don't need to also allow comms between the internal ADFS farm and the RP as well as comms between the WAF and the RP?
Again, thanks for the support.
Andy