Solved

ADFS Queries

Posted on 2016-10-05
3
54 Views
Last Modified: 2016-10-07
Hi,

We are implementing a new AD FS solution.

A questions I have around the SSL cert is:
We have our main (internal) AD domain:
company.net
We also have subdomains:
usa.company.net
china.company.net
india.company.net

However, our users have e-mail addresses relating to their business rather than domain so email addresses will be:
user@businessa.com
user@businessb.com
user@businessc.com
user@businessd.com
user@businesse.com

The SSL certificate will be: sts.company.com (an external domain name)
Do I need to include any information relating to any of the above?

I'm thinking more around UPN/SAN information for the certificate.

Thanks,
Andy
0
Comment
Question by:Andy
  • 2
3 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41830247
The certificate you use only needs to match the address used to access the server by any applications that will use it for authentication and users that will be logging in. So if the certificate is for sts.company.com, just make sure there is an A Record for sts.company.com in Public DNS. CN Validity is only authenticated by access to the server. Token signing and encryption don't require a specific CN to exist on the certificate used by those processes (nor do they require Root CA trust). If you want businessb.com to be able to access the ADFS server using sts.businessb.com, though, you'll need to make sure that shows up in the cert.

However, you'll probably want to use a different certificate for token signing and encryption of tokens with ADFS. I would only use the sts.company.com certificate for the HTTPS service on the ADFS server. It's usually acceptable to just let ADFS generate its own certificates for those purposes.
0
 
LVL 7

Author Comment

by:Andy
ID: 41831264
Thanks Adam,

We'll only use the sts.company.com URL for all users to access globally.
We'll be using a public premium EV SSL certificate for service communications.
We'll use the self-signed certificates for token-signing/token-decryption and probably increase the lifetime to 3 years (or length of initial SaaS contract).
0
 
LVL 7

Author Closing Comment

by:Andy
ID: 41833133
Thanks for the assistance.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question