ADFS: EWS Load Balancer (ELB) require a CNAME record?
ADFS 3.0 (2 x STS nodes)
I was under the impression that issues can arise when you use a CNAME record to point to your ADFS servers (by way of a Load Balancer). It seems that there are no static IP addresses available for ELBs due to the "elastic" nature of the product.
Prior to this case, I would simply add an A Record that points to the (static) VIP of the Load Balancer. That does not seem to be available in AWS.
How do you handle this?
Thank you.
Last comment: K B, 8/22/2022 (Mon)
Mohammed Hamada
You're trying to use a cloud load balancer for your STS? Why not simply create an ADFS farm?
Mohammed Hamada
Take a look here at this article: when you have an ADFS farm you could configure DNS to point to the VIP on your load balancer, and the load balancer would handle the tokens or requests by sending them to either member of the ADFS farm, which would send them to the primary ADFS server.
Here are the instructions from Microsoft on how to set it up in Azure. You can modify this for AWS or, IMO, put it in Azure where it should be, since it's talking to Azure anyway.
Thank you for your replies. The question revolves around AWS ELBs' inability to take a static IP. You must use a CNAME record to point to the VIP. Docs at Microsoft warn against using CNAME records in ADFS implementations.
Aaron Tomosky
I know I'm not addressing your specific question, I'm not familiar enough with AWS to help with what you are trying to do.
I AM familiar with Azure and ADFS and that's why I'm taking the time to offer the suggestion to put it there. ADFS talks to two things: your AD, and Azure AD. So by putting it IN Azure, it's pretty difficult for Azure AD to have a problem talking to it, which means more uptime for your Azure logins (and AD Premium SaaS logins if you use that). On top of that there is a setup doc from Microsoft and it's a supported config by Microsoft.
If you really, really want to put it in AWS, go for it, but I'm not going to be able to assist with the details of that.
K B
ASKER
Oh, I'm all about Azure too. :-)
This is a customer that has standardized on AWS.
Aaron Tomosky
Apparently not, since they need ADFS ;)
Which means they have an Azure account and use it. Otherwise they would have no need for ADFS servers at all.
Anyway, you can always just set up a single server and a second pair and move DNS if it ever goes down. Route 53 has all the goodness baked in. That's the point of AWS: reliability.
If they want the full, full load-balanced version of awesomeness, show them the doc; it belongs in Azure.
Hi there, please create an HTTPS listener on the external/internal AWS ELB you are creating, and possibly offload SSL onto it; if not, you can just go for TCP load balancing. In either case, for DNS you would need to create a CNAME and map your DNS name to it, as an ELB in AWS does change IP addresses on the fly and can add or remove them at any time.
I did implement ADFS in AWS and didn't have any issues with ELB, but happy to help if you get any errors.
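The thread mentions that Microsoft warns against a CNAME for the federation service name without saying why; the usual casualty is Windows Integrated Authentication, because browsers by default build the Kerberos SPN (HTTP/&lt;host&gt;) from the canonical A-record name behind the alias, not from the alias itself. The following is an added example, not code from this thread or from Microsoft, that walks a constructed zone the way a resolver would and reports whether the SPN a client would ask for is one AD FS can actually hold; the zone contents, the ELB hostname and the SPN list are all constructed placeholders.

```python
"""Check whether an AD FS federation service name resolves through a CNAME and
whether the Kerberos SPN a Windows client would request for Integrated Windows
Authentication (HTTP/<canonical host>) is registered on the AD FS service account.
Added example; the zone data, ELB name and SPN list below are constructed."""

# Constructed DNS zone: name -> (record type, target). In the CNAME case the
# alias points at an ELB DNS name whose A records AWS changes over time.
ZONE = {
    "sts.example.com": ("CNAME", "adfs-elb-123456.us-east-1.elb.amazonaws.com"),
    "adfs-elb-123456.us-east-1.elb.amazonaws.com": ("A", "198.51.100.10"),
    "sts2.example.com": ("A", "203.0.113.5"),
}

# Constructed SPNs assumed to be registered on the AD FS service account.
SERVICE_ACCOUNT_SPNS = {"HTTP/sts.example.com", "HTTP/sts2.example.com"}


def resolve(name, zone, max_hops=8):
    """Follow CNAME records to the canonical name, as a resolver would.
    Returns (canonical_name, chain) where chain lists every alias traversed."""
    chain = []
    while max_hops:
        rtype, target = zone.get(name, (None, None))
        if rtype != "CNAME":
            return name, chain
        chain.append(name)
        name = target
        max_hops -= 1
    raise ValueError("CNAME chain too long or looping")


def check_federation_name(name, zone=ZONE, spns=SERVICE_ACCOUNT_SPNS):
    """Report the SPN a client would request and whether AD FS can honour it.
    Clients build the SPN from the canonical A-record name, so an alias to the
    load balancer yields an SPN that is not (and cannot stably be) registered."""
    canonical, chain = resolve(name, zone)
    expected_spn = f"HTTP/{canonical}"
    return {
        "uses_cname": bool(chain),
        "canonical_name": canonical,
        "expected_spn": expected_spn,
        "spn_registered": expected_spn in spns,
    }


if __name__ == "__main__":
    for host in ("sts.example.com", "sts2.example.com"):
        print(host, check_federation_name(host))
```

Pointing the result at a live zone only needs `resolve` swapped for a real lookup; the SPN comparison is the part that tells you whether the CNAME will break sign-in rather than merely being discouraged.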