Trying to figure out best practices when it comes to ADFS for multiple cloud services, while keeping different AD groups separate in these cloud services...

Trying to figure out how to set up, if it is even possible or best practice, my current ADFS (2.0 (Windows Server 2012)), which is being used to sync my AD with Office365 accounts (i.e. logins, etc.), to support a separate or another service in the cloud.

This other vendor (cloud service) is requesting the metadata...however, I am concerned about mixing my group A users (using Office365 services) with this new group B users.

I want to make sure that my group B users do not get Office365 accounts accidentally.


I am crunched for time or else I would just build a new ADFS platform on 4.0 (Windows Server 2016), but that will have to wait until a later date.


Can anyone explain, send links, etc. on how I should go about setting up (reconfiguring) my ADFS 2.0 (Windows Server 2012) to support these two separate cloud services?


If you need further details to assist me, just let me know.


Thanks in advance.
rsnellman (IT Manager) asked:
 
Mahesh (Architect) commented:
No matter how many cloud services you add, all would be added to ADFS as relying party trusts, and you can have unique groups configured per relying party trust.
0
 
Mahesh (Architect) commented:
Where is the problem if you have separate groups for each relying party trust?
In every relying party you need to create claim rules which state that a specific AD group can access the application.
If a user is a member of both groups, he can access both apps.
You need to ensure that every user is part of a single group so that he can access only that app.
2016 ADFS does not make any difference here.
0
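As an added illustration of the per-relying-party claim rules described above (this is example code, not from any participant in the thread): on the ADFS 2.x server, register the vendor's trust from its metadata and replace the default "Permit Access to All Users" authorization rule with one that permits only members of the Group B AD group. The relying party name, group name and metadata URL are assumed placeholders.

```powershell
# Added example: restrict one relying party trust to a single AD group.
# Run in an elevated PowerShell session on the ADFS server as an ADFS admin.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 (2008 R2)
Import-Module ADFS -ErrorAction SilentlyContinue                       # ADFS 2.1 (2012)
Import-Module ActiveDirectory

$rpName      = 'Vendor B App'                                          # assumed name
$groupName   = 'ADFS Group B Users'                                    # assumed AD group
$metadataUrl = 'https://PLACEHOLDER.vendor-b.example/FederationMetadata/2007-06/FederationMetadata.xml'

# 1. Each cloud service is its own relying party trust; build it from the
#    metadata the vendor supplied rather than typing endpoints by hand.
if (-not (Get-ADFSRelyingPartyTrust -Name $rpName)) {
    Add-ADFSRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl
}

# 2. Match on the group SID, not the display name: the SID is what ADFS
#    receives in the groupsid claim and it survives a group rename.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# 3. Issuance authorization rules for this trust only. Setting this property
#    replaces the wizard's "Permit Access to All Users" rule, so any user
#    without this group SID (including all of Group A) receives no permit
#    claim and is denied for this relying party. The Office 365 trust keeps
#    its own rule set and is not affected.
$authRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit only members of $groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
          Value = "true");
"@
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authRules

# 4. Verify: the trust should now carry exactly the single permit rule above.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceAuthorizationRules
```

A user who is a member of both groups still reaches both applications, as Mahesh notes, so keeping Group A and Group B membership disjoint remains an AD hygiene task that this rule does not enforce.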
 
Chris commented:
Agreed with the above.

We have a separate group within O365 which assigns licences, so there is no chance of the two mixing.

The metadata for ADFS is public anyway if you have published out ADFS for O365.
0

 
rsnellman (IT Manager, Author) commented:
I am trying to figure out how my splash page, which is specifically designed and has an SSL certificate applied for my Group A (Office365 services), fits in, or how I go about adding another cloud service that will be used specifically by a different group (Group B), etc.

Hopefully, that makes sense.

If not, please let me know and I will provide further details.


Thanks.
0
 
Chris commented:
I don't think you will be able to have different splash screens/login pages; to do that you would need a different ADFS farm.
0
 
Mahesh (Architect) commented:
ADFS gives you the chance to define multiple logon interfaces on the same page via a drop-down menu, which should suffice for your requirements.
I have clients with a single ADFS farm with at least 8 relying party trusts, and on the ADFS logon page you can select which one you want to log on to.
0
 
rsnellman (IT Manager, Author) commented:
Mahesh,
That is what I was hoping for... do you know if that feature is supported in ADFS 2.0? Or is that a newer feature for, say, ADFS 4.0?

Also, can you provide some directions or links or documents on this feature and how to implement it?

Thanks.
0
 
Mahesh (Architect) commented:
The feature is available by default since ADFS 2003 server; it's not new.

You need to consult every vendor for which you are hosting an application, and they will provide you the steps to build the Relying Party Trust for the respective application.
0
 
rsnellman (IT Manager, Author) commented:
OK. Thanks Mahesh. So, how would the drop-down selection feature be added to the ADFS splash page then? Thanks again.
0
 
Mahesh (Architect) commented:
As you keep adding multiple relying party trusts, it will automatically add a drop-down to the ADFS login page. I don't know what you mean by "splash"; it's the ADFS login page.
0
 
rsnellman (IT Manager, Author) commented:
OK. Thanks. I guess I meant landing page, not splash page. We would create a hyperlink in different locations on our website that would point to the same landing page (aka the ADFS login page).

Hopefully that makes sense.


Thanks again.
0
 
Chris commented:
Anything on the path https://adfs.domain.com/adfs/xxxx will only have one page; you can brand this, but only once per farm.
0