Trying to figure out best practices when it comes to ADFS for multiple cloud services, while keeping different AD groups separate in these cloud services...

Trying to figure out how to set up, if it is even possible or best practice, my current ADFS (2.0 (Windows Server 2012)), which is being used to sync my AD with Office365 accounts (i.e. logins, etc.), to support a separate or another service in the cloud.

This other vendor (cloud service) is requesting the metadata. However, I am concerned about mixing my group A users (using Office365 services) with these new group B users.

I want to make sure that my group B users do not get Office365 accounts accidentally.


I am crunched for time, or else I would just build a new ADFS platform on 4.0 (Windows Server 2016), but that will have to wait until a later date.


Can anyone explain, send links, etc. on how I should go about setting up (reconfiguring) my ADFS 2.0 (Windows Server 2012) to support these two separate cloud services?


If you need further details to assist me, just let me know.


Thanks in advance.
rsnellman (IT Manager) asked:
Mahesh (Architect) commented:
Where is the problem if you have separate groups for each relying party trust?
In every relying party you need to create claim rules which state that a specific AD group can access the application.
If a user is a member of both groups, he can access both apps.
You need to ensure that every user is part of a single group so that he can access only that app.
ADFS 2016 does not make any difference here.
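As an added example (not code from the thread), this is what the per-trust claim rules described above look like in practice: one issuance authorization rule per relying party trust that permits only the members of one AD group, so a user who is only in Group B can never get a token for the Office 365 trust and vice versa. It assumes the AD FS 2.x PowerShell snap-in on Windows Server 2012, and the group names and relying party display names shown are placeholders.

```powershell
# Added example: lock each relying party trust to a single AD group with an
# issuance authorization rule. Assumes the Microsoft.Adfs.PowerShell snap-in
# (AD FS 2.x on Windows Server 2012); group and trust names are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-GroupSid {
    param([string]$DomainGroup)   # e.g. "CONTOSO\GroupA-Office365" (placeholder)
    # Resolve the group to its SID so the rule matches the groupsid claim AD issues,
    # rather than a display name that could be renamed later.
    $account = New-Object System.Security.Principal.NTAccount($DomainGroup)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-GroupOnlyAuthorizationRule {
    param([string]$RuleName, [string]$GroupSid)
    # Claim rule language: issue a permit claim only when an incoming groupsid claim
    # equals this SID. A request that ends up with no permit claim is denied by AD FS.
@"
@RuleTemplate = "Authorization"
@RuleName = "$RuleName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@
}

# Placeholder groups: one per cloud service, and a user should be in only one of them.
$groupA = Get-GroupSid "CONTOSO\GroupA-Office365"
$groupB = Get-GroupSid "CONTOSO\GroupB-VendorApp"

# Office 365 trust: replace the default "Permit all users" rule with a Group A only rule.
Set-ADFSRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
    -IssuanceAuthorizationRules (New-GroupOnlyAuthorizationRule "Permit Group A only" $groupA)

# Vendor B trust (placeholder display name): Group B only.
Set-ADFSRelyingPartyTrust -TargetName "Vendor B Cloud Service" `
    -IssuanceAuthorizationRules (New-GroupOnlyAuthorizationRule "Permit Group B only" $groupB)

# Check: every trust should show exactly one permit rule, bound to its own group SID.
Get-ADFSRelyingPartyTrust | Select-Object Name, IssuanceAuthorizationRules | Format-List
```

This only controls who can sign in to each trust through the federation service; whether a Group B user ends up with an Office 365 account is decided by directory sync and licensing, which is a separate control.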
Chris (Senior Technical Architect) commented:
Agreed with the above.

We have a separate group within O365 which assigns licences so no chance of the two mixing.

The metadata for ADFS is public anyway if you have published ADFS for O365.
rsnellman (IT Manager, Author) commented:
I am trying to figure out how my splash page, which is specifically designed and has an SSL certificate applied for my Group A (Office365 services), fits in, or how I go about adding another cloud service that will specifically be used for a different group (Group B), etc.

Hopefully, that makes sense.

If not, please let me know and I will provide further details.


Thanks.
Mahesh (Architect) commented:
No matter how many cloud services you add, all would be added to ADFS as relying party trusts, and you can have unique groups configured per relying party trust.
Chris (Senior Technical Architect) commented:
I don't think you will be able to have different splash screen/login pages; to do that you would need a different ADFS farm.
Mahesh (Architect) commented:
ADFS gives you the chance to define multiple logon interfaces on the same page via a drop-down menu, which should suffice for your requirements.
I have clients with a single ADFS farm with at least 8 relying party trusts, and on the ADFS logon page you can select which one you want to log on to.
rsnellman (IT Manager, Author) commented:
Mahesh,
That is what I was hoping for. Do you know if that feature is supported in ADFS 2.0? Or is that a newer feature for, say, ADFS 4.0?

Also, can you provide some directions or links or documents on this feature and how to implement it?

Thanks.
Mahesh (Architect) commented:
The feature has been available by default since ADFS on 2003 server; it's not new.

You need to consult every vendor for which you are hosting an application, and they will provide you the steps to build a Relying Party Trust for the respective application.
rsnellman (IT Manager, Author) commented:
OK. Thanks Mahesh. So, how would the drop-down selection feature be added to the ADFS splash page then? Thanks again.
Mahesh (Architect) commented:
As you keep adding multiple relying party trusts, it will automatically add a drop-down to the ADFS login page. I don't know what you mean by "splash"; it's the ADFS login page.
rsnellman (IT Manager, Author) commented:
OK.  Thanks.  I guess I meant landing page not splash page.  We would create a hyperlink in different locations on our website that would point to the same landing page (aka ADFS login page).

Hopefully that makes sense.


Thanks again.
Chris (Senior Technical Architect) commented:
Anything on the path https://adfs.domain.com/adfs/xxxx will only have one page; you can brand this, but only once per farm.