Exclude office365 from ADFS configuration

  • Question

  • Hi,

    I've configured ADFS in 2012 R2. Not yet converted the domain to a federated domain.

    My customer requirement is to exclude Office365 from ADFS.

    1) If I convert the domain to federated domain, whether Office365 users will be able to login to the portal like usual?

    2) I need ADFS to provide SSO for a web application hosted on an IBM cloud server. How to do it?

    Thanks in advance!!!

    Tuesday, August 23, 2016 5:36 AM

Answers

  • Hiya,

    by default you are not connected to anything with ADFS. It requires additional configuration for each connection you want to establish after the initial installation of ADFS. So nothing will change there.

    You do not need to convert your domain to a federated domain. Right now you are running with AzureAD and you will continue to do that.

    You can test your ADFS installation by navigating to:

    https://<ADFS URL>/adfs/ls/idpinitiatedsignon.aspx

    If ADFS has been configured correctly, you should be able to logon using username and password.

    That should cover first question and basic ADFS.

    Now for configuring SSO for IBM cloud server, it depends on how IBM has specified you do that. I do not know explicitly which service you are trying to connect to, however IBM should provide details on how you should set up your relying party on your ADFS as well as adding a trust on their cloud service.

    Maybe something on this link or related links might help you.

    https://www.ibm.com/support/knowledgecenter/SSYJ99_8.5.0/dev-portlet/outbhttp_auth_est_sso_adfs.html

    • Marked as answer by Elangamban Tuesday, August 23, 2016 6:55 AM
    Tuesday, August 23, 2016 6:21 AM

All replies

  • Hi Jesper,

     Thanks for your quick and useful reply.

    You also mentioned, no need to convert to federated domain. Now what will happen, if adfs server is down. How to roll back?

    Thanks again.

    Tuesday, August 23, 2016 6:26 AM
  • Hi,

    I presume you are running with an Azure AD synchronization now (or cloud identities only). If that is the case, you are synchronizing your user data to Microsoft and using the Microsoft ADFS server to authenticate (as you do not have your own yet).

    So authentication towards Office365 is dependent on the Microsoft ADFS service and to some extent this Azure AD synchronization. So as long as Microsoft ADFS is running, you can authenticate. So keep this picture in your mind, this is your current Office365 authentication.

    Now you have configured the ADFS server and want to connect to an IBM cloud provider. Now, this ADFS server will be your only source of authentication for the IBM cloud service. So whenever your ADFS is down, you cannot authenticate against your IBM cloud service.

    That of course applies if you are transferring your Office365 authentication from Microsoft ADFS to your company ADFS. Currently they are running separate.

    Tuesday, August 23, 2016 6:52 AM
  • Hi,

    Is it possible to exclude some of the users from adfs configuration based on the application?

    They have to access the web application as usual (without SSO).

    Thanks!!.

    Tuesday, August 23, 2016 7:38 AM
  • Hi,

    Well. Some applications support running with multiple authentications. In other words, it depends on your application.

    In a case like that, you could have two URLs. One accessed with standard Windows Integrated authentication, the other with a custom identity provider (ADFS). Depending what exactly it is you want to achieve.

    Wednesday, August 24, 2016 5:51 AM
  • Hi,

    Thanks for your reply.

    If I want to add a trust relationship between my ADFS and partner hosted application, what are the details I've to gather from their end?

    Thanks again.

    Wednesday, August 24, 2016 6:29 AM
  • Hi,

    usually you need two things:

    1: a Metadata file reference. Either as a download or, preferably, as a direct link.

    2: Claims specification. Which claims do they expect to be present in which format.

    Wednesday, August 24, 2016 6:54 AM
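The following PowerShell script is an added example, not code from the thread or from Microsoft or IBM. It ties together the two practical points Jesper makes: checking the farm with the IdP-initiated sign-on page, and registering a partner relying party from the two artefacts the partner must supply (a metadata URL and a claims specification). All host names, the partner metadata URL, the trust name, the claim types the partner expects and the group SID in the authorization rule are placeholders or assumptions to replace with your own; the cmdlets themselves are the standard ones in the ADFS module on a Windows Server 2012 R2 federation server.

```powershell
# Added example (not from the thread). Run on the primary AD FS server as an AD FS admin.
# Assumptions: ADFS PowerShell module present; placeholder names/URLs below replaced.
Import-Module ADFS

# --- Part 1: basic sanity check of the farm, as suggested in the accepted answer ---
$fsName      = (Get-AdfsProperties).HostName                   # federation service name
$idpSignon   = "https://$fsName/adfs/ls/idpinitiatedsignon.aspx"
$ourMetadata = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"

foreach ($url in @($idpSignon, $ourMetadata)) {
    try {
        # Anonymous GET: a healthy farm answers 200 for both endpoints.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        Write-Host ("{0} -> HTTP {1}" -f $url, $resp.StatusCode)
    } catch {
        Write-Warning ("{0} failed: {1}" -f $url, $_.Exception.Message)
    }
}

# --- Part 2: register the partner trust from what they hand you ---
# (1) Their metadata, ideally as a direct link so AD FS can re-fetch it (e.g. on cert rollover).
$partnerMetadata = "https://partner.example/FederationMetadata/2007-06/FederationMetadata.xml"  # placeholder
$trustName       = "Partner cloud app"                                                           # placeholder

Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $partnerMetadata `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# (2) Their claims specification. Assumed here: the partner wants e-mail address and UPN,
# looked up from AD. Adjust the claim types and LDAP attributes to what the partner documents.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization: only members of one AD group get a token for this partner.
# This is one way to keep "some users" out of the SSO path, as asked earlier in the thread.
# Replace the SID placeholder with the objectSid of the real group.
$authRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit only the SSO pilot group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-PLACEHOLDER-GROUP-SID$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authRules

# Review what was imported from the metadata before handing the trust to the partner for testing.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, WSFedEndpoint, SamlEndpoints, AutoUpdateEnabled, LastMonitoredTime
```

Two things worth knowing when adapting this: on AD FS in Windows Server 2016 and later the IdP-initiated sign-on page is disabled by default (it is switched on with `Set-AdfsProperties -EnableIdpInitiatedSignonPage $true`), so a 404 there on a newer farm is not a misconfiguration; and the group-based authorization rule only gates the token, so users outside the group who reach the partner application still need the application's own non-SSO entry point, which is exactly the two-URL arrangement Jesper describes.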
  • Hi Jesper,

    Thanks for your answers. All are very useful.

    Wednesday, August 24, 2016 7:15 AM