Setting up ADFS and have a question about connecting 2 organizations

  • Question

  • Hello,

    My company is in the process of setting up ADFS for SSO in our environment to work with a new web application. I think I pretty much got the basic configuration down for our organization, but the problem is that we have a partner organization that needs to be able to access the web application also. From my understanding of ADFS (which is not much, since we are new to it), they need to have an ADFS server set up on their side and all we need to do is set up a relying party trust to point to each other. The organization uses Azure AD Connect, so I was wondering: can I set up a relying party trust with their Azure AD Connect to fulfil the end goal, which is the partner organization being able to access the web application on our side for SSO, and if it can, how would I go about configuring this setup? Hopefully this is clear, because I really need help on this. Thank you.

    Friday, September 28, 2018 3:01 PM

All replies

  • On your side you have your application (RP) talking to your ADFS (IDP).

    On their side, they need an IDP (not necessarily ADFS) and this needs to be a Claims Provider on your side.

    On their side, your ADFS is an RP.

    So the flow is:

    Partner user accesses application, sees the Home Realm Discovery screen, selects their IDP, authenticates, application access granted.

    Sunday, September 30, 2018 6:15 PM
  • Greetings,

    I found an article which is a good read on scenarios like federated SSO. It is a multi-part blog which explains a lot of info on ADFS. Please feel free to read it before you make any changes in your organization.

    https://blogs.technet.microsoft.com/askpfeplat/2014/08/24/adfs-deep-dive-primer/


    Regards, Eric

    Monday, October 1, 2018 12:54 PM
    One final piece of info on federated SSO which is not mentioned in the blog:

    For your domain users to access the application through SSO:

    This scenario is called a Web SSO scenario.

    You have to create an RP in your ADFS server pointing to your application server.

    For partner domain users to access the application through SSO:

    This scenario is called a Federated SSO scenario.

    Two STSs will participate in this transaction; the STSs can be ADFS servers on both sides, or a mix and match. There are a few steps to be followed:

    1. The partner ADFS server has to create a Relying Party trust pointing to your ADFS server.

    2. In your ADFS server you have to create a Claims Provider Trust pointing to the partner ADFS server.



    Regards, Eric

    Monday, October 1, 2018 1:10 PM
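The two-STS procedure in the reply above (Web SSO for your own users, then the Claims Provider Trust on your side and the Relying Party Trust on the partner's side for Federated SSO), together with the RP / IDP / Claims Provider roles laid out in the first reply, as AD FS PowerShell. This is an added example and not code from the thread or from any of the posters. Every name and URL in it is hypothetical: contoso.example stands for your organization, fabrikam.example for the partner, and the trust names, federation-metadata URLs and UPN suffix are placeholders. It assumes the AD FS PowerShell module is available on each organization's AD FS server and that the partner runs AD FS as its STS (the reply notes it could be another STS product, in which case only your half applies and the partner configures the equivalent on their product).

```powershell
# Added example (not from the thread). All names, URLs and claim values are hypothetical:
#   contoso.example  = your organization (hosts the web application and its AD FS)
#   fabrikam.example = the partner organization (runs its own STS)
# Run each half on the AD FS server of the organization it belongs to.
Import-Module ADFS

$Upn = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$Permit = 'http://schemas.microsoft.com/authorization/claims/permit'

# ---------- Your side (sts.contoso.example) ----------

# Web SSO: the application is a Relying Party of your AD FS.
Add-AdfsRelyingPartyTrust -Name 'Contoso Web App' `
    -MetadataUrl 'https://app.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Federated SSO, step 2: the partner STS becomes a Claims Provider of your AD FS.
# The acceptance transform rules are the security boundary: accept from the partner
# only the claim types you need, and only values in the partner's own UPN suffix,
# so a partner-issued token can never name one of your users.
$partnerAcceptRules = @"
@RuleName = "Accept only fabrikam.example UPNs from the partner"
c:[Type == "$Upn", Value =~ "^[^@]+@fabrikam\.example$"]
 => issue(claim = c);
"@
Add-AdfsClaimsProviderTrust -Name 'Fabrikam (partner)' `
    -MetadataUrl 'https://sts.fabrikam.example/FederationMetadata/2007-06/FederationMetadata.xml' `
    -AcceptanceTransformRules $partnerAcceptRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Only this application should offer the partner on the Home Realm Discovery page;
# your other relying parties keep showing just the local Active Directory provider.
Set-AdfsRelyingPartyTrust -TargetName 'Contoso Web App' `
    -ClaimsProviderName @('Active Directory', 'Fabrikam (partner)')

# Issuance rules on the application RP apply to local and partner users alike:
# pass the UPN through and permit everyone whose claims survived acceptance.
$appTransformRules = @"
@RuleName = "Pass UPN to the application"
c:[Type == "$Upn"] => issue(claim = c);
"@
$appAuthzRules = @"
@RuleName = "Permit all authenticated users"
=> issue(Type = "$Permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName 'Contoso Web App' `
    -IssuanceTransformRules $appTransformRules `
    -IssuanceAuthorizationRules $appAuthzRules

# ---------- Partner side (sts.fabrikam.example) ----------

# Federated SSO, step 1: your AD FS is a Relying Party of the partner's AD FS.
# Their issuance rules decide what they send you; here, the user's UPN only.
$toContosoTransformRules = @"
@RuleName = "Send UPN to Contoso"
c:[Type == "$Upn"] => issue(claim = c);
"@
$toContosoAuthzRules = @"
@RuleName = "Permit all authenticated users"
=> issue(Type = "$Permit", Value = "true");
"@
Add-AdfsRelyingPartyTrust -Name 'Contoso AD FS' `
    -MetadataUrl 'https://sts.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml' `
    -IssuanceTransformRules $toContosoTransformRules `
    -IssuanceAuthorizationRules $toContosoAuthzRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Quick check on your side: both trusts exist, are enabled, and the app lists the partner.
Get-AdfsClaimsProviderTrust -Name 'Fabrikam (partner)' | Select-Object Name, Enabled, Identifier
Get-AdfsRelyingPartyTrust -Name 'Contoso Web App' | Select-Object Name, Enabled, ClaimsProviderName
```

Two points worth keeping in mind when adapting this. Metadata monitoring with auto-update is what keeps the trust working across the partner's token-signing certificate rollover; without it the federation breaks silently when their certificate changes. And the acceptance rule on the claims provider trust is where you decide how much you trust the partner's STS: anything it can assert that you pass through unfiltered, it can assert about your users too, so constrain the values (as the UPN-suffix regex does) rather than using a pass-through-all template.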
  • The partner organization is hoping they do not have to set up ADFS on their side; they are hoping that their Azure AD Connect would be enough to set up the connection. So is that a possibility, yes or no? And if it is, can the explanation be clearer, because I am still new to this and the use of acronyms is not helping.
    Tuesday, October 2, 2018 6:45 PM
  • If you moved your application to Azure as an App Service and your users were in Azure AD and the application was set up to allow multi-tenancy, then your partner organisation could access the application by means of being added as a guest from their Azure AD tenant to your Azure AD tenant.

    This way they do not need ADFS.

    AAD Connect syncs users from AD up to Azure AD. It has nothing to do with ADFS per se.

    Your partner needs ADFS so they can log into your application with their credentials.

    Or you can put your application on the Internet and add their users to your AD. That is not recommended.



    • Edited by nzpcmad1 Tuesday, October 2, 2018 11:03 PM
    Tuesday, October 2, 2018 11:02 PM