ADFS & SAML in resource forest

  • Question

  • 2 forests:


    Users log on to user.com
    Resource.com contains Exchange (disabled user accounts, and mailboxes).
    2-way forest trust in place.

    New cloud-based service (supports SAML) will be implemented.

    ADFS needs to be implemented for SSO. Preference is to build ADFS servers in resource.com (company policy).

    1. Will ADFS SSO work in this case if the user accounts are disabled in resource.com? ADFS supports multi-forest, but are there any gotchas in this scenario?

    2. Can I get the ADFS server in resource.com to authenticate against the DCs in user.com (since that's where the enabled user accounts are)?

    3. Or can I get the ADFS server in resource.com to authenticate against the DCs in resource.com (as I have the extended attributes there and can use the email address), but ignore the fact that these accounts are disabled?

    • Edited by adtechad Monday, March 4, 2019 10:47 AM
    Monday, March 4, 2019 10:41 AM


  • 1. Disabled accounts do not authenticate.

    2. For enabled users, as long as Windows authentication works (here it will because of the 2-way trust), ADFS will be able to authenticate (note that you can also make it work without a trust by creating an LDAP claim provider for the other forest, but then you'll have no SSO).

    3. I am not sure why you bring these disabled accounts into the question. They seem to exist for Exchange. ADFS is agnostic of the Exchange configuration; it cares only about the actual users authenticating.


    Tuesday, March 5, 2019 12:53 PM
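As an added example (not code from either poster), the pre-flight check and relying-party claim rules a practitioner would want before trusting point 2 of the answer. It is run from the ADFS server in resource.com and assumes hypothetical names: the forests user.com and resource.com from the question, a SAML relying party already registered in ADFS under the display name "CloudApp", and a constructed list of UPNs. It also assumes, as stated in the comments, that ADFS's built-in "Active Directory" attribute store looks up the authenticated user's own domain over the trust, so the mail attribute must be populated on the enabled user.com account and not only on its disabled resource.com twin.

```powershell
# Added example, not from the original thread.
# Pre-flight check for ADFS SSO in a resource-forest layout, run on the
# ADFS server in resource.com with the ActiveDirectory and ADFS modules.
Import-Module ActiveDirectory

$UserForest     = 'user.com'       # enabled logon accounts live here (from the question)
$ResourceForest = 'resource.com'   # disabled, mailbox-bearing twins live here
$RelyingParty   = 'CloudApp'       # hypothetical display name of the SAML relying party

# Constructed sample input: the users to be onboarded to the SAML service.
$SampleUsers = @('alice@user.com', 'bob@user.com')

function Test-ResourceForestUser {
    param([Parameter(Mandatory)][string]$Upn)

    # The account that actually authenticates is the enabled one in user.com,
    # reached over the two-way trust; -Server points Get-ADUser at that forest.
    $userAccount = Get-ADUser -Server $UserForest -Filter "userPrincipalName -eq '$Upn'" `
                              -Properties Enabled, mail -ErrorAction SilentlyContinue

    # The resource.com twin carries the Exchange attributes but is disabled, so it
    # never authenticates; it is only a place the 'mail' value could be copied from.
    $sam = ($Upn -split '@')[0]
    $resAccount = Get-ADUser -Server $ResourceForest -Filter "sAMAccountName -eq '$sam'" `
                             -Properties Enabled, mail -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Upn               = $Upn
        UserForestFound   = [bool]$userAccount
        UserForestEnabled = $(if ($userAccount) { $userAccount.Enabled } else { $false })
        UserForestMail    = $(if ($userAccount) { $userAccount.mail } else { $null })
        ResourceDisabled  = $(if ($resAccount) { -not $resAccount.Enabled } else { $null })
        ResourceMail      = $(if ($resAccount) { $resAccount.mail } else { $null })
        # Ready means: an enabled logon account exists AND it carries the address the
        # SAML NameID is built from. Assumption: the ADFS "Active Directory" attribute
        # store queries the authenticated user's own domain, so mail present only on
        # the disabled resource.com twin would yield an empty claim.
        Ready             = [bool]$userAccount -and $userAccount.Enabled -and
                            -not [string]::IsNullOrEmpty($userAccount.mail)
    }
}

# Issuance rules for the SAML relying party: read 'mail' for the authenticated
# Windows account, then emit it as a SAML NameID in emailAddress format.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "mail from the authenticated user's forest"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "emailaddress to SAML NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

function Set-CloudAppClaimRules {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Rules)
    if (-not (Get-AdfsRelyingPartyTrust -Name $Name -ErrorAction SilentlyContinue)) {
        throw "Relying party trust '$Name' is not registered in ADFS."
    }
    Set-AdfsRelyingPartyTrust -TargetName $Name -IssuanceTransformRules $Rules
}

# Main flow: report per user, and only touch the relying party when every user is ready.
$results = $SampleUsers | ForEach-Object { Test-ResourceForestUser -Upn $_ }
$results | Format-Table Upn, UserForestEnabled, UserForestMail, ResourceDisabled, Ready -AutoSize

if ($results | Where-Object { -not $_.Ready }) {
    Write-Warning 'Some users have no enabled user.com account with mail populated; fix AD before enabling SSO.'
} else {
    Set-CloudAppClaimRules -Name $RelyingParty -Rules $IssuanceRules
}
```

The check turns question 1 into something measurable: a user is only "Ready" when the enabled account in user.com exists and carries the mail value, which is what the NameID rule queries. The disabled resource.com twin is reported for comparison only; as the answer says, it never authenticates and ADFS does not need it.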