Single office 365 tenant - multi forest without trust - single sign-on

  • Question

  • Hi there,

    I have one single Office 365 tenant and two forests, a.local and b.local. The current ADFS farm provides single sign-on for forest a.local to the single Office 365 tenant.

    I have one request to add single sign-on for forest b.local users to the same single Office 365 tenant. Can this be done?

    Do I have to set up a new ADFS farm on forest b.local to provide single sign-on from forest b.local to the existing Office 365 tenant?

    Regards,

    T

    Thursday, March 15, 2018 4:50 AM

All replies

  • Hi, there are a lot of possibilities for this answer.

    1. Yes, you could set up a new ADFS farm for b.local. You would then probably need to establish a relationship between b.local's and a.local's farms so that a.local's relying party trust could be used for b.local. I have not seen it done, but James Craddock discussed a similar approach at TechNet a few years back. It would be important to make sure that the domain names used in each domain were unique to each domain.
    2. You could establish a trust between a.local and b.local and use a.local's ADFS farm.
    3. How are you synchronizing the directories? This might indicate which would be the best path for you.

    Thanks

    Friday, March 16, 2018 5:12 PM
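Whichever option is chosen, the tenant ends up with more than one federated domain, and the reply's point about domain names being unique applies to the federation settings too. The script below is an added example (not from either poster) that lists every federated domain in the tenant with its issuer and sign-in endpoint and flags any issuer URI that two domains share. It assumes the MSOnline PowerShell module is installed and that the account used can read tenant domain settings.

```powershell
# Added example: audit the federated domains of one Office 365 tenant before
# adding a second ADFS farm (e.g. for b.local). Assumes the MSOnline module.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in with a tenant admin/reader account

# Only domains whose Authentication is 'Federated' have ADFS settings.
$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }

$report = foreach ($d in $federated) {
    $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
    [pscustomobject]@{
        Domain              = $d.Name
        Status              = $d.Status
        IssuerUri           = $fs.IssuerUri
        PassiveLogOnUri     = $fs.PassiveLogOnUri
        FederationBrandName = $fs.FederationBrandName
    }
}

$report | Format-Table -AutoSize

# Azure AD requires a distinct IssuerUri per federated domain; a second farm
# that reuses a.local's issuer would be rejected, so surface any collision.
$report | Group-Object IssuerUri | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("IssuerUri '{0}' is shared by: {1}" -f $_.Name, ($_.Group.Domain -join ', '))
}
```

Run it again after federating the b.local domain to confirm the new entry shows its own farm's endpoints and no warning is printed.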