Single Sign On using ADFS for multiple domains using same ADFS server

  • Question

  • Hi Team,

    We currently have an O365 tenant. We have a local AD server from which we have synced one domain, e.g. abc.com, to O365 using AAD Connect. We have also set up single sign-on using ADFS and ADFS proxy for O365, which works fine.

    Now we have one more domain, e.g. xyz.com, in our local AD, for which the users are synced using the same AAD Connect server; however, these users are not configured for SSO using ADFS. They sign in directly to O365 using their on-premises password, which is synced to O365 using AAD Connect.

    We want to enable SSO authentication of the users from the xyz.com domain using the same ADFS and ADFS proxy server.

    Please let me know if this can be achieved. Can someone please guide me on the steps as well?

    Tuesday, January 10, 2017 1:06 PM

Answers

All replies

  • Are both domains in the same O365 tenant? If so, you simply need to recreate the Office 365 RPT using the SupportMultipleDomain switch: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-multiple-domains
    • Proposed as answer by David Wang_ Wednesday, January 11, 2017 6:28 AM
    • Marked as answer by Mits_J9 Friday, February 17, 2017 5:35 AM
    Tuesday, January 10, 2017 8:07 PM
  • Yes, both domains are in the same O365 tenant.

    Do we need to configure anything on the AAD Connect server as well?

    Is there a need to modify the SSL certificates as well?

    Wednesday, January 11, 2017 7:18 AM
  • If AAD Connect is configured to sync both domains to O365, you're fine. You don't need any changes to the certificate either, unless you decide to change the AD FS endpoint.
    Wednesday, January 11, 2017 7:52 AM
  • Hi Vasil,

    Can you please explain to me what exactly the ADFS endpoint means?

    Is there anything we need to reconfigure on the claim rules as well?

    Will there be any Outlook disconnection for the users in both of the federated domains?

    Is there any rollback option in case there is an issue?

    Thursday, January 12, 2017 8:01 AM
  • I mean the URL on which the AD FS server listens, and where O365 will redirect the login request to. The publicly trusted certificate is needed for this part; any other certificates can be self-signed.

    Claims rule changes will be made automatically after you run the cmdlet with the SupportMultipleDomain switch; it's explained in the article.

    Rollback is similar to the single-domain case: you simply need to run the cmdlet for all domains you want reverted back to managed auth.

    • Proposed as answer by David Wang_ Wednesday, February 1, 2017 3:10 AM
    Thursday, January 12, 2017 12:01 PM
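    The procedure the two replies above describe (recreate the Office 365 RPT with the SupportMultipleDomain switch, check that the claim rules were rewritten, keep the per-domain rollback ready), written out as an added PowerShell example; this is not code from the thread or from Microsoft's article. It assumes the MSOnline and ADFS modules, abc.com already federated, xyz.com currently managed, and a placeholder primary AD FS host name of adfs01.abc.com.

    ```powershell
    # Added example, not from the thread. Assumptions: MSOnline + ADFS modules present,
    # abc.com already federated, xyz.com managed, AD FS primary = adfs01.abc.com (placeholder).
    Import-Module MSOnline
    Connect-MsolService                                   # prompts for a Global Admin credential
    Set-MsolADFSContext -Computer 'adfs01.abc.com'        # placeholder: your primary AD FS server

    # 1. Record the current state: evidence for the change ticket and a baseline for rollback.
    Get-MsolDomain | Select-Object Name, Authentication | Format-Table -AutoSize
    $before = Get-MsolDomainFederationSettings -DomainName 'abc.com'
    Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform' |
        Export-Clixml -Path 'C:\temp\o365-rpt-backup.xml'   # placeholder path

    # 2. Recreate the Office 365 RPT with multi-domain support. Removing the RPT interrupts
    #    sign-in for abc.com until the next cmdlet recreates it, so do this in a maintenance window.
    Remove-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform'
    Update-MsolFederatedDomain -DomainName 'abc.com' -SupportMultipleDomain

    # 3. Convert the second domain from managed (synced password hash) to federated on the same RPT.
    Convert-MsolDomainToFederated -DomainName 'xyz.com' -SupportMultipleDomain

    # 4. Verify on the O365 side: both domains Federated, and a per-domain issuer URI
    #    (the SupportMultipleDomain switch makes the issuer depend on the UPN suffix).
    Get-MsolDomain | Where-Object Authentication -eq 'Federated' | Select-Object Name
    foreach ($d in 'abc.com', 'xyz.com') {
        Get-MsolDomainFederationSettings -DomainName $d |
            Select-Object @{ n = 'Domain'; e = { $d } }, IssuerUri, PassiveLogOnUri
    }
    "IssuerUri before: $($before.IssuerUri)"

    # 5. Verify on the AD FS side: the issuance transform rules were rewritten automatically,
    #    which is the "claims rule change" the thread refers to.
    $rpt = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
    $rpt.IssuanceTransformRules -split "`n" | Select-String -Pattern 'issuer'

    # 6. Rollback, run once per domain to revert it to managed authentication. Because the
    #    xyz.com users already sign in with a synced password hash, skipping user conversion
    #    avoids generating new temporary passwords (assumption: PHS stays enabled in AAD Connect).
    # Convert-MsolDomainToStandard -DomainName 'xyz.com' -SkipUserConversion $true `
    #     -PasswordFile 'C:\temp\xyz-passwords.txt'        # placeholder path
    ```

    Check that step 4 shows Federated for both domains before asking users to test; if it does not, the commented rollback in step 6 returns xyz.com to password-hash sign-in.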
  • Hi,
    How about the issue? Are the replies above helpful to you?
    If the issue is resolved, please also mark the helpful replies as answers so that someone who has a similar issue can find the solution as soon as possible.

    Best Regards,
    David Wang
    TechNet Community Support

    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, February 7, 2017 5:48 AM
  • Are both domains in the same O365 tenant? If so, you simply need to recreate the Office 365 RPT using the SupportMultipleDomain switch: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-multiple-domains

    Hi Vasil,

    What if the domains belong to different O365 tenants?

    Thanks,

    Ken

    Thursday, March 1, 2018 4:45 PM