Requirement: Need an SSO implementation using ADFS 3.0 for the Portal and CRM applications, for internal corporate users and external users.
1. External users use a personal email address as the username, e.g. srini@gmail.com.
2. Internal users use domain-specific usernames, e.g. domain\srini or srini@domain.com.
3. Separate Active Directory stores, i.e. one for internal users (stored in ADDS) and one for external users (stored in ADLDS), from a security perspective, and one single sign-on login page (ADFS) that works for users of both domains.
4. Both ADs are within the corporate network, not in the DMZ.
5. The OS is Windows Server 2012 R2.
6. ADLDS can be replaced with ADDS to make it compatible with ADFS 3.0.
Challenges:
1. The ADFS single sign-on page has to handle both types of users, i.e. an internal user will enter domain\srini and an external user will enter srini@gmail.com, so ADFS must validate against the respective domain for each username type without compromising SSO fundamentals.
2. It is not acceptable to build a trust between ADDS (internal) and ADLDS/ADDS (external) due to security concerns.
3. Not willing to buy Windows Server 2016, so ADFS 4.0 is ruled out.
4. No cloud technology.
Is there any Microsoft middleware solution that sits between ADFS and the two ADs and could achieve this scenario, or any other solution that is fit for purpose given the above requirements and challenges? Any help would be highly appreciated.
Thanks for your reply. I did it, but it's not possible without building a trust between both Active Directories, and one of the challenges is point no. 2. I'm not sure how critical it is from a security perspective.
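One way to fit the constraints in the question (ADFS 3.0 on Windows Server 2012 R2, a second ADDS forest in place of ADLDS as requirement 6 allows, no forest trust, no cloud) is to run one ADFS 3.0 farm per forest and connect them with a claims provider trust, which is a trust between the two federation services only, not an Active Directory trust. The internal farm's home realm discovery page is customised so that the typed username decides which farm authenticates. This is an added example and not part of the original thread or a reply in it; the host names fs.corp.example and fs-ext.corp.example, the internal suffix corp.example, the theme name, the relying party names Portal and CRM, and the hrdArea element id are assumptions. The ADFS cmdlets, the HRD.selection() hook in onload.js and the "AD AUTHORITY" identifier for the local forest are the documented ADFS 3.0 interfaces.

```powershell
# Added example (not from the original thread). Assumed names:
#   fs.corp.example      internal ADFS 3.0 farm, joined to the internal ADDS forest
#   fs-ext.corp.example  external ADFS 3.0 farm, joined to a second ADDS forest
#                        (ADDS replaces ADLDS, as the requirement allows)
#   corp.example         the internal UPN / e-mail suffix
# Run as an ADFS administrator on the primary server of the internal farm.

Import-Module ADFS

# 1. Federate the two farms. A claims provider trust is a trust between the two
#    federation services (signed tokens); no AD forest or domain trust is created.
Add-AdfsClaimsProviderTrust -Name "External Users" `
    -MetadataUrl "https://fs-ext.corp.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# 2. Acceptance rules on that trust decide what the external farm may assert.
#    Pass through e-mail and name only, and refuse any e-mail with the internal
#    suffix so the external forest can never assert an internal identity.
$accept = @'
@RuleName = "Pass through e-mail, but never an internal address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
   Value !~ "(?i)@corp\.example$"]
 => issue(claim = c);

@RuleName = "Pass through display name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "External Users" -AcceptanceTransformRules $accept

# 3. Each relying party lists the claims providers it accepts.
#    "Active Directory" is the built-in provider for the local ADDS forest.
foreach ($rp in "Portal", "CRM") {
    Set-AdfsRelyingPartyTrust -TargetName $rp -ClaimsProviderName @("Active Directory", "External Users")
}

# 4. Home realm discovery: one entry page that routes on the typed username.
#    ADFS 3.0 exposes HRD.selection(<provider identifier>) to onload.js; the
#    local forest's identifier is "AD AUTHORITY".
$ext = Get-AdfsClaimsProviderTrust -Name "External Users"
$hrdScript = @"
// Added example. DOMAIN\user or user@corp.example stays on the local forest;
// any other e-mail suffix is sent to the external farm's sign-in page.
if (typeof HRD !== 'undefined') {
    var internalSuffixes = ['corp.example'];
    var localIdp = 'AD AUTHORITY';
    var externalIdp = '$($ext.Identifier)';
    // 'hrdArea' is an assumed element id; fall back to the body if it is absent.
    var host = document.getElementById('hrdArea') || document.body;
    var box = document.createElement('input');
    box.type = 'text';
    box.placeholder = 'user@domain or DOMAIN\\user';
    var btn = document.createElement('button');
    btn.appendChild(document.createTextNode('Continue'));
    host.insertBefore(btn, host.firstChild);
    host.insertBefore(box, host.firstChild);
    btn.onclick = function () {
        var v = box.value.trim();
        if (v.indexOf('\\') > 0) { HRD.selection(localIdp); return false; }
        var at = v.lastIndexOf('@');
        if (at < 1 || at === v.length - 1) { return false; } // not a usable name; stay here
        var suffix = v.substring(at + 1).toLowerCase();
        HRD.selection(internalSuffixes.indexOf(suffix) >= 0 ? localIdp : externalIdp);
        return false;
    };
}
"@

# 5. Put the script into a custom theme and activate it.
New-AdfsWebTheme -Name custom -SourceName default
Export-AdfsWebTheme -Name custom -DirectoryPath C:\adfs-theme
Add-Content -Path C:\adfs-theme\script\onload.js -Value $hrdScript -Encoding UTF8
Set-AdfsWebTheme -TargetName custom `
    -AdditionalFileUri @{ path = "/adfs/portal/script/onload.js"; uri = "C:\adfs-theme\script\onload.js" }
# Do not remember the realm choice in a cookie: a shared PC would otherwise stick to one farm.
Set-AdfsWebConfig -ActiveThemeName custom -HRDCookieEnabled $false
```

Two caveats a reviewer should raise against this design. First, the typed suffix only chooses which farm shows the credential prompt; it is not an authentication decision, so the security boundary is the acceptance rule set in step 2, which is why the rule refuses any e-mail claim carrying the internal suffix. Second, external users are redirected to the external farm's own sign-in page after the HRD step (and type their name a second time), so the "one login page" requirement is met for the entry point but not for the password prompt itself, and the external farm must be reachable by those users' browsers (typically through a Web Application Proxy) and its metadata URL reachable from the internal ADFS servers. ADFS on Windows Server 2016 does this suffix routing natively on the claims provider trust, which is the capability the question loses by staying on 2012 R2.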