SSO implementation using ADFS 3.0, ADDS and ADLDS/ADDS

  • Question

  • Hi,

    Requirement: Need SSO implementation using ADFS 3.0 for Portal and CRM applications for internal corporate users and external users

    1. External users use a personal email address as username, e.g. srini@gmail.com
    2. Internal users use domain-specific usernames, e.g. domain\srini or srini@domain.com
    3. Separate Active Directory stores, i.e. one for internal users (stored in ADDS) and one for external users (stored in ADLDS), for security reasons, and one single sign-on login page (ADFS) that works for both sets of users.
    4. Both ADs are within the corporate network, not the DMZ.
    5. OS is Windows Server 2012 R2.
    6. ADLDS can be replaced with ADDS to make it compatible with ADFS 3.0.

    Challenges:

    1. The ADFS single sign-on page has to handle both types of users, i.e. an internal user will enter domain\srini while an external user will enter srini@gmail.com, and hence ADFS must validate against the respective directory for each username type without compromising SSO fundamentals.
    2. Not acceptable to build a trust between ADDS (internal) and ADLDS/ADDS (external) due to security concerns.
    3. Not willing to buy Windows Server 2016, and hence ADFS 4.0 is ruled out.
    4. No cloud technology.

    Is there any Microsoft middleware solution between ADFS and the two ADs that could help achieve this scenario, or any other solution that is fit for purpose for the above requirements and challenges? Any help would be highly appreciated.

    Thursday, November 16, 2017 6:50 PM

All replies

  • If you can go with AD DS, you can use alternate login (set to email).
    Thursday, November 16, 2017 7:55 PM
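What the alternate login suggestion looks like in practice, as an added PowerShell example that is not part of the thread; the forest name corp.example.com is a placeholder, and the commands assume an ADFS 3.0 server on Windows Server 2012 R2 with the ADFS module available:

```powershell
# Added example (not from the thread): configure ADFS 3.0 Alternate Login ID so users can sign in
# with the value of their AD "mail" attribute instead of UPN or domain\username.
# Assumption: run on the ADFS server as an ADFS administrator; "corp.example.com" is a placeholder.

Import-Module ADFS

# Point the built-in Active Directory claims provider at the mail attribute.
# Every forest listed in -LookupForests must be reachable and queryable by the ADFS
# service account, which is why a second, untrusted directory cannot simply be added here.
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" `
    -AlternateLoginID mail `
    -LookupForests "corp.example.com"

# Verify that the setting took effect before testing sign-in.
$cp = Get-AdfsClaimsProviderTrust -Identifier "AD AUTHORITY"
"AlternateLoginID : $($cp.AlternateLoginID)"
"LookupForests    : $($cp.LookupForests -join ', ')"

# To revert to UPN / sAMAccountName sign-in, clear both values:
# Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID $null -LookupForests $null
```

Alternate Login ID only changes which attribute ADFS searches; it still authenticates against the forests it can reach, so it does not by itself bridge two directories that have no trust between them.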
  • Thanks for your reply. I did it, but it's not possible without building a trust between both Active Directories, and one of the challenges is point no. 2. I'm not sure how critical it is from a security perspective.

    Friday, November 17, 2017 3:03 PM