ADFS SSO Question

  • Question


  • Scenario

    • Client has a single AD Forest with multiple child domains for each of their regions (N. America, Japan, Europe, etc.)
    • Client has a distributed IT model where each AD child domain has their own IT team
    • Client would like to deploy an ADFS farm in each child domain and allow that domain’s IT team to manage their own ADFS servers, relying party trusts, etc.
    • Each AD child domain has a .local suffix (ex: japan.xxx.local)
    • Client users currently have a UPN unique for their child domain (ex: user1@japan.xxx.local)
    • Client users all have the same SMTP domain (ex: user1@xxx.com)


    Desire / Requirement

    • Client would like each of their users to authenticate to their AD Child Domain using their email address and then have ADFS provide a SSO experience to SaaS application (ex: Salesforce).


    Concern/Problem

    • Is this possible? The concern is that the UPN logon wouldn't be the same as the SMTP address. Would changing each user's default UPN to match their email address be a solution? What other gotchas are there?

    Configmanagerguru www.configmanagerguru.com


    Tuesday, December 13, 2016 1:56 AM

Answers

  • You can use an alternate ID for login, which could be the email address as long as it is unique throughout the forest. This is described here: Configuring Alternate Login ID https://technet.microsoft.com/en-us/library/dn659436.aspx

    Note that it has side effects on Office 365, so ultimately, having the UPN match the email address might also help in that matter. Well, if Office 365 isn't in the picture so far, you can go for the alternate ID.

    Note that internal clients on domain-joined machines using Windows Integrated Authentication will not type anything, since they will have Windows SSO.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, December 13, 2016 5:03 AM
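The two options discussed above (Alternate Login ID, or changing the UPN to match the mail address), as an added worked example that is not part of the original thread. It assumes the forest root is xxx.local, the public SMTP suffix is xxx.com, and the script runs on the primary ADFS server with the ActiveDirectory and ADFS modules available; the uniqueness check runs first because Alternate Login ID requires the mail value to be unique across the whole forest.

```powershell
# Added example, not from the original post. Assumed names: forest xxx.local, SMTP suffix xxx.com.
# Run on the primary ADFS server as a member of the ADFS administrators group.

# 1. Alternate Login ID only works if the attribute is unique forest-wide.
#    Query a global catalog (port 3268) so users from every child domain are included.
$gc = 'xxx.local:3268'
$dupes = Get-ADUser -Server $gc -LDAPFilter '(mail=*)' -Properties mail |
    Group-Object -Property mail |
    Where-Object { $_.Count -gt 1 }

if ($dupes) {
    $dupes | ForEach-Object { Write-Warning "Duplicate mail value: $($_.Name) ($($_.Count) accounts)" }
    throw 'Resolve duplicate mail values before enabling Alternate Login ID.'
}

# 2. Option A: Alternate Login ID on the AD claims provider trust.
#    -LookupForests takes the forest DNS name(s) ADFS searches with the alternate ID;
#    one forest entry covers all of its child domains.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' `
    -AlternateLoginID mail `
    -LookupForests 'xxx.local'

# Verify the setting took effect.
Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' |
    Select-Object Name, AlternateLoginID, LookupForests

# To revert Option A, clear both parameters:
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null

# 3. Option B (the alternative raised in the question): make the UPN match the mail address.
#    The suffix must be registered on the forest before any UPN can use it; then each user's
#    UPN is set to the mail value. Shown here for one child domain; run per domain as needed.
Set-ADForest -Identity 'xxx.local' -UPNSuffixes @{ Add = 'xxx.com' }

Get-ADUser -Server 'japan.xxx.local' -LDAPFilter '(mail=*@xxx.com)' -Properties mail |
    Where-Object { $_.UserPrincipalName -ne $_.mail } |
    ForEach-Object {
        # -WhatIf first; drop it once the preview looks right.
        Set-ADUser -Identity $_ -UserPrincipalName $_.mail -WhatIf
    }
```

Only one of the two options is needed; the uniqueness check applies to both, since a duplicate mail value also blocks Option B (UPNs must be unique in the forest).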