ADFS compatibility

  • Question

  • Hello Team, 

    I am concerned that I do not understand the compatibility of ADFS and hope that someone can clarify things for me. 

    1. Will ADFS 2.0 work with ADFS 3.0? 

    2. If not, can Server 2008 R2 be upgraded to ADFS 2.1, or does 2.1 only work with 2012? 

    Thank you!

    Wednesday, April 27, 2016 12:29 PM

Answers

  • 1. YES (but tell me EXACTLY what you wish to do and I can give you a much more qualified answer!)

    2. No. ADFS 2.1 comes with Windows Server 2012. And ADFS 3.0 comes with Windows Server 2012 R2.

    And... as you probably know, with Windows Server 2008 R2 you get ADFS 1.1, BUT you can download and install ADFS 2.0.
    Wednesday, April 27, 2016 2:49 PM
  • So then if I understand you correctly you have ADFS 2.0 and your vendor has ADFS 3.0?

    Then it should work like a charm :-)

    As far as I know you cannot restrict the use of ADFS to one particular OU in your Active Directory but you can do either of the following:

    A. Create an AD group and add the members that should be able to use a particular Relying Party Trust in your ADFS (towards that vendor). On the Relying Party Trust in your ADFS, in the Issuance Authorization Rules tab, remove the default "Permit All" rule and create two new rules: one that looks up all groups that the user is a member of, and a second rule that issues a "Permit" if they are a member of the group you are using to control access.

    A will just make ADFS show a general "Access Denied" error and most users interpret this as "OOPS! Something is out of order"... I think the error even says something like "Try again later" as if that would make any difference.

    B. Create an AD group and add members so that if they are a member they get a certain Claim Type issued (Issuance Transform Rules tab) in their SAML Token, and then let the vendor perform authorization (if the Claim Type exists allow, if the Claim Type doesn't exist deny access).

    B is best practice and the preferred method if supported by your vendor (application). The application web site could be designed to display a user-friendly message such as "You do not have access. Please contact Helpdesk at number so-and-so etc. if you need access".


    Wednesday, April 27, 2016 5:53 PM
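The two options in the answer above, written out as claim rules and applied with the ADFS PowerShell cmdlets. This is an added example, not code from the original thread or from Microsoft; the trust name "Vendor Portal", the AD group "VendorPortal-Users" and the role value "VendorPortalUser" are assumed placeholders.

```powershell
# Added example, not from the original thread. Applies option A (issuance
# authorization rules) and option B (an issuance transform rule) from the
# answer above to one relying party trust with the ADFS cmdlets.
# Assumed placeholders: the trust name "Vendor Portal", the AD group
# "VendorPortal-Users" and the role value "VendorPortalUser". Change them.

# ADFS 2.0 exposes the cmdlets as a snap-in; ADFS 2.1 and 3.0 ship an ADFS module.
if (-not (Get-Command Set-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    try   { Import-Module ADFS -ErrorAction Stop }
    catch { Add-PSSnapin Microsoft.Adfs.PowerShell }
}

$rpName    = 'Vendor Portal'        # assumed relying party trust display name
$groupName = 'VendorPortal-Users'   # assumed AD group that controls access

# Rule 1: look up the user's groups (tokenGroups) and add them to the pipeline as
# intermediate claims. add() puts nothing into the token on its own.
$lookupGroups = @'
@RuleName = "Look up the user's AD groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
'@

# Option A, rule 2: issue a Permit claim only for members of the group.
# Setting IssuanceAuthorizationRules replaces the whole set, so the default
# "Permit Access to All Users" rule is gone once this is applied; everyone
# without a Permit claim gets the generic ADFS access-denied page.
$permitRule = @"
@RuleName = "Permit members of $groupName"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "$groupName"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
$authzRules = $lookupGroups + "`n" + $permitRule

# Option B: issue a role claim for group members and let the application
# authorize on it. Transform rules are a separate rule set, so the group
# lookup is repeated here, and the existing transform rules (NameID, email, ...)
# are read back and kept, otherwise Set- would drop them.
$roleRule = @"
@RuleName = "Issue vendor role claim to members of $groupName"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "$groupName"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role", Value = "VendorPortalUser");
"@
$existingTransform = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$transformRules    = ($existingTransform, $lookupGroups, $roleRule) -join "`n"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $authzRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules    $transformRules

# Verify what is now on the trust.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, IssuanceAuthorizationRules, IssuanceTransformRules |
    Format-List
```

Two caveats worth keeping in mind. tokenGroups returns group names, so renaming the group silently breaks both rules; matching the groupsid claim against the group's SID instead survives renames. And option B only restricts access if the vendor actually enforces on the role claim; until that is confirmed, leaving option A in place as well means an unauthorized user is stopped at ADFS rather than let into the portal.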

All replies

  • Thank you for the information that was very helpful. 

    The short (and not so technical) version is that we have a vendor that we want our users to be able to SSO into their portal.

    While speaking to the project owner I found out some more requests that I will be researching, such as whether we can limit it to an OU or it is the whole of AD. 

    Wednesday, April 27, 2016 5:20 PM
  • Moloko you have become my personal hero today, thank you!
    Wednesday, April 27, 2016 6:04 PM