ADFS 3.0 Trusting issue between two organizations

  • Question

  • Hi,

    I am working on ADFS 3.0 and testing features of ADFS in a lab. I have created two different organizations (Account and Resource) and deployed a test claims-aware application in the Resource org. After creating a relying party trust between both orgs, I am facing an issue: while an Account org user tries to access the Resource org web SSO application through ADFS, it is not resolving the web application URL and gives an "unable to find URL" error. If I make an entry in the system hosts file for this web application then it gets resolved, but I think it is directly accessing this site and bypassing the ADFS environment. Can you please help me understand this two-organization trust in ADFS 3.0: after creating the relying party trust and adding the identifier, is there any need to create a forest-level trust between both organizations or not? If not, then how will the Account org user resolve the Resource org web site name? If yes, then please let me know how?

    Thanks 

    Monday, April 7, 2014 7:10 AM

Answers

  • Hiya,

    ADFS is designed to provide identity validation across normal identity directory boundaries. That is, ADFS should not be used within the same directory, but between two directories. It provides the ability to authenticate across domains, without creating domain trusts. You do need to create a trust between the two federators. That is done using Relying party / Identity Provider configurations.

    The referenced link might give you an understanding of the basics of ADFS infrastructure. This does not represent the authentication flow, but configurations.

    http://jesperarnecke.wordpress.com/2014/03/28/identity-federation-infrastructure-overview/

    • Proposed as answer by pbbergs [MSFT] Monday, April 7, 2014 12:03 PM
    • Marked as answer by Amy Wang_ Monday, April 14, 2014 6:05 AM
    Monday, April 7, 2014 11:02 AM

All replies

  • Hi Jesper Arnecke,

    I am still having confusion on this. I have created a relying party trust between two different Active Directory organizations. Now please let me know whether I have to create a forest-level trust between both organizations or it is not required?

    Pavan S

    Monday, April 28, 2014 7:37 AM
  • Hiya,

    First of all, it's Identity Provider in one direction and Relying Party in the other direction. It's not relying party in both directions.

    Secondly, you do not need to create ANY forest trust between the domains if your authentication is using AD FS. The objective of AD FS is to provide cross-domain authentication. The trust is between the two identity federation services (AD FS servers).

    Monday, April 28, 2014 8:16 AM
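One way to lay out the two-direction trust described in the reply above, plus the DNS check the original question is really about, as an added example in the AD FS PowerShell module (this is not code from any poster in the thread). The hostnames and the claim rules are constructed placeholders; adjust them to your lab.

```powershell
# Added example: the AD FS trust runs in two directions and does not replace DNS.
# Hostnames below are constructed placeholders, not values from the thread.
$accountFs  = 'fs.account.example'    # Account org AD FS (the identity provider side)
$resourceFs = 'fs.resource.example'   # Resource org AD FS (fronts the claims-aware app)
$appUrl     = 'https://app.resource.example/'

# 1) On the ACCOUNT org AD FS server: the resource org federation service is a Relying Party.
Add-AdfsRelyingPartyTrust -Name 'Resource Org Federation Service' `
    -MetadataUrl "https://$resourceFs/FederationMetadata/2007-06/FederationMetadata.xml" `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -IssuanceTransformRules @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# 2) On the RESOURCE org AD FS server: the account org federation service is a
#    Claims Provider (Identity Provider), and the application itself is a Relying Party.
#    No forest trust is involved anywhere in this setup.
Add-AdfsClaimsProviderTrust -Name 'Account Org Federation Service' `
    -MetadataUrl "https://$accountFs/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules 'c:[] => issue(claim = c);'   # lab pass-through; scope to expected claim types outside a lab

Add-AdfsRelyingPartyTrust -Name 'Claims-aware test app' `
    -Identifier $appUrl -WSFedEndpoint $appUrl `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -IssuanceTransformRules 'c:[] => issue(claim = c);'

# 3) Name resolution is NOT provided by the federation trust. From an Account org client,
#    both the resource federation service and the app host must resolve in DNS (public
#    DNS or a conditional forwarder), otherwise the browser is redirected to a name it
#    cannot reach. A hosts-file entry only hides this; check DNS itself:
foreach ($name in @($resourceFs, ([Uri]$appUrl).Host)) {
    try {
        $rec = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop
        Write-Output ("{0} -> {1}" -f $name, ($rec.IPAddress -join ', '))
    } catch {
        Write-Warning "$name does not resolve via DNS; the SSO redirect will fail from this client."
    }
}
```

The sign-in still flows through both AD FS servers: the app redirects to the resource AD FS, which (via home realm discovery) redirects to the account AD FS, so every hostname in that chain has to be resolvable by the account org client.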