locked
Single Relying Party for multiple child domains? RRS feed

  • Question

  • Is it possible to configure a single Relying Party that can support multiple sub-domains?  For example, suppose I have a TLD of mydomain.com and configure a relying party entry for https://www.mydomain.com.  Is it possible to edit the RP configuration to allow www.child.domain.com to share the same authentication token from the same RP configuration?  Or do I need to create a separate RP configuration entry for each child domain?
    Wednesday, April 26, 2017 9:29 PM

All replies

  • The Relying Party is agnostic of the domain configuration. As long as the STS (ADFS in your case) gives a valid token to the user, it is good enough. The ADFS can authenticate any users which are in a trusted domain (same forest or bi-directional external trust).

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Monday, May 1, 2017 2:55 AM
  • Thank for the response, but I was asking more about the federation realm, sorry I didn't make that more clear.  My back-end domain is a single domain but I am trying to understand how to properly handle federation trusts for websites under a parent domain.

    For example, a federation trust with domain parent.com which also handles authentication requests for websites in the child.parent.com sub-domain...

    Monday, May 1, 2017 10:28 PM
  • Does anyone have some info for me on this?  Really tying to understand if I need to have three different relying party trust configurations for www.domain.com, www.child1.domain.com, and www.child2.domain.com or if I can use the same RP for all three.

    Thanks!

    Monday, May 8, 2017 10:17 PM
  • Hey Chris,

    It is not clear why what you are asking wouldn't work out of the box. Your ADFS will have a fixed service name sts.yourdomain.com and your Service Provider can have an arbitrary URL. You can configure multiple endpoints for the same Relying Party so that if the Service provider has multiple subdomains they will all authenticate.

    When the ADFS generates a token, it will send an issuer claim that matches the service name of your ADFS. The UPN of the user can have any subdomain and the issuer will continue to be the same. So regardless of what context you bring up the subdomain - it should work with a single RP/ADFS service.

    There is one exception I can think of, and that is if you are overwriting your issuer value based on user data - the Office 365 relying party does this. In that case, you need to craft your issuer claim rule to ensure that the value you send matches the value expected by your Relying Party for the authentication attempt.

    For Office 365, this means ensuring that the issuer matches the parent domain of the UPN of the user logging in. See the link below for a rule that makes this work.

    https://blogs.technet.microsoft.com/abizerh/2013/02/05/supportmultipledomain-switch-when-managing-sso-to-office-365/

    Good luck!

    Shane

    Tuesday, May 9, 2017 1:24 AM