多域环境中的ADFS部署 [英] ADFS deployment in multi domain environment
问题描述
大家好,
我遇到一个客户问题。
他们希望将ADFS用于联合SSO,但他们现有的AD基础架构确实是有线的。
他们有一个父域作为parent.com,并且他们有两个子域:child1.parent.com和child2.parent.com。直到现在一切看起来都不错。看起来像一片森林。他们希望仅向parent.com域的一些
特权用户授予child1.parent.com用户SSO权限。
现在,他们已经收购了三家公司,他们拥有不同的森林,例如company1.com,company2.com和company3.com。这些域名并未归入其主要域名。
所以,现在,他们有4个独立的森林。由于他们开始为用户提供SSO服务,他们也希望向company2.com和company3.com用户提供SSO权限。
我已在一个林下部署了ADFS并配置了SSO,但这对我来说是新的。所以我确定了以下方法: -
1。他们应该将所有域名置于一个森林之下。 (这将使我的生活变得轻松,但似乎是一件昂贵的事情)
2。为每个林部署多个ADFS服务器。 (它将为同一服务(例如GoogleApps)创建多个IDP URL。
3。实现一些自定义解决方案并通过它集成所有Forests并使用自定义解决方案配置ADFS。 (需要大脑强调和定制开发。增加时间和成本)
4。使用林到林双向信任,并仅使用ADFS配置一个域。在内部,他们可以通过kerberose进行身份验证。 (似乎不错,但对可行性知之甚少)
请提供您经验丰富的宝贵建议。
我个人应该说:
1.为了让生活更轻松,但如果那是不可能的(我可以想象),请选择2.
$
2.为每个森林部署ADFS。为了避免使用多个IDP URL,您可以将4个ADFS服务器中的1个设置为某种"联合集线器",并将声明提供程序信任(联合)设置为其他3个ADFS服务器。
所以你有b
GoogleApps - 信任 - > ADFS#forest1
ADFS#forest1 - trusts - > ADFS#forest2
ADFS#forest1 - trusts - > ADFS#forest3
ADFS#forest1 - trusts - > ADFS #forest4
查看Jon的这篇博文中的第一张图片,使其更具视觉效果:http://blog.torresdal.net/2010/04/19 /家庭领域发现合WIF-和ADFS-2-0逐查询字符串/
Hi All,
I have one customer problem.
They want to use ADFS for Federated SSO but their existing AD infrastructure is really wired.
They have one parent domain as parent.com and under that they have two child domain: child1.parent.com and child2.parent.com. Till now everything looks good. Look like one forest. They want to give SSO privileges to child1.parent.com users only with some privileged users of parent.com domain.
Now, they had acquired three companies and they had their different forests e.g. company1.com, company2.com and company3.com. These domains they have not brought under their main parent domain.
So, now, they have 4 independent forests. As they are starting with SSO service for their users, they want to give SSO privileges to company2.com and company3.com users also.
I have deployed ADFS and configured SSO under one forest but this is something new for me. So I have identified the below approaches:-
1. They should bring all domains under one forest. (That will make my life easy but seems to be a costly affair)
2. Deploy multiple ADFS servers for each forests. (It will create more than one IDP URL for same service e.g. GoogleApps).
3. Implement some custom solution and integrate all the Forests through that and configure ADFS with custom solution. (Need brain stroming and custom development. Increase time and cost)
4. Use forest to forest bidirectional trust and configure only one domain with ADFS. Internally they can authenticate over kerberose. (Seems good option but do not know much about feasibility)
Please provide your experienced valuable suggestions.
Personally I should say:
1. To make your life easy, but if that is not possible (which I can imagine) go with 2.
2. Deploy ADFS for each forest. To avoid the multiple IDP url's you could setup 1 of the 4 ADFS servers as some kind of a "federation hub", with claim provider trusts (federations) towards the other 3 ADFS servers.
So you have
GoogleApps --trusts--> ADFS#forest1
ADFS#forest1--trusts--> ADFS#forest2
ADFS#forest1--trusts--> ADFS#forest3
ADFS#forest1--trusts--> ADFS#forest4
Check first picture in this blogpost from Jon which makes it a bit more visual: http://blog.torresdal.net/2010/04/19/home-realm-discovery-in-wif-and-adfs-2-0-by-query-string/
这篇关于多域环境中的ADFS部署的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
