I had several ADFS and Single Sign On (SSO) questions from a large university in northern California proceeding with Office 365 for Education for faculty, staff and students.
What servers do I need to accommodate single sign on (SSO) aka Federated ID?
The following on-premises servers are needed to accommodate SSO with Office 365:
Do we require ADFS proxies or can I just deploy an ADFS internal server?
Technically, you can get away with just ADFS servers and no proxy servers for Federated ID; however, we recommend you deploy ADFS proxies to protect your ADFS servers and to allow for client access restriction capabilities, such as denying access to email when off campus or IP filtering.
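As an added example (not from the original post), here is the kind of client access restriction the proxy makes possible: an issuance authorization rule on the Office 365 relying party trust that denies a token to clients whose request arrived through an ADFS proxy from outside a campus address range, applied with the ADFS 2.0 PowerShell snap-in. The campus address range and the backup file path are assumptions. The rule depends on the x-ms-proxy and x-ms-forwarded-client-ip request-context claims that an ADFS proxy inserts (added to ADFS 2.0 in Update Rollup 2), which is why proxies are needed for this kind of filtering.

```powershell
# Added example, not from the original post. The address range and backup path are assumptions.
# Run on an ADFS 2.0 federation server as a farm administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Campus public address space. 203.0.113.0/24 is a documentation range used as a placeholder.
# The claim value is matched as a regular expression, so anchor it and escape the dots.
$campusIpRegex = '^203\.0\.113\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$'

# Deny when the request came through a proxy (x-ms-proxy claim present) and the client
# address the proxy forwarded is not in the campus range. Requests that reach the
# federation servers directly from the intranet carry no x-ms-proxy claim and are unaffected.
$denyOffCampus = @"
@RuleName = "Deny Office 365 access from off-campus clients"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$campusIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep the default permit rule: ADFS evaluates all rules, and a deny claim wins over a permit,
# so on-campus and intranet users still get a token while off-campus requests are refused.
$permitAll = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Relying party trust created by Convert-MsolDomainToFederated.
$rpName = "Microsoft Office 365 Identity Platform"

# Save the current rule set before replacing it, so the change can be rolled back.
$existing = (Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
$existing | Out-File -FilePath ".\O365-IssuanceAuthorizationRules.backup.txt"

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules ($denyOffCampus + "`n" + $permitAll)

# Show the rules now in force.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two things to check before deploying a rule like this: the forwarded client address must be the real client address (a load balancer in front of the proxies that rewrites the source without passing it on will make every request look like it came from the load balancer), and clients whose token request is made on their behalf from the Internet, such as Outlook via Exchange Online as described later on this page, will carry the forwarding service's address rather than the user's. Microsoft's client access policy documentation handles those cases with additional rules keyed on the x-ms-client-application claim.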
Can I use TMG or UAG instead of an ADFS proxy server?
Currently, it is slated to be supported; however, the documentation is still being developed. In some cases, such as IP filtering, an ADFS proxy is still required in conjunction with UAG or TMG. There is some initial documentation here.
Is there an order they need to be installed?
Yes: configure ADFS and Federated ID first, then the Directory Sync server. You would think it is the other way around; however, things run better when ADFS is configured prior to DirSync.
Do I need full blown SQL Server with ADFS?
It depends on how you are going to implement ADFS and the total number of ADFS servers deployed. A stretched ADFS farm requires full SQL Server, and WID cannot scale beyond 5 ADFS servers, so a farm larger than that also requires SQL. See here for the differences between WID and SQL with ADFS, or here for topology choices for ADFS.
What versions of SQL are supported?
WID, SQL 2008 R2, SQL 2012.
How many ADFS servers do I need for Federated ID?
ADFS server sizing varies with load frequency, such as whether everyone will be logging in within a 15-minute interval or spread over an hour. The answer can range from 2 ADFS servers for 15,000 users with high availability under high load, or many more users depending on your load frequency.
See the ADFS sizing calculator here to help narrow it down.
Can I enable geo-redundancy with ADFS?
Yes, it is possible with SQL mirroring/replication to an alternate datacenter along with geo-aware load balancers.
What happens if ADFS is unavailable?
ADFS is required to access Office 365 when using Federated ID (SSO). You want to ensure you have redundant ADFS proxies and ADFS servers to reduce any downtime to the cloud.
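Because a federated tenant cannot sign in at all while ADFS is down, the redundancy recommended above is worth monitoring rather than assuming. The following is an added example (not from the original post) of a scheduled availability check: it confirms that each farm member and each proxy still answers on TCP 443, then fetches the federation metadata through the service name to confirm the farm as a whole is issuing metadata for the expected identifier. All hostnames are assumptions.

```powershell
# Added example, not from the original post. All hostnames are assumptions.
# Run from a monitoring host on a schedule (Windows 8 / Server 2012 or later for Test-NetConnection).
$federationHost = "sts.example.edu"                                  # public federation service name (placeholder)
$farmNodes  = @("adfs1.corp.example.edu", "adfs2.corp.example.edu")  # internal federation servers (placeholders)
$proxyNodes = @("adfsproxy1.example.edu", "adfsproxy2.example.edu")  # perimeter proxies (placeholders)

function Test-AdfsListener {
    param([string]$Node)
    # Test-NetConnection reports whether the TCP handshake to the node's HTTPS port succeeded.
    $r = Test-NetConnection -ComputerName $Node -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Node = $Node; Port443 = $r.TcpTestSucceeded }
}

function Test-FederationService {
    param([string]$ServiceHost)
    # Federation metadata is served without authentication by every ADFS deployment.
    $url = "https://$ServiceHost/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        [xml]$md = $resp.Content
        # The entityID is the federation service identifier (http://<service>/adfs/services/trust);
        # a different value means DNS or a load balancer is sending clients to another farm.
        $entityId = $md.EntityDescriptor.entityID
        $healthy = ($resp.StatusCode -eq 200) -and ($entityId -like "*$ServiceHost*")
        [pscustomobject]@{ Service = $ServiceHost; Healthy = $healthy; Detail = $entityId }
    } catch {
        [pscustomobject]@{ Service = $ServiceHost; Healthy = $false; Detail = $_.Exception.Message }
    }
}

$results = @()
$results += $farmNodes  | ForEach-Object { Test-AdfsListener -Node $_ }
$results += $proxyNodes | ForEach-Object { Test-AdfsListener -Node $_ }
$results | Format-Table -AutoSize

$service = Test-FederationService -ServiceHost $federationHost
$service | Format-List

# Alert when redundancy is lost, not only when sign-in is already failing: one dead node
# out of two is the moment to act, before the remaining one fails as well.
$deadFarm  = @($results | Where-Object { $farmNodes  -contains $_.Node -and -not $_.Port443 }).Count
$deadProxy = @($results | Where-Object { $proxyNodes -contains $_.Node -and -not $_.Port443 }).Count
if (-not $service.Healthy) { Write-Warning "Federation service $federationHost is not returning valid metadata" }
if ($deadFarm -gt 0 -or $deadProxy -gt 0) { Write-Warning "Redundancy reduced: $deadFarm farm node(s) and $deadProxy proxy node(s) unreachable on 443" }
```

Running the metadata check from both the campus network and an external host covers both paths users depend on: intranet browsers reach the farm directly, while Internet clients and Exchange Online reach it through the proxies.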
What type of hardware do I need for ADFS?
Make sure you do not underspec your ADFS servers as it does require some horsepower to run effectively:
Federation Service Server
· Dual Quad Core 2.27GHz (8 cores)
· 16GB RAM
· Gigabit Network
Federation Service Proxy Server
· Quad Core 2.24GHz (4 cores)
· 4GB RAM
Where can I get more information on deploying ADFS?
There is a good ADFS deployment guide here and an O365 ADFS deployment checklist here.
What version of Windows Server, Standard or Enterprise, should be installed? I am assuming Windows Server 2008 R2 64-bit. And are there any drive configuration requirements?
Any Windows Server 2008 OS version can work with ADFS 2.0. 64-bit is recommended. See here: support.microsoft.com/.../974408
Thanks for that image about transactional replication. Is there more documentation available on how to setup the replication for ADFS or is it very basic transactional replication?
Need SQL instead of default WID for ADFS:
Federation Server Farm Using SQL Server
High Availability Solutions Overview
Your SQL server would be mirrored from your datacenter to a DR (Disaster Recovery) datacenter. An NLB directs traffic between the two sites.
ADFS 2.0 High Availability and High Resiliency Walkthrough
Enhancing Federation Services for Internal and External Partners
I have a customer with this infrastructure.
Single AD domain, divided into three zones: one each in Europe, North America and Asia. Each zone has a domain controller. Each zone has several offices/subnets, and each office/subnet has a RODC (read-only domain controller). The customer plans to use Office 365. He plans to deploy three federation servers (AD FS 2.0); each zone has a single federation server.
Is it possible to configure Office 365 to redirect internal users to the federation server in their zone? Users in Europe get a claim from the federation server in Europe, Asian consumers from the federation server in Asia, etc.
It all depends on your client location (intranet or Internet), the type of client requiring a SAML token (e.g. browser vs. Outlook) and your DNS configuration. These factors determine which ADFS server is leveraged to get a SAML token. For example, browser OWA would perform a local DNS lookup to find the DNS server to get your token; if you isolate DNS to include only regional ADFS, it will go to that server. Outlook, however, will use the DNS record for ADFS on the Internet, since Exchange Online always proxies the token request on behalf of Outlook.
I don't see huge performance gains by regionalizing ADFS for SSO, as it is essentially a web server that issues SAML tokens. There is value in doing this for redundancy but not performance necessarily.
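The regional routing described in the reply above rests entirely on split-horizon DNS: the internal resolver must hand browsers the regional federation server, while the public record must point at the proxies because Exchange Online requests Outlook's token from the Internet. As an added example (not from the original post), this script checks both views of the federation name and warns when they are crossed. The hostname and resolver addresses are assumptions.

```powershell
# Added example, not from the original post. Hostname and resolver addresses are assumptions.
# Requires Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later), which can
# query a specific server instead of the local stub resolver.
$federationHost   = "sts.example.edu"   # federation service name (placeholder)
$internalResolver = "10.1.0.10"         # regional AD DNS server seen by campus clients (placeholder)
$publicResolver   = "8.8.8.8"           # any public resolver, to see what the Internet sees

function Get-FederationAddresses {
    param([string]$Name, [string]$Resolver)
    # -DnsOnly bypasses the local cache and hosts file so the answer reflects the server asked.
    Resolve-DnsName -Name $Name -Type A -Server $Resolver -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

$internalView = @(Get-FederationAddresses -Name $federationHost -Resolver $internalResolver)
$externalView = @(Get-FederationAddresses -Name $federationHost -Resolver $publicResolver)

[pscustomobject]@{ View = 'Internal (campus browsers)';                 Addresses = ($internalView -join ', ') }
[pscustomobject]@{ View = 'External (proxies; Outlook via Exchange Online)'; Addresses = ($externalView -join ', ') }

# RFC 1918 space. A private address in the external view means the public record exposes the
# internal farm name instead of the proxies; a public address in the internal view means campus
# browsers are being sent out through the proxies rather than to their regional federation server.
$privateRange = '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'
if ($externalView | Where-Object { $_ -match $privateRange }) {
    Write-Warning "Public DNS returns an internal address for $federationHost"
}
if ($internalView | Where-Object { $_ -notmatch $privateRange }) {
    Write-Warning "Internal DNS sends campus clients to a public address for $federationHost"
}
if ($internalView.Count -eq 0 -or $externalView.Count -eq 0) {
    Write-Warning "One of the views returned no A record for $federationHost"
}
```

Run it once per region, pointing $internalResolver at that region's domain controller, to confirm each zone's browsers land on their own federation server while every zone shares the same public proxy record.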
We have changed our domain to hosted and updated MX records on the ISP side. Now we are planning to go ahead with the AD FS installation. We have four servers (an entirely new setup): SCCM, Symantec, PDC and one for the AD FS farm.
My Questions are:
1. Whether we would require an FS Proxy Server in place to get SSO enabled to O365. The users here will be using smartphones and public computers to access O365, and the headcount is less than 500. We have already tested the ActiveSync functionality and it's working fine on smartphones without an FS Service in place. Could you give me a good idea about this, as we are confused on the requirement of a Proxy Server?
2. Do we really need a dedicated server for the AD FS installation? Can I install AD FS on any existing server (PDC, SCCM, antivirus)?
My customer wants me to do all this setup using the above four servers :(
1) As I mentioned above, ADFS Proxy servers are 'optional' to work with Office 365; however, we recommend them in order to provide an additional layer of security for your ADFS servers. Think of the proxy role as similar to the web proxy server role. A lot of my customers in higher ed chose not to deploy ADFS proxies since they did not have a perimeter network, and deploying just ADFS servers worked fine with Office 365. Net: ADFS proxies provide more security and client filtering capabilities, so we are always going to recommend them as a best practice; however, whether or not you choose to deploy them is up to you.
2) Yes, you have to have a dedicated ADFS server on which you cannot run other things like a domain controller, System Center, etc. The good news is you can make these ADFS servers virtual as long as you provide enough processor and RAM, as stated above. I have seen customers have login issues because they did not put enough processor and RAM on their virtualized ADFS servers. With 500 users, you should be in good shape; however, I would still deploy redundant ADFS servers to avoid a single point of failure.
The first link has been removed and the second deleted.
"What versions of SQL are supported?
WID, SQL 2005 and SQL 2008."
I realize this was originally posted in 2011. Does this imply that SQL 2008 R2 is NOT supported at this time?
SQL Server 2008 R2 is now supported 2 years later. See here: technet.microsoft.com/.../gg982487(v=ws.10).aspx
Thanks for that response.
Can you provide any further information or any supporting documentation around performance for your statement:
"I don't see huge performance gains by regionalizing ADFS for SSO as it is essentially a web server that issues SAML tokens. There is value in doing this for redundancy but not performance necessarily."
We have North American data centers with NA and European users.