
I'm currently in the first stages of an ADFS roll-out. It looks like you need to install multiple "federation services" or instances of ADFS if you want to federate with the same party or SaaS application multiple times. Let's say that you have different user populations that use private instances of an application or you have several sandbox environments and a production environment. How are other people handling that?

Let's say I would like to have one instance of ADFS. All of my accounts are in one domain. There is one AD environment. Different sets of users have independent, unique, instances of a SaaS application.

Let's say saasprovider.com/groupa and saasprovider.com/groupb which are mutually exclusive.

Several people have mentioned realms and entity IDs to me...please be specific. I can't give them the same metadata document for the second RP trust. I have to have another STS or ADFS instance, right? You can only have one entity ID per federation service installation, right?

Joshua Toon

2 Answers


It all depends on how many instances of AD you require.

Each instance of AD in a separate domain requires another instance of ADFS.

You can add the same RP as many times as you like as long as the entity id, realm etc. are different.

So you can install the same RP in many different environments and they can all use the same instance of ADFS.

rbrayb
  • OK. So all of my accounts are in one domain. I give my metadata doc to a SaaS provider...we get the RP set up. That's for one set of users. I have another set of users, in the same domain, using different instances of that same SaaS provider app. I can't give them the same federation metadata doc again...and nothing in the metadata doc has changed. – Joshua Toon Nov 11 '13 at 19:29
  • How do you change the entity id and / or realm? – Joshua Toon Nov 11 '13 at 19:35
  • You have two instances of the SaaS provider. The metadata they give you must be different for each because the URL etc. must be different. So import the two instances of metadata into two separate RP on the same ADFS. The entity id etc. is part of the metadata they provide. Both instances use the same ADFS metadata since there is only one ADFS instance. – rbrayb Nov 11 '13 at 20:02
  • But the metadata document that I give them is the same...and they can't import it because of that...does that mean I need another instance? – Joshua Toon Nov 11 '13 at 23:45
  • If they have that restriction then I guess you'll need two instances of ADFS. – rbrayb Nov 12 '13 at 00:51

You should have one STS per identity database (1 ADFS per Active Directory forest) and one RP per application deployment (FederationMetadata.xml document loaded as a relying party in ADFS).

Production and Dev, for example, can be two RPs on the same ADFS server. The Federation Metadata should change with the installation.

Each client application will specify a different entity id (EntityDescriptor/@entityID) per installation. It is conventional to have the entity ID be the same as the root of the application installation. So if you access dev at http://server/dev/Default.aspx and prod at http://server/prod/Default.aspx, then your entities might be http://server/dev/ and http://server/prod/ respectively.

In terms of the actual configuration, you don't need a FederationMetadata.xml file if you enter the parameters manually. Otherwise, you can generate the file on demand using System.IdentityModel.Metadata (for .Net 4) or Microsoft.IdentityModel.Protocols.WSFederation.Metadata (for <= .Net 3.5 on WIF).

Mitch
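A pre-import check that puts this answer into practice, added here as an example and not code from the thread: it parses constructed FederationMetadata.xml documents laid out with the dev/prod convention above, reads EntityDescriptor/@entityID from each, and refuses to plan two relying-party trusts on one ADFS instance that share an entityID, which is the collision the question ran into. Python, the sample documents and the function names are my assumptions; the actual RP trust import is still done in the ADFS console or cmdlets.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata for two deployments of the same application,
# using the http://server/dev/ and http://server/prod/ layout from the answer.
DEV_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://server/dev/">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://server/dev/Saml/Acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""
PROD_METADATA = DEV_METADATA.replace("http://server/dev/", "http://server/prod/")


def parse_rp_metadata(xml_text):
    """Return the entityID and consumer endpoints of an RP's FederationMetadata.xml."""
    root = ET.fromstring(xml_text)  # stdlib expat does not resolve external entities
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document root is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor/@entityID is missing")
    endpoints = [
        e.get("Location") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
    ]
    return {"entity_id": entity_id, "endpoints": endpoints}


def plan_rp_trusts(named_docs):
    """Validate metadata documents destined for one ADFS instance, one RP trust each."""
    owner_of = {}  # entityID -> name of the trust that already claimed it
    trusts = []
    for name, xml_text in named_docs:
        info = parse_rp_metadata(xml_text)
        eid = info["entity_id"]
        # ADFS keys relying-party trusts on the identifier, so a repeat is an error.
        if eid in owner_of:
            raise ValueError(
                f"{name}: entityID {eid} is already used by RP trust {owner_of[eid]}"
            )
        owner_of[eid] = name
        trusts.append({"name": name, **info})
    return trusts
```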