SSO and ADFS

    Question

  • Hi,

    I am working on a large SSO and Federation solution.

    The requirement is to provide an SSO solution for a large number of mixed applications: Microsoft .NET, Oracle, Java and many more.

    HR and Payroll, ERP and Finance, CRM, IT Service management and help desk, Cloud Application like Office 365.

    The applications are currently using different sources of authentication. I will update on this further.

    The intention is to access those applications internally as well as from the internet.

    Also, need to provide partner access.

    My query: Is MS ADFS going to help as a tool to build SSO for all the applications in the above situation (SSO from intranet, internet and partner sites),

    or can ADFS only work for the partner access?

    Or do I need another SSO provider with some meta-directory solution, like an IDM tool plus an SSO provider?

    Please input your valuable suggestions.


    Soumen Ghosh

    Wednesday, August 21, 2013 12:53 AM

All replies

  • Hi Soumen,

    ADFS can deliver SSO for users from the internet, intranet and for partners. You can use ADFS in combination with an IDM tool such as Forefront Identity Manager. Regarding the applications, make sure they support SAML/WS-Fed. If not, application customization might be needed.


    Find me on linkedin: http://nl.linkedin.com/in/tranet


    • Edited by Robin Gaal Wednesday, August 21, 2013 2:15 PM
    Wednesday, August 21, 2013 2:15 PM
  • You could protect the non-.NET applications with something like OpenAM and then federate that with ADFS. This uses an agent that sits outside of the application.

    Failing that, you are left with customisation as @Robin suggests.



    • Edited by nzpcmad1 Wednesday, August 21, 2013 7:11 PM
    Wednesday, August 21, 2013 7:09 PM
  • Hi,

    Thanks for your responses.

    I am proposing OAM for enterprise SSO, as a lot of the applications are from the Oracle side, and then ADFS for federation services with partners.

    Also, we have a requirement to allow some application access for non-partner external users.

    1. Can we integrate or co-exist OAM and ADFS for the same set of applications?

    2. ADFS server placement: can I use the Federated Web SSO design as per TechNet http://technet.microsoft.com/en-us/library/dd807050.aspx

    Suggested Servers:

    2 ADFS Server Farm @ Internal Network using H/W NLB

    2 ADFS Proxy @ Perimeter Network using H/W NLB

    1 AD DS @ Perimeter Network for external users

    1 Perimeter DNS

    Also, can I keep our application servers inside the corporate network, or do I have to place them in the perimeter network for external or partner access?

    Suggestions are highly appreciated.

    Thanks,

    Soumen


    Soumen Ghosh

    Saturday, August 24, 2013 6:19 AM
  • ADFS does not act as a proxy, so if you want the applications to be accessible from "the internet" (external) they need to be placed in the perimeter network or somewhere else in the cloud.

    ADFS can integrate with OAM, being an IDP for each other with a federation trust.

    What is the reason you want to deploy AD DS in the perimeter?


    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Monday, August 26, 2013 8:34 AM
  • Hi Robin,

    Thanks!

    Regarding the AD DS in the perimeter: I am planning to put it there for external and 3rd-party vendor/contractor users. There are a lot of users, say 20K users.

    Is it feasible?

    One more query; I am a little bit confused.

    Can we use the above Federated Web SSO solution and provide SSO for internal users (intranet) as well, for applications like MS CRM, SharePoint and other .NET applications?

    In that case, do I have to place the applications in the perimeter?

    How can I manage SSO for internet and internal users for the same set of applications?

    What should be the server placement?

    Thanks,

    Soumen


    Soumen Ghosh

    Monday, August 26, 2013 9:04 AM
  • The story is a bit confusing. What is the plan exactly?

    - ADFS for EXTERNAL (& partner) users only, connected to the NEW AD DS?

        - Why is the new AD DS in the perimeter? This is not a common practice.

    - OAM for INTERNAL users only? Does this one connect to the internal AD DS? Can OAM deliver Kerberos/NTLM based authentication for SSO like ADFS does?

        - Does OAM have something comparable to the ADFS proxy / an access point for users from the internet?

        - Why OAM? If the Oracle applications support the SAML protocol this should just work as well with ADFS, which would simplify the overall architecture by using only ADFS as IDP.

    - Deciding which applications should be in the perimeter is determined by which applications should be accessible from the internet.


    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Monday, August 26, 2013 11:11 AM
  • Hi Robin,

    Main intention is to provide SSO for both internal and external users.

    ADFS can by default provide SSO for claims-aware/.NET applications like CRM, SharePoint etc.

    For Oracle ERP or other Oracle applications, I think we would need some identity federation tool from Oracle (like OIF, even if we don't use OAM) and then configure interoperability with ADFS? Or can I simply integrate them with ADFS if they support the SAML stack?

    Internal applications will talk to the internal AD DS. For the Oracle applications, Oracle IDM is already planned to sync with the internal AD.

    Regarding the perimeter AD DS: just a thought to manage external users/contractor users. It will have no connection with the internal AD DS. Is it okay, or am I going wrong with the perimeter AD DS?

    Lastly, placement of applications: if an application needs to be shared by both internal and external users, do I have to place it in the perimeter? No other choice?

    Thanks,

    soumen


    Soumen Ghosh

    Monday, August 26, 2013 11:42 AM
  • ADFS can by default provide SSO for claims-aware/.NET applications like CRM, SharePoint etc.
    - That will do the job.

    For Oracle ERP or other Oracle applications, I think we would need some identity federation tool from Oracle (like OIF, even if we don't use OAM) and then configure interoperability with ADFS? Or can I simply integrate them with ADFS if they support the SAML stack?
    - They can just integrate with ADFS if they support the SAML stack.

    Regarding the perimeter AD DS: just a thought to manage external users/contractor users. It will have no connection with the internal AD DS. Is it okay, or am I going wrong with the perimeter AD DS?
    - Is it possible to integrate those external users/contractors in the internal AD? Those externals also need to authenticate to the ADFS solution you're building, so if that is not possible you need the AD DS instance (it can be on the internal network) and maybe even a second ADFS instance.

    Lastly, placement of applications: if an application needs to be shared by both internal and external users, do I have to place it in the perimeter? No other choice?
    - Or in the cloud. Another option is to place the apps internally and give all external users VPN access, which is not better.


    Find me on linkedin: http://nl.linkedin.com/in/tranet

    Monday, August 26, 2013 12:12 PM
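As an added illustration (not code from the thread or from either poster), this is how the two integration paths Robin describes are declared on an ADFS server with the AD FS PowerShell module: a SAML-capable Oracle application becomes a relying party trust, and OAM becomes a claims provider trust so the two products can act as IDP for each other. All hostnames, URLs and the metadata path are assumed placeholders, and the ADFS proxy placement discussed above is not part of this snippet.

```powershell
# Added example; assumes a Windows Server with the AD FS role installed and
# the ADFS PowerShell module available. Hostnames/URLs below are placeholders.
Import-Module ADFS

# 1. A SAML-capable application integrates directly with ADFS as a relying
#    party, so no separate Oracle federation product is required for it.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri "https://erp.example.internal/saml/acs" -Index 0 -IsDefault $true

# Issue only the claims the application needs: look up mail in AD and send
# it as the SAML NameID (least-privilege claim issuance).
$transformRules = @'
@RuleName = "AD mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "mail to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# An explicit permit rule is required; with no authorization rule ADFS
# denies every request to this relying party.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Requiring signed AuthnRequests stops unauthenticated parties from steering
# users to arbitrary ACS URLs; register the app's signing certificate with
# -RequestSigningCertificate before enabling this in practice.
Add-AdfsRelyingPartyTrust -Name "Oracle ERP (SAML)" `
    -Identifier "https://erp.example.internal/saml/metadata" `
    -SamlEndpoint $acs `
    -SignedSamlRequestsRequired $true `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# 2. Federation trust with OAM: its signing certificate and endpoints are
#    taken from OAM's published metadata, so ADFS accepts users that OAM
#    authenticated (the "IDP for each other" case from the thread).
Add-AdfsClaimsProviderTrust -Name "Oracle Access Manager" `
    -MetadataUrl "https://oam.example.internal/oamfed/idp/metadata" `
    -AcceptanceTransformRules 'c:[] => issue(claim = c);'
```

The pass-through acceptance rule on the OAM trust accepts every incoming claim; in a real deployment it should be narrowed to the claim types the relying parties actually consume.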