ADFS server setup
- 304 Views
- Last Post 29 July 2014
Hi, I am looking at setting up ADFS for 2 scenarios: one is using it for Lync Online to provide an SSO experience to users, the other is to provide SSO to a WordPress server (using SAML) that we have hosted somewhere in the cloud. I have started browsing the MS documentation and yet I would like to ask experienced folks a couple of questions:
- Which certificate should I purchase? The Subject Name of the SSL certificate must match the names used in the ADFS configuration. So far I can only think of one: adfs.company.com. Do I need a SAN or a *.company.com certificate at all?
- Certificate for token signing: I read that it is not good practice to use the same certificate as the ADFS SSL one, so I would need to purchase a second certificate. Does the Subject Name really matter?
- Federation Server Proxy: I will use Server 2012R2; it looks like FS proxy is replaced by WAP (Web Application Proxy) as I cannot find the proxy server role. What type of certificate do I need for that?
Finally, do you have some good material to help me get started? Thanks very much.
In addition to what Patrick said, I'll throw in a few things:
For the SSL components, I definitely recommend you use a publicly rooted SSL cert from a good vendor. If you use an internally issued cert, you'll be much more limited in the devices that will trust it and will have a much more difficult time establishing trust on devices you don't manage. This is definitely the right time to buy something. In terms of what SSL cert to get (wildcard, SAN, etc.), start by planning out what host names you'll use to access your ADFS service. Mine uses a single host name and I get by with a simple SSL cert. If you think you'll need different host names or want to use the cert for multiple things, SAN or wildcard will give you more flexibility. Be careful with wildcards though. They can be dangerous if abused.
For token signing, I generally use a publicly rooted SSL cert for this too since this helps alleviate concern that any given third party relying party will trust it. However, the emerging best practice seems to be moving toward self-signed certs. For your scenario you can probably get away with this and save some money. The discussion on this gets pretty philosophical at a certain level. I will say that the worst thing you can do is to use a cert issued by your internal PKI. PKI certs with internal trust are the devil for IdPs and should be avoided.
This link contains reference material and deployment guides for ADFS/WAP in Server 2012/R2. http://technet.microsoft.com/en-us/library/hh831502.aspx
Thanks Tim for the link.
I have a couple of other questions.
After reading the documentation available in the link you provided, I am moving towards the design part and I am looking at guaranteeing redundancy.
As for the Database choice: we’ll never have more than 2 to 4 Federation Servers (we are a small shop with around 200 users), so I would naturally go with WID over SQL, but I need redundancy. Apparently what I would need to do is set up NLB with at least 2 Federation Servers running WID. I have read some bad reviews of NLB at the time I was looking for Load Balancing for our CAS servers for Exchange; do you recommend it at all for ADFS?
What would influence my decision Database wise is the need for SAML artifact resolution. I mentioned earlier that we would need to use SAML to connect to some application servers outside our organization; one example would be a cloud-based appliance running our HR system. But I am not sure if SAML artifact resolution is needed or will ever be used. Is that something I need to check with our appliance vendor?
As for extending what ADFS will do for us, we’ll likely use Work Folders and Workplace Join in the future, so it would make sense to have an external presence, therefore using Web Application Proxy. There again, for providing redundancy (we do not own any hardware load balancer and do not have budget for it yet) I am looking at using NLB. Any comments? Does anyone have a similar setup and is happy with it?
We do not have the budget for SQL clustering so I will have to stick with WID. As per MS documentation, I can have an ADFS farm running WID (but it looks like failover has to be initiated manually).
This is from ADFS 2.0 documentation (but I assume it is still valid for Windows 2012R2 with ADFS 3.0)
The WID database on the primary server is read/write and the WID database on the secondary server(s) is read-only. Changes made to the configuration are made only on the primary Federation Server and those changes are replicated (5-minute interval by default) to the secondary servers via WID database synchronization.
In the event that the primary Federation Server becomes unavailable and will not be brought back online, the administrator needs to promote one of the secondary Federation Servers to primary for the farm.
Thank you for your feedback on these topics.
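The points raised in this thread (does the SSL cert name the federation service, is token signing on a separate cert, what is the WID replication role and interval) can be checked from the ADFS PowerShell module on Server 2012 R2. This is an added, read-only example, not code from the thread or from Microsoft's deployment guides; it assumes the 2012 R2 cmdlets `Get-AdfsProperties`, `Get-AdfsSslCertificate`, `Get-AdfsCertificate` and `Get-AdfsSyncProperties`, and the variable names are the script's own.

```powershell
# Added example, not from the thread: read-only checks on an ADFS 2012 R2 farm that uses WID.
# Run in an elevated PowerShell session on a federation server.
Import-Module ADFS

$fedHost = (Get-AdfsProperties).HostName                 # the name users hit, e.g. adfs.company.com
$parent  = $fedHost.Substring($fedHost.IndexOf('.') + 1)  # company.com, used for wildcard matching

# --- 1. SSL certificate: must name the federation service (CN, a SAN entry, or *.parent) ---
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $fedHost } | Select-Object -First 1
$sslCert = Get-Item ("Cert:\LocalMachine\My\" + $binding.CertificateHash)
$names   = @($sslCert.Subject)
$san     = $sslCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { $names += $san.Format($true) }               # one "DNS Name=..." per line
$pattern = '(CN=|DNS Name=)(' + [regex]::Escape($fedHost) + '|\*\.' + [regex]::Escape($parent) + ')\b'
if (($names -join "`n") -notmatch $pattern) {
    Write-Warning "SSL cert $($sslCert.Thumbprint) does not name $fedHost (subject: $($sslCert.Subject))"
}
if ($sslCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "SSL cert expires $($sslCert.NotAfter)"
}

# --- 2. Token-signing certificate: should not be the SSL cert; self-signed is acceptable ---
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if ($signing.Thumbprint -eq $sslCert.Thumbprint) {
    Write-Warning 'Token-signing cert is the same as the SSL cert; use a dedicated one'
}
$selfSigned = $signing.Certificate.Subject -eq $signing.Certificate.Issuer
"Token-signing $($signing.Thumbprint): self-signed=$selfSigned, expires $($signing.Certificate.NotAfter)"

# --- 3. WID farm role and replication state ---
$sync = Get-AdfsSyncProperties
"Role=$($sync.Role) Primary=$($sync.PrimaryComputerName) PollDuration=$($sync.PollDuration)s LastSync=$($sync.LastSyncFromPrimary)"
# PollDuration defaults to 300 s, the 5-minute interval quoted above. Promotion after the primary
# is lost is a deliberate manual step, run on the chosen secondary:
#   Set-AdfsSyncProperties -Role PrimaryComputer
# after which every remaining secondary must be repointed:
#   Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName <new-primary-fqdn>
```

On a secondary server the SSL and signing checks still work because the WID replica carries the farm configuration; only the promotion commands change state.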