Article ID: 2510193

INTRODUCTION

This article provides an overview of various Active Directory Federation Services (AD FS) scenarios and their implications for single sign-on (SSO) in Office 365, Microsoft Azure, or Microsoft Intune.

MORE INFORMATION

As with most enterprise-level services, the AD FS Federation Service (leveraged for SSO) can be implemented in many ways, depending on business needs. The following AD FS scenarios focus on how the on-premises AD FS Federation Service is published to the Internet. This is a very specific aspect of AD FS implementation.

Scenario 1: Fully implemented AD FS

Description
An AD FS Federation server farm services Active Directory client requests through SSO authentication. An AD FS (load balanced) Federation server proxy exposes those core authentication services to the Internet by relaying requests and responses back and forth between Internet clients and the internal AD FS environment.

Recommendations
This is the recommended implementation of AD FS.

Support assumptions
There are no support assumptions for this scenario. This scenario is supported by Microsoft Support.

Scenario 2: Firewall-published AD FS

Description
An AD FS Federation server farm services Active Directory client requests through SSO authentication. A Microsoft Internet Security and Acceleration (ISA) / Microsoft Forefront Threat Management Gateway (TMG) server (or server farm) exposes those core authentication services to the Internet by reverse proxy.

Limitations
Extended Authentication Protection must be disabled on the AD FS Federation server farm for this to work. This weakens the security profile of the system. For security considerations, we recommend that you do not do this.
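As an added illustration that is not part of this article, the following PowerShell audit reads the Extended Protection setting from an AD FS Federation server and flags the weakened configuration that this scenario requires, so an administrator can see at a glance which topology a farm is actually running with. It assumes the AD FS 2.0 snap-in `Microsoft.Adfs.PowerShell` (on Windows Server 2012 R2 and later the `ADFS` module is loaded automatically instead) and the `ExtendedProtectionTokenCheck` property exposed by `Get-AdfsProperties`, whose values are `Require`, `Allow` and `None`.

```powershell
# Added example (not from the KB article): audit Extended Protection for Authentication
# on an AD FS Federation server. Run on a federation server as an AD FS administrator.
# Assumption: AD FS 2.0 snap-in; on AD FS 2012 R2 and later the ADFS module auto-loads.
if (-not (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

function Test-AdfsExtendedProtection {
    $current = (Get-AdfsProperties).ExtendedProtectionTokenCheck

    # Map the setting to the scenario in which it is expected.
    $note = switch ($current) {
        'Require' { 'Extended Protection enforced: matches the fully implemented (Scenario 1) topology.' }
        'Allow'   { 'Channel-binding tokens accepted but not enforced: partially weakened.' }
        'None'    { 'Extended Protection disabled: required by the firewall-published (Scenario 2) topology; weakened security profile.' }
        default   { "Unexpected value '$current'; verify the farm configuration." }
    }

    [pscustomobject]@{
        Setting  = $current
        Hardened = ($current -eq 'Require')
        Note     = $note
    }
}

$result = Test-AdfsExtendedProtection
$result | Format-List

# The hardened setting is restored with:
#   Set-AdfsProperties -ExtendedProtectionTokenCheck Require
if (-not $result.Hardened) {
    Write-Warning "ExtendedProtectionTokenCheck is '$($result.Setting)'. Confirm that an ISA/TMG reverse proxy still justifies this, and record the exception."
}
```

Running the audit on every federation server in the farm (the property is farm-wide, so one server suffices for the value itself) gives a quick way to detect a farm that has drifted to Scenario 2 after the reverse proxy was retired.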

Support assumptions
It's assumed that the ISA/TMG firewall and reverse proxy rule are implemented correctly and are functional. For Microsoft Support to support this scenario, the following conditions must be true:
  • The reverse proxy of HTTPS (port 443) traffic between the Internet client and the AD FS server must be transparent.
  • The AD FS server must receive a faithful copy of SAML requests from the Internet client.
  • Internet clients must receive faithful copies of SAML responses as if the clients were directly attached to the on-premises AD FS server.
For information about common problems that can cause this configuration to fail, see the following resources:

Scenario 3: Non-published AD FS

Description
An AD FS Federation server farm services Active Directory client requests through SSO authentication, and the server farm isn't exposed to the Internet by any method.

Limitations
Internet clients (including mobile devices) can't use Microsoft cloud service resources. For service-level reasons, we recommend that you do not do this.

Outlook rich clients can't connect to Exchange Online resources. For more information, see the following Microsoft Knowledge Base article:
2466333 Federated users can't connect to an Exchange Online mailbox

Support assumptions
It's assumed that the customer acknowledges by implementation that this setup doesn't provide the fully advertised suite of services that are supported by Azure Active Directory (Azure AD). Under these circumstances, this scenario is supported by Microsoft Support.

Scenario 4: VPN-published AD FS

Description

An AD FS Federation server (or Federation server farm) services Active Directory client requests through SSO authentication, and the server or server farm isn't exposed to the Internet by any method. Internet clients connect to and use AD FS services only through a virtual private network (VPN) connection to the on-premises network environment.

Limitations

Unless Internet clients (including mobile devices) are VPN-capable, they can't use Microsoft cloud services. For service-level reasons, we recommend that you do not do this.

Outlook rich clients (including ActiveSync clients) can't connect to Exchange Online resources. For more information, see the following Microsoft Knowledge Base article:
2466333 Federated users can't connect to an Exchange Online mailbox

Support assumptions

It's assumed that the customer acknowledges by implementation that this setup doesn't provide the fully advertised suite of services that are supported by identity federation in Azure AD.

It's assumed that the VPN is implemented correctly and is functional. For this scenario to be supported by Microsoft Support, the following conditions must be true:
  • The client can connect to the AD FS system by DNS name through HTTPS (port 443).
  • The client can connect to the Azure AD federation endpoint by DNS name by using appropriate ports/protocols. 
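The two conditions above can be checked from a client with its VPN connection up. The following PowerShell function is an added example, not part of this article; it assumes `Resolve-DnsName` and `Test-NetConnection` (Windows 8 / Windows Server 2012 and later), uses the placeholder AD FS host name `sts.contoso.com`, treats `login.microsoftonline.com` over TCP 443 as the Azure AD federation endpoint and port to test (an assumption; the article only says "appropriate ports/protocols"), and reports DNS resolution and TCP reachability for each target.

```powershell
# Added example (not from the KB article): verify, from a VPN-connected client,
# that the AD FS service and the Azure AD federation endpoint resolve by DNS name
# and accept TCP connections on the HTTPS port.
# Assumptions: Windows 8 / Server 2012+ cmdlets; endpoint and port values are placeholders.
function Test-FederationReachability {
    param(
        [Parameter(Mandatory)]
        [string] $AdfsHostName,                                  # placeholder, e.g. sts.contoso.com
        [string] $AzureAdEndpoint = 'login.microsoftonline.com', # assumed federation endpoint
        [int]    $Port = 443                                     # assumed port (HTTPS)
    )

    foreach ($target in @($AdfsHostName, $AzureAdEndpoint)) {
        # DNS resolution by name (condition 1 and 2 both require name-based access).
        $dns = Resolve-DnsName -Name $target -ErrorAction SilentlyContinue
        $addresses = $dns |
            Where-Object { $_.Type -in 'A', 'AAAA' } |
            ForEach-Object IPAddress

        # TCP reachability on the HTTPS port through the VPN.
        $tcp = Test-NetConnection -ComputerName $target -Port $Port -WarningAction SilentlyContinue

        [pscustomobject]@{
            Target      = $target
            DnsResolved = [bool] $dns
            ResolvedTo  = ($addresses -join ', ')
            TcpPortOpen = [bool] $tcp.TcpTestSucceeded
        }
    }
}

# Usage: replace the host name with the federation service name published to clients.
Test-FederationReachability -AdfsHostName 'sts.contoso.com' | Format-Table -AutoSize
```

A row with `DnsResolved` false points at split-DNS or VPN DNS-suffix configuration; a row that resolves but has `TcpPortOpen` false points at VPN routing or firewall rules. Either result means the scenario's support conditions are not met, regardless of whether the AD FS farm itself is healthy.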

High-availability AD FS and Azure AD identity federation

Each scenario can be varied by using a stand-alone AD FS Federation server instead of a server farm. However, it's always a Microsoft best-practice recommendation that all critical infrastructure services be implemented by using high-availability technology to avoid loss of access.

On-premises AD FS availability directly affects Microsoft cloud service availability for federated users, and its service level is the responsibility of the customer. The Microsoft TechNet library contains extensive guidance on how to plan and deploy AD FS in the on-premises environment. This guidance can help customers reach their target service level for this critical subsystem. For more information, go to the following TechNet website:
http://technet.microsoft.com/en-us/library/adfs2(WS.10).aspx

REFERENCES

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.

Properties

Article ID: 2510193 - Last Review: December 12, 2014 - Revision: 18.0
Applies to
  • Microsoft Azure cloud services
  • Microsoft Azure Active Directory
  • Microsoft Office 365
  • Microsoft Intune
  • CRM Online via Office 365 E Plans
  • Microsoft Azure Recovery Services
  • Office 365 Identity Management
Keywords: 
o365 o365e o365a o365m o365022013 KB2510193
