Share via

Migrating away from on prem ADFS to Entra ID still authenticating on prem.

Bjarki Björgúlfsson - RB 20 Reputation points
2024-01-19T14:51:10.2466667+00:00

Greetings,

We are running an on prem ADFS (version 2019). One of the main activities we use ADFS for is acting as an STS for our API via service to service communication. Our clients (API consumers) are configured as trusted claim providers, in other words, when they want to call our API through their API on behalf of their users, they present a SAML token that is originated from their IDP to our STS (ADFS) and in exchange they get another SAML token they can use to call our API. Furthermore the claims in the SAML token they receive from our STS has been enriched with acceptance transform ruleset, since our ADFS knows which IDP the token is originated from.

We would like to migrate away from ADFS but we need the above authentication flow to take place on prem. Can this be achieved using Entra ID in hybrid mode? Ideally we would like the administration interface to reside in the cloud but the actual authentication flow take place entirely without dependency on the cloud.

Microsoft Identity Manager
Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
631 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,213 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,005 questions
Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,351 Reputation points
    2024-01-31T06:59:07+00:00

    Hello @Bjarki Björgúlfsson - RB , althought you can keep user authentication on-premise implenting Microsoft Entra pass-through authentication, the STS will still be cloud-only. The option then is to keep ADFS as the on-premise STS and federate Entra ID with the former.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pinaki Ghatak 2,480 Reputation points Microsoft Employee
    2024-01-19T14:59:11.7766667+00:00

    Hello @Bjarki Björgúlfsson - RB
    Yes, it is possible to achieve a similar authentication flow using Microsoft Entra ID in hybrid mode. Microsoft Entra ID’s hybrid identity solution creates a common user identity for authentication and authorization to all resources, regardless of location.

    This is accomplished through provisioning and synchronization. In the hybrid mode, you can configure Microsoft Entra hybrid join. This allows your devices to maximize user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can also secure access to your resources with Conditional Access.

    For the actual authentication flow to take place entirely without dependency on the cloud, Microsoft Entra hybrid join requires devices to have access to certain Microsoft resources from inside your organization’s network.

    However, please note that the specifics of your implementation may vary based on your organization’s needs and existing infrastructure.

    I hope this answers your question.