ParinDas-9406 asked ·

ADFS for two forest with two way bi-directional trust

Hello Experts,

I have a scenario in which we have two separate forests, forest A and forest B. There is a two-way (bi-directional) trust between them.

I have ADFS in forest A, and there are many relying party applications (SAML based) in forest A.

I want my users in forest B, to access applications in forest A.

Question:

  1. Will it be required to have ADFS in forest B, or will the forest trust do the job?

  2. Does it make sense to have a forest trust and also create an ADFS trust between the two ADFS farms A and B for such a scenario?

Thank You


1 Answer

piaudonn answered ·
  1. The forest trust is enough. You'll have single sign-on without adding an ADFS in forest B.

  2. If your goal is to provide SSO, then it is required. But you might have other requirements, such as delegation, or internal policies that would make the use of a "central" ADFS farm difficult. Note that when an ADFS farm trusts another one, the users will be asked to pick which farm they are from. It is called Home Realm Discovery; it can be tuned to some extent, but ultimately it might change the way authentication works for users on both sides.

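The two options in the answer, as an added example that is not part of the original thread or the answerer's own configuration: first the checks for the "forest trust only" case, then the claims provider trust plus Home Realm Discovery tuning for the "ADFS trust" case. All names are assumptions (forest B is `partner.example`, its ADFS metadata URL, the user `jdoe`, and a relying party called `Payroll`); run it on an ADFS server in forest A with the ActiveDirectory and ADFS modules available.

```powershell
# Added example, not from the original post. Assumed names: forest B = partner.example,
# ADFS B metadata URL as below, test user 'jdoe', relying party display name 'Payroll'.
# Run on an ADFS server in forest A (Windows Server 2016+ for -OrganizationalAccountSuffix).

Import-Module ActiveDirectory
Import-Module ADFS

# --- Option 1: forest trust only (answer's point 1) -----------------------------
# ADFS in forest A authenticates forest B users through its built-in "Active Directory"
# claims provider. That only works while the trust is inbound to A (two-way here),
# forest-transitive and healthy, so check the trust before looking at ADFS.
$trust = Get-ADTrust -Filter { Name -eq 'partner.example' }
$trust | Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware, SelectiveAuthentication
# Expect Direction = BiDirectional and ForestTransitive = True.
# Leave SIDFilteringForestAware = True unless there is a documented reason: SID filtering
# stops a compromised forest B from injecting forest A SIDs (via SIDHistory) into tokens.

# Can forest A resolve a forest B account across the trust? If this fails, SSO for that
# user fails as well, regardless of the ADFS configuration.
Get-ADUser -Identity 'jdoe' -Server 'partner.example' -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

# --- Option 2: claims provider trust to the ADFS farm in forest B (answer's point 2) ---
# The acceptance transform rules are an authorization boundary: only the claims listed
# here are accepted from the other farm. A blanket pass-through (c:[] => issue(claim = c);)
# would let forest B assert any claim type, including groups your apps authorize on.
$acceptRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept UPN from forest B"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "@partner[.]example$"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept e-mail address from forest B"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name 'Forest B ADFS' `
    -MetadataUrl 'https://adfs.partner.example/FederationMetadata/2007-06/FederationMetadata.xml' `
    -AcceptanceTransformRules $acceptRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Home Realm Discovery tuning: route users by UPN suffix so they are not shown the
# "where are you from?" picker every time (ADFS on Windows Server 2016 or later).
Set-AdfsClaimsProviderTrust -TargetName 'Forest B ADFS' -OrganizationalAccountSuffix @('partner.example')

# Scope the new provider to the relying parties that need it. Relying parties that are not
# updated keep the default (Active Directory only), so their users never see HRD at all.
Set-AdfsRelyingPartyTrust -TargetName 'Payroll' -ClaimsProviderName @('Active Directory', 'Forest B ADFS')

# Show which claims providers each relying party will offer its users.
Get-AdfsRelyingPartyTrust | Select-Object Name, ClaimsProviderName
```

The point of the narrowed acceptance rules and the per-relying-party `ClaimsProviderName` list is containment: forest B's farm can only assert the claim types forest A chose to accept, and only to the applications that were explicitly opened to it, so adding the ADFS trust does not silently widen access for every relying party in forest A.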

Thank You for your answers.

However, it's a case of co-existence, which means users from forest A will be migrated to forest B. During this phase, when the users are in forest B, they still want to access applications protected by ADFS in forest A.

So in such a case, where I already have a bi-directional trust enabled between A and B (for the migration of users), I can also use that for users in forest B to access the applications in forest A.

And application access would be limited to LDAP/Kerberos-based apps; claims-aware apps won't be accessible, as they need a SAML token for a user in forest B. Please correct my understanding if it's wrong.

On the other hand, if along with the bi-directional forest trust I also create an ADFS trust between A and B, in this case I understand that users would be given an option of where they want to authenticate from, and in this case LDAP/Kerberos-based apps can be accessed using the forest trust and SAML claims-based apps using ADFS?


Hi Experts,

Any inputs ?
