ElmerTubiera-2113 asked, piaudonn answered

Reusing Windows Server 2012 R2 ADFS server

Hi,

We have an SSO project with SAP and we wanted to use ADFS.

I would like to inquire about the best way to proceed:

  1. Use an existing ADFS server from a previous project. This server was previously used to provide SSO to a web application (Dealer Management System). This server is working but the project did not push through.

  2. Install a new ADFS server

If we proceed with option 1, can we just reconfigure ADFS or do we need to reinstall?
If we proceed with option 2, is it possible to add a new ADFS server?

Appreciate your feedback.

Thanks and regards,

adfs

1 Answer

piaudonn answered

ADFS (and any other IdP) is most of the time considered a tier-0 or "control plane" security zone or level (cf. https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model). So in theory you could re-use it. But the reality is that you probably didn't consider the first deployment a tier-0/control-plane type of asset. Therefore, re-using it might lead to service exposure, as you don't necessarily know who has or had access to the service, its dedicated account, etc. If that's the case, I would consider creating a new farm, taking into consideration all security recommendations from the start: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs.

There is no limit on how many ADFS farms you can have in a forest. As long as they use different names and URLs, you are good to go. The only thing that the farms of a forest share between them is the device registration configuration. But that's rarely used anyway.
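The answer's concern with option 1 is that nobody knows who has or had access to the old server, its service account and its key material. The following script is an added example, not code from the Q&A post or from Microsoft: run in an elevated PowerShell on the existing AD FS 2012 R2 server with the ActiveDirectory RSAT module installed, it collects exactly the facts you would want before deciding to re-use the box. The DKM container path (CN=ADFS,CN=Microsoft,CN=Program Data) is the default location AD FS uses; if the farm was deployed with a custom DKM container the path is an assumption that needs adjusting.

```powershell
# Added example (not from the Q&A post): pre-reuse review of an existing
# AD FS 2012 R2 server. Requires an elevated session on the AD FS server
# and the ActiveDirectory RSAT module.
Import-Module ADFS
Import-Module ActiveDirectory

function Get-AdfsReuseReport {
    $report = [ordered]@{}
    $props  = Get-AdfsProperties
    $report['FederationServiceName']   = $props.HostName
    $report['AutoCertificateRollover'] = $props.AutoCertificateRollover
    $report['ExtranetLockoutEnabled']  = $props.ExtranetLockoutEnabled

    # On 2012 R2 the AD FS administrators are simply the local Administrators group:
    # everyone listed here has had full control of the IdP.
    $members = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members')
    $report['LocalAdministrators'] = @($members | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    })

    # The account the AD FS Windows service (adfssrv) runs as, and its AD object.
    # A gMSA shows objectClass msDS-GroupManagedServiceAccount; a plain user account
    # with an old pwdLastSet means the password has been known to people for that long.
    $svc  = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    $sam  = ($svc.StartName -split '\\')[-1]
    $acct = Get-ADObject -Filter { sAMAccountName -eq $sam } `
                -Properties objectClass, pwdLastSet, memberOf, servicePrincipalName
    $report['ServiceAccount']                = $svc.StartName
    $report['ServiceAccountClass']           = $acct.objectClass
    $report['ServiceAccountPasswordLastSet'] = [DateTime]::FromFileTime($acct.pwdLastSet)
    $report['ServiceAccountGroups']          = @($acct.memberOf)
    $report['ServiceAccountSPNs']            = @($acct.servicePrincipalName)

    # Non-inherited ACEs on the default DKM container, where AD FS keeps the key
    # that protects its token-signing private keys. Any principal with read access
    # here could have recovered the signing key. (Default path; assumption if the
    # farm used a custom DKM container.)
    $dkmDn = "CN=ADFS,CN=Microsoft,CN=Program Data,$((Get-ADDomain).DistinguishedName)"
    $report['DkmContainerAces'] = @((Get-Acl -Path "AD:\$dkmDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType)

    # Every relying party still configured here keeps receiving tokens from this farm
    # (e.g. the old Dealer Management System trust).
    $report['RelyingPartyTrusts'] = @(Get-AdfsRelyingPartyTrust |
        Select-Object Name, Identifier, Enabled)

    # Token-signing / token-decrypting certificates and their expiry.
    $report['Certificates'] = @(Get-AdfsCertificate |
        Select-Object CertificateType, IsPrimary,
            @{ n = 'Subject';  e = { $_.Certificate.Subject } },
            @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } })

    [pscustomobject]$report
}

Get-AdfsReuseReport | Format-List
```

If the local Administrators list contains groups you cannot account for, the service account is a plain user whose password is years old, or the DKM container carries ACEs beyond the service account and Domain Admins, the answer's advice applies: you cannot rule out that the signing key or the host was exposed, and a fresh farm is the safer choice.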

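For option 2, the answer says a second farm can coexist with the old one as long as it has a distinct federation service name and URL. The script below is an added example, not the Q&A post's or Microsoft's own deployment code: it stands up a separate AD FS 2012 R2 farm on a fresh, dedicated server for the SAP project and applies the settings the linked best-practices page recommends. All names are assumptions: sts-sap.contoso.com is the new federation service name (chosen to differ from the existing farm's), gmsa-adfs-sap is the group managed service account, the SSL certificate for that name is assumed to be in the machine store already, and the SAP metadata URL is a placeholder.

```powershell
# Added example (not from the Q&A post): new, separate AD FS farm for the SAP
# project on a dedicated server. Run elevated on the new server, as a user with
# rights to create the gMSA in AD.
$fsName   = 'sts-sap.contoso.com'   # assumed; must differ from the existing farm's name and URL
$gmsaName = 'gmsa-adfs-sap'         # assumed
$adfsHost = $env:COMPUTERNAME

Install-WindowsFeature ADFS-Federation, RSAT-AD-PowerShell -IncludeManagementTools
Import-Module ActiveDirectory
$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# gMSA for the service: AD rotates its password, so nobody ever "knows" it.
# Add-KdsRootKey is a one-time per-forest step; the -EffectiveTime trick is for
# labs only, production should wait the default 10 hours after Add-KdsRootKey.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) }
New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword "$adfsHost`$"

# SSL certificate for the new federation service name (assumed already installed).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($fsName) } |
    Select-Object -First 1

# Creates the new farm; it does not touch the existing farm's configuration.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'Contoso SAP SSO' `
    -GroupServiceAccountIdentifier "$netbios\$gmsaName`$"

# Hardening from the best-practices page, applied before any relying party exists:
# extranet lockout against password spraying, and full security auditing.
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 10 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
Set-AdfsProperties -LogLevel @('Errors', 'FailureAudits', 'Information', 'SuccessAudits', 'Warnings')
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# The SAP relying party lives only in this farm; the old farm keeps its own trusts.
# Metadata URL is a placeholder for the SAP system's SAML 2.0 metadata endpoint.
Add-AdfsRelyingPartyTrust -Name 'SAP' `
    -MetadataUrl 'https://sap.contoso.com/saml2/metadata' `
    -IssuanceAuthorizationRules '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
```

Additional servers join this farm with Add-AdfsFarmNode against the same gMSA and certificate. Because the server is a tier-0 asset from day one, restrict its local Administrators group to the people who operate the IdP and nothing else; that is precisely the control the answer says the old server probably never had.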