I'm currently in the first stages of an ADFS roll-out. It looks like you need to install multiple "federation services" or instances of ADFS if you want to federate with the same party or SaaS application multiple times. Let's say that you have different user populations that use private instances of an application or you have several sandbox environments and a production environment. How are other people handling that?
Let's say I would like to have one instance of ADFS. All of my accounts are in one domain. There is one AD environment. Different sets of users have independent, unique, instances of a SaaS application.
Let's say saasprovider.com/groupa and saasprovider.com/groupb which are mutually exclusive.
Several people have mentioned realms and entity IDs to me... please be specific. I can't give them the same metadata document for the second RP trust. I have to have another STS or ADFS instance, right? You can only have one entity ID per federation service installation, right?
It all depends on how many instances of AD you require.
Each instance of AD in a separate domain requires another instance of ADFS.
You can add the same RP as many times as you like as long as the entity ID, realm, etc. are different.
So you can install the same RP in many different environments and they can all use the same instance of ADFS.
You should have one STS per identity database (1 ADFS per Active Directory forest) and one RP per application deployment (FederationMetadata.xml document loaded as a relying party in ADFS). Production and Dev, for example, can be two RPs on the same ADFS server. The Federation Metadata should change with the installation.

Each client application will specify a different entity ID (EntityDescriptor/@entityID) for each installation. It is conventional to have the entity ID be the same as the root of the application installation. So if you access dev at http://server/dev/Default.aspx and prod at http://server/prod/Default.aspx, then your entities might be http://server/dev/ and http://server/prod/ respectively.

In terms of the actual configuration, you don't need a FederationMetadata.xml file if you enter the parameters manually. Otherwise, you can generate the file on demand using System.IdentityModel.Metadata (for .Net 4) or Microsoft.IdentityModel.Protocols.WSFederation.Metadata (for <= .Net 3.5 on WIF).
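As an added example that is not part of the original answer, the "two RPs on one ADFS" layout in PowerShell: one relying party trust per deployment, each with its own identifier (entityID/realm), plus an authorization rule so that each trust only issues tokens to its own AD group. It assumes ADFS on Windows Server 2012 R2 or later (the ADFS module auto-loads) and run from an elevated session on the federation server; the hostnames and group SIDs are placeholders.

```powershell
# Added example (not the answer author's code): register two independent
# deployments of the same SaaS application on a SINGLE ADFS instance.
# Assumes ADFS on Windows Server 2012 R2+ (module auto-loads), elevated session.
# Hostnames and group SIDs are placeholders, not real values.

$deployments = @(
    @{ Name = 'SaaS App - Group A'; Identifier = 'https://saasprovider.com/groupa/'; GroupSid = 'S-1-5-21-PLACEHOLDER-GROUPA' },
    @{ Name = 'SaaS App - Group B'; Identifier = 'https://saasprovider.com/groupb/'; GroupSid = 'S-1-5-21-PLACEHOLDER-GROUPB' }
)

foreach ($d in $deployments) {
    # ADFS will not accept a second trust that reuses an identifier, so check
    # first instead of failing half-way through the loop.
    if (Get-AdfsRelyingPartyTrust -Identifier $d.Identifier) {
        Write-Warning "Identifier $($d.Identifier) already has a trust; skipping $($d.Name)."
        continue
    }

    # Only members of this deployment's own AD group get a token for it, which
    # keeps the two user populations mutually exclusive at the STS rather than
    # trusting the application to keep them apart.
    $authzRules = @"
@RuleName = "Permit only $($d.Name) users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$($d.GroupSid)"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

    # Issue the user's UPN from AD as the Name ID so each deployment receives
    # a stable, unique key for the user.
    $transformRules = @"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
"@

    Add-AdfsRelyingPartyTrust -Name $d.Name `
        -Identifier $d.Identifier `
        -WSFedEndpoint $d.Identifier `
        -IssuanceAuthorizationRules $authzRules `
        -IssuanceTransformRules $transformRules
}

# Verify: both deployments exist as separate trusts on this one ADFS instance.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.Identifier -like 'https://saasprovider.com/*' } |
    Select-Object Name, Identifier, WSFedEndpoint
```

If the application's own FederationMetadata.xml is available, replace the manual -Identifier/-WSFedEndpoint parameters with -MetadataUrl (or -MetadataFile); the per-deployment authorization rule still applies.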