One of the recurring questions about ADFS 2.0 is how many Federation Servers are needed in a cross-domain or cross-forest scenario.
The Active Directory Identity Provider is able to authenticate users through a trust relationship. Cool! But what kind of trust?
Forest Scope and Trust Relationship Requirements
Based on my own tests, here is an answer:
- Within a forest, all child domains automatically trust each other through bidirectional transitive trusts, so only one federation service is necessary per forest.
- When other forests are involved, the minimum trust relationship is a bidirectional External Trust, as in the following diagram.
- External trusts are not transitive. You can use a Forest Trust and its transitivity to extend the scope of the Active Directory IdP.
- If Selective Authentication (domain- or forest-wide) is enabled on your trust relationship, you have to grant the "Allowed to authenticate" right to the trusted domain users.
- Name Suffix Routing lets you restrict access to the trusting forest. Check that the UPNs of the remote users do not carry a suffix that is disabled. In the following example, email@example.com cannot authenticate:
- You can also block specific UPNs with an ADFS deny rule (the claim rule below, with regular ASCII quotes, is the form the claim rule language accepts):
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^.*@gemalto\.corp$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
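To check the trust requirements listed above (two-way trust, external vs. forest transitivity, selective authentication and the "Allowed to authenticate" right) from the forest hosting the federation service, here is an added PowerShell example; it is not code from the original post. It assumes the RSAT ActiveDirectory module, a domain-joined admin session, and a placeholder federation server name 'ADFS01'.

```powershell
# Added example, not code from the original post: audit the trusts seen from the
# forest that hosts the federation service against the requirements listed above
# (two-way trust, external vs forest transitivity, selective authentication).
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

function Test-AdfsTrustRequirements {
    param([string]$Server = (Get-ADDomain).DNSRoot)  # domain whose trusts are listed
    foreach ($t in Get-ADTrust -Filter * -Server $Server) {
        # Intra-forest trusts are two-way and transitive by design: nothing to add.
        if ($t.IntraForest) {
            [pscustomobject]@{ Trust = $t.Name; Kind = 'Intra-forest'; Issues = 'none' }
            continue
        }
        $issues = @()
        # Minimum for another forest: a bidirectional trust.
        if ($t.Direction -ne 'BiDirectional') {
            $issues += "direction is $($t.Direction), needs BiDirectional"
        }
        # External trusts are not transitive; only a forest trust extends the IdP scope.
        $kind = if ($t.ForestTransitive) { 'Forest (transitive)' } else { 'External (non-transitive)' }
        # With selective authentication the trusted users also need Allowed-To-Authenticate.
        if ($t.SelectiveAuthentication) {
            $issues += 'selective authentication: check Allowed-To-Authenticate on the federation server'
        }
        $summary = if ($issues) { $issues -join '; ' } else { 'none' }
        [pscustomobject]@{ Trust = $t.Name; Kind = $kind; Issues = $summary }
    }
}

# Lists who holds Allowed-To-Authenticate on a federation server's computer object
# ($ComputerName is a placeholder for your own ADFS server).
function Get-AllowedToAuthenticate {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Resolve the extended right's GUID from the configuration partition rather than hard-coding it.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" -Properties rightsGuid `
        -LDAPFilter '(&(objectClass=controlAccessRight)(name=Allowed-To-Authenticate))'
    $rightGuid = [guid]$right.rightsGuid
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $rightGuid -or $_.ObjectType -eq [guid]::Empty)  # empty GUID = all extended rights
    } | Select-Object IdentityReference, IsInherited
}

Test-AdfsTrustRequirements | Format-Table -AutoSize
Get-AllowedToAuthenticate -ComputerName 'ADFS01' | Format-Table -AutoSize
```

Name suffix routing is not exposed by Get-ADTrust; review it with `netdom trust` or in the Domains and Trusts console as the post describes.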