Educause Security Discussion mailing list archives
Re: ADFS experience with Sharepoint and other SSO/SAML systems
From: Kevin Halgren <kevin.halgren () WASHBURN EDU>
Date: Tue, 20 Jan 2015 17:18:57 +0000
I can't find it now, but I found an article at one point on the Microsoft blog where they mentioned that, despite the Microsoft network load balancer being explicitly in the Exchange installation instructions, the Microsoft internal Exchange team strongly recommended against it for a variety of reasons, not the least of which was reliability.

We're running the Loadbalancer.org load balancer in the AWS cloud at the moment, primarily because it was the cheapest option. If our Internet link goes down, so does the link to that load balancer, but on the other hand if the Internet goes down so does our access to Office 365, so it doesn't matter so much anyway. We can do a workaround with a DNS change to on-campus resources if there is an extended outage, so at least we have a fallback plan.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Tuesday, January 20, 2015 10:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ADFS experience with Sharepoint and other SSO/SAML systems

I've heard the same thing about Microsoft's load balancer from another source; good to hear confirmation of it. This will be in a VM environment, so that is good to know. I have talked with someone using a Kemp load balancer with good effect, but that is another cost to add to the project that may sway the decision.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Halgren
Sent: Tuesday, January 20, 2015 8:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ADFS experience with Sharepoint and other SSO/SAML systems

Make sure you implement with ADFS 2012R2 (sometimes referred to as ADFS 3.0); it's much simpler to set up and manage than 2.0, has lower resource utilization overhead, and doesn't have the compatibility issues with Google Chrome that 2.0 does. We've used the SharePoint in Office 365 and we've had numerous problems with people sending links to SharePoint that don't work for people using Google Chrome.

ADFS 2012R2 requires Windows Server 2012R2 and has remarkably modest resource requirements. I have a cloud-based test instance running on 1 CPU and 1 GB of RAM (AWS free tier) and it runs just fine. Yes, 1 GB of RAM!

I strongly advise against using the Microsoft network (software) load balancer. It was the cause of all the service-impacting issues we encountered here; in particular, there are some issues with it running in a VMware environment. Front-ending it with an external load balancer eliminated this problem.

Once set up, there's very little maintenance required. When we implemented, DirSync was placed on a separate server. It can now be installed on a domain controller, though we're not going to bother moving ours.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Monday, January 19, 2015 3:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ADFS experience with Sharepoint and other SSO/SAML systems

We're looking to implement ADFS for single sign-on for a SharePoint 2013 portal we are implementing. We would also use it for other SAML-compliant systems on and off campus, as well as for Office 365, which is currently using DirSync. I'm looking for experiences with ADFS in that type of environment, particularly with reliability and manageability. We're a small school and don't have the staff for a product that requires too much babysitting.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
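The replies above recommend running AD FS 2012 R2 farm nodes behind an external load balancer, reached through a federation DNS name that can be repointed to on-campus resources during an outage. The following PowerShell is an added example, not code from anyone in the thread, showing how an administrator can check that arrangement from a management host: each farm node is probed directly (bypassing the load balancer, so a node the balancer is quietly masking still shows up), and the federation name is resolved and fetched the way a user's browser would. The host names `adfs.example.edu`, `adfs01.example.edu` and `adfs02.example.edu` are assumptions; substitute your own. The `/adfs/probe` endpoint is the unauthenticated HTTP (port 80) health check AD FS 2012 R2 exposes for load balancers; the sign-on check only verifies an HTTP 200, not that authentication itself succeeds.

```powershell
# Added example (not from the thread): health check for an AD FS 2012 R2 farm
# that sits behind an external load balancer. Host names below are assumptions.
$FederationName = 'adfs.example.edu'                              # assumed public federation name
$FarmNodes      = @('adfs01.example.edu', 'adfs02.example.edu')   # assumed farm members

function Test-AdfsFarmNode {
    # Probe one node directly, bypassing the load balancer.
    param([string]$Node)

    # TCP reachability on 443, the port the load balancer forwards user traffic to.
    $tcp443 = (Test-NetConnection -ComputerName $Node -Port 443 `
               -WarningAction SilentlyContinue).TcpTestSucceeded

    # /adfs/probe is served over plain HTTP on port 80 by AD FS 2012 R2 specifically
    # so load balancers can check node health without a TLS handshake. A 200 means
    # the federation service on that node is up.
    try {
        $r = Invoke-WebRequest -Uri "http://$Node/adfs/probe" -UseBasicParsing -TimeoutSec 5
        $probe = ($r.StatusCode -eq 200)
    } catch {
        $probe = $false
    }

    [pscustomobject]@{ Node = $Node; Tcp443 = $tcp443; Probe = $probe }
}

function Test-AdfsFederationName {
    # Resolve the federation name (this shows whether DNS currently points at the
    # cloud load balancer or at an on-campus fallback) and fetch the IdP-initiated
    # sign-on page through it, which is the first thing a user's browser touches.
    param([string]$Name)

    $targets = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } |
               ForEach-Object { $_.IPAddress }

    try {
        $r = Invoke-WebRequest -Uri "https://$Name/adfs/ls/IdpInitiatedSignon.aspx" `
                               -UseBasicParsing -TimeoutSec 10
        $signOn = ($r.StatusCode -eq 200)
    } catch {
        $signOn = $false
    }

    [pscustomobject]@{ Name = $Name; ResolvesTo = ($targets -join ', '); SignOnPage = $signOn }
}

# Per-node view first, then the view a user gets through the balancer.
$FarmNodes | ForEach-Object { Test-AdfsFarmNode -Node $_ } | Format-Table -AutoSize
Test-AdfsFederationName -Name $FederationName | Format-Table -AutoSize
```

Run it from a host that can reach both the farm nodes and the public federation name. A node with `Tcp443` true but `Probe` false is the case worth noticing: the load balancer's TCP check would still consider it healthy while the federation service is not answering.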
Current thread:
- ADFS experience with Sharepoint and other SSO/SAML systems Thomas Carter (Jan 19)
- Re: ADFS experience with Sharepoint and other SSO/SAML systems Miguel Angel Gonzalez de la Torre (Jan 19)
- Re: ADFS experience with Sharepoint and other SSO/SAML systems Kevin Halgren (Jan 20)
- Re: ADFS experience with Sharepoint and other SSO/SAML systems Thomas Carter (Jan 20)
- Re: ADFS experience with Sharepoint and other SSO/SAML systems Kevin Halgren (Jan 20)
- Re: ADFS experience with Sharepoint and other SSO/SAML systems Michael Young (Jan 20)
- Re: ADFS experience with Sharepoint and other SSO/SAML systems Thomas Carter (Jan 20)
- Re: ADFS experience with Sharepoint and other SSO/SAML systems Dexter Caldwell (Jan 20)