Educause Security Discussion mailing list archives

Re: ADFS experience with Sharepoint and other SSO/SAML systems


From: Kevin Halgren <kevin.halgren () WASHBURN EDU>
Date: Tue, 20 Jan 2015 17:18:57 +0000

I can't find it now, but I found an article at one point on the Microsoft blog where they mentioned that, despite the 
Microsoft network load balancer being explicitly on the Exchange installation instructions, the Microsoft internal 
Exchange team strongly recommended against it for a variety of reasons, not the least of which was reliability.

We're running the Loadbalancer.org load balancer in the AWS cloud at the moment - primarily because it was the cheapest 
option.  If our Internet link goes down, so does the link to that load balancer, but on the other hand if the Internet 
goes down so does our access to Office 365, so it doesn't matter so much anyway.  We can do a workaround with a DNS 
change to on-campus resources if there is an extended outage so at least we have a fallback plan.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Tuesday, January 20, 2015 10:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ADFS experience with Sharepoint and other SSO/SAML systems

I've heard the same thing about Microsoft's load balancer from another source; good to hear confirmation of it. This 
will be in a VM environment, so that is good to know. I have talked with someone using a Kemp load balancer with good 
effect, but that is another cost to add to the project that may sway the decision.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Halgren
Sent: Tuesday, January 20, 2015 8:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ADFS experience with Sharepoint and other SSO/SAML systems

Make sure you implement with ADFS 2012R2 (sometimes referred to as ADFS 3.0); it's much simpler to set up and manage 
than 2.0, has lower resource utilization overhead, and doesn't have the compatibility issues with Google Chrome that 
2.0 does.  We've used the SharePoint in Office 365 and we've had numerous problems with people sending links to 
SharePoint that don't work for people using Google Chrome.

ADFS 2012R2 requires Windows Server 2012R2 and has remarkably modest resource requirements.  I have a cloud-based test 
instance running on 1 CPU and 1GB of RAM (AWS free tier) and it runs just fine - yes, 1GB RAM!

I strongly advise against using the Microsoft network (software) load balancer - it was the cause of all the 
service-impacting issues we encountered here, in particular there are some issues with it running in a VMware 
environment.  Front-ending it with an external load balancer eliminated this problem.

Once set up, there's very little maintenance required.

When we implemented, DirSync was placed on a separate server.  It can now be installed on a domain controller, though 
we're not going to bother moving ours.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Monday, January 19, 2015 3:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ADFS experience with Sharepoint and other SSO/SAML systems

We're looking to implement ADFS for single sign on for a Sharepoint 2013 portal we are implementing. We would also use 
it for other SAML compliant systems on and off campus as well as for Office 365 which is currently using DirSync. I'm 
looking for experiences with ADFS in that type of environment, particularly with reliability and manageability. We're a 
small school and don't have the staff for a product that requires too much babysitting.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
