Educause Security Discussion mailing list archives
Re: ADFS Experience
From: Miguel Angel Gonzalez de la Torre <mglez () ITESM MX>
Date: Tue, 21 Oct 2014 20:16:12 +0000
Greetings Kevin. We are implementing our test environment for DRP of ADFS, but in another data center we have. For high availability we have a farm of ADFS and proxies and a cluster for the database, since we manage more than 100,000 users. Could you share your results of the Azure test? Thanks in advance.

Ing. Miguel Angel González de la Torre, MCC
Information Security Director
Information Technology Directorate
Contact me via Lync <sip:mglez () itesm mx>
Instituto Tecnológico y de Estudios Superiores de Monterrey
Tel.: 52 (81) 8158 2000, ext. 2936. Fax: 81 81582287
Intercampus link: 80-689-2936.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Halgren
Sent: Tuesday, October 21, 2014 03:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ADFS Experience

ADFS 3.0 is supposed to add a self-service password reset, though ADFS 3.0 and ADFS 2.0 seem to be fundamentally very different so I don't know how much experience in ADFS 2.0 will translate. We plan on putting up a self-service password reset through FIM, but because we had an immediate need when going live with Office 365, we set up a server using PWM (https://code.google.com/p/pwm/) which has worked quite well in the interim.

We set up ADFS 2.0 with our Office 365 instance. One of the challenges, at least in 2.0, is high availability. Basically if you want high availability you're going to have to put a load balancer in front of your ADFS servers. The built-in software load balancer they ask you to configure in Windows isn't very good and we've found it's absolutely not VM friendly, and certainly doesn't give you much in terms of high availability. The Microsoft Exchange Team actually advises against using it in Exchange (article is a bit dated but given our experience still reasonably valid: http://www.stevieg.org/2010/11/exchange-team-no-longer-recommend-windows-nlb-for-client-access-server-load-balancing/ ).

I'm working on building an ADFS stack in Azure as a test to give us some capability for continued access if our site link goes down. That includes a Read-Only DC, ADFS server, and ADFS proxy all in a restricted private virtual network connected to ours via a VPN link. Of course we'll lock the systems down tight, encrypt storage, and ensure that only the ADFS proxy external IP address and port 443 are Internet accessible.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ryan Hiebert
Sent: Tuesday, October 21, 2014 10:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ADFS Experience

I've been away from the management of it for a while, but I set up ADFS with Office 365, and it worked OK. There's no self-service account reset, etc., with ADFS, which was one of the main features that I personally found lacking. I found attempting to customize ADFS to be quite difficult, and I never was able to do it, though admittedly I wasn't able to put as much into trying as I would have liked.

On Oct 21, 2014, at 10:03 AM, Thomas Carter <tcarter () AUSTINCOLLEGE EDU> wrote:

We are looking at implementing ADFS for use with both Office 365 as well as on-site SharePoint 2013 (with Ellucian Portal more specifically). I'm looking for input from anyone who has implemented ADFS for either/both of those and what their experience has been. I'm also interested in the on-going maintenance and problems experienced managing ADFS.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564