Migrating away from on-prem ADFS to Entra ID while still authenticating on-prem.

Bjarki Björgúlfsson - RB 20 Reputation points
2024-01-19T14:51:10.2466667+00:00

Greetings,

We are running an on-prem ADFS (version 2019). One of the main activities we use ADFS for is acting as an STS for our API via service-to-service communication. Our clients (API consumers) are configured as trusted claims providers; in other words, when they want to call our API through their API on behalf of their users, they present a SAML token that originated from their IdP to our STS (ADFS) and in exchange they get another SAML token they can use to call our API. Furthermore, the claims in the SAML token they receive from our STS have been enriched with an acceptance transform rule set, since our ADFS knows which IdP the token originated from.

We would like to migrate away from ADFS, but we need the above authentication flow to take place on-prem. Can this be achieved using Entra ID in hybrid mode? Ideally we would like the administration interface to reside in the cloud but the actual authentication flow to take place entirely without any dependency on the cloud.

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Identity Manager

Accepted answer
  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2024-01-31T06:59:07+00:00

    Hello @Bjarki Björgúlfsson - RB, although you can keep user authentication on-premises by implementing Microsoft Entra pass-through authentication, the STS will still be cloud-only. The option then is to keep ADFS as the on-premises STS and federate Entra ID with the former.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    1 person found this answer helpful.
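Since the accepted answer comes down to keeping ADFS as the on-premises STS, the following is an added PowerShell example (not part of the original question or answer) of how the flow described in the question is expressed on an ADFS 2019 server: the partner IdP registered as a claims provider trust, acceptance transform rules that tag incoming claims with the IdP they came from, and the API registered as a relying party trust that receives the enriched claims. All names, identifiers, claim type URIs, the partner domain and the certificate path are hypothetical assumptions. It also goes slightly beyond the question by restricting the passed-through UPN to the partner's own domain suffix and adding an issuance authorization rule, two checks a practitioner would normally want in a brokered trust like this.

```powershell
#Requires -Modules ADFS
# Added example: not from the original post. Every name, URL and path below
# is an assumption (PartnerA, api.example.com, C:\certs\...).

# --- 1. Trust the partner's IdP as a claims provider ------------------------
# Incoming SAML tokens from the partner are accepted only if signed by this
# certificate (exported from the partner's federation metadata; path assumed).
$partnerSigningCert = New-Object `
    System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList 'C:\certs\partnera-signing.cer'

# Acceptance transform rules run on claims coming *from this partner only*,
# which is what lets ADFS enrich the token with where it originated.
# The regex on the UPN stops the partner from asserting identities outside
# its own domain, which a plain pass-through rule would allow.
$acceptanceRules = @'
@RuleName = "Pass through UPN, but only for the partner's own domain"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
   Value =~ "^[^@]+@partnera\.example$"]
 => issue(claim = c);

@RuleName = "Stamp originating IdP"
 => issue(Type = "http://schemas.example.com/claims/originating-idp",
          Value = "PartnerA");
'@

Add-AdfsClaimsProviderTrust -Name 'PartnerA IdP' `
    -Identifier 'https://idp.partnera.example/adfs/services/trust' `
    -TokenSigningCertificate $partnerSigningCert `
    -AcceptanceTransformRules $acceptanceRules `
    -SigningCertificateRevocationCheck 'CheckChainExcludeRoot'

# --- 2. Register the API as the relying party -------------------------------
# Issuance transform rules decide what ends up in the token handed to the
# API; only the UPN and the originating-IdP tag are forwarded.
$issuanceRules = @'
@RuleName = "Forward UPN to the API"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Forward originating IdP to the API"
c:[Type == "http://schemas.example.com/claims/originating-idp"]
 => issue(claim = c);
'@

# Authorization rule: a token is issued for the API only when the
# originating-IdP claim is present, i.e. the request really was brokered
# through a configured claims provider trust.
$authzRules = @'
@RuleName = "Permit only brokered partner identities"
c:[Type == "http://schemas.example.com/claims/originating-idp"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
          Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'Our API' `
    -Identifier 'https://api.example.com/' `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -TokenLifetime 10   # minutes; short-lived tokens for service-to-service calls

# --- 3. Verify what was configured -----------------------------------------
Get-AdfsClaimsProviderTrust -Name 'PartnerA IdP' |
    Select-Object Name, Identifier, AcceptanceTransformRules
Get-AdfsRelyingPartyTrust -Name 'Our API' |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, TokenLifetime
```

Run on the primary ADFS server as an ADFS administrator. The acceptance rules are the point of the design: because they are attached to the claims provider trust rather than to the relying party, the "which IdP did this come from" enrichment happens before the relying-party rules see the claims, and a token signed by any other IdP never reaches the API trust at all.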

1 additional answer

  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-01-19T14:59:11.7766667+00:00
