ADFS 3: Adding Multiple Domains

pn_07 6 Reputation points
2020-10-13T22:03:06.407+00:00

Currently we have ADFS running on Server 2012 R2 ... with DNS as adfs.firstdomain.com.
Now we have a requirement to add second domain/DNS to our existing ADFS federation for one application.

For example:
App 1 : https://adfs.firstdomain.com/adfs/ls/IdpInitiatedSignOn

App 2 : https://adfs.Seconddomain.com/adfs/ls/IdpInitiatedSignOn

Please let me know how to achieve this.

Thanks

Active Directory Federation Services

1 answer

  1. Pierre Audonnet - MSFT 10,151 Reputation points Microsoft Employee
    2020-10-15T00:04:27.247+00:00

    So in theory, yes, we can set up something that does the trick from a DNS perspective. But there are a lot of caveats...

    You will need to make sure that you have the proper DNS record in company-b.com. An A record pointing to the same IP as the ADFS A record in company-a.com.
    You will need to ensure that the TLS (aka Service Communication Certificate) has the proper subject alternative name to reference either *.company-b.com or login.company-b.com on top of the existing ones.
    You will need to add the SPN HOST/login.company-b.com to the ADFS service account in AD.
    You will need to make sure that the URL login.company-b.com is trusted in your browser to do Windows Integrated Authentication (else no single sign-on).
    On the ADFS server, you will need to configure the new SNI binding like:
    netsh http add sslcert hostnameport=login.company-b.com:443 certhash=<the thumbprint of your TLS cert> appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY

    Now, that's the theory, because in practice, this will not work all the time and is not officially tested. In other words, that's an unsupported configuration. The metadata of the ADFS farm will also not contain those URIs/URLs, and this will likely not work through a WAP. Better to work through those "restrictions" IMO.
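
A read-only check of the steps listed in the answer above, run on the ADFS server. This is an added example, not part of the original answer or a Microsoft-provided script. `adfs.company-a.com` is an assumed name for the existing endpoint, `Test-SanCoversHost` is a hypothetical helper, and the script assumes English-language `setspn` output; it does not check the browser's Windows Integrated Authentication trust.

```powershell
# Assumed values: replace with your own names.
$existingHost = 'adfs.company-a.com'   # assumed name of the current ADFS endpoint
$newHost      = 'login.company-b.com'  # second name, as used in the answer

function Test-SanCoversHost {          # hypothetical helper
    param([string[]]$SanNames, [string]$HostName)
    $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
    foreach ($n in $SanNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard entry covers exactly one label to its left.
        if ($n.StartsWith('*.') -and $n.Substring(2) -eq $parent) { return $true }
    }
    return $false
}

# 1. DNS: the new name must resolve to the same address(es) as the existing one.
$oldIps = @(Resolve-DnsName $existingHost -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
$newIps = @(Resolve-DnsName $newHost -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
$dnsOk = ($oldIps.Count -gt 0) -and ($newIps.Count -gt 0) -and
         -not (Compare-Object $oldIps $newIps)

# 2. Certificate: the TLS certificate bound to ADFS must list the new name as a SAN.
$thumb = (Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $existingHost } |
          Select-Object -First 1).CertificateHash
if (-not $thumb) { throw "No ADFS TLS binding found for $existingHost" }
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"
$sanOk = Test-SanCoversHost -SanNames $cert.DnsNameList.Unicode -HostName $newHost

# 3. SPN: HOST/<new name> must be registered (check by eye that the account
#    printed by setspn is the ADFS service account).
$spnOut = setspn.exe -Q "HOST/$newHost"
$spnOk  = [bool]($spnOut -match 'Existing SPN found')

# 4. SNI binding: http.sys must have a binding for the new name using the same cert.
$binding = netsh http show sslcert "hostnameport=${newHost}:443"
$bindOk  = [bool]($binding -match $thumb)

[pscustomobject]@{
    DnsMatchesExisting = $dnsOk
    SanCoversNewHost   = $sanOk
    SpnRegistered      = $spnOk
    SniBindingUsesCert = $bindOk
}
```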