Using ADFS with .local domain name

Brian Modlin 1 Reputation point
2020-04-14T17:15:20.973+00:00

I currently have a domain with abc.local domain name. Everything is on-premise including a 2013 Exchange server. I am planning a deployment of cloud services for voice and would like to use ADFS to authenticate the cloud softphones.

If I add an additional UPN Domain suffix of xyz.com to the existing domain will ADFS allow me to use the newly created UPN suffix (user@xyz.com) to authenticate the users?

Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.

1 answer

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-04-14T22:05:45.217+00:00

    First of all, when you deploy your farm, make sure the farm has a public name, like abc.com. The domain part does not have to be your AD domain. And make sure that internal clients resolve the name of your farm, like sts.abc.com, to the private IP address of your ADFS server (or load balancer). Even if you do not need to make your ADFS farm available externally, you should use a public name. That way, a few months from now, when you need to authenticate remote users, it would just be a matter of deploying a WAP (ADFS proxy) and a public DNS record instead of having to redeploy everything.

    Then from a UPN perspective, from a pure ADFS/ADDS perspective you don't need to have a routable name. So a UPN in .local might do it. It will all depend on your cloud service requirements. Often they want a routable identifier (either a UPN or an email address, so that we can trust that a client owns a namespace). For example, with Office 365, we need a routable UPN. So if that is the case for your cloud service, then yes, you can add a UPN suffix to your forest and change the UPN of your users to use abc.com (for example) instead of abc.local.
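The steps the answer describes (register a routable UPN suffix on the forest, move users' UPNs onto it, and verify that internal clients resolve the farm name to a private address) as an added PowerShell example; this is not the answerer's code or a Microsoft script. It assumes a forest named abc.local, a hypothetical new suffix abc.com, a hypothetical OU=Staff container, a hypothetical farm name sts.abc.com, and the RSAT ActiveDirectory module on the machine running it.

```powershell
# Added example, not from the answer above. Assumed values: forest abc.local,
# new routable suffix abc.com, users under OU=Staff, ADFS farm name sts.abc.com.
Import-Module ActiveDirectory

$OldSuffix  = 'abc.local'                  # existing AD DNS name
$NewSuffix  = 'abc.com'                    # hypothetical routable suffix
$SearchBase = 'OU=Staff,DC=abc,DC=local'   # hypothetical OU to migrate
$FarmName   = 'sts.abc.com'                # hypothetical ADFS farm name

# 1. Register the routable UPN suffix at the forest level (skip if present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $NewSuffix}
}

# 2. Build the rename plan and refuse to continue if any target UPN already
#    exists: UPNs must be unique forest-wide or logons become ambiguous.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase
$plan = foreach ($u in $users) {
    [pscustomobject]@{ User = $u; NewUpn = "$($u.SamAccountName)@$NewSuffix" }
}
$conflicts = $plan | Where-Object {
    Get-ADUser -Filter "UserPrincipalName -eq '$($_.NewUpn)'"
}
if ($conflicts) {
    $conflicts | ForEach-Object { Write-Warning "UPN already in use: $($_.NewUpn)" }
    throw 'Resolve UPN conflicts before continuing.'
}

# 3. Apply the change. -WhatIf previews it; remove -WhatIf to commit.
foreach ($p in $plan) {
    Set-ADUser -Identity $p.User -UserPrincipalName $p.NewUpn -WhatIf
}

# 4. Confirm internal DNS resolves the farm name to a private (RFC 1918)
#    address, as the answer recommends, rather than to a public IP.
$addr = (Resolve-DnsName -Name $FarmName -Type A -ErrorAction Stop).IPAddress
$private = $addr | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
if (-not $private) {
    Write-Warning "$FarmName does not resolve to a private address from here: $addr"
} else {
    "$FarmName -> $private (private address, as expected for internal clients)"
}
```

Run step 3 with -WhatIf first and review the output, since a changed UPN is what users type at the ADFS sign-in page and what any already-federated service will see.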