- The forest trust is enough. You'll have single sign-on without adding an ADFS in forest B.
- If your goal is to provide SSO, then it is required. But you might have other requirements such as delegation, or internal policies that would make the use of a "central" ADFS farm difficult. Note that when an ADFS farm trusts another one, the users will be asked to pick which farm they are from. It is called Home Realm Discovery; it can be tuned to some extent, but ultimately it might change the way authentication works for users on both sides.
ADFS for two forests with two-way bi-directional trust
I have a scenario in which we have two separate forests, forest A and forest B. There is a two-way bi-directional trust between them.
I have ADFS in forest A, and there are many relying party applications (SAML-based) in forest A.
I want my users in forest B, to access applications in forest A.
- Will it require ADFS in forest B, or will the forest trust do the job?
- Does it make sense to have a forest trust and also create an ADFS trust between the two ADFS farms A and B for such a scenario?
Any inputs?
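The two options in the answers above (forest trust only with a single ADFS farm in forest A, versus an additional ADFS-to-ADFS claims provider trust with Home Realm Discovery tuning) can be checked and configured from the ADFS server in forest A. The following PowerShell is an added example, not code from the thread; the forest name 'forestb.example', the relying party 'SAML App 1', the claims provider name 'ADFS Forest B' and its metadata URL are assumptions to be replaced with your own values. It uses only the standard ActiveDirectory and ADFS modules.

```powershell
# Added example (not from the original thread). Run on the ADFS server in forest A.
# Requires the ActiveDirectory RSAT module and the ADFS module. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module ADFS

$TrustedForest   = 'forestb.example'                        # forest B DNS name (assumption)
$RelyingParty    = 'SAML App 1'                             # one SAML RP in forest A (assumption)
$ForestBAdfsName = 'ADFS Forest B'                          # claims provider trust name (assumption)
$ForestBMetadata = 'https://adfs.forestb.example/FederationMetadata/2007-06/FederationMetadata.xml'

# Option 1: forest trust only. The built-in 'Active Directory' claims provider of the
# forest A farm authenticates accounts from trusted forests, so users in B get SSO to
# the SAML apps in A without a second farm. First verify the trust is what you expect.
function Test-ForestTrust {
    param([string]$Forest)
    $trust = Get-ADTrust -Filter "Name -eq '$Forest'" -ErrorAction SilentlyContinue
    if (-not $trust) { Write-Warning "No trust object found for $Forest"; return $false }
    Write-Host ("Trust {0}: Direction={1} ForestTransitive={2}" -f $Forest, $trust.Direction, $trust.ForestTransitive)
    # Forest-wide, two-way: anything less (one-way, external/non-transitive) will not cover every domain in B.
    return ($trust.Direction -eq 'BiDirectional' -and $trust.ForestTransitive)
}

# An empty ClaimsProviderName list means every enabled claims provider is offered for the RP,
# which is exactly when the Home Realm Discovery picker appears once a second trust exists.
function Get-RpClaimsProviders {
    param([string]$Name)
    $rp = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rp) { Write-Warning "Relying party '$Name' not found"; return $null }
    return @($rp.ClaimsProviderName)
}

# Pin an RP to the local Active Directory claims provider (which covers forest B through the
# forest trust), so users of that RP never see the HRD page even if an ADFS B trust is added later.
function Set-RpToActiveDirectoryOnly {
    param([string]$Name)
    Set-AdfsRelyingPartyTrust -TargetName $Name -ClaimsProviderName @('Active Directory')
}

# Option 2: a separate ADFS farm in forest B, added to farm A as a claims provider trust.
# Tune HRD with suffix routing (Windows Server 2016 and later) so a user who types
# alice@forestb.example is sent to ADFS B without the picker. Acceptance transform rules
# (pass-through of the needed claims) still have to be configured on the new trust.
function Add-ForestBClaimsProvider {
    param([string]$Name, [string]$MetadataUrl, [string[]]$Suffixes)
    Add-AdfsClaimsProviderTrust -Name $Name -MetadataUrl $MetadataUrl
    Set-AdfsClaimsProviderTrust -TargetName $Name -OrganizationalAccountSuffix $Suffixes
}

# Audit run (read-only). Uncomment the Set-/Add- calls to apply the changes.
if (Test-ForestTrust -Forest $TrustedForest) {
    $providers = Get-RpClaimsProviders -Name $RelyingParty
    Write-Host ("'{0}' claims providers: {1}" -f $RelyingParty, ($(if ($providers.Count) { $providers -join ', ' } else { '<all, HRD will be shown>' })))
    # Set-RpToActiveDirectoryOnly -Name $RelyingParty
    # Add-ForestBClaimsProvider -Name $ForestBAdfsName -MetadataUrl $ForestBMetadata -Suffixes @($TrustedForest)
}
Get-AdfsClaimsProviderTrust | Select-Object Name, Enabled, OrganizationalAccountSuffix | Format-Table -AutoSize
```

Two practical caveats for option 1: the ADFS service account in forest A must be able to read the forest B user objects it issues claims about (the default Authenticated Users read permission is normally enough), and if you later add the ADFS B claims provider for other reasons, pin the existing RPs as shown so their users keep the single-sign-on flow they already have.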