- The forest trust is enough. You'll have single sign-on without adding an ADFS in forest B.
- If your goal is to provide SSO, then it is required. But you might have other requirements such as delegation, or internal policies that would make the use of a "central" ADFS farm difficult. Note that when an ADFS farm trusts another one, the users will be asked to pick which farm they are from. It is called Home Realm Discovery; it can be tuned to some extent, but ultimately it might change the way authentication works for users on both sides.
ADFS for two forests with two-way bi-directional trust
I have a scenario in which we have two separate forests, forest A and forest B. There is a two-way bi-directional trust between them.
I have ADFS in forest A and there are many relying party applications (SAML-based) in forest A.
I want my users in forest B to access applications in forest A.
- Will it require ADFS in forest B, or will the forest trust do the job?
- Does it make sense to have a forest trust and also create an ADFS trust between the two ADFS farms A and B for such a scenario?
Thank you for your answers.
However, it's a case of co-existence, which means users from forest A will be migrated to forest B. During this phase, when the users are in forest B, they still want to access applications protected by ADFS in forest A.
So in such a case, where I have a bi-directional trust already enabled between A and B (for migration of users), I can also use that for users in forest B to access the applications in forest A.
And the application access would be limited to LDAP- and Kerberos-based apps; claims-aware apps won't be accessible as they need a SAML token for the user in forest B. Please correct my understanding if it's wrong.
On the other hand, if along with the bi-directional forest trust I also create an ADFS trust between A and B, in this case I understand that users would be given an option of where they want to authenticate from, and in this case LDAP- and Kerberos-based apps can be accessed using the forest trust and SAML claims-based apps using ADFS?
Any inputs ?
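As an added example (not from anyone in this thread), here is how the Home Realm Discovery prompt mentioned in the answer can be tuned on the forest-A farm once a claims provider trust to a forest-B farm exists. The trust name "Forest B ADFS", the relying party name "Forest A SAML App" and the UPN suffix "forestb.example" are assumed placeholders.

```powershell
# Added example: tuning Home Realm Discovery on the forest-A ADFS farm after a
# claims provider trust to the forest-B ADFS farm has been created.
# Assumed names: claims provider trust "Forest B ADFS", relying party
# "Forest A SAML App", forest-B sign-in UPN suffix "forestb.example".
Import-Module ADFS

# Option 1: route users by UPN suffix so forest-B users are sent to their own
# farm without seeing the realm picker (Windows Server 2012 R2 or later).
Set-AdfsClaimsProviderTrust -TargetName "Forest B ADFS" `
    -OrganizationalAccountSuffix @("forestb.example")

# Option 2: restrict which claims providers may sign in to a given relying party.
# Listing both providers keeps the picker for this app only; listing a single
# provider removes the prompt for that app and rejects tokens from any other farm,
# which keeps each application's accepted identity sources to the minimum needed.
Set-AdfsRelyingPartyTrust -TargetName "Forest A SAML App" `
    -ClaimsProviderName @("Active Directory", "Forest B ADFS")

# Verify the resulting configuration: which providers each app accepts, and which
# suffixes are routed to which claims provider trust.
Get-AdfsRelyingPartyTrust -Name "Forest A SAML App" |
    Select-Object Name, ClaimsProviderName
Get-AdfsClaimsProviderTrust |
    Select-Object Name, OrganizationalAccountSuffix
```

Run this on a forest-A ADFS server as a farm administrator; Option 1 alone is usually enough to remove the realm prompt for migrated users while leaving forest-A users on the local "Active Directory" provider.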