Multiple Relying Party trusts on one ADFS implementation - drawbacks?

iconoclast88 61 Reputation points
2022-09-07T16:24:11.483+00:00

We have 365 as the only relying party trust.
If we add another for another service, is it muddying the waters in any way? Is it adding more overhead or complexity to updates, certificate renewals, troubleshooting, migrations, etc?

I just want to be able to speak intelligently about it and understand the risks.

thanks!

Active Directory Federation Services

Accepted answer
  1. Andy David - MVP 141.2K Reputation points MVP
    2022-09-07T21:18:49.253+00:00

    Well, I don't work for Microsoft, just my opinion. I guess my point is that you don't need ADFS for 365 authentication, you can use Azure auth.

    But to your question, if you add another relying party it does mean that come cert renewal time for ADFS, you will need to take any additional relying party into account and ensure you handle the metadata updates. In the big picture, is that much of a big deal? Probably not, and the troubleshooting - whether it's in Azure or with ADFS - is really the same in most respects - it usually comes down to some claim not being sent correctly :)

    As far as migrations, if you mean migration to the next version of Windows/ADFS or Azure, then yep, if you can avoid that it's a really nice benefit of going straight to Azure instead of staying on ADFS. (Sorry, had to slip that in there.)

    I think overall staying on ADFS is fine if it meets your needs, and adding additional relying parties only becomes a major burden when you reach a number that becomes a real burden during upgrades. How long will Microsoft support ADFS? Can't tell you, but you have to figure at some point they won't, just like the old on-premises MFA server. That's a real risk in my opinion.

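As an added illustration of the cert-renewal point in the answer above (this is not code from the thread or from Microsoft), the following PowerShell inventory lists every relying party trust, whether it refreshes itself from the partner's federation metadata, and whether a partner-supplied certificate expires soon. It assumes the ADFS PowerShell module on an ADFS server; the 60-day threshold is an assumed value.

```powershell
# Added example: inventory relying party trusts ahead of an ADFS certificate rollover.
# Assumes the ADFS module (Get-AdfsCertificate, Get-AdfsProperties, Get-AdfsRelyingPartyTrust).
param([int]$DaysAhead = 60)   # assumed threshold for "expires soon"

Import-Module ADFS
$cutoff = (Get-Date).AddDays($DaysAhead)

# ADFS's own primary token-signing certificate: every partner that pinned it by hand
# must be told when it rolls over, so record its expiry and the rollover mode.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
"Primary token-signing cert expires {0}; AutoCertificateRollover={1}" -f `
    $primary.Certificate.NotAfter, (Get-AdfsProperties).AutoCertificateRollover

# One row per relying party trust. Trusts without a MetadataUrl were configured by hand,
# so certificate changes in either direction are a manual task at renewal time.
Get-AdfsRelyingPartyTrust | ForEach-Object {
    $rp = $_
    $partnerCerts = @()
    if ($rp.EncryptionCertificate)     { $partnerCerts += $rp.EncryptionCertificate }
    if ($rp.RequestSigningCertificate) { $partnerCerts += $rp.RequestSigningCertificate }
    $soonest = $partnerCerts | Sort-Object NotAfter | Select-Object -First 1
    $autoUpdate = [bool]$rp.MetadataUrl -and $rp.MonitoringEnabled -and $rp.AutoUpdateEnabled

    [pscustomobject]@{
        Name            = $rp.Name
        Enabled         = $rp.Enabled
        HasMetadataUrl  = [bool]$rp.MetadataUrl
        AutoUpdate      = $autoUpdate
        PartnerCertExp  = if ($soonest) { $soonest.NotAfter } else { $null }
        # Flag trusts that need a human at renewal: no metadata refresh, or a partner cert near expiry.
        NeedsManualWork = (-not $autoUpdate) -or ($soonest -and $soonest.NotAfter -lt $cutoff)
    }
} | Sort-Object NeedsManualWork -Descending | Format-Table -AutoSize
```

The rows with NeedsManualWork set are the ones to put on the renewal checklist; the rest follow the partner's metadata automatically.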

3 additional answers

  1. Andy David - MVP 141.2K Reputation points MVP
    2022-09-07T18:59:43.837+00:00

    Well, every time you add a relying party it adds more "complexity" - ADFS is in and of itself additional legacy complexity.
    I would argue that if you have a presence in Azure, you should be adding any new federation with new services there and not in ADFS.

    The goal should be to move off of ADFS and into a managed Azure auth architecture and not adding more relying parties to ADFS. :)

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/migrate-from-federation-to-cloud-authentication


  2. iconoclast88 61 Reputation points
    2022-09-07T20:51:51.337+00:00

    I guess your reply is more of a philosophical one, or maybe more accurately a Microsoft Azure monolithic view. I do understand that opinion. I do understand Microsoft wants everyone to move in that direction and to see any on-prem or third-party activity as legacy; however, that's not practical nor realistic.

    Thanks for your input, but if we need ADFS for 365 SSO authentication for our on-premise users, but also have a need for another 3rd-party authentication piece, the original question still stands.


  3. iconoclast88 61 Reputation points
    2022-09-09T13:46:34.827+00:00

    Appreciate the follow-up.

    Our business utilizes on-premise datacenter resources that we don't want in Azure, so moving all those workloads to Azure isn't a priority. Also, Microsoft MFA kind of sucks. There are third party vendors that do it better that are more flexible with other third party products.

    Again, if you are a pure Microsoft house, using web apps, then sure. If you have business apps that require applications that aren't web-based, then what you are suggesting is thousands of miles away.

    Could you elaborate on using 365 authentication on our on-premise AD accounts? Or is that not what you're referring to?
