Questions about ADFS and Single Sign On (SSO) with Office 365 for Education
I had several ADFS and Single Sign On (SSO) questions from a large university in northern California proceeding with Office 365 for Education for faculty, staff and students.
What servers do I need to accommodate single sign on (SSO) aka Federated ID?
The following on premises servers are needed to accommodate SSO with Office 365:
- ADFS 2.0 Proxy Servers (2 minimum for redundancy)
- ADFS 2.0 servers (2 minimum for redundancy)
- DirSync Server
Do we require ADFS proxies or can I just deploy an ADFS internal server?
Technically you can get away with just ADFS servers and no proxy servers for Federated ID, but we recommend that you deploy ADFS proxies to protect your ADFS servers and to allow client access restrictions such as denying access to email when off campus, or IP filtering.
Can I use TMG or UAG instead of an ADFS proxy server?
Currently, it is slated to be supported; however, the documentation is still being developed. In some cases, such as IP filtering, an ADFS proxy is still required in conjunction with UAG or TMG. There is some initial documentation here.
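As an added example (not code from the original post), here is how the "deny access to email when off campus" restriction mentioned above is expressed with AD FS 2.0 client access policy rules, which is also the IP filtering that still needs an ADFS proxy in front of the farm. It assumes AD FS 2.0 with Update Rollup 2 or later (which adds the x-ms-* request-context claims the rules read), the default Office 365 relying party trust name "Microsoft Office 365 Identity Platform", and 192.0.2.0/24 as a constructed placeholder for the campus public address range.

```powershell
# Added example, not from the original post. Assumes AD FS 2.0 + Update Rollup 2 or later,
# the default Office 365 relying party trust name, and 192.0.2.0/24 as a constructed
# placeholder for the campus public IP range. Run on an ADFS farm node as an ADFS admin.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. The request-context claims are added by the ADFS proxy but must be passed through the
#    Active Directory claims provider trust before authorization rules can see them.
#    Append to the existing acceptance rules rather than replacing them.
$passThrough = @'
@RuleName = "Pass through x-ms-forwarded-client-ip"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);
@RuleName = "Pass through x-ms-proxy"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"] => issue(claim = c);
@RuleName = "Pass through x-ms-client-application"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"] => issue(claim = c);
'@
$adTrust = Get-ADFSClaimsProviderTrust -Name "Active Directory"
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" `
    -AcceptanceTransformRules ($adTrust.AcceptanceTransformRules + "`r`n" + $passThrough)

# 2. Issuance authorization rules for the Office 365 trust: deny requests that came through
#    the proxy (x-ms-proxy present) from a non-campus address, unless the client is
#    Exchange ActiveSync, so phones keep working off campus while Outlook/OWA do not.
#    The IP regex is unanchored because x-ms-forwarded-client-ip can list several addresses
#    when upstream proxies are involved.
$authzRules = @'
@RuleName = "Deny off-campus access except Exchange ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.0\.2\.\d{1,3}\b"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
@RuleName = "Permit everyone else"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-ADFSRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
    -IssuanceAuthorizationRules $authzRules

# 3. Read the rules back so the change can be reviewed before anyone relies on it.
(Get-ADFSRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform").IssuanceAuthorizationRules
```

The x-ms-proxy claim is only attached when the request arrives through an ADFS proxy, so a farm that is reachable from the Internet with no proxy in front of it never gets the deny claim from this rule; that is why the post says IP filtering still requires an ADFS proxy even when TMG or UAG is used. Any deny claim wins over the permit claim regardless of rule order, and a mistake in the IP regex locks everyone off campus out, so test from an off-campus client before leaving the rule in place.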
Is there an order they need to be installed?
Yes: configure ADFS and Federated ID first, then the Directory Sync server. You would think it is the other way around, but things run better when ADFS is configured before DirSync.
Do I need full blown SQL Server with ADFS?
It depends on how you are going to implement ADFS and on the total number of ADFS servers deployed. A stretched ADFS farm requires full SQL Server, and so does a farm of more than 5 ADFS servers, because WID cannot scale beyond that number of ADFS servers. See here for the differences between WID and SQL with ADFS, or here for ADFS topology choices.
What versions of SQL are supported?
WID, SQL 2008 R2, SQL 2012.
How many ADFS servers do I need for Federated ID?
ADFS server scale varies with load frequency, for example whether everyone logs in within a 15 minute interval or spread over an hour. The answer can range from 2 ADFS servers for 15,000 users with high availability under high load, to many more users depending on your load frequency.
See the ADFS sizing calculator here to help narrow it down.
Can I enable geo-redundancy with ADFS?
Yes, it is possible with SQL mirroring/replication to an alternate datacenter along with geo-aware load balancers.
What happens if ADFS is unavailable?
ADFS is required to access Office 365 when using Federated ID (SSO): if ADFS is down, nobody can sign in to the cloud service. Make sure you have redundant ADFS proxies and ADFS servers to reduce that downtime.
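As an added example (not from the original post), here is a small availability probe you can run from a monitoring host on campus and from one outside it, so that a farm or proxy that stops answering is noticed before users report that they cannot sign in. It assumes the federation service name sts.example.edu (a constructed placeholder) and the standard AD FS 2.0 federation metadata path; it needs only Windows PowerShell 2.0, which is what Windows Server 2008 R2 ships with.

```powershell
# Added example, not from the original post. Assumes the federation service name
# sts.example.edu (constructed placeholder) and the standard AD FS 2.0 metadata path.
# Uses System.Net.WebRequest so it runs on Windows PowerShell 2.0 without Invoke-WebRequest.

function Test-AdfsFederationMetadata {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [int]$TimeoutSeconds = 10
    )
    $url = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    $result = New-Object PSObject -Property @{
        Url = $url; Reachable = $false; EntityId = $null;
        SigningCertificates = 0; Milliseconds = $null; Error = $null
    }
    # Certificate validation is left at its default on purpose: an expired or wrong
    # service communications certificate breaks SSO just as surely as a dead server.
    $request = [System.Net.WebRequest]::Create($url)
    $request.Timeout = $TimeoutSeconds * 1000
    $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $response = $request.GetResponse()
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        [xml]$metadata = $reader.ReadToEnd()
        $reader.Close(); $response.Close()
        $result.Reachable = $true
        $result.EntityId = $metadata.EntityDescriptor.entityID
        # Office 365 validates tokens against the signing certificate advertised here,
        # so an endpoint that answers but advertises no signing key is still an outage.
        $ns = @{ md = "urn:oasis:names:tc:SAML:2.0:metadata" }
        $result.SigningCertificates = @(Select-Xml -Xml $metadata -Namespace $ns `
            -XPath "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']").Count
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $stopwatch.Stop()
        $result.Milliseconds = $stopwatch.ElapsedMilliseconds
    }
    return $result
}

# Run from inside campus (hits the internal farm) and from outside (hits the proxies);
# with split DNS the same name reaches a different tier from each vantage point.
$status = Test-AdfsFederationMetadata -ServiceName "sts.example.edu"
if (-not $status.Reachable -or $status.SigningCertificates -eq 0) {
    Write-Warning ("ADFS check failed for {0}: {1}" -f $status.Url, $status.Error)
} else {
    "{0} OK in {1} ms, entityID={2}, signing certs={3}" -f `
        $status.Url, $status.Milliseconds, $status.EntityId, $status.SigningCertificates
}
```

Scheduling this every few minutes from both vantage points gives you a response-time trend as well as an up/down signal; a rising Milliseconds value from inside campus is an early sign that the farm is underspecced for the login peak, which is the failure the hardware guidance below is meant to prevent.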
What type of hardware do I need for ADFS?
Make sure you do not underspec your ADFS servers as it does require some horsepower to run effectively:
Federation Service Server
- Dual Quad Core 2.27GHz (8 cores)
- 16GB RAM
- Gigabit Network
Federation Service Proxy Server
- Quad Core 2.24GHz (4 cores)
- 4GB RAM
- Gigabit Network
Where can I get more information on deploying ADFS?
There is a good ADFS deployment guide here and an O365 ADFS deployment checklist here.
Comments

Anonymous
January 01, 2003
the first link has been removed and the 2nd deleted

Anonymous
January 01, 2003
Hi, we have changed our domain to hosted and updated MX records at ISP side. Now we are planning to go ahead with the AD FS installation. We are having four servers (entire new setup) - SCCM, SYMANTEC PDC and one for AD FS Farm. My questions are:
- Whether we would require a FS Proxy Server in place to get the SSO enabled to O365. The users here will be using smartphones and public computers to access O365 and the headcount is less than 500. We have already tested the ActiveSync functionality and it's working fine on smartphones without a FS Service in place. Could you give me a good idea about this as we are confused on the requirement of Proxy Server?
- Do we really need a dedicated server for AD FS installation? Can I install the AD FS on any existing servers (PDC, SCCM, ANTIVIRUS)? My customer wants me to do all this setup using the above four servers :( many thanks, Nivil

Anonymous
January 01, 2003
technet.microsoft.com/.../jj151794.aspx

Anonymous
January 01, 2003
Nivil,
- As I mentioned above, ADFS Proxy servers are 'optional' to work with Office 365; however we recommend them in order to provide an additional layer of security for your ADFS servers. Think of the proxy role as similar to the web proxy server role. A lot of my customers in higher ed chose not to deploy ADFS proxies since they did not have a perimeter network, and deploying just ADFS servers worked fine with Office 365. Net - ADFS proxies provide more security and client filtering capabilities, so we are going to always recommend them as a best practice; however, whether or not you choose to deploy them is up to you.
- Yes, you have to have a dedicated ADFS server where you cannot run other things like domain controller, system center, etc. The good news is you can make these ADFS servers virtual as long as you provide enough processor and RAM as stated above. I have seen customers have login issues because they did not put enough proc and RAM on their virtualized ADFS servers. With 500 users, you should be in good shape; however, I would still deploy redundant ADFS servers to avoid a single point of failure.

Anonymous
January 01, 2003
Thanks for that image about transactional replication. Is there more documentation available on how to set up the replication for ADFS or is it very basic transactional replication? Thanks,

Anonymous
January 01, 2003
Ryan, SQL Server 2008 R2 is now supported 2 years later. See here: technet.microsoft.com/.../gg982487(v=ws.10).aspx

Anonymous
October 19, 2011
What version of Windows Server, standard or enterprise, should be installed? I am assuming Windows Server 2008 R2 64-bit. And are there any drive configuration requirements?

Anonymous
October 21, 2011
Dave, any Windows Server 2008 OS version can work with ADFS 2.0. 64-bit is recommended. See here: support.microsoft.com/.../974408

Anonymous
May 23, 2013
the first link has been removed and the 2nd deleted

Anonymous
July 16, 2013
"What versions of SQL are supported? WID, SQL 2005 and SQL 2008." I realize this was originally posted in 2011. Does this imply that SQL 2008 R2 is NOT supported at this time? Thanks.

Anonymous
July 29, 2013
Hi Markga. Thanks for that response. Can you provide any further information or any supporting documentation around performance from your statement: "I don't see huge performance gains by regionalizing ADFS for SSO as it is essentially a web server that issues SAML tokens. There is value in doing this for redundancy but not performance necessarily." We have North American data centers with NA and European users.

Anonymous
May 29, 2014
Pingback from The "Hybrid" SharePoint Online Model | SharePoint Samurai