Implications of using AD FS 2.0 to implement single sign-on in Office 365

Article ID: 2510193


INTRODUCTION

This article provides an overview of various Active Directory Federation Services (AD FS) 2.0 scenarios and their implications for single sign-on (SSO) in Office 365 and for Office 365 Support.

MORE INFORMATION

As with most enterprise-level services, the AD FS 2.0 Federation Service (used for SSO) can be implemented in many ways, depending on business needs. The following AD FS 2.0 scenarios focus on one specific aspect of implementation: how the on-premises AD FS 2.0 Federation Service is published to the Internet.

Scenario 1: Fully implemented AD FS 2.0

Description
An AD FS 2.0 Federation server farm authenticates users against Active Directory to provide SSO. A load-balanced AD FS 2.0 Federation server proxy exposes those core authentication services to the Internet by relaying requests and responses between Internet clients and the internal AD FS 2.0 environment; the federation servers themselves are not reachable directly from the Internet.

Recommendations
Of the scenarios described here, this one exposes Active Directory credentials to Internet clients the least: the federation server proxy terminates Internet connections in the perimeter network, and the federation servers stay on the internal network. Therefore, it's a Microsoft best practice to implement this scenario.

Support assumptions
There are no support assumptions for this scenario. This scenario is supported by Office 365 Support. 

Scenario 2: Firewall-published AD FS 2.0

Description
An AD FS 2.0 Federation server farm services Active Directory client requests through SSO authentication. A Microsoft Internet Security and Acceleration (ISA) / Microsoft Forefront Threat Management Gateway (TMG) server (or server farm) exposes those core authentication services to the Internet by reverse proxy. 

Limitations
Extended Protection for Authentication (EPA) must be disabled on the AD FS 2.0 Federation server farm for this to work. EPA binds Windows authentication to the TLS session through a channel binding token; because ISA/TMG terminates the client's TLS session and opens its own to the federation server, the token the server sees no longer matches the client's, and authentication fails unless the check is turned off. Disabling the check weakens the security profile of the system, so for security reasons we recommend that you do not do this.
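The following PowerShell is an added example, not part of this article, that reads and changes the EPA token check on an AD FS 2.0 federation server with the AD FS 2.0 snap-in's Get-ADFSProperties and Set-ADFSProperties cmdlets. It assumes the snap-in name Microsoft.Adfs.PowerShell and the service name adfssrv, which are the AD FS 2.0 defaults; the helper function names are ours. The weakened value that Scenario 2 requires is shown beside the default that Scenario 1 keeps.

```powershell
# Added example, not part of KB 2510193. Read and change the Extended
# Protection for Authentication (EPA) token check on an AD FS 2.0
# federation server. Run in an elevated session on every farm member.
# Assumed: the AD FS 2.0 snap-in (installed with AD FS 2.0) and the
# default service name adfssrv. Function names are ours.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-EpaTokenCheck {
    # Require (default), Allow, or None
    (Get-ADFSProperties).ExtendedProtectionTokenCheck
}

function Set-EpaTokenCheck {
    param([ValidateSet('Require', 'Allow', 'None')][string]$Mode)
    Set-ADFSProperties -ExtendedProtectionTokenCheck $Mode
    # The AD FS 2.0 Windows service reads the value at start-up.
    Restart-Service -Name adfssrv
}

$current = Get-EpaTokenCheck
Write-Host "ExtendedProtectionTokenCheck is currently: $current"

# Scenario 2 (ISA/TMG reverse proxy) only works with the check off.
# This is the weakened setting the article warns about; uncomment to apply.
# Set-EpaTokenCheck -Mode None

# Scenario 1 (AD FS 2.0 federation server proxy): keep the default.
# Set-EpaTokenCheck -Mode Require

# Audit: a farm member that still has the check off after the TMG rule has
# been retired is accepting Windows authentication without channel binding.
if ($current -ne 'Require') {
    Write-Warning "EPA token check is '$current' on $env:COMPUTERNAME; channel binding is not enforced."
}
```

Run the audit part on each federation server in the farm; the setting is stored in the AD FS configuration, but the service on every member must be restarted for a change to take effect.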
Support assumptions
It's assumed that the ISA/TMG firewall and reverse proxy rule are implemented correctly and are functional. For Office 365 Support to support this scenario, the following conditions must be true:  
  • The reverse proxy of HTTPS (port 443) traffic between the Internet client and the AD FS 2.0 server must be transparent.
  • The AD FS 2.0 server must receive a faithful copy of SAML requests from the Internet client.
  • Internet clients must receive faithful copies of SAML responses as if the clients were directly attached to the on-premises AD FS 2.0 server. 
For information about common problems that can cause this configuration to fail, see the following resources:

Scenario 3: Non-published AD FS 2.0

Description
An AD FS 2.0 Federation server farm services Active Directory client requests through SSO authentication, and the server farm isn't exposed to the Internet by any method. 

Limitations
Internet clients (including mobile devices) can't use Office 365 resources. For service-level reasons, we recommend that you do not do this. 

Outlook rich clients cannot connect to Exchange Online resources, because Exchange Online contacts the federation service from the Internet on the client's behalf to obtain a token. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2466333 Federated users can't connect to an Exchange Online mailbox
Support assumptions
It's assumed that the customer acknowledges by implementation that this setup doesn't provide the fully advertised suite of services that are supported by SSO in Office 365. Under these circumstances, this scenario is supported by Office 365 Support. 

Scenario 4: VPN-published AD FS 2.0

Description

An AD FS 2.0 Federation server (or Federation server farm) services Active Directory client requests through SSO authentication, and the server or server farm isn't exposed to the Internet by any method. Internet clients connect to and use AD FS 2.0 services only through a virtual private network (VPN) connection to the on-premises network environment. 

Limitations

Unless Internet clients (including mobile devices) are VPN-capable, they can't use Office 365 services. For service-level reasons, we recommend that you do not do this. 

Outlook rich clients (including ActiveSync clients) can't connect to Exchange Online resources. For more information, see the following Microsoft Knowledge Base article:
2466333 Federated users can't connect to an Exchange Online mailbox
Support assumptions

It's assumed that the customer acknowledges by implementation that this setup doesn't provide the fully advertised suite of services that are supported by identity federation in Office 365. 

It's assumed the VPN is implemented correctly and is functional. For this scenario to be supported by Office 365 Support, the following conditions must be true: 
  • The client can connect to the AD FS 2.0 system by DNS name through HTTPS (port 443) over the VPN.
  • The client can connect to the Office 365 service endpoints by DNS name by using the appropriate ports and protocols.
SSO for VPN-connected Internet users is possible in this scenario, but it isn't supported.
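The following PowerShell is an added example, not part of this article, that checks from the client side what the support conditions for Scenario 2 (transparent reverse proxy, faithful requests and responses) and Scenario 4 (DNS name and port 443 reachable over the VPN) require: the federation service name resolves, TCP 443 is open, the certificate matches the name, and every HTTPS endpoint advertised in the farm's federation metadata uses the same name the client connected to. The name sts.contoso.com is a placeholder for your own federation service name; the metadata path is the standard AD FS 2.0 one.

```powershell
# Added example, not part of KB 2510193. From the client side, checks what
# the support conditions require of an AD FS 2.0 endpoint reached through a
# reverse proxy (Scenario 2) or over a VPN (Scenario 4). Run it from the
# Internet client or from the VPN-connected client.
# Assumed: 'sts.contoso.com' is a placeholder for your own service name.
param([string]$FederationServiceName = 'sts.contoso.com')

$fqdn = $FederationServiceName
$metadataUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. DNS as seen from where this client sits (split-brain DNS is common with VPNs).
$addresses = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.ToString() }
"{0} resolves to {1}" -f $fqdn, ($addresses -join ', ')

# 2. TCP 443. TcpClient works on PowerShell 2.0, where Test-NetConnection is absent.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($fqdn, 443)
    "TCP 443 to $fqdn is open"
} catch {
    throw "TCP 443 to $fqdn is not reachable: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

# 3. HTTPS through the proxy or VPN. A name mismatch or untrusted chain throws
# here, which is what Outlook and ActiveSync clients would hit silently.
$web = New-Object System.Net.WebClient
$xml = [xml]$web.DownloadString($metadataUrl)
$cert = [System.Net.ServicePointManager]::FindServicePoint($metadataUrl).Certificate
if ($cert) { "Certificate presented on 443: $($cert.Subject)" }

# 4. Endpoints advertised in the metadata: SAML 2.0 'Location' attributes and
# WS-Federation/WS-Trust 'Address' elements. A proxy that rewrites the host,
# or a farm whose service name differs from the published name, sends clients
# to a name they cannot reach, which breaks the "faithful copy" condition.
$nodes = Select-Xml -Xml $xml -XPath '//@Location | //*[local-name()="Address"]'
$urls = $nodes | ForEach-Object {
    if ($_.Node -is [System.Xml.XmlAttribute]) { $_.Node.Value } else { $_.Node.InnerText }
} | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^https://' } | Sort-Object -Unique

$otherHosts = $urls | ForEach-Object { ([System.Uri]$_).Host } |
    Sort-Object -Unique | Where-Object { $_ -ne $fqdn }

if ($otherHosts) {
    Write-Warning ("Metadata advertises endpoints on {0}; clients that reached {1} will be redirected there." -f ($otherHosts -join ', '), $fqdn)
} else {
    "All {0} advertised HTTPS endpoint(s) use {1}" -f @($urls).Count, $fqdn
}
```

Save it under any name (for example Test-AdfsEndpoint.ps1, a hypothetical file name) and run it as `.\Test-AdfsEndpoint.ps1 -FederationServiceName sts.example.com` from the Internet client for Scenario 2 and from a VPN-connected client for Scenario 4. Any step that fails points at the layer (DNS, firewall or VPN route, certificate, proxy rule, or farm configuration) that does not meet the corresponding support condition.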

High-availability AD FS 2.0 and Office 365 identity federation

Each scenario can be varied by using a stand-alone AD FS 2.0 Federation server instead of a server farm. However, it's always a Microsoft best-practice recommendation that all critical infrastructure services be implemented by using high-availability technology to avoid loss of access. 

On-premises AD FS 2.0 availability directly affects Office 365 service availability for federated users, and its service level is the responsibility of the Office 365 customer. The Microsoft TechNet library contains extensive guidance on how to plan and deploy AD FS in the on-premises environment. This guidance can help customers reach their target service level for this critical subsystem. For more information, go to the following TechNet website: 
http://technet.microsoft.com/en-us/library/adfs2(WS.10).aspx

Properties

Article ID: 2510193 - Last Review: May 15, 2013 - Revision: 6.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Microsoft Office 365
Keywords: 
o365 o365e o365a o365m o365062011 pre-upgrade o365022013 after upgrade KB2510193