Skip to content

Multiple AAD as RPs with Single AD FS?

May 23, 2014

In my last post I discussed how we can configure multiple Azure AD tenants as Identity Providers with the same AD FS instance.

This time I decided to reverse the situation and see if we can configure multiple Azure AD (AAD) tenants as relying party with the same AD FS instance, so the AD FS acts as an Identity Provider and allow Single Sign On experience into the Cloud based applications hosted by different AAD tenants. The desired configuration is shown in the following diagram.

image

The process to enable SSO into Azure AD tenant via on-premises AD FS is well documented and I’m not going to get into all the details, at the high level it is fairly simple and straightforward:

  1. You need to configure custom domain in your AAD tenant.
  2. You run couple PowerShell commands from your AD FS server. The first one will connect to the specified AAD tenant. The second will convert target custom domain for SSO and it will configure AD FS to act as Identity Provider against AAD.
  3. You’d also need to have some type of solution that synchronizes accounts from on-premises ADDS to the AAD Tenant, like a DirSync.

So I did this on my first AAD tenant and was able to SSO into it by using credentials from on-premises ADDS.

Then time came to configure second AAD tenant for SSO, and unfortunately it did not work for me. The PowerShell conversion complained about AD FS Identifier being already in use. I was hoping for a bit more granularity, and be able to configure each AAD as its own Relying Party with the same AD FS, but not the case. Maybe there will be something there in the future that would allow us to do this.

Until we have some workaround and maybe there is one out there already, please share if you know, there has to be one-one relationship between AD FS IdP and AAD RP, like this:

image

Advertisements
Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: