ADFS with a one-way trust
Posted by BPuhl on May 9, 2008
One of the nice parts about ADFS is its ability to work throughout your trust realm. Within MS IT, we have a single ADFS instance joined to our REDMOND domain in our main internal forest. However, we have 7 production forests, with a total of 17 production domains.
Fortunately, the requirements for ADFS are fairly simple and intuitive:
- The user has to be able to authenticate to an ADFS server
- The ADFS server needs to have the ability to query the user's domain, to read attributes to put into the user's token.
Thinking about it like this, it's easy to see that with a full mesh of 2-way trusts between the forests, a single ADFS instance will work for users, regardless of which domain their account resides in.
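A quick way to check both requirements from the ADFS server before relying on a trust, as an added example rather than anything from the original post: it lists the local forest's trusts with their direction, then tries to read token attributes for a user from a trusted domain under the account running the script. The domain name and account are assumed placeholders.

```powershell
# Added example, not from the original post. Run on the ADFS server under the ADFS
# service account. $UserDomain and $SamAccountName are assumed values; replace them
# with a real trusted domain and a test account that lives in it.
param(
    [string]$UserDomain     = 'corp.example.com',   # assumed: DNS name of the user's domain
    [string]$SamAccountName = 'jdoe'                # assumed: a test account in that domain
)

# Requirement 1: the user must be able to authenticate to this ADFS server, which
# depends on the trust direction. Outbound means "this forest trusts the target";
# Inbound is the reverse; Bidirectional is the 2-way case the post describes.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($trust in $forest.GetAllTrustRelationships()) {
    '{0,-40} {1,-14} {2}' -f $trust.TargetName, $trust.TrustDirection, $trust.TrustType
}

# Requirement 2: the ADFS server must be able to read, from the user's domain, the
# attributes that end up in the token. Bind to that domain and look the user up.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$UserDomain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange(@('mail', 'userprincipalname', 'memberof'))

try {
    $result = $searcher.FindOne()
    if ($null -eq $result) {
        Write-Warning "Bind to $UserDomain succeeded but $SamAccountName was not found."
    } else {
        foreach ($attr in 'mail', 'userprincipalname') {
            '{0,-20} {1}' -f $attr, ($result.Properties[$attr] | Select-Object -First 1)
        }
        'memberOf entries: {0}' -f $result.Properties['memberof'].Count
    }
} catch {
    # Typical causes: no trust path in the needed direction, the service account lacks
    # read rights in the user's domain, or $UserDomain does not resolve from this server.
    Write-Warning "Could not query $UserDomain as $env:USERDOMAIN\$env:USERNAME : $($_.Exception.Message)"
}
```

A trust that shows only one direction here is exactly the case where one of the two requirements can silently fail, so the attribute read is the part worth testing per domain.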