Hi All,
I have one customer problem.
They want to use ADFS for federated SSO, but their existing AD infrastructure is really weird.
They have one parent domain, parent.com, and under that they have two child domains: child1.parent.com and child2.parent.com. Till now everything looks good; it looks like one forest. They want to give SSO privileges to child1.parent.com users only, along with some privileged users of the parent.com domain.
Now, they have acquired three companies, which had their own separate forests, e.g. company1.com, company2.com and company3.com. These domains have not been brought under their main parent domain.
So now they have 4 independent forests. As they are starting the SSO service for their users, they want to give SSO privileges to company2.com and company3.com users as well.
I have deployed ADFS and configured SSO within one forest, but this is something new for me. So I have identified the approaches below:
1. They should bring all domains under one forest. (That would make my life easy, but it seems to be a costly affair.)
2. Deploy a separate ADFS server for each forest. (This will create more than one IdP URL for the same service, e.g. Google Apps.)
3. Implement some custom solution, integrate all the forests through that, and configure ADFS with the custom solution. (Needs brainstorming and custom development; increases time and cost.)
4. Use a bidirectional forest-to-forest trust and configure only one domain with ADFS. Internally they can authenticate over Kerberos. (Seems a good option, but I do not know much about its feasibility.)
Please provide your experienced, valuable suggestions.