Let’s paint a picture, you have an unique requirement to build multiple ADFS farms. you have a fully functional hybrid environment with EXO. you do not want to modify AAD connect and existing ADFS servers. But you want several SaaS applications use different ADFS farm with MFA but their identity is managed by the same Active Directory forest used by existing ADFS farm.
Here is the existing infrastructure:
- 1 single forest with multiple hybrid UPNs (domainA.com, domainB.com, domainC.com and many…)
- 2x ADFS servers (sts1.domainA.com)
- 2X WAP 2012 R2 cluster
- 1x AAD Connect
- 1X Office 365 Tenant with several federated domains (domainA.com, domainB.com, domainC.com and many….)
- 1x public CNAME sts1.domainA.com
Above configuration is working perfectly.
Now you would like to build a separate ADFS 2016 farm with WAP 2016 cluster for SaaS applications. This ADFS 2016 farm will be dedicated to authenticate these SaaS applications. you would also like to turn on MFA on ADFS 2016. Add new public authentication endpoint such as sts2.domainA.com for ADFS 2016 farm.
End goal is that once user hit https://tenant.SaaSApp.com/ it will redirect them to sts2.domain.com and prompt for on-prem AD credentials and MFA if they are accessing from public network.
New ADFS 2016 infrastructure in the same forest and domain:
- 2X ADFS 2016 Servers (sts2.domainA.com)
- 2X WAP 2016 Servers
- 1 X separate public IP for sts2.domainA.com
- 1X public CNAME for sts2.domainA.com
- 1X Private CNAME for sts2.domainA.com
Important Note: You have to prepare Active Directory schema to use ADFS 2016 functional level. No action/tasks necessary in existing ADFS 2012 R2 environment.
Guidelines and referrals to build new environment.
Upgrading AD FS to Windows Server 2016 FBL
ADFS 4.0 Step by Step Guide: Federating with Workday
Branding and Customizing the ADFS Sign-in Pages
Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I
Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II