Load balancing Microsoft ADFS
Microsoft ADFS (Active Directory Federation Services) provides secure SSO (Single Sign-On) and identity federation within an ADFS deployed environment. In its simplest form it can be used to provide authentication against Active Directory for claims-aware applications such as Office 365, Outlook on the web or SharePoint, to name but a few (Web SSO).
Using standards-based identity federation allows trust relationships between federated third parties such as partner organisations or applications hosted within cloud environments. Whenever authentication is required across organisational boundaries (between otherwise autonomous security domains), a federation trust can be created (Federated Web SSO).
You can deploy Federation Servers within your LAN or leverage the ADFS Proxy role within your DMZ, allowing secure deployment alongside your applications. A load balancer can be deployed in front of either Federation Servers or Federation Server Proxies, providing both scalability and high availability to ADFS deployments.
Example deployment utilizing 2 HA pairs. HA pair 1 is used to load balance the ADFS Proxies located in the DMZ; HA pair 2 is used to load balance the ADFS Servers on the internal LAN.
| Protocol | Role | Ports | Load balancing methods |
|---|---|---|---|
| TCP/HTTPS | WEB SSO | 443 | Layer 7 TCP Mode |
Offering performance without limitations, the best-value hardware load balancer on the market supports any environment. Licensed for unlimited throughput, bandwidth and features, upgrading is seamless if your requirements change down the line.
Does ADFS only support Microsoft applications?
No. ADFS uses an industry-standard approach, so it can provide authentication services for many claims-aware applications. You can write your own apps and make them claims-aware, or choose from some of the popular existing applications that already support it: Salesforce, Dropbox, Slack, VMware Identity Provider, Snowflake, SAP, ServiceNow, Google Apps.
Can ADFS Federation Proxies replace Microsoft TMG for SSO at the edge?
The ADFS Federation Proxy role is often used as a long-term, supported semi-replacement for the SSO capabilities of TMG, which is nearing end of life. With TMG scheduled to go EOL in 2020, ADFS proxies are the only Microsoft service to offer a replacement for the secure edge SSO properties of TMG.