One key aspect of Exchange Online is the SSO experience. With single sign-on, also called identity federation, users access services in Microsoft Office 365 for enterprises with their existing Active Directory corporate credentials (user name and password). Benefits of a native SSO experience include fewer support calls (forgotten passwords) and the ability for administrators to keep managing account policies through their on-premises Active Directory.
Getting this level of fidelity, however, requires adopting Active Directory Federation Services (AD FS 2.0). Without diving into specifics, ADFS provides SSO by securely sharing digital identity and entitlement rights (claims) across security and enterprise boundaries. In a way, ADFS is your identity interface to the cloud (Office 365). If your company values SSO as you move your mail to the cloud, you will need ADFS to reach Exchange Online.
But would a single ADFS instance suffice? What happens if your e-mail has been migrated to the cloud and users cannot log in? This scenario was front and center in the Microsoft TechEd session “Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure.”
As this session stresses, your integration with the cloud is only as good as the availability of your ADFS farm: if the farm is down, nobody can authenticate to Exchange Online. In reality, then, many organizations shifting to Exchange Online need to plan for multiple ADFS farms to provide high availability (HA) and site resiliency, together with SQL Server mirroring. These ADFS farms also need to be paired with ADFS proxies if users connect from outside the company’s network.
To work out how many ADFS instances are recommended for your environment, Microsoft has published an ADFS 2.0 Capacity Planning spreadsheet. What is counterintuitive here is that many companies expect to reduce their on-premises server footprint as they move e-mail services to the cloud. With Exchange Online, once the decision has been made that a true SSO experience is a must for production users, pockets of ADFS farms must be planned and provisioned for claims-based authentication to work.