ADFS and BYOD in Azure

Hello,
We are in the process of moving all servers into Azure and deploying BYOD infrastructure, hence no need for client machines to be joined to the domain, “obviously”.
My question is: if my clients are non-domain-joined, why do I need to deploy ADFS in Azure at all, since there are no on-premises servers anyway?

Avoiding Federation Now That Password Hash Sync Is Available
A key driver for federation deployments with ADFS used to be that it enables users to use a single password across on-premises and cloud sessions. However, federation deployments take some effort due to the additional servers and network implementation. The on-premises servers also have to be Internet accessible through any corporate firewalls in a secure way, and they also have to be highly available since logins are not possible if they or their Internet connectivity are offline. Because password hash sync is a feature of directory synchronization, it is initiated from the on-premises server and doesn’t incur many of the infrastructure requirements and costs of federation. It only requires a single server and whilst that server requires outgoing access to the Internet in order to connect to Azure AD there is no requirement for inbound connections, custom firewall openings or highly available configurations.
There are still some reasons why some customers will still prefer ADFS and directory federation over DirSync and password hash synchronization. These include:
  • ADFS can be configured such that users who are already logged on to a domain joined and connected machine do not require any password re-entry to sign in at Office 365. This gives you true single sign-on since re-entry of the password is not required. With DirSync and password hash synchronization a user must still re-enter their password, although it will be the same password as they use on-premises.
  • ADFS allows for client access filtering, which restricts access to Exchange Online to users based on their IP address.
  • ADFS will honor Active Directory configured login time restrictions for users.
  • ADFS can include web pages for users to change their passwords while they are outside the corporate network.
  • With ADFS the authentication decision is always made on-premises and no password hashes are synchronized to the cloud. This may be obvious but can be sometimes a security policy requirement.
  • With ADFS an administrator can immediately block a user to remove access, whereas DirSync synchronizes these changes every three hours. Only password changes are synchronized by DirSync every two minutes.
  • ADFS permits use of on-premises deployed multi-factor authentication products. Note that Azure AD supports multi-factor authentication but many third party multi-factor authentication products require on-premises integration.
  • Where Microsoft Forefront Identity Manager (FIM) is required for some other FIM capability. FIM directory synchronization does not include password hash synchronization so ADFS will still be required for SSO login.
  • Some on-premises to cloud hybrid scenarios require ADFS such as hybrid search.
If you need any of these then Active Directory Federation Services is still the best option.

Similar Messages

  • How to expose ADFS externally in an Azure VM

    I have installed AD DS & AD FS on a virtual machine in Azure. I am trying to configure it as an Identity Provider in ACS. If I import the FederationMetadata from the ADFS site, it points to the local DNS that is only accessible from the VM. I need to expose it externally. How do I do that? This is where the xml file is at https://<server>.<localdns>/FederationMetadata/2007-06/FederationMetadata.xml.
    I have tried multiple things to no success. I added the HTTP (80) & HTTPS (443) endpoint on my AD FS VM. And then tried accessing it via the https://xxx.cloudapp.net/FederationMetadata/2007-06/FederationMetadata.xml public DNS but that didn't work. I also tried creating two additional VMs as load balanced Web Application Proxy servers & enabled Remote Access for them but I am not entirely sure how that works.
    When I try to connect to this IdP via an ACS connected app, it obviously fails being that the local DNS is not accessible outside the VM. How do I set this up correctly?
    Arif

    Hi Arif,
    >>I am trying to configure it as an Identity Provider in ACS.
    Is there bidirectional trust relationship between ACS and ADFS? A bidirectional trust allows ACS project to process incoming tokens from Active Directory and allows AD to issue tokens for use against ACS.
    Regarding ADFS and ACS, the following article can be referred to for more information.
    Windows Authentication, ADFS and the Access Control Service
    http://blogs.msdn.com/b/willpe/archive/2010/10/25/windows-authentication-adfs-and-the-access-control-service.aspx
    Regarding federated identity with Azure ACS, the following article can be referred to for more information.
    Federated Identity with Microsoft Azure Access Control Service
    https://msdn.microsoft.com/en-us/library/hh446535.aspx
    In addition, we can also ask for suggestions in the following forum.
    Claims based access platform (CBA), code-named Geneva
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Best regards,
    Frank Shen

  • ADFS and ACS connection is flakey at best

    I have my Azure subscription's ACS configured to work with my company's Federation server. It is set up and working but only about 20 percent of the time. The following is some of the things I have noticed. I get the login screen, press the button and I am logged in to my app with no problems. I close the browser and try again and I get an error stating that I have an untrusted root cert in the cert chain. The error is only visible in the network tools in Firefox. The SSO sign in page just redisplays. I wait ~5 minutes and try again and can successfully authenticate again. Most of the time once it fails I have to go into ACS manager and save something (not making any changes) and it starts working again. I have also noticed that when I publish a new build to the relevant Azure website, the authentication as previously described will not work for about 5 to 10 minutes. That does not always happen but enough to mention. My company has a production federation server and test federation server set up. I have my local development environment pointing to an ACS dev instance pointing back to my localhost and my company's ADFS test instance. The previous works without fail every time. Only when I am going from my client to ACS to our Federation server and back to Azure does the "flakeyness" occur.

    Thank you very much for the reply.
    the error (the same error in Chrome and Firefox):
    {"context":"rm=0&id=passive&ru=%2fHome%2fSAMLError","httpReturnCode":401,"identityProvider":null,"timeStamp":"2015-01-07 21:26:27Z","traceId":"1e0aa0f0-813e-41de-b169-5e268304ec88","errors":[{"errorCode":"ACS20001","errorMessage":"An error occurred while processing a WS-Federation sign-in response."},{"errorCode":"ACS50008","errorMessage":"SAML token is invalid."},{"errorCode":"ACS50017","errorMessage":"Certificate validation failed for certificate \u0027CN=Battelle IdP Token Signing\u0027 issued by \u0027CN=Battelle SubCA 1, DC=REMOVEDTHISONPURPOSE, DC=battelle, DC=org\u0027. StatusInformation: \u0027A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.\r\n\u0027. X509ChainStatusFlags: \u0027UntrustedRoot\u0027."}]}
    The issue occurs in FF (34.0.5), Chrome (39.0.2171.95) and IE 10
    Gonna give OpenSSL verify a go thanks for the suggestion!
    Lacy
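
Added example, not part of the original thread and not ACS or ADFS code: a small Python triage script that parses the error body posted above and pulls out the certificate subject, issuer and chain status flags, so that repeated intermittent failures can be compared. The function names and the flag descriptions are assumptions made for this example.

```python
import json
import re
from collections import Counter

# Error body copied from the post above, with the forum's line wrapping removed.
SAMPLE_BODY = (
    r'{"context":"rm=0&id=passive&ru=%2fHome%2fSAMLError","httpReturnCode":401,'
    r'"identityProvider":null,"timeStamp":"2015-01-07 21:26:27Z",'
    r'"traceId":"1e0aa0f0-813e-41de-b169-5e268304ec88","errors":['
    r'{"errorCode":"ACS20001","errorMessage":"An error occurred while processing '
    r'a WS-Federation sign-in response."},'
    r'{"errorCode":"ACS50008","errorMessage":"SAML token is invalid."},'
    r'{"errorCode":"ACS50017","errorMessage":"Certificate validation failed for '
    r'certificate \u0027CN=Battelle IdP Token Signing\u0027 issued by '
    r'\u0027CN=Battelle SubCA 1, DC=REMOVEDTHISONPURPOSE, DC=battelle, DC=org\u0027. '
    r'StatusInformation: \u0027A certificate chain processed, but terminated in a '
    r'root certificate which is not trusted by the trust provider.\r\n\u0027. '
    r'X509ChainStatusFlags: \u0027UntrustedRoot\u0027."}]}'
)

# Shape of the ACS50017 message as it appears in that body.
CERT_FAILURE = re.compile(
    r"Certificate validation failed for certificate '(?P<subject>[^']*)' "
    r"issued by '(?P<issuer>[^']*)'\. "
    r"StatusInformation: '(?P<status>[^']*)'\. "
    r"X509ChainStatusFlags: '(?P<flags>[^']*)'"
)

# This example's reading of .NET X509ChainStatusFlags names (assumption,
# not taken from ACS documentation).
MEANING = {
    "UntrustedRoot": "chain was built, but its root is not in the validator's trust store",
    "PartialChain": "an intermediate CA certificate could not be found",
    "NotTimeValid": "a certificate in the chain is expired or not yet valid",
    "Revoked": "a certificate in the chain has been revoked",
    "RevocationStatusUnknown": "revocation status could not be determined",
    "OfflineRevocation": "the revocation endpoint was unreachable",
}

def triage(body):
    """Parse one ACS error body into a flat finding for incident notes."""
    doc = json.loads(body)
    errors = doc.get("errors") or []
    finding = {
        "trace_id": doc.get("traceId"),
        "time": doc.get("timeStamp"),
        "http": doc.get("httpReturnCode"),
        "codes": [e.get("errorCode") for e in errors],
        "cert": None,  # stays None when no certificate failure is reported
    }
    for err in errors:
        m = CERT_FAILURE.search(err.get("errorMessage") or "")
        if m is None:
            continue
        # A .NET flags enum prints several values as a comma-separated list.
        flags = [f.strip() for f in m.group("flags").split(",") if f.strip()]
        finding["cert"] = {
            "subject": m.group("subject"),
            "issuer": m.group("issuer"),
            "status": m.group("status").strip(),
            "flags": flags,
            "meaning": [MEANING.get(f, "unrecognised flag") for f in flags],
        }
    return finding

def summarise(bodies):
    """Count failures per (subject, flag) across several captured bodies."""
    counts = Counter()
    for body in bodies:
        cert = triage(body)["cert"]
        if cert:
            counts.update((cert["subject"], flag) for flag in cert["flags"])
    return counts

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BODY), indent=2))
```

Feeding every captured failure through `summarise` shows whether the intermittent errors always name the same certificate and flag, which is the first thing to establish before comparing trust stores.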

  • ADF and 100 tables

    Hi
    I'm new in ADF technology so I suppose my question is very simple.
    How can I create a ComboBox which has fields with all tables in the database??
    I don't want to write them manually, but I want my application to read all tables from the database (JDBC connected)!!
    Then if I choose one of them the NavigationBar will be for the selected table..
    If something is not clear please ask me, because my English is not very good :/
    Thank you for help.

    Shay:
    Could you give me more details or links where this is explained??
    Sorry but I'm new in ADF and Swing technology..
    Frank:
    I want to modify, add and erase rows in the table that someone selects in the ComboBox..
    For example I want to do something like this:
    http://www.oracle.com/technology/products/jdev/viewlets/1013/ADF_Swing_viewlet_swf.html
    but in the ComboBox I must select tables from my database!!

  • ERRORS in the Lab - Developer Day: Oracle ADF and Fusion Middleware Dev

    I attended the Developer Day on Oracle ADF and Fusion Middleware Development on 11/19. I did the lab (following step by step instructions) and encountered the following errors:
    1) Export to Excel (Step 4, actions 5-9) - Got run-time 500 error when run app. I had to skip these steps to be able to continue with the lab.
    2) Click on Printable Page (Step 4, action 16) - It looks like it works, but nothing showed up on the browser or printing actually happened.
    3) Click on Create Insert (Step 4, action 26) - Got Java.Lang.NumberFormatException
    4) There is no lab for mobile application development. Where should I start? [getting mobile plug-in software, lab tutorials]
    The instructor said that I could post any questions on the Forum. I hope that this is the correct Forum to post these types of questions. Thanks much in advance for your responses.
    Thoai

    Perfect, I get the exact same page when I login, however, this page doesn't have any links to the actual sessions.  If I remember correctly, after logging in another window used to open in which we could select the session to play.
    Please let me know how I can access the session from the page that is displayed after logging in.  Thank you for taking time to check, appreciate your help.

  • Oracle ADF and Oracle Applications

    Hi All,
    Can we use Oracle ADF with current version of Oracle E-business suite (R11i 2 in my case)? Or we need to use only OAF and ADF can be used only for future release of Oracle ERP?
    It will be great if someone can list the benefits of OAF over ADF for Oracle EBS 11i 2. I want to convince the customer that ADF is not safe or not a good platform for the customizations in current release (R11i 2) and even for next immediate version (R12).
    Thanks in advance,
    CAH

    Hi,
    I don't think ADF can be used with Apps 11i; it can be used in R12 (this is my understanding). If you want to run ADF pages from Apps then these pages should be located on an external server and you can access this as an External Application.
    As far as customization is concerned, it can't be done using ADF; only new applications can be developed in ADF, and if you are planning to develop some custom application in Apps then ADF will be a good choice as migration to 11g will be easier (but it will not support Apps specific features like KFF, DFF, Attachments etc.)
    Please check Metalink Note 563047.1 on Metalink for this and you can check some articles on this at www.apps2fusion.com and Mukul's Blog.
    I hope you will get some clear picture on this.
    Regards,
    Reetesh Sharma

  • Oracle ADF and OAS licencing

    Hi all,
    I have been doing research on JSF components, ADF and ADF Faces for our project. I have found some interesting things:
    ADF Faces (donated to Apache by Oracle) is free but it is only for the front end (not as complete as ADF).
    ADF is a more promising and good framework. ADF is free to be deployed on OAS, but I am unable to find pricing for Oracle Application Server. Is it free? And what is the price for deploying ADF on Tomcat or other open source servers? Can I get this information? I need it urgently. Thanks.

    Hi,
    the Oracle AS licence depends on the edition you want to use. I suggest to get in touch with a local sales office to get the pricing information.
    ADF Faces / ADF deployed to 3rd party servers has a licence cost of 5k USD per CPU (at least this is my latest information. So you better check this too)
    Frank

  • Oracle ADF and ECM workflow

    Hi,
    I'm looking for ideas on how to implement this which will involve using Oracle ADF and ECM Workflow.
    1. Oracle ADF App that will check-in an item into ECM.
    2. Using Oracle ECM workflow, an email is sent to the manager that a item has been checked in and is ready for review. The manager access the ADF app , clicks on a "Awaiting approval" and reviews the doc(in an iframe), makes comments(if possible) and then approves it in which case it is published or rejects it in which case it sent back to the employee.
    3. I found a similar posting to this Re: Custom pages at each workflow step in UCM
    Thoughts, ideas?
    Thanks.

    Everything, from checking in, to get a list of approvals, is available by services. You can call the service from an ADF and use the result of that service as a dataset to use in a table. In the administration menu, there are WSDL descriptors for each part for example the check in service, the search service, the workflow service,...

  • Best Practices for BI, ADF and Oracle Forms installations on Weblogic

    Hi, I'm researching options on upgrading to Oracle 11g Middleware. My company currently has Oracle Forms 10g running on Oracle Application Server.
    We are interested in using Oracle Forms 11g, ADF and Jdeveloper, and Business Intelligence with Oracle's Weblogic 10.3.5.
    Are there any whitepapers or documentation on best practices for installing all of these components together?
    For instance, can ADF (with JSF 2.x) be installed in the same domain as Oracle Forms 11g but use different managed servers?
    Will Business Intelligence need to be in a separate Oracle Home with its own WebLogic installation? I spent a lot of time trying to get the JSF upgraded to 2.x in the Business Intelligence installation and could not get it to work.
    I know it's a pretty broad question but thank you for any direction on this.

    Thanks for the reply! I read through the documents and they are very good at explaining how to install the different components individually. I still can't find much on installing them together. I hope it's not just going to be a trial and error thing.
    So far I've done the following successfully:
    Installed 10.3.5 weblogic
    Forms and Reports 11g on top of 10.3.5
    I've created an additional managed server for our ADF applications.
    My next step is upgrading the JSF to 2.x. I would have to stage patches 12917525 and 12979653. I'm afraid it will break the forms and reports though. Any ideas?

  • Hi, I'm a beginner in ADF and JDeveloper. Can anyone suggest any video links for learning Oracle ADF?

    Hi, I'm a beginner in ADF and JDeveloper. Can anyone suggest any video links for learning Oracle ADF?
    Thanks,
    Vijay

    Refer to the links below as a starting point.
    https://blogs.oracle.com/shay/entry/how_do_i_start_learning_oracle_adf_and_jdeveloper
    http://sameh-nassar.blogspot.com.au/2010/04/main-references-to-learn-oracle-adf.html
    Cheers
    AJ

  • ADF and WebCenter 11g libraries upgrade paths for WLS 12.1.3

    We want to upgrade one of our WLS from 10.3.6 to 12.1.3.
    (1) The application hosted on this instance uses the following ADF and WebCenter libraries (also deployed on the same WLS). Please confirm if these can be deployed in WLS12c without any changes or if we need to check on an upgrade path to ADF or Webcenter 12c components as well:
    adf.oracle.businesseditor(1.0,11.1.1.2.0)
    adf.oracle.domain(1.0,11.1.1.2.0)
    adf.oracle.domain.webapp(1.0,11.1.1.2.0)
    oracle.adf.dconfigbeans(1.0,11.1.1.2.0)
    oracle.adf.desktopintegration(1.0,11.1.1.2.0)
    oracle.adf.desktopintegration.model(1.0,11.1.1.2.0)
    oracle.adf.management(1.0,11.1.1.2.0)
    oracle.bi.adf.model.slib(1.0,11.1.1.2.0)
    oracle.bi.adf.view.slib(1.0,11.1.1.2.0)
    oracle.bi.adf.webcenter.slib(1.0,11.1.1.2.0)
    oracle.bi.composer(11.1.1,0.1)
    oracle.bi.jbips(11.1.1,0.1)
    oracle.bpm.mgmt(11.1.1,11.1.1)
    oracle.webcenter.composer(11.1.1,11.1.1)
    oracle.webcenter.skin(11.1.1,11.1.1)
    oracle.wsm.seedpolicies(11.1.1,11.1.1)
    orai18n-adf(11,11.1.1.1.0)
    (There are other libraries too but not anything related to ADF or Webcenter)
    (2) We also have EM extension template in WLS 10.3.6. How can we upgrade this? Do we need to delete this and install FMW infra 12c with the additional DB schema and then try to extend the 12c domain?

    Moved your thread to the WLS Communities since you are not asking if products are certified.
    Thanks,
    Lisa Fedynich

  • What's listening on port 454 and 455 in Azure? Warning flagged by security scan

    We are about to go live with an Azure Website and, as a precaution, did a security scan on the IP address that has been allocated to us.
    There were a number of low severity warnings listed which we're not too worried about, however the scan did flag that something appears to be listening on port 454 and 455, and supports TLS1.0.
    RESULTS:
    Available non CBC cipher    Server's choice    SSL version
    RC4-SHA                     DES-CBC3-SHA       TLSv1
    Does anyone know what this is? I can't find it obviously listed anywhere. If it's not necessary, can I switch it off? And if it is necessary, can I set it to require a more secure protocol?
    We're hosted in the "Australia East" datacentre, in case that's relevant.
    Crossposted to Stack Overflow here:
    http://stackoverflow.com/questions/27807505/whats-listening-on-port-454-and-455-in-azure-warning-flagged-by-security-scan

    Hello Michael,
    These ports are used for internal communication in Azure Websites infrastructure. They are not site specific and you cannot turn them off. It is safe to ignore them.
    Thanks,
    Petr

  • ADF And/Or JSF : A Shift to Future

    Hi All,
    I am using Oracle Forms since 1996 and worked in different versions of it. Now there is a move away from Forms to J2EE based solutions like ADF/JSF to name a few. Even Steve is writing a book for Oracle ADF Development for Forms Developers. I have few questions in mind, that
    1. What is the best way of learning these technologies means following the book Steve / Grant is writing will help us.
    2. One must know ADF before he could learn JSF, Is it a prerequisite ?
    3. For a Forms Developer, what is the right tool (ADF/JSF) which is close to the Forms concepts he knows, so that the shift could be easy and smooth and after that he can learn more.
    Thanks In Advance

    You got it a little mixed up - JSF is one technology that the ADF framework uses.
    So it is not two options - it is one option.
    A great way to start learning development using JDeveloper ADF and JSF is visiting the special center we built for people just like you - Forms developer who want to move to Java.
    http://www.oracle.com/technology/formsdesignerj2ee
    Try for example the hands-on scripts there.
    Then you can continue with the rest of the resources on the JDeveloper home page on OTN.

  • ADFS and ADFS proxy on 2012 and secondary on 2008 R2 is that ok

    I want to build my ADFS and ADFS Proxy for a hybrid setup with Exchange 2010 SP3.
    I will have the primary ADFS and ADFS proxy on 2012 servers and the secondary will be on 2008 R2.
    As per my knowledge this should work but I want to confirm.
    Forest and domain functional level is 2008.
    DCs are 2003, 2008 and 2012.
    thank you

    Hi,
    You can't mix the ADFS versions. Functional level is okay.
    You can see this also from Microsoft's proposed migration strategy creating a new 2012 R2 Server with ADFS http://technet.microsoft.com/en-us/library/dn486787.aspx#BKMK_b
    Regards,
    Lutz

  • Jdeveloper, adf and xmp

    Dear sirs, I belong to a company that has one ERP, developed using Oracle Forms.
    We are in the process of remaking it using JDEV, ADF, and ADF_BC.
    I have a real need: our ERP customers need to change a lot of the application's reports, including data fields, personalize them, etc.
    We are thinking of using XMLP and JDEV and doing the reporting of the ERP with XMLP. My question is: can I do the reports (basic ones) combining both technologies, to allow my customers later to be able to change (if they need) the layout of the reports using XMLP Desktop or any other very basic (easy) technology?
    Well, thanks in advance.
    Paulo J. Costa

    Paulo,
    of course you can do using the Java APIs of XML Publisher. Furthermore there are plans to make XML Publisher the reporting framework for ADF.
    Juergen
