SSO for Multiple domains

Hello,

I'm curious. We have one domain with SSO enabled, but we have another domain underneath the same Office 365 account currently set up to do direct logins to Microsoft. Can we not configure this second domain to access SSO via a second/different ADFS server in the other domain?

Thanks

Verified Answer
  • Hi Shuhai00,

    Thanks for your update.
    No, if they are not in the same forest, configuring multiple domains for SSO is not supported and unavailable in Office 365.
    If you still want to configure each ADFS server for each domain, used for the different Test and Production environments, you have to use two Office 365 Enterprise subscriptions and configure SSO on each tenant for each domain.

    Thanks,
    Grace Shi

All Replies
  • Hi Shuhari00,

    Thanks for posting here.
    Yes, configuring multiple domains for SSO is available in Office 365 if these domains are in the same domain forest.
    Before going ahead, I would like to confirm whether you would like to configure one ADFS server for each domain or configure an ADFS farm for those multiple domains. Would you please provide more detailed information about your requirement here, so that we can help further?

    Thanks,
    Grace Shi

  • Hi Shuhari00,

    Just checking in to see if the information provided is useful for you.
    If you need additional assistance, please feel free to post in the forum. We will be more than happy to be of help.

    Thanks,
    Grace Shi

  • Is there any way to do this, if both domains are Not in the same forest?

    I ask because I would like to set up a Test environment, but part of the requirements for doing so is that the Test and Production environments are kept apart in nearly every way.

  • I think they mistook your question. If the different domains are in different forests (assuming the second isn't a subdomain of the first), then the ADFS servers are completely separate. i.e.:

    - domain1.com is your primary domain and is connected to an ADFS server in forest 1

    - domain2.com is your test domain and is connected to an ADFS server in forest 2

    This should work beautifully if you have two different O365 tenants.

    On the other hand, you CAN get multiple ADFS servers to provide authentication for different domains (this is what was required prior to the update in December that allowed a single server to support multiple domains (even subdomains) within the same tenant), which is what I am assuming you are attempting to do. The only thing you have to make sure happens is that you can route to the different ADFS servers properly. i.e.

    - user@domain1.com (real user) accesses OWA. Domain1.com routes to ADFS1 (real ADFS) because of DNS records put in place to identify it and provide the route. user@domain1.com is authenticated and everything works great.

    - user@sub.domain1.com (test user) accesses OWA. sub.domain1.com routes to ADFS2 (test ADFS) because you have created a subdomain, recognizable in DNS as a separate domain. user@sub.domain1.com is then authenticated.

    The key here is to make sure the domain being logged into routes to the proper server.

    A couple caveats to consider:

    - If the users are in different forests, DirSync (required for ADFS) will not be able to pick up the object and bring it into O365, so the object needs to be created manually (this will change once multi-forest DirSync is available ... sometime).

    - The UPN used in O365 has to match either the UPN of the on-premises object or an SMTP address of the on-premises object.

    Have a great day,

    Dan
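    The routing check Dan describes (each federated domain must point at the intended ADFS endpoint, and the cloud UPN suffix must be a federated domain) can be audited from the tenant side. This is an added example, not code from the thread; it assumes the MSOnline PowerShell module is installed and `Connect-MsolService` has already been run, and the expected-host table and sample UPNs are constructed placeholders.

    ```powershell
    # Constructed expectation: which ADFS host SHOULD serve each federated domain.
    $expected = @{
        'domain1.com'     = 'adfs1.domain1.com'   # production ADFS (placeholder)
        'sub.domain1.com' = 'adfs2.domain1.com'   # test ADFS (placeholder)
    }

    # For every federated domain in the tenant, read the federation settings Office 365
    # actually uses for realm discovery and compare the passive (browser) endpoint host.
    $report = foreach ($d in Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }) {
        $fs       = Get-MsolDomainFederationSettings -DomainName $d.Name
        $adfsHost = ([System.Uri]$fs.PassiveLogOnUri).Host
        [pscustomobject]@{
            Domain       = $d.Name
            Status       = $d.Status
            PassiveLogOn = $fs.PassiveLogOnUri
            IssuerUri    = $fs.IssuerUri
            ActualHost   = $adfsHost
            ExpectedHost = $expected[$d.Name]
            Match        = ($expected.ContainsKey($d.Name) -and $adfsHost -eq $expected[$d.Name])
        }
    }
    $report | Format-Table -AutoSize

    # Any federated domain whose endpoint is not the ADFS farm we planned is a misroute:
    # logins for that suffix would be sent to the wrong (e.g. production) STS.
    $report | Where-Object { -not $_.Match } |
        ForEach-Object { Write-Warning "$($_.Domain) routes to $($_.ActualHost); expected $($_.ExpectedHost)" }

    # Caveats from the thread: the cloud object must exist (manual creation if DirSync
    # cannot reach that forest) and its UPN suffix must be one of the federated domains.
    $federated = $report.Domain
    foreach ($upn in 'user@domain1.com', 'user@sub.domain1.com') {   # constructed sample UPNs
        $suffix = $upn.Split('@')[1]
        $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $u) {
            Write-Warning "$upn does not exist in the tenant; create it manually if DirSync cannot see that forest"
            continue
        }
        if ($federated -notcontains $suffix) {
            Write-Warning "$upn : suffix $suffix is not federated, so this user gets a managed (cloud password) login"
        } else {
            "$upn -> $suffix -> $(($report | Where-Object Domain -eq $suffix).ActualHost)"
        }
    }
    ```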

  • Hmmm, so now I'm a little confused.

    I have domain1.com which is synced using DirSync and uses ADFS for authentication.

    I also have domain2.com which is Not currently synced, nor does it use ADFS for authentication.

    Domain2.com I would like to have a separate DirSync (if possible) and separate ADFS. Domain1 and domain2 are Not connected in any meaningful way in Active Directory (no forests, no trusts, etc).

    When I logon to portal.microsoftonline.com with my admin account, I am able to admin both of these domains.  I believe this means two tenants?

    What my end goal is, is to have a test environment that is entirely separate from our production environment. Given our licenses come from an EA, we have some extra inside our existing (where domain1 and domain2 reside) Office 365 subscription. I would like to test various failover and disaster recovery scenarios on the test environment, hence the requirement for separate ADFS.

    If I read your response correctly, what I am trying to accomplish is possible (even if DirSync won't work, manual for that is fine)?

  • Hi Shuhari00,

    I would like to answer the questions.

    Q1: When I logon to portal.microsoftonline.com with my admin account, I am able to admin both of these domains.  I believe this means two tenants?

    A1: No, if you can see both of the domains, then it's one tenant.

    Q2: If I read your response correctly, what I am trying to accomplish is possible (even if DirSync won't work, manual for that is fine)?

    A2: Unfortunately, it's impossible.

    Best regards,

    Alex Du