SSL Communication Certificate for ADFS (1 farm, 3 datacenters with GEO-DNS)

Hi,

 

I'm working to build an AD FS farm for a customer, and I'm wondering about the communication SSL certificate design.

 

Before pushing my question, let me explain the business context:

 

Due to business constraints, the customer needs to have high availability of the AD FS platform. By high availability I mean that he wants to be sure that authentication will be possible even if a break of the transatlantic link occurs on his WAN.

Another constraint is that the client does not use cloud solutions, only on-premises infrastructure. SSO will be used for "internal usage only", and maybe later for external access.

 

Below is the infrastructure envisaged:

  • Farm design:

- A single farm split across three datacenters (Europe/America/Asia),

- A couple of AD FS servers, with the primary server, will be in EMEA

- 2 servers will be in each of the other regions.

- An NLB will be set up for each couple of AD FS servers.

 

  • GEO DNS defined on on-premises DNS servers, with:

- 3 records, one for each NLB set in front of the AD FS servers in each region (eu_sso.domain.com; us_sso.domain.com; as_sso.domain.com).

- A global CNAME record for the AD FS farm: sso.domain.com

- A DNS policy to redirect client queries to the regional AD FS servers

 

Additionally, the customer has an internal PKI deployed and usable for encryption and SSL topics.

And as it's for internal needs, no AD FS proxy will be deployed in the perimeter network.

 

Now that you have the full picture, here are my questions:

  1. An SSL certificate is required to encrypt communication between the client and AD FS. Could I use the internal PKI in place to issue it and manage SSL communication?
    From my understanding it is possible, but what would be the advantages/disadvantages of it?
  2. I know that the SSL communication certificate will have to contain:
    Subject : CN=SSO.domain.com (FQDN of ADFS farm)
    SAN: https://SSO.domain.com
    SAN: https://certauth.SSO.domain.com
    SAN: https://enterpriseregistration.domain.com
    SAN: DNS "enterpriseregistration.domain.com"
    SAN: DNS "certauth.SSO.domain.com"
    => Do I need to add SANs for the different DNS records used in my GEO DNS?
    https://eu_sso.domain.com
    https://us_sso.domain.com
    https://as_sso.domain.com
    https://certauth.eu-sso.domain.com
    https://certauth.as_sso.domain.com
    https://certauth.as-sso.domain.com


Thank you for your feedback on this and for any answers you can provide.

 

0 Replies
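
An added example, not part of the original post: a TLS client compares the host name it put in the URL with the certificate's dNSName SAN entries, and CNAME or GeoDNS resolution does not change the name being compared. The sketch below checks a SAN set against the names clients request; the two client scenarios are assumptions, and all host names are the post's placeholders.

```python
# Added example: which requested host names a certificate's SAN set covers.

def normalize(entry: str) -> str:
    """Reduce an entry to a bare lowercase host name (a dNSName holds no scheme or path)."""
    host = entry.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].rstrip(".")

def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: exact, or '*' standing for the whole left-most label."""
    san, host = normalize(san), normalize(host)
    if san == host:
        return True
    if san.startswith("*."):
        # A wildcard covers exactly one label: *.a.b matches x.a.b, not a.b or x.y.a.b
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return False

def uncovered(requested_names, san_entries):
    """Return the requested names that no SAN entry covers, in input order."""
    return [name for name in requested_names
            if not any(san_matches(san, name) for san in san_entries)]

# SAN set listed in the post, written as bare DNS names
CERT_SANS = [
    "sso.domain.com",
    "certauth.sso.domain.com",
    "enterpriseregistration.domain.com",
]

# Assumption: clients only ever use the global farm name; GeoDNS picks the region behind it
VIA_GLOBAL_NAME = ["https://SSO.domain.com", "https://certauth.SSO.domain.com"]

# Assumption: some client or health probe addresses a regional record directly
VIA_REGIONAL_NAME = ["https://eu_sso.domain.com", "https://us_sso.domain.com"]

if __name__ == "__main__":
    print("global name, uncovered:", uncovered(VIA_GLOBAL_NAME, CERT_SANS))
    print("regional names, uncovered:", uncovered(VIA_REGIONAL_NAME, CERT_SANS))
```

Regional names show up as uncovered only in the second scenario, so they matter for the certificate only if something connects to them by name.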