How would I go about federating two AD / DNS environments? Say I have abc.domain.com and xyz.domain.com - both Nethserver domains. Any way to federate them? Does federation via RSAT work (domains and trusts)?
Thanks!
I never tried to achieve this! By now NSDC works as a standalone DC. There is a wiki page that explains how to join a DC to an existing domain
Do you have any pointer to Samba AD and inter-domain trust?
1 Like
Neat! I may attempt to do this in a lab. If so I’ll report back with what I find.
I have not yet attempted to join a second nsdc to the domain as a secondary DC. I intend to though! I expect it will work without issue.
I’m sorry. I’m not sure what you mean here (which probably means I do not have it!). Would you mind elaborating?
I’m not sure I understood your question, and what do you mean by “federating” two AD.
Domains in AD can reciprocally trust each other, but I never encountered this scenario with NethServer.
Thank you for the pointer! Can you describe the problem you want to solve? As far as I can understand…
ADFS (Active Directory Federation Services) is an SSO (Single Sign On) solution from Microsoft. It speaks several federated authentication protocols, such as WS-Federation and SAML.
What do you want to achieve with it?
I think @FMFREAK could give some extra info about introducing SAML. He has implemented a SAML based portal for several services for the secondary school he is working for,
3 Likes
We drive the SAML way. I think we better should use a SimpleSAMLphp server than ADFS. We have a setup to connect Google G suite for education, Office365, our timetable software and portal (Drupal) login.
Because our core directory service is an AD server, we connect our SimpleSAMLphp with LDAP with our AD. We could choose ADFS but SAML is the open source standard. It’s easier to get Open Source products to work with SAML than ADFS.
So, get a look at SimpleSAMLphp, try that and share your experiences…
3 Likes
The end goal is to manage multiple AD/DNS domains from the same console / RSAT window.
For instance:
domain.example.internal ----+---- someDomain.example.internal
|
Federated AD Domains
|
someAdminUser
Where both domains are separate AD domains which have been federated via the Active Directory Federation Services snap-in AND where someAdminUser is a Domain Admin for domain.example.internal whose prviliges extend to someDomain.example.internal.
This is certainly not a “standard” use-case. It is a more advanced deployment of Active Directory, however; I consider this a necessary feature for a full MS Active Directory replacement.
Just curious if it’s possible yet or not. I still haven’t had the time to test this in my lab (but I intend to!).
2 Likes
@FMFREAK this all looks complex and fun.
looking at the users currently on Nethserver, and the online services we need to authenticate them to. how can SAML be managed within Nethserver to authenticate other SAML based services on the web?