Microsoft recently released Update Rollup 1 for ADFS 2.0. Alongside a number of fixes, the update rollup also brings some very useful and welcome new features for use with Office 365:
- Multiple Issuer Support
Companies that wanted to use multiple UPN suffixes with single sign-on in Office 365 had to deploy a separate instance of ADFS 2.0 for each suffix. The update adds new claim rules that dynamically generate the token issuer ID based on the UPN of the user who is signing in to Office 365. As a result, you no longer have to deploy multiple instances.
- Client Access Policy Support
Quite often, during an Office 365 study or training, customers expressed their concern about the security of their Office 365 infrastructure, since the authentication endpoint for Office 365 is publicly reachable on the internet. Unfortunately, some of these concerns were justified. With this update, however, "Client Access Policies" become available, which allow you to restrict access to your Office 365 environment (through ADFS 2.0) based on a few criteria. Some scenarios:
- Block all external access to Office 365 (Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.)
- Block all external access to Office 365, except Exchange ActiveSync (Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.)
- Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online (Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.)
- Block all external access to Office 365 for members of designated Active Directory groups [For Testing] (This scenario is used for testing and validating a client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.)
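The decision logic behind the first three scenarios, modelled in Python as an added example (this is not the rollup's own claim rule syntax, only a simulation of how such a rule evaluates a request): the claim types are the request-context claims the rollup introduces, while the corporate public IP range and the sample requests are constructed assumptions.

```python
import re

# Request-context claim types that AD FS 2.0 Update Rollup 1 makes available to claim rules.
CTX = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"
PROXY = CTX + "x-ms-proxy"                      # present only when the request came in via the federation server proxy
CLIENT_IP = CTX + "x-ms-forwarded-client-ip"    # external client IP as forwarded to the proxy
CLIENT_APP = CTX + "x-ms-client-application"    # e.g. "Microsoft.Exchange.ActiveSync"
ENDPOINT = CTX + "x-ms-endpoint-absolute-path"  # "/adfs/ls/" is the passive (browser) sign-in endpoint

# Assumed corporate public egress range (constructed for this example): 203.0.113.0/24.
# Anchor the regex: an unanchored "203\.0\.113" would also match 1203.0.113.x or 203.0.113.5.10.
CORP_IP_RE = re.compile(r"^203\.0\.113\.\d{1,3}$")

def is_external(claims):
    """External = arrived through the proxy AND no forwarded client IP is in the corporate range.
    A request without the proxy claim hit the internal federation server directly, so it is internal."""
    if PROXY not in claims:
        return False
    return not any(CORP_IP_RE.match(ip) for ip in claims.get(CLIENT_IP, []))

def deny(claims, scenario):
    """Return True when the client access policy for `scenario` would issue a deny claim.
    `claims` maps a claim type to the list of values the request carries."""
    if not is_external(claims):
        return False
    if scenario == "block-external":
        return True
    if scenario == "allow-activesync":
        return "Microsoft.Exchange.ActiveSync" not in claims.get(CLIENT_APP, [])
    if scenario == "allow-browser":
        return "/adfs/ls/" not in claims.get(ENDPOINT, [])
    raise ValueError("unknown scenario: " + scenario)

if __name__ == "__main__":
    # Constructed sample request: external Outlook client from 198.51.100.7 via the proxy.
    outlook = {PROXY: ["true"], CLIENT_IP: ["198.51.100.7"], CLIENT_APP: ["Microsoft.Exchange.RPC"]}
    for s in ("block-external", "allow-activesync", "allow-browser"):
        print(s, "-> deny" if deny(outlook, s) else "-> allow")
```

Note that the forwarded client IP is only as trustworthy as the proxy that set it; the rule gives no protection for requests that never traverse the proxy.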
- Congestion Avoidance Algorithm
Thanks to this "algorithm", the ADFS 2.0 federation server proxy will reject external client authentication requests when the federation server is overloaded. This can be useful in a scenario where your ADFS infrastructure is, for instance, under a denial-of-service attack.
- Additional performance counters
New performance counters were introduced on the AD FS 2.0 federation server proxy and the AD FS 2.0 federation server, giving more detailed measurements of AD FS 2.0 performance metrics.
More information on the update rollup can be found here: http://technet.microsoft.com/en-us/library/hh526961(WS.10).aspx
Some useful links:
Michael Van Horenbeeck