If you’re harnessing a hybrid cloud to deliver Windows applications and services, such as Office 365, deploying Microsoft Active Directory Federation Services (ADFS) behind load balancers that support global server load balancing is a great way to ensure consistent identity services across the corporate datacenter and public cloud.
Simply put, ADFS is an Active Directory component that provides users with single sign-on to systems and applications located outside typical organizational boundaries, whether at a partner or other site or a cloud service. ADFS requires ADFS servers, in addition to Windows domain controllers, to function.
The best way to harness the high availability, disaster recovery and business continuity of a hybrid cloud architecture is to deploy Active Directory domain controllers, ADFS services and load balancing software with global load balancing capabilities on both sides of the datacenter-to-cloud connection.
Fig. 1. Hybrid Cloud Topology
As with most IaaS and PaaS cloud services, Microsoft Azure allows the purchasing and deployment of all of these components, including a virtual software load balancer on the Microsoft Azure end of the connection.
On the enterprise datacenter side of this architecture, a load balancer with global services is deployed in front of two ADFS servers for scalability and ADFS resilience in the case of a server or application failure. If one ADFS server fails, the load balancer’s application and server health checking detects the failure and directs requests to the remaining functioning server. The Azure environment also includes a domain controller and one or two ADFS servers behind a globally enabled load balancer. When a user attempts to log into Windows or Office 365, the load balancer provides the IP address of an available ADFS server.
There are at least two possible deployment scenarios, depending on your requirements. In one scenario the load balancer would direct traffic to the least busy enterprise datacenter ADFS server, with global failover to the Azure datacenter ADFS server in the event of an enterprise datacenter outage. Another scenario might direct traffic to the best ADFS server, either on premises or in the cloud, depending on the user’s location or proximity to either environment.
This solution can also be configured with Microsoft Azure as the primary location if business needs require it.
There’s no need for the user to have any knowledge of which ADFS server or datacenter is used. He or she would just log into Windows and Microsoft Office 365 as always.
The beauty of this configuration is not only user single sign-on and high availability. It’s also site resilience. Suppose a local disaster or other fault takes down the entire enterprise datacenter, or just the domain controller or ADFS server. Global load balancing health check services would detect the outage and direct all user access to the ADFS servers running on the Microsoft Azure site, providing users working at home, on the road or even on premises with full Office 365 access.
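The health-check-driven selection described in the deployment scenarios and the site-failover behaviour above can be expressed as a small decision model. The following is an added example, not code from the original article or from any load balancer vendor; the server names, addresses, session counts and probe results are constructed, and a real load balancer would fill in the `healthy` flags from its own probes (for example an HTTP probe against the ADFS farm) rather than from static data.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AdfsServer:
    name: str
    ip: str
    site: str             # "datacenter" (on premises) or "azure"
    healthy: bool         # latest result of the load balancer's application health probe
    active_sessions: int  # current load, used by the least-busy policy

# Constructed sample pool: two on-premises ADFS servers and one in Azure.
POOL = [
    AdfsServer("dc-adfs-1", "10.0.1.11", "datacenter", True, 120),
    AdfsServer("dc-adfs-2", "10.0.1.12", "datacenter", True, 80),
    AdfsServer("az-adfs-1", "10.1.1.11", "azure", True, 40),
]

def healthy_servers(pool, site=None):
    """Servers that passed their last probe, optionally restricted to one site."""
    return [s for s in pool if s.healthy and (site is None or s.site == site)]

def resolve(pool, policy="failover", primary_site="datacenter", client_site=None):
    """Return the ADFS IP the global load balancer answers with, or None.

    policy="failover":  least-busy healthy server in primary_site; if that whole
                        site fails its health checks, fall back to any healthy site.
    policy="proximity": same, but the preferred site is the one nearest the client.
    """
    if policy == "failover":
        preferred = primary_site
    elif policy == "proximity":
        if client_site is None:
            raise ValueError("proximity policy needs the client's nearest site")
        preferred = client_site
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    candidates = healthy_servers(pool, preferred) or healthy_servers(pool)
    if not candidates:
        return None  # total outage: answer nothing rather than hand out a dead server
    return min(candidates, key=lambda s: s.active_sessions).ip

def with_failures(pool, failed_names):
    """Copy of the pool with the named servers marked as failing their probe."""
    return [replace(s, healthy=False) if s.name in failed_names else s for s in pool]

if __name__ == "__main__":
    print(resolve(POOL))                                              # 10.0.1.12
    print(resolve(with_failures(POOL, {"dc-adfs-1", "dc-adfs-2"})))   # 10.1.1.11
    print(resolve(POOL, policy="proximity", client_site="azure"))     # 10.1.1.11
```

Swapping `primary_site` to `"azure"` models the variant where Azure is the primary location, and the `None` result is the case a real deployment must alarm on: every ADFS server in both sites failing its probe.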
Depending on the application or service, other optional load balancer features, such as SSL termination, authentication and access control (used more typically for websites and web applications), intrusion prevention and application-level firewalling, could be deployed as well.