Craig

Reputation: 889

ADFS authorisation but only local sign on

We do not have ADFS at present, so I cannot test this, but I would like to know if it is possible to authenticate onto a separate domain, when only signing on locally (but using domain credentials).

E.g.

I have a laptop that is part of a domain (WORK-DOMAIN). The plan is to use ADFS to authenticate and make use of some resources on a separate, currently untrusted domain (RESOURCE-DOMAIN).

My question is, if I'm working from home, I am logged in with my domain credentials, but I am not on the network (I don't VPN on to the network). Will ADFS accept me as being authenticated on the domain, even if I'm not currently on the network?

I hope this makes sense... Thanks in advance.

Upvotes: 0

Views: 221

Answers (2)

rbrayb

Reputation: 46818

You need an ADFS per domain. So you would have ADFS-WORK-DOMAIN and ADFS-RESOURCE-DOMAIN.

You are not part of the RESOURCE-DOMAIN so when you navigate to it, you will have to use Forms Based Authentication and use the credentials on that domain's DC.

If you federate the two ADFS and you are at work, then you will be able to access RESOURCE-DOMAIN via WIA using your WORK-DOMAIN credentials. This is because the two ADFS trust each other.

Upvotes: 1

maweeras

Reputation: 823

ADFS supports several authentication methods. You could use forms-based auth to pass your username and password to ADFS when at home. When on the corporate network you'd use Windows Integrated Authentication. The key thing is to ensure the ADFS service account has the ability to validate the user's credentials. This is where your domain setup and trusts matter. As an example, if the ADFS servers and service account were all in the user domain, then this is simple and works.

Upvotes: 1
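The two sign-in paths described in the answers above (Windows Integrated Authentication on the corporate network, forms-based authentication from home) can be checked on an existing farm. This is an added example, not part of the original posts; it assumes AD FS on Windows Server 2012 R2 or later, is run on an AD FS server in WORK-DOMAIN, and only reads configuration.

```powershell
# Added example: read-only check of which primary authentication methods
# AD FS offers to intranet and extranet clients. Assumes the ADFS module
# that ships with the AD FS role (Windows Server 2012 R2 or later).
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy

# Intranet = requests sent directly to the farm (laptop on the corporate network).
# Extranet = requests relayed by the farm's proxy (laptop at home, no VPN).
$report = [pscustomobject]@{
    IntranetMethods    = $policy.PrimaryIntranetAuthenticationProvider -join ', '
    ExtranetMethods    = $policy.PrimaryExtranetAuthenticationProvider -join ', '
    IntranetWia        = $policy.PrimaryIntranetAuthenticationProvider -contains 'WindowsAuthentication'
    ExtranetForms      = $policy.PrimaryExtranetAuthenticationProvider -contains 'FormsAuthentication'
    WiaFallbackToForms = $policy.WindowsIntegratedFallbackEnabled
}
$report | Format-List

if (-not $report.IntranetWia) {
    Write-Warning 'Windows Integrated Authentication is not enabled for intranet clients, so users at work will be prompted for credentials.'
}
if (-not $report.ExtranetForms) {
    Write-Warning 'Forms authentication is not enabled for extranet clients, so a user at home has no way to submit a username and password.'
}

# Federation between the two farms: on the WORK-DOMAIN farm, the
# RESOURCE-DOMAIN farm appears as a relying party trust. (On the
# RESOURCE-DOMAIN farm, the WORK-DOMAIN farm would appear under
# Get-AdfsClaimsProviderTrust instead.)
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Identifier, Enabled |
    Format-Table -AutoSize
```

A disabled or missing trust entry for the other farm means the federation described in the first answer is not in place, and users fall back to signing in with RESOURCE-DOMAIN credentials.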
