Hello all :)
My client currently has a SP2013 farm (3-tier) originally designed to authenticate clients via AD only. Everything is working in this respect, but they now wish to extend the user-base to allow clients to access the portal, teamsites and mysites from mobile devices. The main criteria they have is that clients shouldn't need to repeatedly log on, especially when browsing between web applications. Browser default settings must be used on mobile devices, so browsers like Safari are going to cause an issue here as the default settings don't retain cookies or credentials across sessions. Most clients will be using iPhones and iPads.
To that end, I'm considering offering them an ADFS 2.0 infrastructure to perform claims based authentication vs. AD - a pretty standard ADFS scenario. My question is not so much a how-to, more of an is-this-feasible, although a rough how-to outline would be appreciated -
- Three web applications (portal, teamsites, mysites) all already have external URLs and are accessible internally and externally on the same URL.
- The client wants to retain the same URLs for both internal and external clients, domain-joined and non domain-joined devices. HTTPS is already configured.
- Domain-joined clients should still authenticate via AD (using default NTLM currently). Client devices in the Intranet Zone already have seamless logon; this should not change.
- External/non-domain-joined clients should be redirected to a logon page. One logon should grant them access to all three web applications seamlessly (single sign-on is the primary goal).
I would like to present such a solution to my client, however this isn't something I've ever set up. That said, I understand the concepts, but would like to be sure all of the above is possible before saying it is :)
Any help with this is appreciated :)
sysadmin