Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Is there any drawback for creating a separate AD forest for external users of or

ID: 655800 • Letter: I

Question

Is there any drawback for creating a separate AD forest for external users of organization to authenticate them to access some web applications? Is there any performance and synchronization issues when the number of external users reach over 20,000 or 50,000?

Is it a bad idea to create a separate domain and authenticate external users against AD and build an SSO using ADFS; or it makes sense to use third party identity management and SSO solution like auth0, Okta, CA?

What benefit I would get if I rely on these commercial third party solutions?

Explanation / Answer

The only reasons to create a separate AD domain is to have a different password policy, to segment replication.

You can minimize risk of a compromised DC only by having a new forest. Any domain in a forest can result in compromised Enterprise Admin credentials.

The ADFS server must be trusted by both domains, so a Domain trust or a forest trust is needed. If you don't do this, then home realm discovery will become difficult.

If you intend to use MSFT online, Azure AD for synchronization, multiple domains and forests are supported but it's more complicated. Just know that when you provision in one location (US) it doesn't allow you to share the same namespace in the UK. (e.g. user@domain.com is country specific). This is a temporary limitation that will be corrected soon.

ADFS vs Ping vs Auth0? Well who are you integrating with? What are your in-house skills? do those providers have the PII protections you require?

Yes, AD can scale to over a million of objects (the US Army/Navy has a massive AD forest). This info is from 2007 so I'm sure it's much higher now.

Question for you - what do you have resources for: one perfectly robust AD infrastructure, or two infrastructures? (e.g. isolate the outages/load)

Related Questions

Is there a significant difference in gas mileage of a car for regular unleaded a
Question #3022799
Is there a significant difference in the level of community service participatio
Question #3389620
Is there a significant sense in which humans are highly complex organic machines
Question #129987
Is there a software (that is free and portable) that can package your files into
Question #656914
Is there a software in which I can use the governing equations of motion of poin
Question #657505
Is there a software license that allows free access to source code, but does not
Question #659614
Is there a software to automatically add bookmarks into a PDF document which has
Question #657435
Is there a solution for chapter 15 problem 1 in principles of managerial finance
Question #2792096
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
Is there any difference between the proportion of americans who wish they were r
Next
Is there any evidence to suggest that the true proportion of each favorite is no

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.