Understanding ADFS and Federation by an example:


Comparing SAML, WS-FED and OAuth: https://blogs.technet.microsoft.com/askpfeplat/2014/11/02/adfs-deep-dive-comparing-ws-fed-saml-and-oauth/

ADFS 3.0:

First impressions: http://blog.auth360.net/2013/09/13/first-impressions-ad-fs-and-windows-server-2012-r2-part-i/

ADFS overview: http://technet.microsoft.com/en-us/library/hh831502.aspx

Technet videos: http://technet.microsoft.com/en-us/video/ff701694

ADFS how-to for Office 365: http://goodworkaround.com/node/53

Replacing ADFS certificates: http://jorgequestforknowledge.wordpress.com/2013/05/15/replacing-adfs-certificates/

Enable auditing of issued claims: http://jorgequestforknowledge.wordpress.com/2013/07/08/enabling-auditing-of-issued-claims-in-adfs-v2-x-and-adfs-v3-x/

WAP (Web Application Proxy):

WAP deployment using PowerShell: http://blog.kloud.com.au/2013/08/14/powershell-deployment-of-web-application-proxy-and-adfs-in-under-10-minutes/

Upgrading from ADFS 2.x to 3.0:


We cannot upgrade a 2012 ADFS Proxy to a 2012 R2 ADFS Proxy.

We cannot mix a 2012 ADFS Proxy with internal ADFS servers on 2012 R2.

For proxies:

Add a new WAP proxy server box (2012 R2) in the DMZ zone

For internal ADFS servers:

Add a new 2012 R2 box in the same zone as the internal ADFS servers

Migrate the WID DB from the existing internal ADFS servers to the new 2012 R2 box


The DNS VIP of the HWLB in front of the ADFS proxies (exposed to the internet) for adfs.mydomain.com will not change

The DNS VIP of the HWLB in front of the internal ADFS servers for adfs.mydomain.com will not change

But you need to add:

The new WAP IP addresses on the HWLB device for the ADFS-Proxy pool

The new ADFS 2012 R2 IP addresses on the HWLB device for the ADFS-Internal pool