ADFS 2.0 and trust in a multi-forest environment

- We have ~200 forests in the corporate network. These are user/account forests, e.g. forest B, forest C, forest D, and so on.
- ADFS 2.0 has been set up in forest A, and the applications (mainly web-based) are under forest A.
- 2-way transitive trusts have been established between A <> B, A <> C, A <> D, and so on.

The challenge is:

1) Do these many forest trusts cause a security risk? Is a user in forest B able to see resources/accounts in forest C, D etc.?

2) Since in the ADFS claims rule we are mapping e-mail addresses (as an Active Directory LDAP attribute) to NameID (outgoing claim type), and email addresses are known to everyone, does this cause a greater risk if a person with malicious intent creates a fake user in forest B (e.g. B\alvin shane) with the same email as a user in forest C? Will the fake user in forest B have the same access/privileges as the user in forest C when the email address matches?

Hi, if you set up forest trusts between A <> B and A <> C, forest B is not able to see resources in forest C. Forest trusts can be created between 2 forests and ...
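The following is an added example written for this page; it is not code from the original question or answer. It does two things that question 2 calls for: it searches every trusted forest for mail values that are present in more than one forest (two directory identities that the "mail -> NameID" rule would collapse into one NameID), and it shows that rule beside a hardened rule set that issues the NameID only when the authenticating domain, taken from the primary SID claim, is one that is authoritative for the mail suffix. Forest names (forestb.example etc.), the relying party name "HRPortal" and the mail suffix are hypothetical placeholders; the script assumes the RSAT ActiveDirectory and ADFS PowerShell modules, a reachable global catalog in each forest, and that it runs on the ADFS server.

```powershell
# Added example for this thread (not from the original post). All forest names, the
# relying party name and the mail suffix are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module ADFS

# --- 1. Find mail values that exist in more than one trusted forest -----------------
# Forest root domains of the account forests trusted by forest A (hypothetical).
$forests = @('forestb.example', 'forestc.example', 'forestd.example')

$accounts = foreach ($forest in $forests) {
    # Query the forest's global catalog (port 3268) so every domain in that forest is covered.
    Get-ADUser -Server "${forest}:3268" -Filter 'mail -like "*"' -Properties mail |
        Select-Object @{n = 'Forest'; e = { $forest }},
                      SamAccountName,
                      @{n = 'Mail'; e = { $_.mail.ToLower() }}
}

# A mail value seen in two forests means two different AD identities would receive the
# same NameID from a rule that maps mail straight to NameID.
$duplicates = $accounts | Group-Object Mail |
    Where-Object { ($_.Group.Forest | Sort-Object -Unique).Count -gt 1 }

foreach ($d in $duplicates) {
    Write-Warning ("Mail {0} exists in forests: {1}" -f $d.Name, (($d.Group.Forest | Sort-Object -Unique) -join ', '))
}

# --- 2a. The rule described in the question (shown for comparison, not applied) --------
# Whoever carries this mail value becomes this NameID, regardless of which forest
# authenticated the account. Note that Issuer is "AD AUTHORITY" for every trusted forest,
# so the issuer cannot be used to tell forests apart.
$weakRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "mail -> NameID (forest-agnostic)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# --- 2b. Hardened variant: tie the NameID to the authenticating forest ----------------
# The primary SID comes from the domain controller that authenticated the user, so an
# admin of forest B cannot give an account a forest C domain SID. Build a regex of all
# domain SIDs in forest C (one per domain) and require the SID to start with one of them.
$forestCSids = (Get-ADForest -Server 'forestc.example').Domains |
    ForEach-Object { (Get-ADDomain -Server $_).DomainSID.Value }
$sidPattern = '^(' + ($forestCSids -join '|') + ')-'

$hardenedRules = @"
@RuleName = "lookup mail as an intermediate claim (add, not issue: it is not sent to the RP)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "mail -> NameID only for accounts authenticated by a forestc.example domain"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Value =~ "$sidPattern"]
 && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "(?i)@forestc[.]example$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c2.Value);
"@

# Apply the hardened rules to the relying party (hypothetical name "HRPortal").
Set-AdfsRelyingPartyTrust -TargetName 'HRPortal' -IssuanceTransformRules $hardenedRules
```

With the hardened rules, B\alvin.shane carrying alvin.shane@forestc.example gets no NameID at all, because his primary SID belongs to a forest B domain; only the forest C account with that mail receives it. The duplicate scan in step 1 is worth running on a schedule, since it catches the condition the question describes before a relying party ever sees the colliding NameID. `[.]` is used instead of `\.` in the regex so that no backslash escaping is needed inside the claim rule string.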