Microsoft does not recommend deploying new instances of AD FS. Instead, they encourage you to consider Entra ID (formerly Azure AD). This raises a common question: can you migrate an existing SAFIRE identity provider from AD FS to Entra ID?
Unfortunately, the answer is not straightforward. This document outlines the main challenges, along with some approaches you might consider.
No direct migration path

In Entra ID, SAML identity providers are configured as “Enterprise Applications”. However, the cloud SAML provider does not offer feature parity with AD FS and has some fundamental limitations. We’ve previously documented how to integrate Entra ID with SAFIRE for a new identity provider and highlighted some of the caveats.
…
This documentation will guide you through the Microsoft Entra ID (Azure AD) configuration process as an authentication source in SimpleSAMLphp. By integrating Entra ID in this way, you can retain your users’ familiar login experience while leveraging SimpleSAMLphp’s flexibility to fetch and/or manipulate attributes from Entra ID and other sources.
While SAFIRE can work directly with either Entra ID or SimpleSAMLphp (as explained in our Configuring Entra ID SAML-based SSO for SAFIRE and Configuring SimpleSAMLphp for SAFIRE documentation), you may find that this approach better fits your use case.
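To make the proxy arrangement concrete, here is an added example (not configuration from the SAFIRE documentation or from Microsoft) of a SimpleSAMLphp authsources.php entry that acts as a SAML 2.0 service provider towards Entra ID and reshapes the returned claims into the attributes a hosted IdP would later release to SAFIRE. The host name idp.example.ac.za, the <tenant-id> placeholder, the key and certificate file names, and the static home-organisation and affiliation values are all assumptions; substitute your own.

```php
<?php
// config/authsources.php -- SimpleSAMLphp as a SAML proxy in front of Entra ID.
// Added example, not SAFIRE's or Microsoft's own configuration. Assumed values:
// the IdP host idp.example.ac.za, the placeholder <tenant-id>, the key and
// certificate file names, and the static affiliation/home-organisation values.

$config = [

    // Authentication source that behaves as a SAML 2.0 SP towards Entra ID.
    // The hosted IdP (metadata/saml20-idp-hosted.php) selects it with
    // 'auth' => 'entra-id', so users arriving from SAFIRE are sent to Entra ID.
    'entra-id' => [
        'saml:SP',

        // Entity ID of this SP. Register it as the Identifier (Entity ID) of the
        // Enterprise Application you create in Entra ID.
        'entityID' => 'https://idp.example.ac.za/simplesaml/module.php/saml/sp/metadata.php/entra-id',

        // Entra ID's entity ID for the tenant. Setting it skips the discovery page;
        // the matching entry must exist in metadata/saml20-idp-remote.php.
        'idp' => 'https://sts.windows.net/<tenant-id>/',

        // Key pair (files in certdir) used to sign AuthnRequests so that Entra ID
        // can verify them; upload entra-sp.crt as the verification certificate.
        'privatekey'        => 'entra-sp.key',
        'certificate'       => 'entra-sp.crt',
        'sign.authnrequest' => true,

        // Ask for a persistent NameID rather than Entra ID's default e-mail format.
        'NameIDPolicy' => [
            'Format'      => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            'AllowCreate' => true,
        ],

        // Attribute processing applied to the assertion received from Entra ID,
        // before the hosted IdP issues its own assertion to SAFIRE.
        'authproc' => [

            // 1. Rename Entra ID's default claim URIs to the short names used in
            //    R&E federations.
            10 => [
                'class' => 'core:AttributeMap',
                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'    => 'givenName',
                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'      => 'sn',
                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => 'mail',
                'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'         => 'userPrincipalName',
                'http://schemas.microsoft.com/identity/claims/displayname'           => 'displayName',
            ],

            // 2. Entra ID has no eduPersonPrincipalName; reuse the UPN. This assumes
            //    the UPN suffix is your institutional domain (e.g. user@example.ac.za).
            20 => [
                'class' => 'core:AttributeCopy',
                'userPrincipalName' => 'eduPersonPrincipalName',
            ],

            // 3. Values Entra ID does not carry by default, supplied statically here
            //    (assumed values; derive them from group membership if you have it).
            30 => [
                'class' => 'core:AttributeAdd',
                'schacHomeOrganization' => 'example.ac.za',
                'eduPersonAffiliation'  => ['member'],
            ],

            // 4. Drop everything else (tenantid, objectidentifier, ...) so only the
            //    attributes the hosted IdP should release go any further.
            40 => [
                'class' => 'core:AttributeLimit',
                'eduPersonPrincipalName', 'mail', 'givenName', 'sn',
                'displayName', 'schacHomeOrganization', 'eduPersonAffiliation',
            ],
        ],
    ],
];
```

For the 'idp' reference to resolve, Entra ID's IdP metadata (published at https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml) must be loaded into metadata/saml20-idp-remote.php, for example with the metarefresh module. Note that the emailaddress claim is only present when the Entra ID user actually has a mail address set, so the AttributeLimit filter at the end does not guarantee that mail exists; the hosted IdP's own attribute-release rules towards SAFIRE still apply after this authproc chain.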
…
While it is possible to connect Microsoft Entra ID directly into SAFIRE, this has several caveats you need to be aware of. To help you make an informed decision, the info boxes in this document highlight some of the things you need to consider. Read through it carefully before starting your implementation.
Microsoft recommends integrating Entra ID into SAFIRE via a SAML proxy such as Shibboleth, which mirrors the R&E federation community’s guidance. (Some SAFIRE providers opt to use SimpleSAMLphp for this instead.) Doing this avoids many of the caveats highlighted below.
…