Change in Supportability for WID-based ADFS farms

In case you didn't notice, Microsoft changed the supportability statement for ADFS farms that run on a Windows Internal Database (WID) backend.

Previously, WID-based ADFS farms were limited in the number of ADFS servers you could run and the maximum number of Relying Parties you could register:

  • A maximum of 5 ADFS servers, if you are running more than 10 Relying Parties.
  • A maximum of 5 Relying Parties, if you are running more than 5 ADFS servers (max 10).

Pretty narrow, and limiting in the way you can build ADFS farms on WID. Microsoft was erring on the safe side, to make sure you do the right thing and design your critical ADFS farm on SQL Server, which scales pretty much endlessly should you need additional capacity.

SQL Server also supports additional features that cannot be used with WID-based farms today:

  • Token Replay Detection
  • SAML Artifact resolution

Now Microsoft has reviewed its supportability statement and tested how far WID can be pushed. Apparently, they found WID scales a lot further than initially allowed, while keeping performance and WID replication intact. The new limits for WID-based ADFS farms are:

  • A maximum of 30 ADFS servers
  • with a maximum of 100 Relying Parties federated/registered.
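As an added example (not part of the original post), here is a PowerShell check you can run on a farm node to see whether the farm uses WID and how its current size compares to the new 30-server / 100-Relying-Party limits. It assumes the ADFS PowerShell module is present, that the configuration-database connection string is stored in `Microsoft.IdentityServer.Servicehost.exe.config` under `%SystemRoot%\ADFS` and that a WID backend is recognisable by the `microsoft##wid` named pipe in that string; the node count uses `Get-AdfsFarmInformation`, which only exists on Windows Server 2016 and later, so on older farms you supply the server count yourself via the `-ServerCount` parameter (a parameter of this script, not an ADFS cmdlet):

```powershell
# Added example: compare an ADFS farm against the WID supportability limits
# (30 servers, 100 Relying Parties). Run on an ADFS farm node in an elevated
# PowerShell session with the ADFS module available.
param(
    # Assumption: on farms older than Windows Server 2016, pass the node count
    # by hand because Get-AdfsFarmInformation is not available there.
    [int]$ServerCount = -1
)

$maxWidServers        = 30
$maxWidRelyingParties = 100

# Assumption: the service config file holds the configuration-database
# connection string; WID farms connect over the WID named pipe.
$configPath = Join-Path $env:SystemRoot 'ADFS\Microsoft.IdentityServer.Servicehost.exe.config'
if (-not (Test-Path $configPath)) {
    throw "ADFS service config not found at $configPath - is this an ADFS server?"
}
$configText = Get-Content -Path $configPath -Raw
$connectionString = ''
if ($configText -match 'policyStore[^>]*connectionString="([^"]+)"') {
    $connectionString = $Matches[1]
}
$isWid = $connectionString -match 'microsoft##wid'

# Count registered Relying Party trusts.
$relyingPartyCount = (Get-AdfsRelyingPartyTrust | Measure-Object).Count

# Count farm nodes where the cmdlet exists (Windows Server 2016+).
if ($ServerCount -lt 0) {
    if (Get-Command Get-AdfsFarmInformation -ErrorAction SilentlyContinue) {
        $ServerCount = (Get-AdfsFarmInformation).FarmNodes.Count
    }
    else {
        Write-Warning 'Get-AdfsFarmInformation not available; pass -ServerCount manually.'
    }
}

$result = [pscustomobject]@{
    Backend              = if ($isWid) { 'WID' } else { 'SQL Server (or unknown)' }
    ConnectionString     = $connectionString
    RelyingParties       = $relyingPartyCount
    Servers              = if ($ServerCount -ge 0) { $ServerCount } else { 'unknown' }
    WithinWidServerLimit = if ($ServerCount -ge 0) { $ServerCount -le $maxWidServers } else { 'unknown' }
    WithinWidRpLimit     = $relyingPartyCount -le $maxWidRelyingParties
}
$result | Format-List

# Only WID farms are bound by these limits; SQL farms are not.
if ($isWid) {
    if ($relyingPartyCount -gt $maxWidRelyingParties) {
        Write-Warning "WID farm has $relyingPartyCount Relying Parties (supported maximum: $maxWidRelyingParties)."
    }
    if ($ServerCount -gt $maxWidServers) {
        Write-Warning "WID farm has $ServerCount servers (supported maximum: $maxWidServers)."
    }
}
```

The warnings fire only when the farm actually runs on WID; on a SQL-backed farm the counts are reported for information, since the supported limits discussed here do not apply there.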

Now that's a lot, and it opens up a wide range of additional scenarios and designs while keeping the complexity to a minimum. I have been a WID fan for quite some time, as you can read here: http://www.frickelsoft.net/blog/?p=328, and I've been recommending WID over SQL to many customers. SQL Server is a beast you need to know how to tackle, feed and keep happy. Many customers, especially identity-focused teams or your classical "AD team", haven't really been in that business yet: their core business is identity, logon and SSO. And in some cases SQL made a significant financial difference for first-deployment projects, when there wasn't a highly available SQL instance with spare capacity around.

If you need Token Replay Detection or SAML Artifact resolution, you still need SQL Server; that part of the supportability statement didn't change for WID.

Whoop whoop for good news!
