I assume that Office 365 will be the only relying party trust, so you can go with a very simple deployment:
- 2 WAP (proxies), with a load balancer in front of the public VIP
- 2 ADFS servers with WID, with a load balancer in front of the private VIP
You can go with WID. You won't be able to use SAML artifact resolution (not used for O365 anyway) or the embedded token replay attack detection. WID is already "highly available" since it will be running on each ADFS server without configuring anything special. This is explained in detail here:
- Federation Server Farm Using WID and Proxies https://technet.microsoft.com/en-us/library/dn554244.aspx
Note that if you don't care about Windows Integrated Authentication type SSO, you can also look at using just Azure AD and not deploy anything on premises. But it means that even users on domain-joined machines will have to enter their credentials the first time they want to use Office 365 each day...
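As an added illustration of the topology described in the answer above (this is example code, not part of the original post or of Microsoft's documentation), the following PowerShell builds the two-node WID farm plus the two proxies. The hostnames (fs.contoso.com, ADFS01, ADFS02), the gMSA CONTOSO\adfsgmsa$, and the certificate subject are assumptions; omitting -SQLConnectionString on Install-AdfsFarm is what selects WID, and Add-AdfsFarmNode joins the second server as a secondary that pulls its configuration from the primary.

```powershell
# Added example, not from the original post. Assumed names: fs.contoso.com,
# ADFS01/ADFS02 (internal), WAP01/WAP02 (DMZ), gMSA CONTOSO\adfsgmsa$ (assumes
# a KDS root key already exists), and one SSL certificate (with private key)
# for fs.contoso.com already imported into LocalMachine\My on all four hosts.

$fsName = 'fs.contoso.com'
$gmsa   = 'CONTOSO\adfsgmsa$'
$thumb  = (Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like "*CN=$fsName*" }).Thumbprint

# --- ADFS01: create the farm. No -SQLConnectionString => WID is used. ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint $thumb `
    -FederationServiceName $fsName `
    -FederationServiceDisplayName 'Contoso Federation Service' `
    -GroupServiceAccountIdentifier $gmsa

# --- ADFS02: join as a secondary node. It replicates the WID config from the
#     primary; configuration changes must be made on ADFS01. ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Add-AdfsFarmNode -PrimaryComputerName 'ADFS01.contoso.com' `
    -CertificateThumbprint $thumb `
    -GroupServiceAccountIdentifier $gmsa

# Check each node's role and that the secondary is syncing from the primary.
Get-AdfsSyncProperties | Select-Object Role, PrimaryComputerName, LastSyncStatus

# --- WAP01 / WAP02 (DMZ): the proxy must resolve fs.contoso.com to the
#     INTERNAL load balancer VIP, e.g. via a hosts entry, before installing. ---
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$trustCred = Get-Credential -Message 'Account that is a local admin on the ADFS servers'
Install-WebApplicationProxy -FederationServiceName $fsName `
    -CertificateThumbprint $thumb `
    -FederationServiceTrustCredential $trustCred
```

Run the ADFS02 section only after Install-AdfsFarm has finished on ADFS01, and repeat the WAP section on each proxy. For the load balancers, point the public VIP at the two WAP hosts on 443 and the private VIP at the two ADFS hosts on 443, and use the HTTP endpoint /adfs/probe on port 80 (available on both ADFS 2012 R2 servers and proxies) as the health check rather than probing the TLS endpoint.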