What is Active Directory Federation Services
How many times have we had to register different user accounts and duplicate our identities across online services? Each new service asks us to provide the same details over and over again. Another scenario is where Organization A needs to collaborate with Organization B and give employees of Organization A access to a service hosted by Organization B. In the traditional approach, giving those employees access to the third-party service would require duplicating all of their identity information and creating separate logins at Organization B.
Active Directory Federation Services, or ADFS for short, solves this problem without the hassle of identity duplication. In ADFS a trust is established between the organizations, and identity information is passed in a secure token. During authentication the employee's organization exposes only the information about the employee that the partnering service provider requires, by means of claims. Claims are attributes drawn from Active Directory, such as an employee's first name, last name or date of birth. This type of partnership and identity sharing gives organizations the following benefits.
- Allows flexible and quick partnerships that give many users access to third-party services.
- Gives an organization strong control over which details of an employee are passed to the partnering service.
- Updates to employee information are reflected immediately in all partnering services.
- Employees do not feel that they are browsing a service of a partnering organization.
- A quick domain password change takes effect for all of the partnering services at once.
- Once an employee resigns, removing him/her from the organization's Active Directory is sufficient to revoke his/her access to all partnering services.
- Using basic claims, the partnering service provider can tailor its content and grant authorization to specific functionality at a fine-grained level.
How does Active Directory Federation Services work
When it comes to ADFS, the common terminology includes the following.
- Identity Provider (IP)
- Resource Provider (RP), known in ADFS as the Relying Party or Service Provider
The identity provider is the body that authenticates the user and provides the user's identity; in this case, Organization A.
A resource provider or service provider is the organization that provides the partnering services to other organizations; in this case, Organization B.
The above figure illustrates how a partnering trust is established and how a user authenticates via multiple ADFS servers. Initially the user attempts to access the partnering service. The partnering service identifies the user's domain and redirects the user to his or her own organization's ADFS login page. The user then logs in and is authenticated against the Active Directory of that organization. Once authentication succeeds, a SAML (Security Assertion Markup Language) token containing the claims is created for the user. ADFS uses signing certificates to ensure the credibility of its tokens and to prevent tampering: the token is signed with the private key of the identity provider and then passed to the service provider. The service provider validates the signature on the XML SAML token with the identity provider's public key (the token may additionally be encrypted for the service provider), extracts the claims automatically, and grants the user access to the service.
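The signing-and-verification step described above, as an added example that is not part of the original post and not ADFS's own code. It is written in Go with only the standard library and models both sides of the exchange: the identity provider serializes a simplified assertion and signs its digest with an RSA private key; the relying party verifies the signature with the matching public key, checks issuer, audience and expiry, and only then extracts the claims. The issuer and audience URLs, the claim type names (`givenname`, `surname`) and the user data are constructed placeholders. Real SAML signs a canonicalized XML form using XML-DSig; signing the raw serialized bytes is a simplification that keeps the example short while preserving the security property the post describes, namely that an altered token fails verification.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Claim is one attribute the identity provider releases about the user.
// The type names used below are illustrative, not ADFS's real claim URIs.
type Claim struct {
	Type  string `xml:"type,attr"`
	Value string `xml:"value"`
}

// Assertion is a deliberately simplified stand-in for a SAML assertion.
type Assertion struct {
	XMLName      xml.Name `xml:"Assertion"`
	Issuer       string   `xml:"Issuer"`
	Audience     string   `xml:"Audience"`
	NotOnOrAfter int64    `xml:"NotOnOrAfter"` // Unix seconds
	Claims       []Claim  `xml:"Claim"`
}

// SignedToken is the serialized assertion plus the identity provider's signature over it.
type SignedToken struct {
	AssertionXML []byte
	Signature    []byte
}

// issueToken is the identity-provider side: serialize the assertion and sign its
// SHA-256 digest with the IdP's private signing key.
func issueToken(priv *rsa.PrivateKey, a Assertion) (SignedToken, error) {
	body, err := xml.Marshal(a)
	if err != nil {
		return SignedToken{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{AssertionXML: body, Signature: sig}, nil
}

// verifyToken is the relying-party side: the signature is checked with the IdP's public
// key before the XML is parsed, then issuer, audience and expiry are enforced, and only
// then are the claims handed to the application.
func verifyToken(pub *rsa.PublicKey, tok SignedToken, issuer, audience string, now time.Time) (map[string]string, error) {
	digest := sha256.Sum256(tok.AssertionXML)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], tok.Signature); err != nil {
		return nil, errors.New("signature invalid: token tampered with or not issued by the trusted IdP")
	}
	var a Assertion
	if err := xml.Unmarshal(tok.AssertionXML, &a); err != nil {
		return nil, err
	}
	if a.Issuer != issuer {
		return nil, fmt.Errorf("unexpected issuer %q", a.Issuer)
	}
	if a.Audience != audience {
		return nil, fmt.Errorf("token not intended for this service: %q", a.Audience)
	}
	if !now.Before(time.Unix(a.NotOnOrAfter, 0)) {
		return nil, errors.New("token expired")
	}
	claims := make(map[string]string, len(a.Claims))
	for _, c := range a.Claims {
		claims[c.Type] = c.Value
	}
	return claims, nil
}

// demoResult records what the end-to-end run demonstrated.
type demoResult struct {
	Claims          map[string]string // claims extracted from the genuine token
	TamperRejected  bool              // token with an altered claim value was refused
	ExpiredRejected bool              // genuine token presented after expiry was refused
}

// demo runs the exchange with constructed identifiers (example-a/example-b are placeholders).
func demo() (demoResult, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return demoResult{}, err
	}
	const issuer = "https://adfs.example-a.test/adfs/services/trust"
	const audience = "https://service.example-b.test/"
	now := time.Now()
	a := Assertion{Issuer: issuer, Audience: audience, NotOnOrAfter: now.Add(5 * time.Minute).Unix(),
		Claims: []Claim{{Type: "givenname", Value: "Alice"}, {Type: "surname", Value: "Example"}}}
	tok, err := issueToken(priv, a)
	if err != nil {
		return demoResult{}, err
	}
	claims, err := verifyToken(&priv.PublicKey, tok, issuer, audience, now)
	if err != nil {
		return demoResult{}, err
	}
	// A claim value altered in transit while the original signature is kept.
	tampered := SignedToken{AssertionXML: bytes.Replace(tok.AssertionXML, []byte("Alice"), []byte("Mallory"), 1), Signature: tok.Signature}
	_, tamperErr := verifyToken(&priv.PublicKey, tampered, issuer, audience, now)
	// The genuine token presented after its NotOnOrAfter instant.
	_, expiredErr := verifyToken(&priv.PublicKey, tok, issuer, audience, now.Add(10*time.Minute))
	return demoResult{Claims: claims, TamperRejected: tamperErr != nil, ExpiredRejected: expiredErr != nil}, nil
}

func main() {
	r, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("claims:", r.Claims, "tamper rejected:", r.TamperRejected, "expired rejected:", r.ExpiredRejected)
}
```

The order of checks in `verifyToken` is the point to take away: the relying party trusts nothing in the token, not even its issuer field, until the signature has been validated against the public key it already holds for that identity provider, and it still refuses a correctly signed token that is addressed to a different service or has expired.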
Implementation and configuration
Setting up an ADFS server involves configuring a Windows Server environment, Active Directory and signing certificates. All of these are covered step by step in the following guide: ADFS 2.0 Step by Step Guide. ADFS is by far a vast subject, and the configuration options are not limited to what I have listed here; there are different ways of configuring and federating services. There are also other products similar to ADFS. A few of them are:
Further information can be obtained by visiting the above URLs. References: Active Directory Federation Services – TechNet