Microsoft’s Active Directory Federation Services (ADFS) is an optional component of Active Directory that runs on Windows Server operating systems.
ADFS provides users with single sign-on (SSO) access to systems and applications located across multiple organizations and services, such as Gmail or Office 365.
Federated services are not exclusive to Active Directory. Federated systems exist on other platforms as well, as a means of giving their users single sign-on to external applications.
Federated services is a common identity management term that simply means connecting two or more organizations or applications in such a way that authorization from one application carries over to another federated application.
This process of Federated Trusts and validation allows users to share their authorization across applications and networks so that they are able to access different systems or networks with a single sign-on (SSO).
ADFS uses an access control authorization model that provides claims-based authentication to maintain application security and to implement federated identities.
How does ADFS work?
ADFS constructs the identity federation, which acts as an intermediary between two organizations.
On the initiating login side, the federation server controls a database of user identities. Upon receiving an authentication request, it authenticates the user against the local identity provider and issues a security token based on the user’s claims and the server’s claim rules.
On the destination side, the federation server evaluates the token, accepts the identity as valid, and grants the appropriate rights to access data on the destination server.
This process can be used with any federated partner, including external business systems, third-party applications, and organizations that support the integration and are connected.
The user’s password is never passed to the destination platform; access is granted through the trust relationship established with ADFS.
What are the Benefits of ADFS?
As security risks and threats escalate to never-before-seen levels, businesses need to demonstrate the real-world return on investment (ROI) of identity management tools.
Reducing the number of logins and passwords reduces security risk while also improving efficiency for both employees and IT staff.
The Cost Of Identity Management
This functionality has become increasingly important as employees rely more and more on SaaS web applications that typically require their own accounts.
Managing and restricting access or privileges becomes a task that can be accomplished in minutes for thousands of user accounts.
Active Directory Federation Services supports multi-factor authentication to add a layer of protection when verifying user credentials.
ADFS provides multiple ways to authenticate your users, including Security Assertion Markup Language (SAML 2.0) SSO, Lightweight Directory Access Protocol (LDAP), and Kerberos.
What are the limitations of ADFS?
Operational costs: Managing multiple federations, systems, and certificates across multiple infrastructures can incur high maintenance and usage costs.
Technical difficulty: Onboarding new applications or systems to ADFS is often technically complex, and the work is unique to each application’s requirements and policies.
Other minor considerations include the inability to share files, print, or access Active Directory objects via ADFS. Lastly, connecting via Remote Desktop is not supported.
What are the ADFS requirements?
Requirements for ADFS fall into the following categories:
- Certificate requirements
- Hardware requirements
- Proxy requirements
- Active Directory Domain Services requirements
- Configuration database requirements
- Browser requirements
- Network requirements
- Permissions requirements
Alternatives to ADFS
Azure AD – Azure AD is Microsoft’s cloud counterpart to ADFS; however, it loses some of ADFS’s functionality, rules, and claims, and it does not allow certificates to be used as a means of logging in.
IDHub – IDHub allows you to maintain your local on-premises Active Directory while improving your identity management and access controls beyond those offered by Azure AD or ADFS.