The following article provides a short introduction to Microsoft ADFS 2.0 (Active Directory Federation Services) for IT staff.
The article is based on the Windows Azure Security, Identity & Access lecture by Mr. Manu Cohen-Yashar (Sela Group), which was presented at the Microsoft Israel office.
In Windows 2003 R2, Microsoft released the first generation of the ADFS services.
According to Microsoft's official post, “Active Directory Federation Services (ADFS) is based on the emerging, industry-supported Web Services Architecture, which is defined in WS-* specifications. ADFS helps you use single sign-on (SSO) to authenticate users to multiple, related Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries.”
In Windows 2008/2008 R2, Microsoft released the second generation of the ADFS services. ADFS 2.0 provides new features, such as advanced integration with Visual Studio, WCF technology support, PowerShell integration, and support for the WS-Trust, WS-Federation and Security Assertion Markup Language (SAML) protocols.
A common mistake of junior IT staff is to think that the technology underlying ADFS is a new invention. However, you should note that the same basic technology has been used by third-party providers for more than 12 years (e.g. Citrix).
From the end user's point of view, ADFS provides a transparent SSO (Single Sign On) solution. With the old technology (domain/forest trusts), to allow a user from Active Directory Forest A to log on to a resource in Active Directory Forest B, we had to establish a domain/forest trust.
The old technology forced us to have full network connectivity between the two forests (see, for example, How to configure a firewall for domains and trusts) and provided a low-security solution. It also required us to invest much more time and resources to set up the connection between the two Active Directory forests. Other scenarios, such as the need to integrate with a third-party operating system or realm, may lead to even more complex deployment issues.
With ADFS, the user obtains a token from Forest A and presents it to Forest B. Forest B trusts Forest A's token provider (the Security Token Service, STS); after verifying the token's signature and other properties, it maps the user from Forest A to some identity, role or user in Forest B.
To allow ADFS to function, you only need to allow a one-way HTTPS (SOAP) connection. By implementing ADFS and a token provider (STS), you can create multiple secure connections to third-party resources using a more secure and more convenient solution.
You can even use an additional tool to synchronize Forest A accounts to Forest B accounts, creating an easy one-to-one user mapping. The same technique is used by the Microsoft Office 365 solution.
The following slides provide a short overview of how ADFS 2.0 is implemented in the Microsoft Azure platform.
To download Microsoft ADFS 2.0, please use the following link: Active Directory Federation Services 2.0 RTW
For further information, please review the following links: