Active Directory Federation Services
Active Directory Federation Services (AD FS) is developed by Microsoft which run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across extranet. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity.
- Claims-based authentication involves authenticating a user based on a set of claims about that user’s identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims-based authentication.
- It is part of the Active Directory Services.
- Identity federation is established between two organizations by establishing trust between two security realms. A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including its identity. On the other side, the Resources side, another federation server validates the token and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.
The AD FS administration tool (adfs.msc) is supplied as a Microsoft Management Console (MMC) snap-in. The administration tool is used to add account and resource partners, map partner claims, add and configure account stores, and identify and configure federation-aware Web applications.
Benefits of ADFS
The following is a brief list of the major benefits to using AD FS:
Web single sign on (SSO)
AD FS provides Web SSO to federated partners outside your organization, which enables their users to have a SSO experience when they access your organization’s Web-based applications.
Web Services (WS)-* interoperability
AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS follows the WS-Federation specification (for passive clients; that is, browsers), which makes it possible for environments that do not use the Windows identity model to federate with Windows environments.
Partner user account management not required
The federated partner’s Identity Provider (IP) sends claims that reflect its users’ identity, groups, and attribute data. Therefore, your organization no longer needs to revoke, change, or reset the credentials for the partner’s users, since the credentials are managed by the partner organization. Additionally, if a partnership needs to be terminated, it can be performed with a single trust policy change. Without AD FS, individual accounts for each partner user would need to be deactivated.
Claims are defined in terms that each partner understands and appropriately mapped in the AD FS trust policy for exchange between federation partners.
Centralized federated partner management
All federated partner management is performed using the AD FS Microsoft Management Console (MMC) snap-in.
AD FS provides an extensible architecture for claim augmentation, for example, adding or modifying claims using custom business logic during claims processing. Organizations can use this extensibility to modify AD FS to finely support their business policies.
AD FS was first released in Windows Server 2003 R2. It has been updated with the following new and improved features for Windows Server 2008:
1. Improved support for Microsoft Office SharePoint® Services 2007 as a claims-aware application
2. Support for Active Directory Rights Management Services (AD RMS)
External users attempting to access an organization’s protected content are authenticated through AD FS. Once these external users are authenticated, AD RMS policies are enforced, and AD RMS will automatically provide the external user with appropriate content licenses to work with an organization’s protected content.
Administrators have granular control over how these external users interact with an organization’s content and can also define templates to apply to multiple partner relationships. Federated AD RMS in Windows Server 2008 is fully compatible with existing Office SharePoint Server 2007 deployments and fully supports down-level AD RMS clients.
3. Group Policy control of AD FS deployment
In previous versions of AD FS, there was no way to limit who deployed an AD FS server in the enterprise. Administrators now have the ability to control and stage the rollout of AD FS servers by limiting deployment through Group Policy.
4. Improved installation
AD FS is included as a server role and is installed using Server Manager, which automatically lists and installs all the services required by AD FS during installation. A configuration wizard is available to perform server validation checks during the AD FS installation. This feature not only makes installation easier, but also gives AD FS the same consistent install experience as other Windows components.
5. Improved import and export of trust policy during federated trust establishment
This improvement simplifies the process for bringing federation partners on board.
6. Events and Microsoft Operations Manager (MOM) alerts
Previous versions of AD FS lacked the ability to easily determine when certificates were going to expire. New events and MOM alerts allow IT administrators to be proactive instead of reactive in managing the certificates, dramatically reducing the possibility of user impact issues.
7. AD FS snap-in control of certificate revocation list (CRL) checking
In previous versions of AD FS, administrators occasionally had to disable CRL checking because partners issued their own certificates that were chained to an Internet authority, but did not publish their CRLs to the internet. CRL checking had to be disabled by manually modifying the trust policy of an XML file.
This procedure was not intuitive, difficult to troubleshoot, and the solution was a medium-high risk operation on the AD FS servers. The AD FS snap-in now allows CRL checking behavior (within the scope of AD FS) to be adjusted or disabled.