Imagine you are at the airport and you have handed your boarding pass and ID to the airline staff. The agent checks your name and passport number against the airline's database to make sure you are authorized to board the plane.
What if they could not reach the directory holding the complete list of passengers who bought tickets? With no data to compare your details against, the check could not be completed and the process would fail.
The same principle applies to Single Sign-On (SSO). If the complete set of user data is not stored securely, kept organized, and reachable, there is nothing to compare a user's submitted credentials against, so their identity cannot be verified and access cannot be granted. A robust directory service is an essential prerequisite for SSO.
What is Active Directory Federation Services (ADFS)?
Active Directory Federation Services (ADFS) is a web service and a Windows Server role that lets you share identity information outside a company's network. It authenticates users against Active Directory (typically with their domain username and password, or with integrated Windows authentication from a domain-joined machine) and then issues signed security tokens carrying claims about the user. Applications that trust the ADFS issuer accept those tokens, so users can access them without being prompted for credentials repeatedly.
The applications can be in the cloud, on premises, or hosted by other companies; it does not matter who owns them or where they run. The user accounts themselves are still maintained by the administrator in a single place, Active Directory.
Why Do You Need ADFS?
Active Directory Federation Services provides a platform for managing online identities and providing single sign-on. This matters because of the ongoing transition from running applications on premises to running them in the cloud.
When applications run on premises, access rights to them can be granted to Active Directory objects (users and groups). Once users log into Active Directory they are recognized regardless of which servers they connect to for applications and other resources.
However, this model has its limitations for cloud based applications.
For example, when you log on to your computer in the morning with your AD credentials, your identity is established once those credentials are verified, and that logon session is reused transparently for local resources throughout the organization.
Now, if you want to access Disney Plus, it will not recognize you automatically: Disney Plus is a cloud-based application, and although you are logged on with your domain user ID and password, there is no trust relationship between Disney Plus and your domain. Disney Plus keeps its own user accounts, so you have to supply credentials specific to that site.
It is these types of challenges that have made ADFS so important and so widely adopted. Managing separate credentials across many applications is a nightmare for users and for support staff alike, and it pushes users towards reusing passwords. ADFS removes the need for separate credentials wherever a trust can be established.
What Can You Do With ADFS?
You may have come across the word ‘trust’ between companies or partners before, in the context of Federated Identity Management (FIM). ADFS is built on this core concept. In Windows, FIM is implemented on top of Active Directory: since AD already stores every user's identity (user IDs, password hashes, group memberships), it acts as the base identity store. ADFS draws on that identity information and makes assertions about it available outside your network, where other organizations and applications can consume them.
ADFS as an identity access solution supports the following:
- Identity Federation (Identity Management): Identity management is the process of managing information about users' identities and controlling their access to resources. The purpose of identity federation is to have a centralized or linked identity that raises productivity and security while remaining cost effective.
- Single Sign-On (SSO): It gives computers inside or outside your network single sign-on access to internet-facing applications and services. The user accounts and the applications can live in completely different networks or organizations.
Due to the rising number of applications and services a centralized login system has become a necessity. It is not only convenient for the users but is equally simple to manage.
What Are The Components Of ADFS?
There are four major components of ADFS:
- Active Directory: This is where all the identity information is stored to be used by ADFS.
- Federation Server: Hosts the Federation Service role. It authenticates users against Active Directory, applies the configured claim rules, and issues the signed security tokens that relying applications consume. Requests from external users reach it only through the proxy.
- Federation Proxy Server: Hosts the Federation Service Proxy role (on Windows Server 2012 R2 and later, the Web Application Proxy role). The federation server itself is not exposed directly to the internet, because it is domain-joined and tightly coupled to AD; the proxy sits in the perimeter network and forwards requests from the outside world to the federation server.
- ADFS Web Server (web agent): The web agent on the application server handles the security tokens and authentication cookies sent to that web server, validating them so the application can authenticate external users.
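The trust relationship described under "What Can You Do With ADFS?" and the token hand-off between the federation server and the web agent above come down to a small set of checks a relying party must perform on every token. The following added example (written for this article, not code from ADFS or from Microsoft) models that exchange in Python: the federation-server side issues a signed token carrying claims for one audience, and the relying-party side rejects anything that is not signed by the trusted issuer, is addressed to a different application, or is outside its validity window. The issuer name, audience names and claims are assumed, and a shared HMAC key stands in for the RSA token-signing certificate ADFS actually uses; the checks are the same ones a real relying party performs.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed issuer name: the identifier a relying party configures for the
# federation server it trusts. Constructed for this example.
IDP_ISSUER = "http://adfs.example.com/adfs/services/trust"

# Stand-in for the ADFS token-signing certificate. ADFS signs tokens with an
# RSA private key and relying parties verify with the public certificate; a
# shared HMAC key is used here only so the example runs with the standard
# library. The validation logic does not change.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audience, claims, now=None, lifetime=3600, key=SIGNING_KEY):
    """Federation-server side: after the user has authenticated against AD,
    issue a signed token whose claims describe the user for ONE relying party."""
    now = int(time.time()) if now is None else now
    payload = {
        **claims,                # attributes pulled from AD (e.g. mail, groups)
        "iss": IDP_ISSUER,       # who issued the token
        "aud": audience,         # which relying party it is meant for
        "sub": subject,
        "nbf": now,              # not valid before
        "exp": now + lifetime,   # not valid at or after
    }
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    signature = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(signature)


class TokenError(Exception):
    """Raised when a relying party must reject a token."""


def validate_token(token, expected_audience, now=None, trusted_issuer=IDP_ISSUER, key=SIGNING_KEY):
    """Relying-party side (the web agent / application). Every check is
    mandatory: signature first, then issuer, audience and validity window."""
    now = int(time.time()) if now is None else now
    try:
        body, signature = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    expected_sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(signature)):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if payload.get("iss") != trusted_issuer:
        raise TokenError("untrusted issuer")
    if payload.get("aud") != expected_audience:
        # A token issued for application A must not be accepted by application B.
        raise TokenError("wrong audience")
    if not (payload["nbf"] <= now < payload["exp"]):
        raise TokenError("outside validity window")
    return payload


def check(token, audience, now):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_token(token, audience, now=now)
        return "ok"
    except TokenError as err:
        return str(err)


def forge_audience(token, new_audience):
    """What an attacker without the signing key can do: rewrite the claims
    and keep the old signature. The relying party must reject this."""
    body, signature = token.split(".")
    payload = json.loads(_b64url_decode(body))
    payload["aud"] = new_audience
    new_body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return new_body + "." + signature


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice@corp.example", "urn:app:payroll",
                      {"mail": "alice@corp.example", "groups": ["Payroll-Users"]}, now=t0)
    print(check(tok, "urn:app:payroll", t0 + 60))                 # ok
    print(check(tok, "urn:app:hr", t0 + 60))                      # wrong audience
    print(check(tok, "urn:app:payroll", t0 + 7200))               # outside validity window
    print(check(forge_audience(tok, "urn:app:hr"), "urn:app:hr", t0 + 60))  # bad signature
```

In a real deployment the relying party holds only the issuer's public signing certificate, so the forged-token case fails for the same reason without the key ever being shared. The audience check is the one most often skipped in home-grown validators; without it a token issued for one application can be replayed against any other application that trusts the same issuer.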
Despite everything discussed above, ADFS has certain downsides from an infrastructure standpoint:
- It does not provide access to file shares or print servers
- It does not grant access to Active Directory resources in general; what it issues are tokens for claims-aware web applications
- It does not authenticate ‘older’ web applications that are not claims-aware
- It does not provide Remote Desktop connections to servers
- ADFS, although straightforward in concept, can be complex for novices, and the skills to run it have to be acquired
- In the present BYOD (bring your own device) culture, ADFS still requires AD domain accounts, and the seamless integrated Windows sign-on only works from domain-joined devices; from any other device users get a forms-based login page instead
What Is Lightweight Directory Access Protocol (LDAP)?
Lightweight Directory Access Protocol (LDAP) is a protocol that lets applications look up user and resource information quickly. For example, suppose someone in your office wants to do two things at once: send an email to a colleague and print the conversation on a new printer. LDAP makes both possible: the mail client looks up the colleague's address in the directory, and the workstation finds the printer's connection details there too.
Companies store usernames, password hashes, email addresses, printer connections, and other largely static data in directories, and LDAP is the protocol used to maintain and query that data. It is an open, vendor-neutral application protocol that can also handle authentication, so a user can sign on once and reach many different resources on the network.
LDAP is a protocol, so it does not dictate how the directory server itself is implemented. It is the language clients use to find the information they need quickly.
Because LDAP is vendor neutral, it works with many different directory products. A directory holds data that is:
- Static: The information does not change much, and when it does, the shifts are subtle.
- Descriptive: Multiple points, such as name and location, come together to define an asset.
- Valuable: Data stored within the directory is essential to core business functions, and it is touched over and over again.
What Can You Do With LDAP?
The most common use of LDAP is as a central place for authentication. The directory stores usernames and (hashed) passwords, and applications and services validate users against it through plugins or built-in LDAP support; Jenkins, Kubernetes, Docker, Samba on Linux, and OpenVPN servers can all be set up to check usernames and passwords against an LDAP directory. Because the bind operation carries the user's password, LDAP traffic used for authentication should always be protected with TLS (LDAPS or StartTLS), and anonymous or unauthenticated binds should be disabled.
System administrators also use LDAP, together with the server's access controls, to govern who may read or change the directory database. The protocol itself defines a small set of operations: bind (authenticate a session) and unbind, search and compare entries, add, delete and modify entries, modify an entry's DN, extended operations, and abandon (cancel an outstanding request).
Although Microsoft's Active Directory speaks LDAP, the protocol is also implemented by other directory servers such as OpenLDAP, Red Hat Directory Server, and IBM Tivoli Directory Server.
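The search-then-bind flow behind those application logins, and the one mistake that breaks it, as an added example (not from the article or from any of the products named above). A login name first has to be turned into a DN with a search, and if the name is concatenated straight into the filter the user controls the filter's structure. The directory contents, DNs and passwords below are constructed for the example; the in-memory filter evaluator stands in for the LDAP server, and escape_filter_value implements the RFC 4515 escaping that client libraries provide for you (escape_filter_chars in both python-ldap and ldap3).

```python
import hmac
import re

# Constructed in-memory directory standing in for a real LDAP server
# (OpenLDAP, Active Directory, ...). Entries are keyed by DN. The "_password"
# attribute is a demo stand-in for the server-side credential the real
# directory checks during a bind; clients never read it.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "objectClass": "person", "mail": "alice@example.com",
        "_password": "correct horse battery",
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "objectClass": "person", "mail": "bob@example.com",
        "_password": "hunter2",
    },
    "cn=printer1,ou=devices,dc=example,dc=com": {
        "cn": "printer1", "objectClass": "device",
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter:
    backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(text, i):
    """Parse one filter component starting at text[i] == '('.
    Returns (node, index just past the closing ')')."""
    if text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i] in "&|":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        if text[i] != ")":
            raise ValueError("unterminated %s list" % op)
        return (op, children), i + 1
    if text[i] == "!":
        child, i = _parse(text, i + 1)
        if text[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", child), i + 1
    eq = text.index("=", i)
    close = text.index(")", eq)          # an unescaped ')' in the value ends it here
    return ("=", text[i:eq], text[eq + 1:close]), close + 1


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    _, attr, raw = node
    actual = next((v for a, v in entry.items() if a.lower() == attr.lower()), None)
    if actual is None:
        return False
    if raw == "*":                       # presence filter, e.g. (uid=*)
        return True
    return _unescape(raw).lower() == actual.lower()


def search(filter_text):
    """Evaluate an LDAP filter the way a server would; return matching DNs."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [dn for dn, entry in DIRECTORY.items() if _matches(node, entry)]


def find_user_dns(username, safe=True):
    """Step 1 of LDAP authentication: resolve the login name to a DN.
    safe=False shows the injection-prone version that concatenates raw input."""
    value = escape_filter_value(username) if safe else username
    return search("(&(uid=%s)(objectClass=person))" % value)


def authenticate(username, password):
    """Step 2: bind as the resolved DN with the supplied password.
    Returns the DN on success, None otherwise."""
    dns = find_user_dns(username)
    if len(dns) != 1:                    # unknown, or ambiguous: refuse
        return None
    stored = DIRECTORY[dns[0]]["_password"]
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return dns[0]


if __name__ == "__main__":
    print(find_user_dns("*)(uid=*", safe=False))   # raw input: every person matches
    print(find_user_dns("*)(uid=*"))               # escaped: no match
    print(authenticate("alice", "correct horse battery"))
    print(authenticate("alice", "wrong"))
```

The unsafe variant shows why escaping matters: the input `*)(uid=*` rewrites the filter to `(&(uid=*)(uid=*)(objectClass=person))`, which matches every person in the directory, whereas the escaped form searches for the literal string and finds nothing. The second step, binding as the resolved DN, is what actually verifies the password; comparing a password inside a search filter, as some older integrations do, turns the same injection into an authentication bypass.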
When To Use LDAP?
If an organization is unsure whether LDAP is the right choice, a few use cases stand out. Consider the Lightweight Directory Access Protocol if:
- The organization has a large number of small data entries
- Individual pieces of data need to be found and read regularly
- The organization wants these small pieces of data in one central location, and the data does not need to be combined or joined in many ways (as it would in a relational database)
What Are The Components Of LDAP?
An LDAP directory is organized as a simple tree hierarchy (the Directory Information Tree, or DIT). In the classic X.500-style layout it consists of:
- The root of the tree (the starting point), which branches out to
- Countries, each of which branches out to
- Organizations, which branch out to
- Organizational units (divisions, departments, and so on), which branch out to
- Individual entries (people, files, devices, and other shared resources)
Each entry is identified by its distinguished name (DN), the chain of names from the entry up to the root, written leaf first. Most directories today root the tree in domain components taken from a DNS name (for example dc=example,dc=com) rather than in country and organization entries.
An LDAP directory can be distributed across many servers. An LDAP server is called a Directory System Agent (DSA). It receives a request from the client, takes responsibility for it, and where necessary passes it on to other DSAs (by chaining the request or by returning a referral that the client follows), while ensuring the client ends up with a single coordinated response.
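How a distinguished name encodes the tree just described, as an added example (not from the article): a DN lists the entry's relative distinguished names leaf first, so the path from the root is read right to left, and a comma inside a value has to be escaped with a backslash (RFC 4514) so it is not mistaken for a separator. The DNs below are constructed for the example; a real client would get them back from a search.

```python
import json


def split_dn(dn):
    """Split a DN into its RDN strings. A comma preceded by a backslash is
    part of the value (RFC 4514), e.g. 'cn=Smith\\, John' is one RDN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape and escaped char together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def dn_path(dn):
    """Root-to-leaf path of an entry, i.e. the RDNs in reverse order."""
    return list(reversed(split_dn(dn)))


def parent_dn(dn):
    """The DN of the containing entry, or None for a top-level entry."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def build_tree(dns):
    """Fold a list of DNs into a nested dict mirroring the directory tree."""
    tree = {}
    for dn in dns:
        node = tree
        for rdn in dn_path(dn):
            node = node.setdefault(rdn, {})
    return tree


# Constructed sample DNs: two users, a user whose common name contains an
# escaped comma, and a device under a separate organizational unit.
SAMPLE_DNS = [
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
    "cn=Smith\\, John,ou=people,dc=example,dc=com",
    "cn=printer1,ou=devices,dc=example,dc=com",
]

if __name__ == "__main__":
    print(json.dumps(build_tree(SAMPLE_DNS), indent=2))
    print(parent_dn("cn=Smith\\, John,ou=people,dc=example,dc=com"))
```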
ADFS vs LDAP
LDAP is a lightweight alternative to the X.500 Directory Access Protocol (DAP), offering a subset of its functions over TCP/IP. It has been around since the early 1990s. It lets clients locate people and resources on the internet or on a corporate intranet, and the access controls on an LDAP server let system admins set permissions on who may read or change the directory, keeping the data private.
ADFS, on the other hand, is focused on the Windows environment. LDAP is more flexible: it is supported across platforms, including Linux/Unix.
LDAP is ideal where data is read frequently but changes rarely, which is exactly the profile of user accounts and credentials, so it works especially well for password-based authentication. ADFS, by contrast, does not provide access to shared files or print servers.
An LDAP server can authenticate users in real time: it compares the presented credentials against what is stored in the directory immediately, so no sensitive user data has to be copied to the cloud. ADFS does not authenticate older web applications that are not claims-aware.
Both authentication tools have now been explained in detail. Note that they are not really alternatives to each other: ADFS is a federation layer on top of Active Directory, and Active Directory is itself an LDAP directory. The practical question is whether an application should talk LDAP to the directory directly or consume federation tokens from ADFS. Choose the approach that makes authentication easier for your users while keeping it efficient, secure, and tied to the policies and user status held in Active Directory.