What is ADFS and How it Works and Used For? (AD Federation Service)
What is ADFS and How it Works and Used For? (AD Federation Service). In today’s modern IT environment, Identity and Access Management (IAM) systems are more important than ever, especially given the number of individuals working remotely and the presence of digital risks lurking around. And as the IAM industry has expanded, many vendors have struggled to keep up with businesses’ shifting needs.
Businesses currently rely on various cloud based solutions to support crucial operations and give staff members versatility. As a result, when these trends emerged in 2003, Microsoft announced Active Directory Federation Services (ADFS) as an add on feature to the Windows Server operating system.
The tool enables users from different organizations to access applications on the Windows Server Operating System with a single set of login credentials. In this article, we will discuss ADFS, its components, and its functions.
What is ADFS and How it Works and Used For? (AD Federation Service).
What is ADFS?
Active Directory Federation Services is Microsoft’s claim based single sign on (SSO) solution. It facilitates access to all integrated applications and systems with just your Active Directory (AD )credentials.
Microsoft dominated the IT sector in 2000 and practically all enterprise software was on premise and Windows based. Consequently, this posed authentication issues for programs outside the Windows and the organization’s perimeter.
As a result, Microsoft developed ADFS as a chance for many enterprises to capitalize on the software as a service (SaaS) surge. However, the SSO solution enables the secure sharing of identification information outside a company’s network. This is to gain access to resources such as web apps hosted by organizations with which the company has built partnerships.
Ultimately, ADFS enables companies to create “trust relationships” with one another over the internet by transferring identities from on premise settings to cloud based environments. It can also use token standards such as cookies and JSON Web Tokens (JWT) to provide authentication services.
It functions similarly to any web application based SSO service that uses the Secure Assertion Markup Language (SAML) interface. However, people use ADFS on premises rather than in the cloud. To use ADFS, run it on Windows Server after installing the role in Server Manager. It is part of Active Directory services.
What is ADFS Used for?
For Users
The necessity to address the authentication issues caused by AD in a connected digital age led to the development of ADFS. One of the problems is that when users attempt to access integrated applications from the outside, AD cannot authenticate them.
Yet, users frequently need to use applications in the modern workplace that their organization’s AD doesn’t own or manage. Users can overcome these difficulties with third party authentication using ADFS.
When forming a partnership to use another organization’s online applications, Active Directory Federation Services provides a centralized location for managing and auditing employee identity information exchanged with their organization’s partners.
Using the default credentials from their organization’s Active Directory(AD), ADFS enables users from one organization to access applications of partner organizations. It also enables users to remotely access apps linked with AD using their usual organizational AD credentials through a web interface.
For Applications
The SSO solution eliminates the need for applications to store and secure usernames and passwords in a separate database. Organizations can use it to reduce requests for a password reset as there would be no need to keep passwords.
For Security
ADFS is used to reduce attacking threats as authenticated access to several applications is consolidated into a single login. It also provides multi factor authentication with over 15 authentication methods that users can set up in minutes.
How is ADFS Used?
These are the following use cases below:
Single Sign On (SSO)
Access to Internet facing apps or services is via Single Sign On (SSO). ADFS provides Single Sign On authorization to users who want to access apps across networks or organizations. It also offers continuous service.
Identity Management
The maintenance of identities is possible using ADFS. Identity management keeps expenses for maintaining user IDs low while maintaining security. An example is Office 365. You can implement ADFS in this case by configuring the Directory Synchronization (DirSync) tool, which establishes accounts in Microsoft’s domain that correspond to the accounts in the user’s domain.
ADFS: How it Works?
Primarily ADFS handles authentication using a proxy service that it hosts between AD and the target application. To provide users access, it employs a Federated Trust that connects it and the target application. This allows users to access the federated application via single sign on (SSO) without having to confirm their identity on the application itself. As a result, it acts as a bridge between the target application and AD to grant users authorized access.
Active Directory Federation Service Authentication Process
The steps involved in the Active Directory Federation Service authentication process are as follows:
- The user requests to log in to the target application.
- The target application redirects the user to the ADFS login page.
- The user enters their credentials (username and password) on the login page.
- When the submitted credentials are successfully verified, AD (Active Directory) issues an authentication claim.
- Next, the redirection link to the application or resource in question is sent to the user with the authentication claim. Note: The claim doesn’t include the username and password. It includes only personal information like the first and last names, email addresses, etc.
- The target application or resource accepts the claim and then logs the user in.
Components of ADFS
Active Directory Federation Services comprises four primary components, namely;
Active Directory (AD)
The identity data for ADFS is kept here. Beyond the company network, ADFS makes AD’s data available. Users are now able to use software that is Windows based and from third parties outside of corporate networks.
Federated Server
The Federation server manages federated trusts between business partners by distributing security tokens. It also handles external user authentication requests and issues security tokens for claims based on credentials kept in AD.
Federation Server Proxy
ADFS Web Server
It houses the Web Agent, which controls the security tokens and cookies used for authentication that is delivered to it.
Also Read
Disadvantages of ADFS
Added Maintenance Expenses
Organizations must take into account, the continuing operational costs of maintaining and running the service. Depending on how it is set up, ADFS may wind up costing more than expected, both directly (more infrastructure costs) and indirectly (increased complexity costs).
Regardless of the upkeep cost, servers must be patched, updated, and regularly backed up. Also, employees with advanced technical capabilities are required to manage trust between AD domains.
Overall Difficulty
The solution’s commissioning, configuration, and upkeep are not straightforward tasks. Therefore, adding a new application to the service is time consuming and technically challenging, which limits IT responsiveness.
Insecurity
While ADFS runs on a Windows Server, you must guard it to avoid jeopardizing the solution. Also, its standard installation is not as secure as it can be. There are several procedures that IT must do to safeguard it adequately.
License Cost
Even though ADFS is a free feature of Windows Server, it requires a Windows Server license and a server to run it, which incurs costs for the company. Notably, since the release of Windows Server 2016, the cost of a server license has risen, with licensing now done on a per core basis.
Other drawbacks of ADFS include;
- Lack of support of Remote Desktop connections.
- Unable to gain access to Active Directory resources.
- Does not support file sharing or printing from print servers.
Thank you for reading What is ADFS and How it Works and Used For? (AD Federation Service).
What is ADFS and How it Works and Used For? (AD Federation Service)
In conclusion, Active Directory Federation Service makes it possible to manage and access federated identity by safely transferring digital identity and entitlement rights across corporate and secure borders.
The most recent version of ADFS is ADFS 4.0 for Windows Server 2016.Microsoft enhanced the integration with SAML, auditing process and password management to federate Office 365 customers.
Take a look at more ADFS content here.
