Active Directory Federation Services
Microsoft has a software service that runs on Windows Server, known as Active Directory Federation Services (ADFS). Its function is to provide Single Sign-On (SSO) access to applications and systems that cannot use Integrated Windows Authentication (IWA) against Active Directory directly. It works by building an identity federation between two organizations, which is done by establishing trust between two security domains.
For access control and authorization, ADFS uses a claims-based model to secure applications through the federated identity it creates. Claims-based authentication is a process in which a user's identity is verified through a set of claims (statements such as name, e-mail address or group membership) associated with that identity.
This component was developed to provide users with flexibility. Organizations that use it are empowered to control their employees' accounts while making the user experience simple. After all, employees only need to remember a single set of credentials to access multiple applications through the SSO factor.
How Does ADFS Work?
On one end, the user's own organization's ADFS server verifies the user with the traditional methods (for example, their Active Directory credentials). It then issues a token that contains a series of claims about the user, including their identity. On the other side, the partner organization's server accepts that token and issues its own token to its local servers, acknowledging the user's identity.
As a deployment note, a company that migrates its ADFS servers from on-premises to Azure gains high availability, and ADFS is straightforward to deploy on Microsoft Azure IaaS.
The process above happens in the following steps:
- The user goes to the service they want to access, such as a partner website, to get product details.
- The website requests an authentication token.
- The user passes the request for a token to the ADFS server.
- The ADFS server provides a token containing a set of claims that belong to the user.
- The user forwards the token to the website that requested it, in this case, the partner website.
- The partner website allows the user to gain access. The website may also refuse access, depending on the federated trust in place (for instance, whether it trusts the issuer and whether the claims satisfy its access rules).
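The steps above, as an added example that is not part of the original article or of Microsoft's code: a federation server (the STS) issues a token carrying claims, and the relying party (the partner website) accepts it only if the issuer is trusted, the token is addressed to it and it has not expired, then applies its own access rule to the claims. All issuer URLs, keys and claims are constructed; real ADFS tokens are SAML or JWT signed with the STS token-signing certificate, and HMAC with a shared trust key stands in for that signature here.

```python
"""Simulated ADFS claims-token flow (constructed example; HMAC stands in for the
STS token-signing certificate, and all names/keys below are made up)."""
import base64, hashlib, hmac, json, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(issuer, audience, claims, key, lifetime=300, now=None):
    """Federation server side: sign a set of claims for one relying party (aud)."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "aud": audience, "exp": now + lifetime, "claims": claims}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def validate_token(token, trusted_issuers, my_audience, now=None):
    """Relying party side. trusted_issuers maps issuer -> key, i.e. the federated
    trusts this website has configured. Returns (accepted, reason, claims)."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        payload = json.loads(body)
        if not isinstance(payload, dict):
            raise ValueError("payload is not an object")
    except ValueError:  # covers base64 errors and JSON decode errors too
        return False, "malformed", None
    key = trusted_issuers.get(payload.get("iss"))
    if key is None:                       # no federation trust with this STS
        return False, "untrusted issuer", None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    if payload.get("aud") != my_audience:  # token was issued for another site
        return False, "wrong audience", None
    if payload.get("exp", 0) <= now:
        return False, "expired", None
    return True, "ok", payload["claims"]

def authorize(claims, required_group):
    """The relying party's own access rule applied to the accepted claims."""
    return required_group in claims.get("groups", [])

if __name__ == "__main__":
    key = b"constructed-trust-key"
    tok = issue_token("https://sts.contoso.example/adfs", "https://partner.example/app",
                      {"upn": "alice@contoso.example", "groups": ["Sales"]}, key)
    print(validate_token(tok, {"https://sts.contoso.example/adfs": key},
                         "https://partner.example/app"))
```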
The Application of ADFS by Companies
ADFS was created to deal with authentication challenges that arose with Active Directory as interconnectivity rapidly took over the online world. AD and IWA both have limitations with respect to modern authentication: neither can authenticate users who access AD-integrated applications from outside the network. This became a significant challenge in the contemporary workplace, as users regularly need to access applications not owned by their own Active Directory organization.
ADFS resolves these authentication challenges, although, as discussed later, it also brings some risks and disadvantages. It solves the problem for users who work remotely and need to access applications integrated with AD, offering a flexible solution in which users authenticate with their company's AD credentials through a web interface.
In addition, users from one organization can access applications hosted on another organization's platform, even though those applications are outside their own company's AD domain. For example, users can access applications on a partner's modern cloud services, which are now part of many organizations' IT infrastructure. Statistics show that approximately 90% of organizations have AD in their domain.
Examples of ADFS in use include:
- Single Sign-On (SSO): SSO comes in handy for users who need to access applications hosted on third-party networks or by other organizations. It provides seamless SSO access to internet-facing applications and services.
- Identity Federation (Identity Management): here a user's identity is centralized to make identity management seamless. This is crucial for maintaining security while lowering the costs associated with managing user identities.
The application of ADFS in Office 365 is as follows:
- The users have an AD environment with a dedicated domain created for each user's subscription to Office 365.
- ADFS comes into play by setting up a directory synchronization tool. This helps to create accounts within the Microsoft user's domain, matching the already existing accounts.
- A user can choose the accounts to harmonize in the AD.
The Components of ADFS
The first component of ADFS is Active Directory itself, which is the store of the identity information used by ADFS.
- Federation Server: the set of tools required to manage federation trusts between two or more business partners. It processes authentication requests from external users and hosts a security token service, which issues tokens carrying claims derived from Active Directory.
- Federation Server Proxy: the element installed on the company's extranet. External users connect to this proxy when they need a security token. It forwards their requests to the Federation Server, which is not directly exposed to the internet, to protect it from security risks.
- ADFS Server: This platform hosts the ADFS Web Agent responsible for managing the security tokens and authentication cookies it receives through authentication requests.
The Risks and Disadvantages of ADFS
ADFS has some drawbacks that keep it from being an ideal authentication solution. Although it is a free feature in Windows Server, commissioning it requires a Windows Server license, whose cost has increased since 2016. It is also necessary to have a server to host the service, which is a further expense to your company.
Hidden Cost of Maintenance
In addition to the direct costs of commissioning ADFS, you must also budget for ongoing operational costs. ADFS servers require regular updating, patching, and backing up. Maintaining and managing the service is not free, as these tasks require technical experts with deep knowledge. High availability is also crucial, since the service is critical, and depending on its configuration it can cost more than you anticipate.
Commissioning, configuring, and maintaining an ADFS service is not an easy feat. Adding applications to the service is time-consuming and requires deep technical input, factors that hinder IT agility.
An ADFS deployment is not secure straight out of the box. For enhanced security, your IT team needs to harden and secure the Windows Server it runs on, so that the solution does not become a risk in itself.
The benefits of using an ADFS solution outweigh the risks and disadvantages involved. The downsides are easy to work around if you prepare a budget for the solution and have an expert help you with the involved processes. Velocity IT is your go-to IT service provider in Dallas and Fort Worth. Call us for all your business IT needs and Microsoft support, and one of our experts will be there to help.