In this article, we will learn about the concept of Active Directory Federation Services (AD FS).
- Active Directory Federation Services (AD FS) is a feature of the Windows Server operating system (OS) that extends end users’ single sign-on (SSO) access to applications and systems outside the corporate firewall.
- AD FS enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
- AD FS extends the single sign-on functionality available within a single security or enterprise boundary to Internet-facing applications, giving customers, partners and suppliers a streamlined experience when they access an organization’s web-based applications.
What AD FS actually does
- Microsoft’s traditional Active Directory technology stores usernames and passwords and uses them to manage and secure access to computers on a Windows domain. It also provides single sign-on (SSO) access to corporate applications.
- AD FS builds upon this functionality to authenticate users on third-party systems, such as another company’s extranet or a service hosted by a cloud provider.
- Using single sign-on (SSO) capabilities, AD FS can authenticate a user to different, related web apps during a single online session.
- AD FS shares the user’s identity and access rights, also known as claims (attributes), across the organization’s security boundaries.
- When a user attempts to access a web app belonging to one of their organization’s trusted business partners (a relationship known as a federation), their organization authenticates the user and sends the user’s identity information to the web app’s host as claims. The host can then make authorization decisions based on those claims.
Benefits of AD FS
- Active Directory Federation Services aims to reduce the complexity around password management and guest account provisioning, and it has taken on additional importance as organizations and employees rely more on software as a service (SaaS) and web applications.
- SaaS and web apps typically require their own user accounts, and AD Federation Services ties those usernames and passwords to existing identities. Once a user logs in with his or her Windows credentials, AD Federation Services authenticates access to all approved third-party systems.
- IT can provide sign-on and access control based on a unified set of credentials. Additionally, the feature provides this control across modern and legacy applications, on-premises and in the cloud.
Limitations of AD FS
- It requires additional infrastructure and cost to set up, and like any feature added to an infrastructure, AD FS may introduce additional points of failure.
Single Sign-On (SSO)
Single sign-on (SSO) capabilities let federation partners share a streamlined experience when they use the organization’s web apps.
Through a federation specification called WS-Federation, AD FS’ federated identity management system is interoperable with other products that support web services architecture and even environments that don’t use the Microsoft Windows identity model.
AD FS supports the Security Assertion Markup Language (SAML) 1.1 security token type and Kerberos authentication, and can also modify claims through customizable rules applied to each access request. Through this extensible architecture, organizations can adjust AD FS to work with their current security and business frameworks.
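The claims flow described above (the home organization authenticates the user, issues claims, and the partner app host authorizes on them) and the claim-modification capability can be seen in how a relying party trust is configured. The following is an added example, not code from the original article: it uses the AD FS PowerShell module's Add-AdfsRelyingPartyTrust cmdlet and the AD FS claim rule language; the partner name, URLs and the group SID are placeholders.

```powershell
# Added example: register a partner web app as an AD FS relying party and define
# the claims it receives. Names, URLs and the group SID below are placeholders.
Import-Module ADFS

# Identifier and WS-Federation endpoint of the partner application (placeholders).
$rpIdentifier = 'https://portal.partner.example/'
$rpEndpoint   = 'https://portal.partner.example/wsfed'

# Issuance authorization rules run first, on the claims produced when the user
# authenticated to AD. Only members of one AD group (placeholder SID) are permitted;
# everyone else is refused a token before the partner ever sees a request.
$authorizationRules = @'
@RuleName = "Permit only members of the portal users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rules shape what the partner receives: look up e-mail and
# display name in AD for the authenticated account, and replace the raw group SID
# with a friendly Group claim so internal SIDs are not leaked across the boundary.
$transformRules = @'
@RuleName = "LDAP attributes to claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);

@RuleName = "Map portal users group to a Group claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "PartnerPortalUsers");
'@

# Create the relying party trust with both rule sets attached.
Add-AdfsRelyingPartyTrust -Name 'Partner Portal' `
    -Identifier $rpIdentifier `
    -WSFedEndpoint $rpEndpoint `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules

# Confirm the trust exists and review the rules AD FS stored for it.
Get-AdfsRelyingPartyTrust -Name 'Partner Portal' |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules
```

Run on an AD FS server with administrative rights; the partner application must then be configured to trust this AD FS instance's token-signing certificate and to map the Group claim to its own roles.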
I hope you found something useful.