Active Directory Federation Services
Encyclopedia
Active Directory Federation Services (AD FS for short) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with Single Sign-On
access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity
.
Claims based authentication is the process of authenticating a user based on a set of claims about its identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims based authentication.
In AD FS, identity federation is established between two organizations by establishing trust between two security realms. A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory
Domain Services and then issues a token containing a series of claims about the user, including its identity. On the other side, the Resources side, another federation server validates the token and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.
In practice this approach is typically perceived by the user as follows:
AD FS integrates with Active Directory
Domain Services, using it as an identity provider. AD FS can interact with other WS-* and SAML 2.0
compliant federation services as federation partners.
AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.
Single sign-on
Single sign-on is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them...
access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity
Federated identity
A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems....
.
Claims based authentication is the process of authenticating a user based on a set of claims about its identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims based authentication.
In AD FS, identity federation is established between two organizations by establishing trust between two security realms. A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory
Active Directory
Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers....
Domain Services and then issues a token containing a series of claims about the user, including its identity. On the other side, the Resources side, another federation server validates the token and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.
In practice this approach is typically perceived by the user as follows:
- The user logs into their local PC (as they typically would when commencing work in the morning)
- The user needs to obtain information on a partner company's extranet website - for example to obtain pricing or product details
- The user navigates to the partner company extranet site - for example: http://example.com
- The partner website now does not require any password to be typed in - instead, the user credentials are passed to the partner extranet site using ADFS
- The user is now logged into the partner website and can interact with the website 'logged in'
AD FS integrates with Active Directory
Active Directory
Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers....
Domain Services, using it as an identity provider. AD FS can interact with other WS-* and SAML 2.0
SAML 2.0
Security Assertion Markup Language 2.0 is a version of the SAML OASIS standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal between an...
compliant federation services as federation partners.
AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.
See also
- Claims Based Identity
- Digital identityDigital identityDigital identity is the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things...
- Identity Metasystem
- Information CardInformation CardInformation Cards are personal digital identities that people can use online, and the key component of Identity metasystems. Visually, each Information Card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select...
- LDAP
- Windows CardSpaceWindows CardSpaceWindows CardSpace , is Microsoft's now-canceled client software for the Identity Metasystem. CardSpace is an instance of a class of identity client software called an Identity Selector. CardSpace stores references to users' digital identities for them, presenting them to users as visual...
- Windows Server 2008
- WS-FederationWS-FederationWS-Federation is an Identity Federation specification, developed by BEA Systems, BMC Software, CA Inc., IBM, Layer 7 Technologies, Microsoft, Novell, Ping Identity, and VeriSign...