Active Directory Federation Services (AD FS) – Part 1
AD FS is a service that allows identity information to be exchanged securely between trusted business partners. Let’s assume Company A and Company B are business partners. Company B management wants to access a SharePoint portal that runs at Company A in a secure manner. With AD FS, Company B can provide the authentication information to Company A in the form of “claims”. Company A then uses its “trust policy” to map these claims into claims that the SharePoint web application understands, and based on that outcome the system makes the authorization decisions.
The AD FS service is also used to provide a single sign-on (SSO) experience between an on-premises Active Directory and a Windows Azure Active Directory instance.
1. Single Sign On (SSO)
The AD FS service gives federation partners an SSO experience when accessing each other’s web-based applications.
2. Easy Partner User Account Management
Between federation partners, the user identities, attributes, group memberships etc. are managed by the partner organization. So you do not need to worry about changing, activating or deactivating the user accounts used for authentication. Also, in the event of a partnership termination, it can be done with a single trust policy change, without having to worry about user accounts.
3. Web services Interoperability
The AD FS federated identity management solution interoperates with other security products that support the WS-* web services architecture. This allows federation partnerships with environments that do not use the Windows identity model.
4. Centralized federation partner management
All federation partnerships can be managed using the AD FS MMC.
5. Extensible architecture
Organizations can use this extensibility to modify AD FS to support their business policies.
AD FS Deployment
To install AD FS you need at least 2 servers: one server holds the AD FS role and the other holds the Web Application Proxy role. These 2 roles cannot be installed on one server.
To install AD FS, the servers must be joined to the domain.
Client – Web Application Proxy – Federation Server communications are based on HTTPS. So if your organization does not run a CA, make sure you apply a 3rd-party SSL certificate along with the proper DNS entries before the AD FS configuration.
Also, port 443 should be open in order to allow the following communications:
1) Client computers should be able to connect to the AD FS or Web Application Proxy server using HTTPS (443)
2) The AD FS and Web Application Proxy servers should be able to communicate with each other using HTTPS (443)
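The prerequisites above as a pre-flight check to run on each server before configuring AD FS, as an added PowerShell example that is not part of the original post. The host names $FederationServiceName, $AdfsServer and $WapServer are placeholders you must replace with your own.

```powershell
# Added pre-flight check for the AD FS prerequisites listed above (example code, not from the post).
# All three names below are placeholders; replace them with your own values.
$FederationServiceName = 'fs.example.com'           # public federation service FQDN (placeholder)
$AdfsServer            = 'adfs01.corp.example.com'  # internal AD FS server (placeholder)
$WapServer             = 'wap01.example.com'        # Web Application Proxy in the perimeter (placeholder)

$results = [ordered]@{}

# 1. The AD FS and WAP servers must be domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = $cs.PartOfDomain

# 2. The two roles cannot coexist on one server: report what is installed here.
$adfsRole = Get-WindowsFeature -Name ADFS-Federation
$wapRole  = Get-WindowsFeature -Name Web-Application-Proxy
$results['RolesOnThisHost'] = @(
    if ($adfsRole.Installed) { 'ADFS-Federation' }
    if ($wapRole.Installed)  { 'Web-Application-Proxy' }
) -join ','
$results['SingleRoleOnly'] = -not ($adfsRole.Installed -and $wapRole.Installed)

# 3. A proper DNS entry for the federation service name must exist.
try {
    $dns = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop
    $results['DnsResolves'] = ($dns | Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
} catch {
    $results['DnsResolves'] = $false
}

# 4. A non-expired SSL certificate with a private key whose SAN covers the service name,
#    and which chains to a CA this machine trusts (3rd-party CA if you run no internal CA).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.DnsNameList.Unicode -contains $FederationServiceName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$results['CertPresent']    = [bool]$cert
$results['CertThumbprint'] = if ($cert) { $cert.Thumbprint } else { 'none' }
$results['CertTrusted']    = if ($cert) { $cert.Verify() } else { $false }

# 5. HTTPS (443) reachability: from a client to WAP / AD FS, and from WAP to AD FS.
foreach ($target in $WapServer, $AdfsServer) {
    $tnc = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
    $results["Tcp443_$target"] = $tnc.TcpTestSucceeded
}

[pscustomobject]$results | Format-List
```

Run it once on the AD FS server and once on the Web Application Proxy server; any False in the output points at the prerequisite that still needs attention.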
Web Application Proxy
Prior to Windows Server 2012 R2, this service was called the Federation Server Proxy. It should be hosted on a server in the perimeter network, where it acts as a gateway connecting hosts on the unprotected network to the federation server on the protected network.
This is the end of the post; in the next article let’s look into an AD FS deployment in a demo environment. If you have any questions about the post, feel free to contact me at firstname.lastname@example.org