Additional Lessons
Lesson 2

UNDERSTANDING ADfS

By Sai Kurada
August 16, 2023
ADFS, or Active Directory Federation Services, is a Microsoft service that provides Single Sign-On (SSO) and identity federation capabilities. It allows users to access multiple applications and services using a single set of credentials, typically their Active Directory (AD) username and password. ADFS facilitates secure and seamless authentication and authorization across different domains, organizations, or cloud-based services.

Here's a breakdown of the key components and concepts related to ADFS:

Federation:
  • Federation refers to the establishment of trust and the sharing of identity information between different security domains or organizations. It enables users to access resources in one domain without having to create and manage separate user accounts in each domain.

Single Sign-On (SSO):
  • ADFS provides SSO functionality, allowing users to log in once and then access multiple applications and services without the need to re-enter their credentials.
  • SSO enhances user convenience and security by reducing the number of passwords users need to remember.

Claims-based Authentication:
  • ADFS uses claims-based authentication, where identity attributes or claims about the user are exchanged between the Identity Provider (IDP) and the Service Provider (SP).
  • Claims can include information like the user's name, email address, group membership, and more.

Identity Provider (IDP):
  • The Identity Provider is responsible for authenticating users and providing claims about their identity.
  • In the context of ADFS, the IDP is often an organization's on-premises Active Directory.

Service Provider (SP):
  • The Service Provider consumes claims from the IDP to grant or deny access to its resources.
  • SPs can be cloud-based applications, web services, or other systems that rely on user authentication.

Security Token Service (STS):
  • ADFS includes a Security Token Service, which issues security tokens containing claims about the user's identity.
  • These tokens are used for SSO and for proving the user's identity to SPs.

Trust Relationships:
  • Trust relationships are established between the IDP (ADFS) and SPs.
  • Trust can be achieved through the exchange of digital certificates and a secure token-signing process.
  • Once trust is established, the IDP can provide claims to the SPs, and the SPs can trust those claims for user authentication and authorization.

Multifactor Authentication (MFA):
  • ADFS supports MFA, which enhances security by requiring users to provide multiple forms of authentication, such as a password and a mobile app verification code.

Web Application Proxy (WAP):
  • WAP is a component of ADFS that allows secure remote access to web applications, even from outside the corporate network.
  • It provides a reverse proxy and pre-authentication for web applications.

Access Control Policies:
  • Administrators can define access control policies and rules to specify who can access specific resources and under what conditions.

What Are the Different Parts of ADFS?

ADFS is comprised of four primary components:

  • Active Directory - This is where ADFS’s identity information gets stored. ADFS extends AD’s information beyond the enterprise’s network. This allows users to access Windows-based and third-party applications while outside of corporate networks.
  • Federation server - It manages federated trusts between business partners by issuing security tokens. The federation server processes authentication requests from external users and issues out security tokens for claims based on credentials stored in AD.
  • Federation server proxy - This is deployed on the organization’s extranet and links external users and the federation server. This way, the federation server does not get exposed directly to the internet in order to prevent security risks.
  • ADFS web server - It hosts the ADFS Web Agent, a service that either allows or denies a user access to web applications based on authentication cookies and security tokens sent to it.

How Does ADFS Work?

  • ADFS uses a claim-based authentication, which verifies a user from a set of “claims” about their identity from a trusted token. ADFS then gives users a single prompt for SSO, allowing them to access multiple applications and systems even if they reside on different networks.
  • In ADFS, two organizations establish identity federation by confirming trust between two security realms. A federation server in one organization authenticates a user through the standard Active Directory Domain Services (AD DS). The AD DS then issues a token consisting of a series of claims about the user, including their identity in the organization.
  • On the other side of the organization (resources side), another federation server confirms the tokens and provides another token to allow local servers to accept the claimed identity. This enables the system to provide controlled access to its resources without requiring a user to authenticate directly to the application.

The diagram below summarizes the workflow for ADFS-based systems: