Active Directory Federation Services
The fundamental purpose of Active Directory Federation Services (ADFS) is to take advantage of user single sign-on (SSO) technologies to authenticate a user to multiple, related Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries. The following are some of the key features of ADFS:
Classic Web SSO
Classic Web SSO scenarios involve cases where the users accessing an application are managed in an extranet directory collocated with the application. ADFS classic Web SSO features offer stronger authentication than conventional means through forms and client-side certificates, and an SSO cookie eliminates the need to re-authenticate for access to other applications in a federated application pool. This functionality, which has been provided by third parties in the past, is now integrated into the server platform with ADFS in Windows Server 2003 R2.
Federated Web SSO
With federation, the user authentication process (presenting and verifying credentials) takes place in a separate environment from the one where the application resides. ADFS enables federation of web applications, enabling customers, partners, and suppliers from different organizations to have a similar, streamlined user experience when they access another organization’s Web-based applications with their own organization’s credentials. Federation also works between business units or geographies within an organization.
Federated Authorization and .NET Integration
ADFS provides a rich model for building security tokens. The ADFS security token has the ability to carry data about users besides their identity, including user authorization/entitlement data.
These data, called authorization claims, combined with the ability to transport them securely in a security token, enable a feature called Federated Authorization. Rather than requiring the application administrator to entirely manage how users get access to specific application capabilities, Federated Authorization enables the delegated administration of users’ access rights to trusted directory administrators.
On the application side, ADFS integration with Windows Server technologies such as ASP.NET Roles or Windows Authorization Manager (AzMan) provides end-to-end authentication and authorization management capabilities. Authorization Manager is a simple interface for providing application-level access to functionality through administrative mapping of incoming authorization claims to application roles and related application capabilities. Thus Authorization Manager, in combination with ADFS, helps to provide a role-based access control (RBAC) environment for Windows-based, internet-facing .NET Web applications.
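The claim-to-role mapping described above, as an added example that is not part of the original page or of ADFS/AzMan itself: a relying application receives a SAML 1.1 token carrying ADFS group claims, rejects it unless the issuer is a trusted partner, the validity window is open and the audience is this application, and then maps only administratively approved group values onto roles. Python stands in for the .NET code a real deployment would use; the token, realm, issuer and claim namespace values are constructed for the example, and XML signature verification is assumed to have been performed upstream by the ADFS web agent.

```python
# Added example, not from the page: map ADFS authorization (group) claims in a
# SAML 1.1 token onto application roles, the way AzMan's claim-to-role mapping does.
# Token signature verification is assumed done upstream by the ADFS web agent.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"     # ADFS v1 claim namespace (assumed)
APP_AUDIENCE = "urn:federation:example-app"           # this application's realm (constructed)
TRUSTED_ISSUERS = {"urn:federation:example-partner"}  # federation partners (constructed)
GROUP_TO_ROLE = {"Purchasing": "Purchaser", "Purchasing Approvers": "Approver"}
# Constructed sample token; ADFS normally adds a signature over the whole assertion.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" Issuer="urn:federation:example-partner">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{APP_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice@partner.example</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Group" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Purchasing</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def roles_from_token(token_xml, now=None):
    """Return (subject, sorted roles); raise ValueError if the token must be rejected."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(token_xml)
    if a.get("Issuer") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    cond = a.find(f"{SAML}Conditions")
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its validity window")
    if APP_AUDIENCE not in [e.text for e in cond.iter(f"{SAML}Audience")]:
        raise ValueError("token not issued for this application")
    stmt = a.find(f"{SAML}AttributeStatement")
    subject = stmt.find(f"{SAML}Subject/{SAML}NameIdentifier").text
    roles = set()
    for attr in stmt.findall(f"{SAML}Attribute"):
        if attr.get("AttributeName") == "Group" and attr.get("AttributeNamespace") == CLAIMS_NS:
            # Only administratively mapped groups grant a role; "Helpdesk" above grants nothing.
            roles.update(GROUP_TO_ROLE[v.text] for v in attr.findall(f"{SAML}AttributeValue")
                         if v.text in GROUP_TO_ROLE)
    return subject, sorted(roles)
```

Calling `roles_from_token(SAMPLE_TOKEN)` yields the subject and the single mapped role `Purchaser`; a token for another realm or from an unlisted issuer is rejected before any claim is read.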
Extensible architecture
ADFS provides an extensible architecture that supports various security token types, including Security Assertion Markup Language (SAML) 1.1 and Kerberos (as used in Windows Integrated Authentication). ADFS also offers the ability to perform custom claims transformations — for example, adding custom business logic from a database as a variable in an access request. Organizations can use this extensibility to modify ADFS to coexist with their current security infrastructure and business policies.
ADFS provides a solution that is proven to interoperate with other security products that support the Web Services (WS-*) architecture. ADFS does this by employing the federation specification of WS-*, called WS-Federation. WS-Federation makes it possible for environments that do not use the Windows identity model to federate with Windows environments. Many identity management and security software vendors have demonstrated two-way interoperability with ADFS and plan to deliver complementary solutions to ADFS.
The WS-Federation Passive Requestor Profile (WS-F PRP) is an implementation of WS-Federation, which proposes a standard protocol for how passive requestors (such as Web browsers that support the widely used Hypertext Transfer Protocol (HTTP)) apply the federation framework. Within this protocol, Web service requestors are expected to understand the new security mechanisms and be capable of interacting with Web service providers.
Because ADFS is based on the WS-* architecture, it supports federated communications between any WS–enabled endpoints, currently including communications between servers and passive (HTTP/S) clients, such as Web browsers. In the future, ADFS will employ the WS-* architecture to expand its reach to Simple Object Access Protocol (SOAP)–based smart clients, such as servers, mobile phones, personal digital assistants (PDAs), desktop applications, and SOAP-based Web services.