ADFS stands for "Active Directory Federation Services". It is a software component developed by Microsoft that provides single sign-on (SSO) access to web-based applications and other network resources for users who are authenticated in an Active Directory domain. ADFS allows organizations to share digital identities with trusted partners and customers, enabling secure access to shared resources across organizational boundaries.
ADFS works by establishing a trust relationship between the organizations involved in the federation. When a user attempts to access a resource in a trusted organization, the user is redirected to the ADFS server in their own organization, where they are authenticated. The user's ADFS server then issues a security token, which is passed on to the trusted organization's ADFS server; that server validates the security token and grants access to the requested resource.
ADFS supports several security token formats, including SAML (Security Assertion Markup Language) and JWT (JSON Web Token), as well as various authentication methods, such as username and password, smart cards, and multi-factor authentication.
Active Directory Federation Services (ADFS) is a Microsoft technology that enables single sign-on (SSO) between different applications and systems, both within and across organizational boundaries. It allows users to access resources and applications using their existing credentials, eliminating the need to remember multiple usernames and passwords. ADFS is an essential component of modern enterprise IT infrastructure, enabling seamless and secure collaboration between organizations and their partners.
The ADFS architecture consists of three main components: the Federation Server, the Federation Proxy Server, and the Claims-aware application. The Federation Server is the central component that manages the authentication and authorization processes. It stores user credentials and verifies them against the Active Directory (AD) domain controllers. The Federation Proxy Server acts as a proxy between the Federation Server and external users, providing secure access to the authentication services over the internet. The Claims-aware application is any application that is integrated with ADFS and supports claims-based authentication.
When a user attempts to access a Claims-aware application, the application sends a request to the Federation Server for authentication. The Federation Server then prompts the user for their credentials, such as their username and password. If the user’s credentials are valid, the Federation Server generates a security token containing the user’s identity information, such as their username, group membership, and other attributes. The security token is signed by the Federation Server using a private key and sent back to the user’s browser.
The user’s browser then sends the security token to the Claims-aware application, which verifies the signature using the Federation Server’s public key. If the signature is valid, the application trusts the identity information contained in the security token and grants the user access to the requested resources. The application can also use the claims in the security token to make authorization decisions, such as determining the user’s role or permissions.
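The issue-and-verify flow described in the two paragraphs above, shown as an added example that is not part of the original article and not ADFS's own code. It uses a minimal RS256 JWT (one of the token formats mentioned earlier) as a stand-in for an ADFS security token: the Federation Server role signs a set of claims with its private key, and the claims-aware application role verifies the signature with the matching public key before trusting any claim, then checks issuer, audience and expiry. The issuer and application URLs, the claim names and the group values are constructed for the example; real ADFS tokens carry Microsoft-defined claim types.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the identity information the Federation Server places in the token.
// The field set is constructed for this example; real ADFS claim names differ.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"`
	Groups   []string `json:"groups"`
	Expiry   int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue plays the Federation Server: it signs the claims with its private key,
// producing a compact RS256 JWT (header.payload.signature).
func Issue(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pay, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(pay)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify plays the claims-aware application: it checks the signature with the
// Federation Server's public key before trusting any claim, then checks that the
// token came from the expected issuer, was issued for this application, and is
// still within its validity window.
func Verify(pub *rsa.PublicKey, token, wantIssuer, wantAudience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: a header claiming "none" or an HMAC alg is rejected outright.
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify under the federation server key")
	}
	payBytes, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payBytes, &c); err != nil {
		return nil, err
	}
	if c.Issuer != wantIssuer {
		return nil, errors.New("unexpected issuer")
	}
	if c.Audience != wantAudience {
		return nil, errors.New("token was issued for a different application")
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, aud := "https://adfs.example.test/adfs/services/trust", "https://app.example.test" // constructed
	now := time.Now()
	tok, _ := Issue(priv, Claims{Issuer: iss, Subject: "alice", Audience: aud,
		Groups: []string{"Finance"}, Expiry: now.Add(10 * time.Minute).Unix()})
	if c, err := Verify(&priv.PublicKey, tok, iss, aud, now); err == nil {
		fmt.Printf("valid token -> subject=%s groups=%v\n", c.Subject, c.Groups)
	}
	parts := strings.Split(tok, ".")
	_, err := Verify(&priv.PublicKey, parts[0]+"."+parts[1]+"x."+parts[2], iss, aud, now) // altered payload
	fmt.Println("altered payload ->", err)
}
```

The order of checks is the point: the application never reads a claim it has not first authenticated, and the algorithm is pinned rather than taken from the token. In a real deployment the public key is not hard-coded; ADFS publishes its token-signing certificate in its federation metadata, and relying parties must refresh it when the certificate rolls over.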
ADFS supports several different authentication protocols, including WS-Federation, SAML, and OAuth. WS-Federation is a Microsoft standard that enables SSO across multiple domains and applications. SAML is an industry-standard protocol that enables SSO between different organizations. OAuth is a protocol for granting delegated access to resources, such as allowing a third-party application to access a user’s data without requiring the user to share their credentials.
ADFS also supports multi-factor authentication (MFA) and conditional access policies, enabling organizations to enforce additional security controls based on user behavior or risk factors. For example, an organization may require MFA for users accessing sensitive data or applications from outside the corporate network.
In summary, ADFS is a key technology for enabling secure and seamless collaboration between organizations and their partners. It allows users to access resources and applications using their existing credentials, reducing the burden of managing multiple usernames and passwords. ADFS uses security tokens to authenticate users and supports several authentication protocols, including WS-Federation, SAML, and OAuth. It also supports MFA and conditional access policies to enforce additional security controls based on user behavior or risk factors. Overall, ADFS is an essential component of modern enterprise IT infrastructure, enabling organizations to work together more efficiently and securely.