Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


November 2006

Identity Federation with ADFS

Extend the reach of your AD and Web-based applications to users in other organizations
From the November 2006 Edition
of Windows IT Pro
Jan De Clercq
Feature
InstantDoc #93453
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    Identity Federation Standards

ADFS Architecture
ADFS leverages other Microsoft identity management building blocks such as Active Directory (AD) and Active Directory Application Mode (ADAM) and integrates tightly with Microsoft IIS. Figure 1 shows the core components in a simple ADFS deployment: federation servers, which run the ADFS Federation Service component; an ADFS Web Agent; and an AD or ADAM repository. In Figure 1, the ADFS infrastructure enables browser users from the identity provider to access a Web application running on an IIS server located at the resource provider. The browser users leverage the AD account defined by their identity provider.

ADFS provides tools based on X.509 certificates to establish a trust relationship between the identity provider and resource provider and to securely exchange data between them. ADFS trust relationships are one-way. In Figure 1, the resource provider trusts the identity provider. The trust relationship is also nontransitive, meaning that just because A trusts B and B trusts C, A does not automatically trust C.

The most important components of an ADFS implementation are the federation servers on the identity provider and the resource provider:

  • The federation server on the identity provider uses AD or ADAM to authenticate-users. When user authentication is successful, the identity provider federation server generates authentication cookies and security tokens. These security tokens contain claims about a user. Typical claim examples are a user's name, group memberships, and email address. The identity provider federation server signs the security tokens to protect them from tampering.
  • The federation server on the resource provider verifies the authentication cookies and security tokens it receives from users that attempt to access its Web application. The federation server also translates the cookies and tokens into a format that the Web application can understand and forwards them to the Web application.

How authentication cookies and security tokens are exchanged between the identity and resource provider federation servers is explained in the next section.

ADFS Web Agents enable IIS-hosted Web applications to participate in an ADFS federation. ADFS Web Agents know how to interact with federation servers and how to deal with ADFS authentication cookies and security tokens.

An existing Web application might require code changes to become ADFSenabled, which basically means that the application can consume the claims in the ADFS security tokens (i.e., use them for user authorization decisions). To enable a Web application for ADFS, you can use the Authorization Manager engine (which you can configure from the Microsoft Management Console Authorization Manager snapin) or one of the ASP.NET APIs (IsInRole or raw claims). For an introduction to Authorization Manager, have a look at "Role-Based Access Control," June 2003, InstantDoc ID 38775. One application that works with ADFS without coding changes is Microsoft SharePoint Portal Server.

ADFS Operation
Figure 2 illustrates the ADFS messages exchanged between the key ADFS entities. Remember that in this example, ADFS enables a browser user defined at the identity provider to access a Web application on the resource provider. The following ADFS-related messages will be exchanged:

  • Step 1: A browser user defined at the identity provider attempts to access a Web server application hosted at the resource provider.
  • Step 2: The ADFS Web Agent detects that the user hasn't been authenticated by ADFS and refers him or her to the resource provider's federation server.
  • Step 3: During this step, known as home realm discovery, the browser user provides his or her home domain information to the resource provider's federation server. The home domain is the place where the user's identity is defined and maintained—in other words, the user's identity provider. The first time the user connects to the Web application, the user provides information such as the name of his or her identity provider or email address. In subsequent requests, the resource provider's federation server finds this information in a cookie that's forwarded by the user.
  • Step 4: Based on the information provided during home realm discovery, the resource provider federation server redirects the browser user to the user's identity provider federation server for authentication.
  • Step 5: The browser user authenticates to his or her identity provider federation server by using his or her AD account and associated credentials.
  • Step 6: The identity provider federation server validates the user credentials against AD. If authentication is successful, the identity provider federation server generates an authentication cookie and ADFS security token.
  • Step 7: The identity provider federation server redirects the browser user together with the security token and authentication cookie to the resource provider federation server.
  • Step 8: The resource provider federation server transforms the claims in the security token into a set of claims that can be understood by the Web application hosted at the resource provider and embeds them in a new security token. This process is known as claim transformation. The federation server also generates a new authentication cookie and then redirects the browser user (together with the new security token and authentication cookie) to the Web application's ADFS Web Agent. The ADFS Web Agent then validates the authentication cookie and extracts the claims from the security token and passes them to the Web application.
  • Step 9: The Web application interprets the claims for authorization purposes and returns the appropriate Web content to the browser user.

ADFS for Web SSO
ADFS is a Web SSO solution that lets enterprises extend the reach of their AD and Web-based applications to other organizations. Windows 2003 users looking for a Web SSO solution should have a look at ADFS. Agreed, ADFS doesn't come with some of the advanced features of pure-play Web SSO solutions such as CA's eTrust SiteMinder or HP's OpenView Select Access, and it might require more development and integration time on the Web application side, but it comes for free with Windows 2003 R2 and integrates well with Microsoft's IIS Web server and SharePoint Portal Server.

To be successful, ADFS must enable AD and IIS Web applications to interoperate with non-Microsoft identity and resource providers. Several software vendors have already jumped on the ADFS bandwagon and brought out or promised to bring out ADFS-compliant solutions that extend the reach of ADFS to non-Microsoft-centric environments. Good examples are the solutions from Centrify and Quest Software that can be used to extend ADFS Web SSO to non-IIS-based Web servers such as Apache Tomcat and IBM WebSphere. Microsoft has also demonstrated ADFS interoperability with identity management products from IBM, CA, Oracle, BMC Software, Ping Identity, and RSA Security.

A good start for learning more about ADFS is Microsoft's ADFS overview white paper, which you can download at http://www.microsoft.com/windowsserver2003/r2/identity_management/adfswhitepaper.mspx.

End of Article

   Previous  1  [2]  Next  


Reader Comments
The link to figure 2 (http://www.windowsitpro.com/Files/93453/Figure_02.gif) shows only half of the diagram.
FYI,
bp

bpage November 29, 2006 (Article Rating: )

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Learning Path To learn more about Web SSO and other authentication methods:
"Authentication Options"

"Overview of Active Directory Federation Services (ADFS) in Windows Server 2003 R2"
Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...

WinInfo Short Takes: Week of November 23, 2009

An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...
Active Directory (AD) Whitepapers Meeting Compliance Objectives in SharePoint

Email Controls and Regulatory Compliance

Solving Desktop Management Challenges in Education
Related Events Troubleshooting Active Directory

Concrete Ways to Make Sure Your SharePoint Deployment Doesn't Blow Up

Introduction to Identity Lifecycle Manager "2"

Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks The Essentials Series: Active Directory 2008 Operations

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement