
What is Active Directory Federation Services (ADFS) and How Does It Work?

Aidan Simister
| Read Time 10 min read| Updated On - May 14, 2025

Last Updated on May 14, 2025 by Satyendra


Active Directory Federation Services (ADFS) is a software component developed by Microsoft that provides Single Sign-On (SSO) capabilities for users across multiple applications or systems. It enables organizations to extend their authentication and authorization services beyond their corporate network to partner organizations or cloud-based services.

What is Active Directory Federation Services (ADFS)?

Active Directory Federation Services (ADFS) is a Microsoft-developed Single Sign-On (SSO) solution that gives employees one authentication experience across multiple applications using a single set of credentials. It uses a claims-based access control model: the identity provider authenticates the user, packages statements about that user (claims) into a digitally signed security token, and applications make their access decisions from those claims rather than from a password of their own. ADFS grants secure access to web applications and services inside the organization’s Active Directory environment and in approved third-party systems. Its federated nature centralizes user identity, so individuals can reach applications inside the corporate network and at trusted external parties using their existing AD credentials. ADFS also provides remote access to AD-integrated applications through the cloud, simplifying the user experience while keeping authentication policy under the organization’s control.

What does Active Directory Federation Services do?

Active Directory Federation Services is a Windows Server role that provides Single Sign-On (SSO): users authenticate once and can then access many web applications, including applications hosted by other organizations, with a single set of credentials.

Key Functions of ADFS:

  1. Single Sign-On (SSO) Across Organizations: A technique called SSO is used to authenticate users and allow them to access multiple applications using a single set of credentials. Active Directory Federation Services (ADFS) eliminates the need for users to repeatedly log in by enabling them to access multiple apps across many companies. To put it another way, ADFS enables users to access resources or apps located in many networks or organizations using SSO.
  2. Identity Management: In general, when a user wishes to view an application or resource in another network, they need to establish their identity once more by submitting some secondary credentials. The secondary credentials would be employed to indicate the user’s identity in the network that contains the requested application or resource. AD FS creates trust relationships (federations) between organizations so that users from one organization can access resources in a second organization without having to use different credentials.
  3. Claims-Based Authentication: Claims-based authentication is the method by which applications obtain user identity information. Claims are statements about the user, such as name, email address or group membership, that ADFS places in a signed security token. Instead of each application checking a username and password itself, the application is handed the token and grants access based on the claims it contains; the user’s actual credentials are only ever presented to ADFS and Active Directory.
  4. Active Directory Integration: ADFS lets you extend your Active Directory identities to services outside your infrastructure. Because it relies on AD as its identity store, it uses AD for user authentication and for the group memberships and attributes that become authorization claims. Through a centralized, secure approach, users reach applications both on-premises and in the cloud with their existing AD credentials.

How Active Directory Federation Services Works?

Here’s a step-by-step breakdown of how ADFS operates:

  1. User Initiates Access: A user requests a web application that has been configured as a relying party of AD FS. The application does not handle authentication itself; it redirects the user’s browser to the AD FS sign-in endpoint using whichever protocol the trust was set up with (WS-Federation, SAML 2.0 or OpenID Connect).
  2. AD FS Authenticates the User: The federation server authenticates the user against Active Directory with the configured method: Windows Integrated Authentication for domain-joined clients on the intranet, a forms-based username and password prompt, a certificate, or an additional factor where policy requires MFA. If the browser already holds an AD FS session cookie from an earlier sign-in, this step is skipped, which is what makes later sign-ins silent.
  3. AD FS Issues a Token: Upon successful authentication, AD FS evaluates the claim rules defined for that relying party and generates a security token containing the resulting claims, such as the user’s UPN, email address and group memberships. The token is digitally signed with the AD FS token-signing certificate (and can optionally be encrypted for the relying party) so that its integrity and origin can be verified.
  4. Browser Posts the Token: The user’s browser receives the token and automatically posts it to the application’s designated endpoint. This is seamless to the user; no further interaction is needed.
  5. Application Validates the Token and Grants Access: The application verifies the signature against the AD FS public key it obtained from federation metadata, confirms that the issuer is the expected AD FS instance, that the audience is this application and not some other relying party, and that the token is inside its validity window. Only after these checks pass does it read the claims and decide from them whether the user is authorized. If so, it grants access to the requested resources.
  6. Cross-Organizational Access: AD FS supports federated identity scenarios, allowing users from one organization to access resources in another without needing separate credentials. The partner organization’s AD FS trusts the home organization as a claims provider, accepts its token, and issues its own token that the partner’s local applications will accept. Resources can therefore be made available across organizational boundaries without users authenticating to each application individually.
  7. Single Sign-On Experience: Once the first authentication is complete, users can move between all applications that are part of the federated trust, across domains, without being asked to log in again.
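The following Python script is an added illustration of steps 2 to 5 above; it is not AD FS code or anything from the original page. Real AD FS signs tokens with the RSA private key of its token-signing certificate and relying parties verify them with the public key published in federation metadata; here an HMAC-SHA256 key stands in for that signature so the example runs on the standard library alone. The issuer and relying-party URLs, the signing key and the sample user are constructed placeholders. The point it makes that the prose does not is the order and completeness of the relying party’s checks: signature first, then issuer, audience and validity window, and only then the claims.

```python
"""Model of the AD FS token flow: issue a signed claims token, then validate it.

Added illustration, not AD FS or Microsoft code. HMAC-SHA256 stands in for the
RSA signature of the token-signing certificate. ISSUER, RELYING_PARTY,
SIGNING_KEY and the sample user are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "http://sts.example.com/adfs/services/trust"  # assumed placeholder
RELYING_PARTY = "https://app.example.com/"             # assumed placeholder
SIGNING_KEY = b"demo-token-signing-key"  # stand-in for the token-signing cert key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: dict, audience: str, now: Optional[int] = None,
                lifetime: int = 3600) -> str:
    """Steps 2-3: after authenticating the user against AD, the federation
    server packages claims about the user into a token and signs it."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": ISSUER,           # which STS issued the token
        "aud": audience,         # which relying party it was issued for
        "nbf": now,              # not valid before
        "exp": now + lifetime,   # not valid on or after
        "upn": user["upn"],
        "email": user["email"],
        "groups": sorted(user["groups"]),  # AD group memberships as claims
    }
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


class TokenRejected(Exception):
    """Raised by the relying party when a token fails a validation check."""


def validate_token(token: str, expected_audience: str,
                   now: Optional[int] = None) -> dict:
    """Step 5: the relying party verifies the token before trusting any claim.
    The signature is checked before the payload is even parsed."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        sig_bytes = _unb64(sig)
    except ValueError:
        raise TokenRejected("malformed token")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        raise TokenRejected("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise TokenRejected("token issued for a different relying party")
    if not (claims["nbf"] <= now < claims["exp"]):
        raise TokenRejected("token outside validity window")
    return claims


def rejection_reason(token: str, expected_audience: str,
                     now: Optional[int] = None) -> Optional[str]:
    """The reason a token is rejected, or None if it validates."""
    try:
        validate_token(token, expected_audience, now)
    except TokenRejected as exc:
        return str(exc)
    return None


def authorize(claims: dict, required_group: str) -> bool:
    """Application-side authorization decision on the validated group claims."""
    return required_group in claims.get("groups", [])


if __name__ == "__main__":
    # Constructed sample user, as the federation server would read it from AD.
    alice = {"upn": "alice@example.com", "email": "alice@example.com",
             "groups": ["Finance", "Domain Users"]}
    t0 = 1_700_000_000
    token = issue_token(alice, RELYING_PARTY, now=t0)
    claims = validate_token(token, RELYING_PARTY, now=t0 + 60)
    print("finance access:", authorize(claims, "Finance"))
    # A token minted for another application is refused even though it
    # carries a genuine signature from the same AD FS.
    other = issue_token(alice, "https://other.example.com/", now=t0)
    print("cross-app token:", rejection_reason(other, RELYING_PARTY, now=t0 + 60))
```

The audience check is the one most often left out of home-grown relying parties: a token that AD FS legitimately issued for one application must not be accepted by another, otherwise any low-value application in the trust becomes a way to reach every other one. The validity window matters for the same reason the page gives under deactivation: a token that has already been issued stays acceptable until it expires, so lifetimes should be short.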

Components of Active Directory Federation Services

Below are the main components of an ADFS deployment, together with the Microsoft cloud services it is most often paired with in hybrid environments:

  1. Entra ID (Azure AD)
  2. Azure AD Connect
  3. ADFS Web Server
  4. Federation Server
  5. Federation Server Proxy

1. Entra ID (Azure AD): Entra ID, previously Azure AD, is Microsoft’s cloud-based identity service. It is not part of ADFS itself, but in hybrid deployments it is the most common relying party: ADFS is configured as the federated identity provider for an Entra ID tenant, so sign-ins to Microsoft 365 and other cloud applications are redirected to the on-premises federation servers. Administrators manage cloud application access and account privileges in Entra ID, while authentication still takes place against on-premises Active Directory.

2. Azure AD Connect: Azure AD Connect (now Microsoft Entra Connect) is the synchronization tool that connects on-premises Active Directory with Entra ID. It is commonly used in hybrid deployments, keeping user identities and attributes synchronized between the two environments, and its setup wizard can also configure the ADFS farm and the federation trust with the tenant.

3. ADFS Web Server: In the original ADFS 1.x releases, an ADFS Web Server hosted the ADFS Web Agent, a component that sat in front of a web application to accept security tokens and maintain the authentication cookies on its behalf. Current versions have no separate Web Agent: the relying party application validates tokens itself using a claims-aware library such as Windows Identity Foundation, and the web server simply hosts that application.

4. Federation Server: The Federation Server is the core of ADFS. It hosts the Security Token Service that authenticates users against Active Directory, evaluates claim rules, and issues signed tokens, and it stores the claims provider trusts and relying party trusts (the federations) with partner organizations and applications. This is the Single Sign-On (SSO) component that provides authentication and access services for multiple systems across different enterprises using a common security token based on the hosting organization’s Active Directory. Because it holds the token-signing certificate, it belongs on the internal network and should never be exposed directly to the internet.

5. Federation Server Proxy: The Federation Server Proxy (Web Application Proxy in Windows Server 2012 R2 and later) is deployed in the perimeter network as a reverse proxy between external clients and the Federation Server. External users connect to the proxy to request a security token; it forwards the request to the internal Federation Server, which performs the actual authentication and token issuance, so the Federation Server itself is never reachable from the internet.

Why Do Organizations Use ADFS?

Employing ADFS provides some significant advantages which will be elaborated below:

  1. Enhanced Security: This is often regarded as the most significant advantage of ADFS. Because applications receive signed claims rather than the user’s password, credentials are entered only at the federation server and never have to be stored by, or moved across networks to, each individual application. Consolidating many application logins into one also reduces the number of places where credentials can be phished or mishandled. The trade-off is that the federation servers and their token-signing certificate become a single high-value target: whoever controls that key can issue tokens for any relying party, so these servers must be hardened and monitored accordingly.
  2. Improved User Experience: Single sign-on makes access simpler for users: they sign in once and then move between applications and platforms without entering further credentials. Users need to remember only one set of credentials for all their applications, which removes the password fatigue that comes from maintaining many separate passwords.
  3. Simplified Identity Management: ADFS lets organizations handle user identities and access rights across multiple domains and organizations from one place. Adding or removing a user account is done once in Active Directory and takes effect for every federated application, inside the network or at third parties. The applications themselves no longer need to store and maintain their own copies of user credentials.
  4. Third-Party Authentication: ADFS gives organizations a controlled way to grant access to third-party systems and applications in a changing workplace. Once users have signed in with their Windows credentials, they are authenticated to every external application the organization has configured as a relying party.
  5. Increased Productivity: ADFS provides a ready-made way to authenticate users with the digital identities already held in the organization’s directory. Developers do not need to build and maintain their own login systems and can concentrate on higher-impact work, and system administrators get a single place from which to see and control which identities can reach which applications.
  6. Easy Deactivation: When an employee leaves, disabling their Active Directory account cuts off every federated application at once, instead of de-credentialing each account individually, which is time consuming and error prone. One caveat: tokens that have already been issued remain valid until they expire, so short token lifetimes keep this window small.

Disadvantages of Active Directory Federation Services

Below are some of the disadvantages of ADFS:

Infrastructure Costs: ADFS is a Windows Server role, so it requires Windows Server licenses and dedicated servers; a production farm typically needs at least two federation servers plus two proxies in the perimeter network for availability. This can mean significant upfront cost, especially for organizations that do not already run a Windows Server environment.

Operational and Maintenance Costs: ADFS requires deep technical expertise to operate and maintain effectively, including certificate renewal and farm upgrades. This can be a challenge for organizations that lack the in-house resources. ADFS can also be complex to configure, deploy, operate, and integrate with other systems, such as Entra ID (Azure AD), which further increases its cost.

Additional Limitations: ADFS handles claims-based authentication for web applications and services only. It does not replace Kerberos or NTLM authentication for file shares, print servers, or most remote desktop connections, and it does not manage Active Directory objects such as group policies or user accounts; those remain the job of Active Directory Domain Services.

In summary, Active Directory Federation Services (ADFS) acts as a bridge between an organization’s internal network and external resources, authenticating users once and providing secure access to applications and services hosted on-premises or in the cloud. ADFS uses industry-standard federation protocols (SAML 2.0, WS-Federation, OAuth 2.0 and OpenID Connect) and protects tokens with digital signatures, optional encryption and TLS in transit, so sensitive data stays protected during authentication and authorization. By implementing ADFS, organizations can improve their overall security posture while simplifying user access and improving the user experience.

If you’d like to see how Lepide can help to secure your Active Directory environment, schedule a demo with one of our engineers.

Aidan Simister

Having worked in the IT industry for a little over 22 years in various capacities, Aidan is a veteran in the field. Specifically, Aidan knows how to build global teams for security and compliance vendors, often from a standing start. After joining Lepide in 2015, Aidan has helped contribute to the accelerated growth in the US and European markets.
