"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
Active Directory Federation Services (ADFS)
Active Directory Federation Services, or ADFS for short, is the new Microsoft Web services technology that allows for companies to pursue Web based transactions with business partners (Business to Business or B2B) securely. When working with other companies you sometimes need to allows clients to access resources in your domain, or vice versa. Because of the nature of the Internet, resource sharing can always be nerve racking - there is more security that needs to be implemented and that technology is called WS-Federation. Most times, making Web transactions can be deemed insecure, and if you need to maintain identity information for outside business partners and customers, ADFS is for you. Integrated tightly with Active Directory, ADFS helps to keep Web transactions secure. A sample B2B connection can be seen in the next illustration.
As you can see from this example, Company A and Company B need to share a resource… Company A’s Intranet server. A computer user in Company B wants to use that resource and under normal circumstances, if they were logged into Company A’s domain, a trust relationship could be used. Also, never forget the question that is most important - how do you do that securely over the public Internet? Active Directory Federation Services (ADFS) provides a secure infrastructure for building a federated identity management solution that can extend your organization’s existing identity management capabilities to the Internet.
ADFS Requirements and Benefits
ADFS requires Active Directory, or more importantly, the user accounts stored in Active Directory. Federation services use these accounts for the B2B authentication. As you can see, ADFS is tightly integrated with Active Directory. ADFS authenticates users against Active Directory and it uses the security tokens that are created by Active Directory. It also uses Windows integration authentication as well. What does ADFS do for you? By deploying ADFS, you can extend Active Directory securely to the Internet. By doing so, you will be able to maintain a secure directory services infrastructure without having to use other sign-on or single sign-on (SSO) providers. You will also be able to allow your clients and customers to use SSO and have a seamless experience by accessing resources enabled via the trust from one organization to the other. So what’s next? Building the federation trust…
Just like any trust relationship in Windows, if set up correctly, you will be able to extend your services to other business partners, allow for authentication to flow and the use of resources seamless. When you deploy ADFS you are essentially deploying a federation server that will control access to your systems based on identification, authentication, and authorization through the federation trust– remember that you are dealing with the public Internet so it’s imperative that you secure and control transmissions across it. You cant tear down your firewall, but you can securely allow transmissions through it, and if those same transmissions were also secure and allowing for simplified access to resources securely over the Internet … ADFS was built to do that. With a federation trust, you can extend Active Directory to allow for the sharing of resources securely in a B2B environment. The next illustration shows what it would look like if you planning and deployed a federation trust from Company A to Company B. The resources are in Company A, and Company B has the clients that want to access the resource.
Now that the trust is planned from the resource domain to the domain where you have your accounts, you can have secure online transactions between Company A and Company B connected by the federation trust relationship. The federation trust between the two federation servers shows the ‘direction’ of the trust which is important. In this illustration, the resource domain trusts the domain where the accounts are based… the user domain. The arrow points to the account side of the trust, away from the resource domain.
Once the federation trust is established, authentication requests that are made to the Intranet server in the resource domain can flow through the federation trust from users who are located in the domain where the accounts are located without issue. Configuration mistakes and setting the trust in the in the wrong direction will keep you from achieving a successful trust relationship.
You can use the Active Directory Federation Services snap-in to configure the federation trust; this will be covered in a future article.
Let’s use this last illustration as a summary of what needs to be planned:
- If you have a B2B connection that you want to use for cross-organization use of resources, and keep your accounts and resources seamless via a trust relationship, because of the nature of the public Internet, you would want to create a secure way to achieve the sharing of these resources
- By deploying federation servers that allow for a trust to cross over firewalls and the public Internet, you can create trusts, share resources and all from the extension of Active Directory’s power and ADFS.
Make sure that you prepare for the federation trust. You have to prepare your network to accept a federated trust so knowing the ports and so on and designing beforehand is essential to ensuring that ADFS will be deployed properly. If one side of a federation trust (either the account partner or the resource partner) is not configured or if it is configured incorrectly by the administrator for either organization, the federation trust cannot be created successfully
As you have seen in the past two illustrations, when deploying ADFS, you will be deploying new federation servers to each site you want to build federation trusts to and from. Plain and simple, federation servers host the Federation Service component of ADFS which is WS-Federation. These servers play a very important role… they route all authentication requests made from users in partner (B2B) organizations across the public Internet, even clients located out on the public Internet. Federation servers will have different roles depending on where they are placed … for example, if you think about Company A and Company B, the resources were in Company A, so that server is going to have a different role simply because its based in the resource domain. The federation server located in the domain with the accounts will have yet another server role. The roles are easy to remember: if you have a federation server in the domain without the resources are used to log on local user accounts in Active Directory. Federation servers in the resource domain validate security tokens that are issued by federation servers in the account domain.
Don’t forget, ADFS is new to R2, so if you want to deploy it, you have to ensure that R2 is properly installed on your Windows Server 2003 systems. To build a federation server, that server would need to be scaled properly. Use the requirements listed in the links section of this article for find out more about R2, and its special requirements. Since ADFS can only operate on R2 based servers, ensure that you first have that configured. Also, there are special requirements in the ‘design’ of federation servers placed on each side of the trust so pay close attention to the design when you decide to roll out ADFS.
The ADFS solution helps administrators deal with federated identity management challenges by making it possible for organizations to securely share a user's identity information over federation trusts. ADFS supports federated identity scenarios that use the Web Services Security (WS-Security) specifications and the core component of federation trusts – WS-Federation. In this article we covered the basics of Active Directory Federation Services (ADFS) new with the release of Windows Server 2003 R2. Please use the resource links to find more information as well as to download and test R2 and federation trusts for yourself so you can see the power that they hold for your organization or that of your clients. Stay tuned for more news about R2 in future articles.
Links and Reference Material
R2 Resource Center
Windows Server 2003 R2 Beta Software
R2 System Requirements