
Active Directory Federation Services

What is Active Directory Federation Services [ADFS]?

Active Directory Federation Services is a mechanism that gives users homed in your Active Directory forest access to web services located in other Active Directory forests, e.g. partner organizations, Office 365 etc.

ADFS provides authorization, authentication and Single Sign-On (SSO) functionality to web applications and services located virtually anywhere, including perimeter networks, partner organizations and the cloud.

Active Directory Trust vs ADFS

Active Directory trust works on the Kerberos V5 or NTLM protocol and gives users access to resources located in a different domain or forest. The Kerberos or NTLM token is validated for the SPN (Service Principal Name) before access is granted.

ADFS works on a protocol called SAML (Security Assertion Markup Language). The web application configured for ADFS looks for an ADFS cookie; if none is present, it redirects the user to their ADFS server for validation. On successful login the ADFS server generates a token (claim), appends it to the URL and sends it back to the web application that requested it. The web application now sees the ADFS cookie and grants access.

The cookie is valid for 10 hours by default and can be customized.
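The relying-party side of the flow just described, as an added example that is not part of the original document: the web application grants on a valid session cookie, otherwise validates the token the federation server appended to the URL (signature, audience, expiry) before setting a 10-hour cookie, otherwise redirects to ADFS. The token format, the `token` query parameter, the relying-party identifier and the HMAC signing key are all constructed for the demo; a real ADFS token is a SAML or JWT assertion signed with the federation service's token-signing certificate.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not real ADFS identifiers or keys).
SIGNING_KEY = b"demo-adfs-token-signing-key"      # stands in for the token-signing certificate
RELYING_PARTY = "https://app.example.test/"       # hypothetical relying-party identifier
COOKIE_LIFETIME = 10 * 3600                       # 10 hours, the default stated above


def issue_token(upn, audience, now, lifetime=600):
    """Federation-server side: build a signed claims token in the constructed format."""
    claims = {"upn": upn, "aud": audience, "iat": now, "exp": now + lifetime}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token, expected_audience, now):
    """Relying-party side: verify signature, audience and validity window before trusting claims."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered, or not issued by the trusted federation server
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != expected_audience:
        return None  # token was issued for a different application
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # replayed outside its validity window
    return claims


def handle_request(cookies, query, now):
    """Web application: returns (action, cookies) for one request.
    action is 'grant', 'deny' or 'redirect_to_adfs'."""
    session = cookies.get("adfs_session")
    if session and now < session["exp"]:
        return "grant", cookies  # existing ADFS cookie still valid
    if "token" in query:
        claims = validate_token(query["token"], RELYING_PARTY, now)
        if claims is None:
            return "deny", cookies  # never set a cookie from an unverified token
        new_cookies = dict(cookies)
        new_cookies["adfs_session"] = {"upn": claims["upn"], "exp": now + COOKIE_LIFETIME}
        return "grant", new_cookies
    return "redirect_to_adfs", cookies  # no cookie and no token: send the user to ADFS
```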

Is ADFS safe?

ADFS uses Secure Sockets Layer (SSL) along the entire path of user validation; it is completely secure and recommended.

The user credentials are known only to the local ADFS instance of the Active Directory server, and only the authorized token is passed along the URL. Because the entire session is SSL based and the tokens are encrypted, the entire ADFS flow is secured.

What are other options?

Microsoft's DirSync feature allows passwords to be synced between the client's Active Directory forest and Office 365. However, this stores passwords outside your environment, which could be harmful if there is a security breach on the external network.

A third-party solution from IBM, CA, NetIQ etc. may be used if one is already present in the infrastructure or if it provides an additional feature the organization needs. Otherwise, it is recommended to use ADFS in a new environment so that support comes from a single vendor, i.e. Microsoft, which eases troubleshooting. ADFS is a free feature of the Windows operating system and is easy to deploy.