What are Active Directory Federation Services?
Microsoft Active Directory (AD) provides numerous services and functions related to identity and access management (IAM) within an organization’s environment. Active Directory Federation Services (AD FS) is one of these services; it enables collaboration and identity management between two different organizations.
What is Federation?
Many organizations have relationships with other businesses such as partners or vendors. These relationships may require granting external parties limited access to an organization’s data, systems, and applications.
To do so, these organizations need a means of performing authentication and authorization for these external users. While they could create accounts for these users on their internal IAM system, this is a messy approach and increases the difficulty of tracking external users’ accounts and ensuring that they are terminated when a relationship ends. Additionally, this forces users to maintain multiple sets of login credentials, which increases the risk of weak and reused passwords.
Federation provides a solution to this problem by setting up a trust relationship between two organizations’ identity management systems. With federation, both organizations configure their systems to accept authentication tokens from the other’s identity provider (IdP).
This way, a user can log into their organization’s IAM system with their existing username and password. If they attempt to access a federated application or “service provider” (SP), their IdP will send an authentication token to the SP.
Since the SP is configured to accept authentication tokens from this IdP, it can skip the authentication step and move directly to determining whether the user is authorized to access that resource. If so, it grants access without the user ever needing to maintain or enter a password for the federated application.
How Does AD FS Work?
Active Directory Federation Services is designed to enable single sign-on (SSO) across organizational boundaries. It can set up federated relationships with other enterprise IAM systems, eliminating the need for users of each organization to have unique credentials for each environment.
As a part of Active Directory, AD FS uses the existing credentials that an employee uses within their home organization. This means that organizations using AD can set up federated environments without the need for additional systems and new user accounts and credentials.
AD FS uses a claims-based system for user authentication. The security token sent to an SP will contain claims about the user (identity, group membership, etc.) that the federated application can use to determine whether or not the user should be granted access.
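The flow described above, as an added example that is not part of the original article: the service provider (SP) never checks a password; it verifies that the token came from a trusted IdP, was meant for this SP and is still valid, then makes its own authorization decision from the claims. Real AD FS tokens are SAML or JWT assertions signed with the IdP's token-signing certificate; the HMAC key, issuer URI, audience and group name here are constructed stand-ins.

```python
import base64, hashlib, hmac, json, time

# Constructed trust configuration: one trusted IdP, identified by its issuer URI
# and a shared key (stands in for the IdP's token-signing certificate).
TRUSTED_IDPS = {
    "https://adfs.partner.example/adfs/services/trust": b"constructed-shared-secret",
}
SP_AUDIENCE = "https://app.sp.example/"      # this SP's identifier (hypothetical)
REQUIRED_GROUP = "PartnerProjectViewers"     # group claim the SP authorizes on

def issue_token(issuer, key, claims, lifetime=300):
    """Hypothetical IdP side: sign a claims set addressed to the SP."""
    body = dict(claims, iss=issuer, aud=SP_AUDIENCE, exp=int(time.time()) + lifetime)
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig

def evaluate_token(token, now=None):
    """SP side. Authentication is delegated to the IdP, so the SP checks only
    trust, signature, audience and validity, then authorizes from the claims.
    Returns (decision, reason)."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):
        return "deny", "malformed token"
    key = TRUSTED_IDPS.get(claims.get("iss"))
    if key is None:                                   # unknown issuer: no trust
        return "deny", "issuer not a trusted IdP"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):        # forged or tampered token
        return "deny", "bad signature"
    if claims.get("aud") != SP_AUDIENCE:              # token replayed from another SP
        return "deny", "token issued for a different SP"
    if claims.get("exp", 0) < now:
        return "deny", "token expired"
    # Identity accepted on the IdP's word; the authorization decision is the SP's.
    if REQUIRED_GROUP not in claims.get("groups", []):
        return "deny", f"user {claims.get('upn')} not in {REQUIRED_GROUP}"
    return "allow", f"user {claims.get('upn')} authorized via {claims['iss']}"
```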
Benefits of AD FS
AD FS provides several benefits to an organization and its users, including the following:
- Cross-Organization SSO: AD FS enables federated relationships between organizations. This makes it easier to set up secure sharing of access to data, applications, and systems across organizational boundaries.
- Improved User Experience: AD FS enables SSO across organizations using existing AD credentials. This enables users to log in once and access all corporate and federated applications.
- Wider Application Support: Some applications are not intrinsically compatible with AD. With AD FS, it’s possible to integrate these applications into an organization’s IAM system by treating them like federated systems.
Active Directory Federation Services enables organizations to extend trust relationships to other organizations via federation. This enables users to authenticate to federated applications via SSO without the need for organization-specific login credentials.