This article discusses:
What is federated authentication
Implementing federated authentication in an ASP.NET application using ADFS
Trust relationships and security considerations
This article uses the following technologies:
ADFS and ASP.NET
Active Directory Federation Services (ADFS) is one of the most important components of Windows Server 2003 R2. ADFS addresses a number of problems, the most obvious of which is business-to-business (B2B) access control. In this article, I'll look at ADFS from a developer's perspective, assuming that the developer is building a web application that other organizations will be able to use (for a look at ADFS from an administrator's perspective, see Matt Steele's article in TechNet Magazine).
So, what do I mean by business-to-business? Suppose a bicycle manufacturer named Fabrikam wants to publish a web application that lets authorized resellers buy bicycles and spare parts at wholesale prices. Fabrikam, however, has more than 200 dealers, and each dealer has several employees who need to use the application. Fabrikam therefore needs a login mechanism that is both secure and manageable at that scale.
The most straightforward solution is to create a database of user names and passwords, but the administrative cost of this approach is very high. If someone calls Fabrikam claiming to be an employee of a dealer, how does Fabrikam verify that claim? Someone would first have to contact a trusted person at the dealer's office to confirm the employee's identity before setting up a new account. Then consider the ongoing maintenance cost of those accounts: people forget their user names and passwords, and other problems arise as well. What happens when an employee leaves the dealer? Will anyone remember to notify Fabrikam so that the account can be deleted (in identity terms, deprovisioned)? If not, the former employee can keep placing orders from home under the dealer's identity.
Passwords themselves are another problem. As computing power continues to grow, passwords become easier to crack, and many organizations today are moving to stronger authentication techniques such as smart cards. But because Fabrikam has to deal with so many different dealers, rolling out anything stronger than passwords on its own would quickly overwhelm it.
It is worth noting that trust is also an important factor here. Fabrikam trusts each dealer to maintain an accurate list of the employees who are allowed to make purchases through Fabrikam's web application.