The most compelling new feature of Windows Server 2003 R2 is the Active Directory Federation Service (ADFS). ADFS is a new technology that lets a user authenticate once and then use multiple Web applications during that one session. In this article, I will explain the important features of ADFS and its working principle.
What is ADFS?
ADFS extends the Active Directory to the Internet. To understand this, consider how an ordinary Active Directory works. When a user authenticates against Active Directory, the domain controller checks the user's credentials. Once proven to be a legitimate user, the user is free to access any authorized resource on the Windows network without having to authenticate again each time they visit a different server.
ADFS applies the same concept to the Internet. We all know that Web applications access back-end data that is located on SQL Server or some other kind of back-end resource. Authenticating users for back-end resources is often more complex, and a number of different authentication methods exist for it. For example, an organization might implement a proprietary authentication mechanism through a RADIUS (Remote Authentication Dial-In User Service) server, or build it into the application code itself.
These authentication mechanisms do authenticate users, but they have some deficiencies. One drawback is account management. Account management is not a big problem when an application is used only by our own employees. However, if your vendors and customers use the application, you suddenly find that you need to create user accounts for employees of other businesses. The second problem is maintenance. When those other enterprises lose employees and hire new ones, you need to delete the old accounts and create new ones. Passwords are also a problem. Long after the application is configured, you will still be resetting passwords for people who do not even work for your company.
What can ADFS do for you?
What if you could hand the account management work over to the customers, vendors, or other organizations that use your Web application? Imagine that your Web application serves other businesses, yet you no longer have to create user accounts or reset passwords for their employees. On top of that, the users of the application no longer need to log in to it separately. Does that sound too good to be true?
With ADFS you can create a trust across forests and extend that trust to Web applications. For example, suppose your vendor needs access to your Web application. Instead of creating and maintaining a series of user accounts for the vendor, you create a security group in Active Directory, keep every user who needs access to the Web application in that group, and then simply grant permissions to the group. This works even when the group lives in a forest completely separate from the one that hosts your Web application. When users on the vendor's network want to access your Web application, they do not need to log on; the application authorizes them automatically through their group membership.
Of course, this is just one example of how you can build a federation trust. Windows Server 2003 R2 has not been officially released, and there is not much information available about the ADFS configuration process. The actual configuration steps may differ slightly from those described above, but the principle is unchanged.
What does ADFS need?
Of course, the Active Directory Federation Service requires some additional configuration before it can be used, and you need some servers to perform its functions. The most basic is the federation server, which runs the ADFS federation service component. The primary role of a federation server is to handle requests coming from external users in partner organizations, and it is also responsible for issuing security tokens to authenticated users.
Also, in most cases, a federation proxy is required. If an external network is to establish a federation trust with your internal network, your federation server must be reachable over the Internet. But Active Directory federation depends heavily on Active Directory itself, so exposing a federation server directly to the Internet poses a significant risk. Because of this, federation servers are not connected to the Internet directly but are reached through federation proxies. The federation proxy relays federation requests from the outside to the federation server, and the federation server itself is never exposed directly.
Another main ADFS component is the ADFS Web Proxy. Web applications must have a mechanism for authenticating external users, and that mechanism is the ADFS Web Proxy. It manages the security tokens and authentication cookies on behalf of the Web server.
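The following sketch, which is an added illustration and not code from the article or from Microsoft, models the flow described in this section together with the vendor scenario above: the account partner's federation server authenticates a vendor employee and issues a signed token carrying group claims, the federation proxy merely relays it, and the Web-side component on the resource partner verifies the token and decides access by group membership before handing out its own session cookie. The directory, user names, group names, key material and partner names are all constructed, and the shared HMAC key is a stand-in for the certificate-based signatures a real federation service uses; the check logic (signature, trusted issuer, intended audience, expiry, group) is the part worth studying.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# --- Account partner (the vendor's side) -------------------------------------
# Constructed sample directory: the vendor's own users and their group
# membership. In the article's scenario the vendor maintains this, not you.
VENDOR_DIRECTORY = {
    "alice": {"password_hash": hashlib.sha256(b"alice-pw").hexdigest(),
              "groups": ["Vendor-Portal-Users"]},
    "bob":   {"password_hash": hashlib.sha256(b"bob-pw").hexdigest(),
              "groups": ["Vendor-Staff"]},
}

# Constructed keys. FEDERATION_KEY stands in for the signing certificate a
# federation server would use; SESSION_KEY is known only to your Web server.
FEDERATION_KEY = b"shared-federation-key-example"
SESSION_KEY = b"resource-side-session-key-example"
ISSUER = "vendor.example"             # hypothetical account partner name
AUDIENCE = "webapp.resource.example"  # hypothetical resource partner name
TOKEN_LIFETIME = 300                  # seconds a token or cookie stays valid


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(user: str, password: str, audience: str, now: float) -> Optional[str]:
    """Federation server: authenticate against the vendor's directory and
    issue a signed token carrying the user's group claims. Returns None when
    the credentials are wrong, so no token ever leaves for a bad login."""
    entry = VENDOR_DIRECTORY.get(user)
    if entry is None:
        return None
    presented = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(presented, entry["password_hash"]):
        return None
    claims = {"iss": ISSUER, "aud": audience, "sub": user,
              "groups": entry["groups"], "exp": now + TOKEN_LIFETIME}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return payload + "." + _sign(FEDERATION_KEY, payload.encode())


def federation_proxy_relay(token: str) -> str:
    """Federation proxy: the Internet-facing hop. It forwards the token
    unchanged and holds no signing key, which is why it can sit in front of
    the federation server without exposing that server."""
    return token


def web_agent_authorize(token: str, required_group: str, now: float) -> dict:
    """Resource-side Web component: verify the token came from a trusted
    account partner, is meant for this application and is still valid; then
    decide access by group membership and issue a local session cookie."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return {"ok": False, "reason": "malformed token"}
    if not hmac.compare_digest(sig, _sign(FEDERATION_KEY, payload.encode())):
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["iss"] != ISSUER:
        return {"ok": False, "reason": "untrusted issuer"}
    if claims["aud"] != AUDIENCE:
        return {"ok": False, "reason": "token not meant for this application"}
    if now >= claims["exp"]:
        return {"ok": False, "reason": "token expired"}
    if required_group not in claims["groups"]:
        return {"ok": False, "reason": "not a member of " + required_group}
    # Subsequent requests in this session are served from the cookie, so the
    # federation token is only validated once per session.
    cookie_body = f"{claims['sub']}|{int(now) + TOKEN_LIFETIME}"
    cookie = cookie_body + "." + _sign(SESSION_KEY, cookie_body.encode())
    return {"ok": True, "user": claims["sub"], "session_cookie": cookie}


if __name__ == "__main__":
    now = time.time()
    tok = issue_token("alice", "alice-pw", AUDIENCE, now)
    print(web_agent_authorize(federation_proxy_relay(tok), "Vendor-Portal-Users", now))
```

Note that the resource side never sees a vendor password and keeps no vendor accounts, which is exactly the account-management relief the article describes; the audience check matters because a token issued for one partner application must not be replayable against another.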
As noted above, ADFS will greatly expand the capabilities of Web applications. It remains to be seen how ADFS will be used in practice once R2 is released.