Friday 10 March 2017
What is AD FS in Windows Azure ?
Active Directory Federation Services
This article begins with a brief overview of Active Directory Federation Services (AD FS), a list of the benefits to using AD FS, and a list of what's new in AD FS for Windows Server 2008. The article then focuses on the code that a managed developer must incorporate into a Web application to make it federation-aware and provides some specific examples on making claims based authorization decisions.
Overview
AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.
AD FS is Microsoft's implementation of the WS-Federation Passive Requestor Profile protocol (passive indicates that the client requirements are just a cookie- and JavaScript-enabled Web browser). AD FS implements the standards based WS-Federation protocol and Security Assertion Markup Language (SAML).
The AD FS administration tool (adfs.msc) is supplied as a Microsoft Management Console (MMC) snap-in. The administration tool is used to add account and resource partners, map partner claims, add and configure account stores, and identify and configure federation-aware Web applications.
For in-depth discussions of AD FS, see the following articles:
Major Benefits
The following is a brief list of the major benefits to using AD FS:
- Web single sign on (SSO)AD FS provides Web SSO to federated partners outside your organization, which enables their users to have a SSO experience when they access your organization’s Web-based applications.
- Web Services (WS)-* interoperabilityAD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS follows the WS-Federation specification (for passive clients; that is, browsers), which makes it possible for environments that do not use the Windows identity model to federate with Windows environments.
- Partner user account management not requiredThe federated partner's Identity Provider (IP) sends claims that reflect its users' identity, groups, and attribute data. Therefore, your organization no longer needs to revoke, change, or reset the credentials for the partner's users, since the credentials are managed by the partner organization. Additionally, if a partnership needs to be terminated, it can be performed with a single trust policy change. Without AD FS, individual accounts for each partner user would need to be deactivated.
- Claim mappingClaims are defined in terms that each partner understands and appropriately mapped in the AD FS trust policy for exchange between federation partners.
- Centralized federated partner managementAll federated partner management is performed using the AD FS Microsoft Management Console (MMC) snap-in.
- Extensible architectureAD FS provides an extensible architecture for claim augmentation, for example, adding or modifying claims using custom business logic during claims processing. Organizations can use this extensibility to modify AD FS to finely support their business policies.
New and Improved Features
AD FS was first released in Windows Server 2003 R2. It has been updated with the following new and improved features for Windows Server 2008:
- Improved support for Microsoft Office SharePoint® Services 2007 as a claims-aware application
- Support for Active Directory Rights Management Services (AD RMS)External users attempting to access an organization's protected content are authenticated through AD FS. Once these external users are authenticated, AD RMS policies are enforced, and AD RMS will automatically provide the external user with appropriate content licenses to work with an organization's protected content. Administrators have granular control over how these external users interact with an organization's content and can also define templates to apply to multiple partner relationships. Federated AD RMS in Windows Server 2008 is fully compatible with existing Office SharePoint Server 2007 deployments and fully supports down-level AD RMS clients.
- Group Policy control of AD FS deploymentIn previous versions of AD FS, there was no way to limit who deployed an AD FS server in the enterprise. Administrators now have the ability to control and stage the rollout of AD FS servers by limiting deployment through Group Policy.
- Improved installationAD FS is included as a server role and is installed using Server Manager, which automatically lists and installs all the services required by AD FS during installation. A configuration wizard is available to perform server validation checks during the AD FS installation. This feature not only makes installation easier, but also gives AD FS the same consistent install experience as other Windows components.
- Improved import and export of trust policy during federated trust establishmentThis improvement simplifies the process for bringing federation partners on board.
- Events and Microsoft Operations Manager (MOM) alertsPrevious versions of AD FS lacked the ability to easily determine when certificates were going to expire. New events and MOM alerts allow IT administrators to be proactive instead of reactive in managing the certificates, dramatically reducing the possibility of user impact issues.
- AD FS snap-in control of certificate revocation list (CRL) checkingIn previous versions of AD FS, administrators occasionally had to disable CRL checking because partners issued their own certificates that were chained to an Internet authority, but did not publish their CRLs to the internet. CRL checking had to be disabled by manually modifying the trust policy of an XML file. This procedure was not intuitive, difficult to troubleshoot, and the solution was a medium-high risk operation on the AD FS servers. The AD FS snap-in now allows CRL checking behavior (within the scope of AD FS) to be adjusted or disabled.
Subscribe to:
Posts (Atom)
-
Virtual Memory Management In Linux is Faster than Linux. Linux Provides VM by default at time of booting by allocating some part o...