ADFS – What Is It And How Does It Work?
The growing number of cloud applications and web apps, and the proliferation of passwords that comes with them, is driving the trend towards single sign-on authentication. With Active Directory Federation Services, Microsoft offers a single sign-on solution that gives companies one centralized login for all access points and areas of application, both internal and external. This blog post explains how it works and what the advantages and disadvantages of using it are.
Companies today use a growing number of different systems, end devices, business applications, web apps and cloud solutions to carry out internal business processes. As a result, employees not only have to remember a large number of complex login IDs and passwords that meet password security requirements, but also have to re-enter them every time they use or switch between applications. Such a routine is not only time-consuming and user-unfriendly, but also creates IT security risks.
Active Directory Federation Services?
Microsoft Active Directory Federation Services, ADFS for short, is a Microsoft solution for cross-organizational sign-in to different third-party systems, web apps and cloud applications, such as Microsoft 365, Office 365, SharePoint or OneDrive, via single sign-on.
Active Directory Federation Services uses the user administration of Active Directory to identify the user and verify their identity. This enables the single sign-on solution to authenticate employees to external applications using the user names and passwords that are stored in the Active Directory directory service. In this way, the sprawl of separately managed access IDs can be reduced and all access IDs required for day-to-day work can be managed in a central location.
In addition, Active Directory Federation Services uses a claims-based authorization model and logon tokens for access control. The target applications are strictly separated from the administration of the login data. Because tokens are used, Active Directory Federation Services does not have to share the login credentials with the third-party systems.
At the same time, Active Directory Federation Services serves as a link to different frameworks such as the Security Assertion Markup Language, or SAML for short. This enables access via Active Directory to cloud-based and web-based applications that cannot use Integrated Windows Authentication, or IWA for short.
Possible Uses For The Active Directory Federation Service!
There are various usage scenarios for MS Active Directory Federation Services. One of the most common is connecting web and cloud applications such as Microsoft 365, Office 365, SharePoint or OneDrive to Active Directory Federation Services. A single sign-on with Active Directory Federation Services can look like this:
At the start of work, employees log on to their Windows domain with a user name and password. When they need access to, for example, Office 365, they open the internet browser and visit the front page of the web service. The external provider receives the employees' user information and their user role or other required data from Active Directory Federation Services via tokens and claims. The external provider then signs the employees in to the application without them having to enter the user name or password themselves. The employees can then use Office 365 according to their authorizations.
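As an added illustration (not code from the original post or from Microsoft), this sketch shows the checks an external application makes on a SAML token before acting on its claims: issuer, validity window and audience. The issuer URL, application URL, user and role are constructed sample values, and verification of the token's XML signature is assumed to have been done beforehand by a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample assertion (not captured from a real ADFS server).
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T08:00:00Z" NotOnOrAfter="2024-01-01T09:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.net/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{UPN}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ROLE}"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC; this sketch accepts the second-precision form only.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, trusted_issuer, own_audience, now):
    """Return {claim type: [values]} if the token is for us and valid now, else raise ValueError."""
    # Assumption: the XML signature was already verified against the
    # federation server's token-signing certificate; that step is not shown.
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != trusted_issuer:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    try:
        start, end = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    except (TypeError, ValueError):
        raise ValueError("missing or malformed validity window") from None
    if not start <= now < end:
        raise ValueError("outside validity window")
    audiences = [(a.text or "").strip() for a in cond.iterfind(".//saml:Audience", NS)]
    if own_audience not in audiences:
        raise ValueError("audience mismatch")
    # The claims carry identity and role, never the password.
    return {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
```

The application then makes its authorization decision from the returned role claim alone.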
Active Directory Federation Services: The Opportunities And Risks!
The advantages of Active Directory Federation Services are obvious.
- The employees of a company only need a single login to authenticate themselves for all programs and services required in everyday business.
- Microsoft’s Active Directory Federation Services can be combined with all external environments that do not use a Windows-based identity model. In combination with the company's own Active Directory, there is a huge variety of possible applications.
- The central organization in the Active Directory user administration reduces the complexity surrounding the administration of user IDs and passwords.
- Because login tokens are used, the external providers of cloud services and web apps never learn the real user names and passwords. If the cooperation with the provider is terminated, it is sufficient to withdraw the general authorization. Passwords or usernames do not need to be changed or deleted.
However, not all that glitters is gold when using Active Directory Federation Services. The relevant disadvantages include:
- In addition to the specific fees for setting up Microsoft Active Directory Federation Services, companies have to take into account monthly operating costs for administration and maintenance. Depending on the configuration, Active Directory Federation Services can cost a lot more than expected.
- Overall complexity: The commissioning, configuration and maintenance of Active Directory Federation Services is time-consuming and extensive, especially when adding an application to Active Directory Federation Services.