Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is Active Directory Federation Services (ADFS) and How Does It Work?

Active Directory Federation Services

Active Directory Federation Services (ADFS) is a software component developed by Microsoft that provides Single Sign-On (SSO) capabilities for users across multiple applications or systems. It enables organizations to extend their authentication and authorization services beyond their corporate network to partner organizations or cloud-based services.

What Is Active Directory Federation Services (ADFS)

Active Directory Federation Services (ADFS) is a Microsoft-developed Single Sign-On (SSO) solution that gives employees a unified authentication experience, letting them access multiple applications with a single set of credentials. ADFS uses a claims-based access control model: it identifies users through claims about their identity (attributes such as user principal name, email address or group membership), packaged into a signed security token issued by the identity provider. ADFS grants access to claims-aware web applications and services within an organization’s Active Directory forest and to approved third-party systems. Its federated design keeps user identity in one place, so individuals can use their existing AD credentials to reach applications both inside the corporate network and at trusted external providers. ADFS also lets remote users reach AD-integrated applications through the cloud, simplifying the user experience while keeping authentication policy under the organization’s control.

How Active Directory Federation Services Works

ADFS works by authenticating users and then issuing tokens that describe them. During authentication, ADFS does not confirm a user from a collection of personal details; it validates the user’s AD credentials (password, Kerberos ticket, certificate, or a configured multi-factor method) against Active Directory. Once the user is authenticated, ADFS follows a claims-based model: it looks up attributes for the user in the directory (display name, email address, employee ID, group membership and so on), transforms them through claim rules, and packages the resulting claims into a signed security token. When the user attempts to access an application, ADFS checks the request against its configured relying party trusts, the list of approved applications it is willing to issue tokens for, and issues a token only for a trusted application. For access from outside the network, a federation server proxy (the Web Application Proxy role in current Windows Server releases) sits between the internet and the internal federation server. Because the application trusts tokens signed by ADFS instead of checking credentials itself, the user never has to authenticate to each application directly; this trust relationship is known as a federated trust or relying party trust.

The authentication process typically unfolds in four key steps. First, the user reaches an ADFS sign-in URL, either by browsing to the application and being redirected there, or by starting from a link provided by the ADFS service (IdP-initiated sign-on). Second, the ADFS service authenticates the user against the organization’s AD. Third, upon successful authentication, ADFS generates a signed token containing the user’s claims and delivers it to the user’s browser. Finally, the browser transmits this token to the target application, which verifies the signature, issuer, audience and lifetime against its configured federated trust and grants or denies access accordingly.
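The flow described in the two paragraphs above, modelled as an added example (this is not ADFS code or Microsoft’s token format): a federation server authenticates a user against a directory, applies per-application claim rules, and issues a token bound to one relying party and a lifetime; the relying party then verifies signature, issuer, audience and expiry before granting access. The user store, the relying party trusts, the issuer URL and the shared HMAC signing key are constructed stand-ins. Real ADFS signs SAML or JWT tokens with an asymmetric token-signing certificate, so a relying party only needs the public certificate; HMAC is used here so the example runs with the standard library alone.

```python
"""Constructed model of the ADFS claims-based sign-on flow (illustrative only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the Active Directory user store (assumption).
# Real ADFS never stores passwords itself; it validates credentials against AD.
DIRECTORY = {
    "alice": {"password": "correct horse", "mail": "alice@example.com",
              "groups": ["Finance", "Domain Users"]},
    "bob":   {"password": "battery staple", "mail": "bob@example.com",
              "groups": ["Domain Users"]},
}

# Constructed relying party trusts: audience identifier -> claim rules.
# "claims" = issuance transform rule (which attributes become claims),
# "require_group" = issuance authorization rule (who may get a token at all).
RELYING_PARTIES = {
    "https://payroll.example.com/": {"claims": ["mail", "groups"], "require_group": "Finance"},
    "https://wiki.example.com/":    {"claims": ["mail"],           "require_group": None},
}

SIGNING_KEY = b"constructed-demo-signing-key"          # stand-in for the token-signing cert
ISSUER = "http://adfs.example.com/adfs/services/trust"  # assumed issuer identifier
TOKEN_LIFETIME = 600                                    # seconds the token stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, password, audience, now=None):
    """Federation server side: authenticate, apply claim rules, sign a token.

    Returns the token string, or None when authentication fails, the
    application has no relying party trust, or the authorization rule denies.
    """
    user = DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None                                    # step 2 failed: bad credentials
    rp = RELYING_PARTIES.get(audience)
    if rp is None:
        return None                                    # no relying party trust configured
    if rp["require_group"] and rp["require_group"] not in user["groups"]:
        return None                                    # issuance authorization rule denies
    now = time.time() if now is None else now
    claims = {name: user[name] for name in rp["claims"]}   # issuance transform rule
    payload = {"iss": ISSUER, "aud": audience, "sub": username,
               "iat": now, "exp": now + TOKEN_LIFETIME, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    signature = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + signature                      # step 3: token handed to the browser


def validate_token(token, expected_audience, now=None):
    """Relying party side: accept the token only if every check passes.

    Returns the decoded payload (with claims) or None. A token issued for a
    different application, an expired token, or one whose body was altered
    after signing is rejected.
    """
    try:
        body, signature = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(signature), expected):
            return None                                # signature mismatch: tampered or forged
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError):
        return None                                    # malformed token
    now = time.time() if now is None else now
    if payload.get("iss") != ISSUER:
        return None                                    # issued by an untrusted identity provider
    if payload.get("aud") != expected_audience:
        return None                                    # token replayed against another application
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return None                                    # outside its validity window
    return payload


def tamper(token, new_subject):
    """Rewrite the subject claim without re-signing, to show why signing matters."""
    body, signature = token.split(".")
    payload = json.loads(_unb64(body))
    payload["sub"] = new_subject
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + signature


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", "correct horse", "https://payroll.example.com/", now=t0)
    print("payroll accepts alice:", validate_token(tok, "https://payroll.example.com/", now=t0 + 60) is not None)
    print("wiki rejects payroll token:", validate_token(tok, "https://wiki.example.com/", now=t0 + 60) is None)
    print("rejected after expiry:", validate_token(tok, "https://payroll.example.com/", now=t0 + 900) is None)
    print("tampered token rejected:", validate_token(tamper(tok, "bob"), "https://payroll.example.com/", now=t0 + 60) is None)
    print("bob denied payroll by group rule:", issue_token("bob", "battery staple", "https://payroll.example.com/", now=t0) is None)
```

Two points the model makes concrete: the application never sees the password (only ADFS does), and the audience check is what stops a token issued for one relying party from being replayed against another. The `exp` check is also why disabling a departed user’s AD account stops new sign-ins immediately but leaves already-issued tokens usable until they expire.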

As an example, imagine you’re at a store and want to buy something, but you don’t have cash. The cashier asks for a credit card, but you don’t have one from that particular bank. The cashier suggests you go to your bank to get a token that will allow you to pay with your credit card. You go to your bank, and they give you a token. You take the token back to the store and hand it to the cashier. The cashier checks the token and verifies that you have enough money in your account to cover the purchase. The cashier then authorizes the transaction, and you’re able to take your purchase home.

In this example, the website is the cashier, the ADFS server is your bank, and the token from the bank is the security token ADFS issues. The user is you, the customer. Just as the cashier relies on the bank’s token rather than inspecting your account directly, the website relies on the ADFS token to verify the user’s identity and permissions instead of checking the user’s credentials itself.

Components of Active Directory Federation Services

Below are the main components found in an ADFS deployment, including the Microsoft cloud services that commonly sit alongside it in a hybrid setup:

  1. Entra ID (Azure AD)
  2. Azure AD Connect
  3. ADFS Web Server
  4. Federation Server
  5. Federation Server Proxy

1. Entra ID (Azure AD): Entra ID, previously Azure AD, is Microsoft’s cloud-based identity service. It is not part of ADFS itself; in a hybrid deployment it is the cloud directory that is federated with ADFS, so that sign-ins to cloud services such as Microsoft 365 are redirected to the on-premises federation server. It offers administrators the ability to assign and manage account privileges for cloud resources and applications.

2. Azure AD Connect: Azure AD Connect (now Microsoft Entra Connect) is the synchronization tool that links on-premises Active Directory with Entra ID. It is used in hybrid deployments to synchronize user identities and attributes between the two environments, and it can also configure the federation settings that point Entra ID at the ADFS farm.

3. ADFS Web Server: In the original ADFS release (Windows Server 2003 R2), an ADFS Web Server hosted the ADFS Web Agent, which managed security tokens and authentication cookies on behalf of web applications. In current ADFS versions there is no separate web agent role: the relying party application itself (through its federation library) validates the token it receives and manages its own session cookie.

4. Federation Server: A Federation Server manages federated trusts with business partners and applications. It processes authentication requests, and hosts the security token service (STS) that issues claims-based tokens after verifying credentials against Active Directory. This Single Sign-On (SSO) component provides authentication and access for multiple systems across different enterprises using a common security token rooted in the hosting organization’s Active Directory.

5. Federation Server Proxy: The Federation Server Proxy acts as a gateway between external clients on the internet and the internal Federation Server, which is not exposed directly to the internet. It is deployed on the organization’s extranet (in Windows Server 2012 R2 and later this is the Web Application Proxy role), accepts sign-in requests from external clients, and forwards them to the Federation Server, which performs the actual authentication and issues the token.

Advantages of Active Directory Federation Services

ADFS emerged as a solution to address the limitations of Active Directory and Integrated Windows Authentication (IWA) for applications that are not on the domain network, or that belong to partners and cloud providers. With Active Directory in use at most organizations and many of them adopting ADFS, the benefits for end users include:

Security: ADFS reduces how widely passwords are exposed. The user’s AD credentials are presented only to the federation server, never to each application, and ADFS lets organizations enforce strong authentication mechanisms such as multi-factor authentication (MFA) at that single point, which significantly reduces the risk of password-related breaches.

Simplicity: ADFS eliminates the need for users to remember multiple passwords, reducing the risk of forgotten passwords and associated account lockout issues. Additionally, ADFS streamlines the process of deactivating user accounts when employees leave the organization: disabling the AD account stops ADFS issuing any new tokens for every federated application at once. Note that tokens already issued remain valid until they expire, so token lifetimes should be kept short enough for this to be acceptable.

Experience: ADFS provides users with a seamless and hassle-free experience when accessing applications. By eliminating the need for multiple logins and password entries, ADFS enhances user productivity and satisfaction.

Efficiency: ADFS empowers users to transition smoothly between applications and tasks without interruptions caused by password prompts. This fluid movement enhances overall user efficiency and productivity and minimizes the number of IT support requests related to password issues.

Disadvantages of Active Directory Federation Services

Below are some of the disadvantages of ADFS:

Infrastructure Costs: ADFS is a Windows Server role, so it requires a Windows Server license and a dedicated server for the federation service, plus a second server for the proxy if external access is required. This can result in significant upfront costs, especially for organizations that do not already have a Windows Server environment in place.

Operational and Maintenance Costs: ADFS requires deep technical expertise and support to operate and maintain effectively. This can be a challenge for organizations that do not have the necessary in-house resources. Additionally, ADFS can be complex to configure, deploy, operate, and integrate with other systems, such as Azure AD, which can further increase the costs associated with ADFS.

Additional Limitations: ADFS only federates claims-aware applications, meaning those that speak SAML, WS-Federation, OAuth 2.0 or OpenID Connect. It does not replace Kerberos or NTLM for file sharing between users or groups, print servers, or most remote desktop connections, and it does not itself manage Active Directory resources such as group policies or user accounts.

In summary, Active Directory Federation Services (ADFS) acts as a bridge between an organization’s internal network and external resources, authenticating users once and providing access to applications and services hosted on-premises or in the cloud. ADFS enhances security by using industry-standard federation protocols, signing (and optionally encrypting) every token it issues, and carrying all traffic over TLS, so that credentials and claims are protected during authentication and authorization. By implementing ADFS, organizations can improve their overall security posture while simplifying user access and enhancing the overall user experience.

If you’d like to see how Lepide can help to secure your Active Directory environment, schedule a demo with one of our engineers.