October 25, 2005

ADFS Architecture


Main article: R2 Moves Windows Server 2003 Forward


The core architecture of Active Directory Federation Services (ADFS) requires an Active Directory (AD) or Active Directory Application Mode (ADAM) instance that contains user credentials. ADFS doesn't replace the existing account repository; rather, it extends the repository's visibility to other organizations in a highly controlled manner. ADFS is a security token service that's used mainly to compile statements about the user account in the form of security tokens. For custom applications, ADFS also populates claims, which are statements about the security principal (e.g., username, user's title) that the Web application uses to ascertain the level of access that should be given to the requesting user.

ADFS also manages the federation trusts it shares with other organizations' federated services. A federation trust isn't an AD forest trust; rather, it's a special trust that uses certificates for token signing between organizations. The trusting forest can't use the federation trust to query information about accounts in the account forest. The only information the trust ever sees is when specific users attempt to access Web services in its forest, and then it sees only account information designated as appropriate for that relationship. Federated-services servers in different organizations never communicate with each other; all communication occurs via the requesting client, which means the ports that have to be open for a typical domain trust aren't required for a federated trust. Creation of the federated trust is all done out-of-band with only the signing certificate for the account side of the trust required at both ends, which can be sent via an email or burned to media and sent via carrier. All communication from the client is via HTTP Secure (HTTPS, port 443).

The next component of ADFS is the Federation Server Proxy (FSP), which is essentially what Web-based servers communicate with and also provides a user interface for the benefit of the Web-based clients. Because of the FSP UI, clients don't have to communicate with the ADFS (i.e., federated services) server directly. Communication can occur via an ADFS proxy, which could reside in a demilitarized zone (DMZ) along with the Web application servers. By default, FSP is installed on all federated services. However, you can install it without the ADFS component to provide only the credential-collection facility and communicate back to the federated-services server. This would be useful in the DMZ situation in which you don't want your entire federated-services server on an extranet.

The last ADFS component is an ADFS Web agent that runs on the Web server. The Web agent helps enforce user authentication, creates the relevant user-authorization context, enables integration with Authorization Manager, enables support for Windows NT impersonation and various ASP.NET authentications, and enables support for the role-checking function.

The following steps outline a sample scenario in which a federated-services server authenticates a user. The diagram that Web Figure A shows illustrates these steps.

  1. The user in the account forest tries to access a Web server in another organization's forest that's connected to the account forest via a federated trust. The ADFS Web agent on the Web server checks for the user's security token, which doesn't exist yet.
  2. Because the user has no security token, ADFS doesn't give the user access to the application and redirects the user to the federated-services server in the resource forest.
  3. The resource forest federated-services server performs a home realm discovery, by which the server determines the user's home forest either by prompting the user (via a Web page that displays a drop-down list of all the forests that the federated-services server trusts) or by inspecting a persistent cookie (which the resource federated-services server places on the client after the first successful communication).
  4. After it has identified the requesting user's home forest, the resource federated-services server redirects the user to his or her local federated-services server to continue processing.
  5. Authentication then occurs with the user's local federation service, which in turn authenticates via AD and pulls from AD information pertinent to the token that ADFS will create for transmission to the resource forest currently attempting access. (The home-forest federated-services server might designate different information for the different resource forests that trust the account federation.)
  6. The local federated-services server then issues the client a token specifically for the resource forest and redirects the user to the federated-services server in the resource forest.
  7. The resource federated-services server checks the passed token, confirms that it's been digitally signed with the correct certificate, and creates its own local token for the user to use when communicating with the Web application. The resource federated-services server then redirects the user to the Web application server. (This process works similarly to referral tickets in a multiple-domain forest.)
  8. The Web application checks the passed token. This is a Security Assertion Markup Language (SAML) 1.1 token, an industry-standard format. The Web application reads the SAML token and allows authorization to the application and its content depending on the access limitations specified in the token.
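
The eight steps above, played out in code as an added illustration (this is not ADFS code, and Microsoft's implementation is not reproduced here): two federation servers and a Web agent are plain Python functions, HMAC stands in for the certificate-based signature on the SAML 1.1 token, and a JSON dictionary stands in for the assertion itself. The realm names, users, attributes and keys are constructed for the example. It also shows the step 5 parenthetical in practice: the account forest signs only the attributes it has designated for that resource partner, so the resource side never sees the rest of the directory entry, and a token whose body has been modified after signing, or that was issued by an untrusted realm or has expired, is rejected at step 7.

```python
"""Simulated ADFS federated sign-on: added illustration, not ADFS or Microsoft code.

HMAC stands in for the token-signing certificate and a dict for the SAML 1.1
assertion; every realm, user, attribute and key below is constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed account-forest directory (what the account federation server pulls from AD).
ACCOUNT_DIRECTORY = {
    "jsmith": {"upn": "jsmith@contoso.example", "title": "Analyst",
               "groups": ["Finance"], "home_phone": "555-0100"},
}
# Attributes the account forest designates for each resource partner (step 5).
OUTGOING_CLAIMS = {"fabrikam.example": ["upn", "title", "groups"]}

# Constructed keys standing in for each side's token-signing certificate.
ACCOUNT_SIGNING_KEY = b"contoso-token-signing-cert"
RESOURCE_SIGNING_KEY = b"fabrikam-token-signing-cert"
# Resource-side trust store: the only material exchanged out-of-band when the trust was created.
RESOURCE_TRUSTED_PARTNERS = {"contoso.example": ACCOUNT_SIGNING_KEY}


def sign_token(payload: dict, key: bytes) -> dict:
    """Serialise the assertion and attach a signature over exactly those bytes."""
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_token(token: dict, key: bytes, audience: str, now: int) -> Optional[dict]:
    """Return the assertion if signature, audience and lifetime check out, else None."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    payload = json.loads(token["body"])
    if payload.get("audience") != audience or payload.get("expires", 0) <= now:
        return None
    return payload


def home_realm_discovery(cookie: Optional[str], user_choice: Optional[str]) -> Optional[str]:
    """Step 3: a persistent cookie answers the question; otherwise the user picks a trusted realm."""
    realm = cookie or user_choice
    return realm if realm in RESOURCE_TRUSTED_PARTNERS else None


def account_fs_issue_token(user: str, resource_realm: str, now: int) -> dict:
    """Steps 5-6: authenticate the user (reduced to a directory lookup here) and issue a
    partner token carrying only the claims designated for that resource forest."""
    entry = ACCOUNT_DIRECTORY[user]
    claims = {name: entry[name] for name in OUTGOING_CLAIMS[resource_realm]}
    return sign_token({"issuer": "contoso.example", "audience": resource_realm,
                       "subject": user, "claims": claims, "expires": now + 600},
                      ACCOUNT_SIGNING_KEY)


def resource_fs_exchange_token(partner_token: dict, issuer: str, app: str, now: int) -> Optional[dict]:
    """Step 7: check the partner token against the trusted partner's key, then mint a local token."""
    partner_key = RESOURCE_TRUSTED_PARTNERS.get(issuer)
    if partner_key is None:
        return None
    assertion = verify_token(partner_token, partner_key, "fabrikam.example", now)
    if assertion is None:
        return None
    return sign_token({"issuer": "fabrikam.example", "audience": app,
                       "subject": assertion["subject"], "claims": assertion["claims"],
                       "expires": now + 600}, RESOURCE_SIGNING_KEY)


def web_agent_check(local_token: Optional[dict], app: str, required_group: str, now: int) -> bool:
    """Steps 1 and 8: no token means redirect (False); otherwise authorise on the token's claims."""
    if local_token is None:
        return False
    assertion = verify_token(local_token, RESOURCE_SIGNING_KEY, app, now)
    return assertion is not None and required_group in assertion["claims"].get("groups", [])


def federated_sign_on(user: str, app: str, required_group: str, now: int,
                      cookie: Optional[str] = None, chosen_realm: Optional[str] = None,
                      tamper: bool = False) -> dict:
    """Drive the whole redirect chain in the order the client's browser experiences it."""
    if web_agent_check(None, app, required_group, now):                      # step 1: no token yet
        return {"granted": True, "via": "existing token"}
    realm = home_realm_discovery(cookie, chosen_realm)                       # steps 2-3
    if realm is None:
        return {"granted": False, "reason": "unknown home realm"}
    partner_token = account_fs_issue_token(user, "fabrikam.example", now)    # steps 4-6
    if tamper:  # a token whose body was altered after signing; verification must fail
        partner_token["body"] = partner_token["body"].replace('"Finance"', '"Finance", "Admins"')
    local_token = resource_fs_exchange_token(partner_token, realm, app, now)  # step 7
    if local_token is None:
        return {"granted": False, "reason": "partner token rejected"}
    granted = web_agent_check(local_token, app, required_group, now)          # step 8
    return {"granted": granted, "claims": json.loads(local_token["body"])["claims"]}
```

Calling `federated_sign_on("jsmith", "https://app.fabrikam.example/", "Finance", 1000, cookie="contoso.example")` grants access with only `upn`, `title` and `groups` in the claims; the same call with `tamper=True`, with an unknown realm in the cookie, or against an expired or untrusted-issuer token stops at step 3 or step 7 with a reason rather than a token.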

This federated capability lets a user's AD-based credential be used across organizational boundaries with partner companies. The bottom line of ADFS is that only one user account is required to sign on to multiple systems, which greatly improves both accessibility of information and data security. For example, imagine a typical situation in which a user has 10 different accounts to access Web-based data in partner companies, or even in the user's own company. Why synchronize if you can federate? Should the user leave the company, disabling that single account in a federated-services environment terminates all of the user's access.

Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc., All rights reserved.