Federated Identity and Access are enabled by AD FS. It securely shares digital identity and entitlement rights across enterprise and security boundaries. It also extends the single sign-on capability that is available within a given security or enterprise boundary to applications that face the Internet. This provides partners, customers, and suppliers a streamlined user experience while accessing web-based applications of a company or organization. Authentication is essential for many web applications. In this blog, we will learn what AD FS is and how we enable it.

Solution

Active Directory Federation Service provides a secure, reliable, scalable, and extensible identity federation solution. It is a flexible architecture that supports various client authentication methods such as Kerberos, X.509 and username/password, SAML token types, and many different user identity stores, such as Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This flexibility allows AD FS to co-exist with the existing Windows security and trust infrastructures.

It is a federation service that is a standards-based service. It enables and allows the sharing of identity between trusted business partners across an extranet and, thus, making authentication easy. If a user wants to access a web application from one of the trusted partners, then, the user’s organization is responsible for providing the claims and authenticating the user.

AD FS is an implementation of Microsoft’s WS-Federation Passive Requestor Profile protocol. Here, passive means that a client requires a cookie and a web browser that is Javascript enabled. AD FS is an implementation of the WS-Federation protocol and even the SAML, i.e. Security Assertion Markup Language.

Adfs.msc is an administration tool for AD FS that is a Microsoft Managed Console snap-in, which can be used whenever we want to add account and resource partners, add and configure account stores, map a partner’s claims, and identify and configure federation-aware web applications.

Working off a Federation-Aware Application

A user from one of the partners, known as an account partner, tries to access an application that is AD FS-enabled. The application is hosted by another partner called the resource partner. The request is intercepted by an AD FS web agent that is present on the resource partner’s web server. The web agent checks whether the user has an appropriate AD FS cookie. If yes, the user is given access to the web application. Otherwise, he/she is redirected to the account partner’s federation server.

Here, an important aspect is that the user is authenticated by their organization. After the authentication is complete, the user issues a security token in the form of claims by the account partner’s federation service, and the user is redirected to the AD FS server of the resource partner.

Next, the resource partner finds the security token and checks to see whether it is from an account partner it is trusted by. The trust policy is used by AD FS, mapping the account partner claims that its own web application understands. A second SAML token is issued by AD FS, which contains the resource partners claims. A cookie is written on the user’s machine and the user is redirected back to the web application.

When the cookie is discovered by an AD FS web agent, the SAML token is parsed and access is allowed to the web application. A single sign-on object is instantiated, containing parsed claims from the SAML token. Authorization decisions are made based upon these claims.

Steps to Enable AD FS Authentication

Note: Roles-based access control (RBAC) is provided by Windows Authorization Manager (AzMan).

The steps to enable AD FS authentication are:

1. Making a web application federation aware

    (a) Registration using AD FS web agent

    (b) Writing a custom configuration section/handler

    (c) Adding the custom section

    (d) Put a SingleSignOn assemblies reference

2. Getting a SingleSignOn Object

3. Verification of authentication

4. Using Azman to create a client context

5. Retrieve claims

6. Make some authorization decisions

AD FS can help a user to access a web application from an extranet and get the authentication done by their own organization. This gives power to the user and the access to an application is streamlined.

Conclusion

In this article, we saw what AD FS is and how it helps a user to sign in to an ADFS ASP.NET web application development across the systems working under a group of business partners using same credentials from the active directory. We didn't go through the actual implementation — that will be discussed in our next post!

Enjoy coding!