How to Enable AD FS Authentication

Want to learn more about the AD FS and how to enable AD FS authentication? Check out this tutorial to learn more!

samual alister user avatar by
samual alister
·
Jul. 17, 18 · Tutorial

Active Directory Federation Services (AD FS) enables federated identity and access. It securely shares digital identity and entitlement rights across enterprise and security boundaries, and it extends the single sign-on capability available within a given security or enterprise boundary to Internet-facing applications. This gives partners, customers, and suppliers a streamlined experience when they access an organization's web applications. Authentication is essential for many web applications. In this post, we will learn what AD FS is and how to enable it.

Solution

Active Directory Federation Services provides a secure, reliable, scalable, and extensible identity federation solution. Its flexible architecture supports several client authentication methods (Kerberos, X.509 certificates, and username/password), multiple SAML token types, and several user identity stores, such as Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This flexibility lets AD FS coexist with existing Windows security and trust infrastructures.

AD FS is a standards-based federation service. It allows identity to be shared between trusted business partners across an extranet, which makes authentication straightforward: when a user wants to access a web application hosted by one of the trusted partners, the user's own organization is responsible for authenticating the user and providing the claims.

AD FS is an implementation of Microsoft's WS-Federation Passive Requestor Profile. Here, passive means that the client is an ordinary web browser that accepts cookies and has JavaScript enabled; it takes part in the protocol only by following redirects and submitting forms. AD FS implements the WS-Federation protocol and also SAML, the Security Assertion Markup Language.

Adfs.msc is the AD FS administration tool, a Microsoft Management Console (MMC) snap-in. It is used to add account and resource partners, add and configure account stores, map a partner's claims, and identify and configure federation-aware web applications.


How a Federation-Aware Application Works

A user from one of the partners, known as the account partner, tries to access an AD FS-enabled application hosted by another partner, the resource partner. The request is intercepted by the AD FS web agent on the resource partner's web server. The web agent checks whether the user has an appropriate AD FS cookie. If so, the user is given access to the web application; otherwise, he or she is redirected to the account partner's federation server.

The important point here is that the user is authenticated by their own organization. Once authentication completes, the account partner's federation service issues the user a security token in the form of claims, and the user is redirected to the resource partner's AD FS server.

Next, the resource partner's AD FS examines the security token and checks that it comes from an account partner it trusts. AD FS then uses its trust policy to map the account partner's claims to claims that its own web application understands. AD FS issues a second SAML token containing the resource partner's claims, a cookie is written on the user's machine, and the user is redirected back to the web application.

When the AD FS web agent finds the cookie, it parses the SAML token and allows access to the web application. A single sign-on object is instantiated containing the claims parsed from the SAML token, and authorization decisions are made based on these claims.
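The exchange described above, as an added simulation that is not part of the original article and uses no AD FS or ASP.NET API: an account partner authenticates the user and issues a signed token of claims, the resource partner's federation service accepts it only from a trusted issuer, maps the claims through its trust policy into a second token, and the web agent turns that cookie into a single sign-on object. HMAC over a JSON body stands in for the signed SAML assertion, and the partner names, keys, directory entries, claim mappings, cookie name and federation server URL are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed two-partner topology: the account partner (the user's own organisation)
# authenticates users; the resource partner hosts the federation-aware web application.
# Shared HMAC keys stand in for the X.509 signing certificates real AD FS exchanges.
ACCOUNT_PARTNER = "urn:federation:contoso"
RESOURCE_PARTNER = "urn:federation:fabrikam"
ACCOUNT_KEY = b"contoso-signing-key"
RESOURCE_KEY = b"fabrikam-signing-key"
TOKEN_LIFETIME = 300  # seconds

# Resource partner's trust policy: trusted account partners (issuer name -> verification key)
# and how their claims map to claims the local web application understands.
TRUST_POLICY = {
    "trusted_issuers": {ACCOUNT_PARTNER: ACCOUNT_KEY},
    "claim_map": {
        ("group", "Sales"): ("role", "OrderViewer"),
        ("group", "Finance"): ("role", "InvoiceApprover"),
    },
    "passthrough_types": {"upn"},
}

# Constructed account-partner identity store (stands in for AD DS).
DIRECTORY = {
    "alice": {"password": "pw-alice", "groups": ["Sales"]},
    "bob": {"password": "pw-bob", "groups": ["Finance"]},
}


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(issuer, key, subject, claims, now=None):
    """A federation service issues a signed token of claims (stand-in for a SAML assertion)."""
    body = {"iss": issuer, "sub": subject, "claims": [list(c) for c in claims],
            "exp": (now or time.time()) + TOKEN_LIFETIME}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return payload + "." + _sign(key, payload.encode())


def verify_token(token, trusted_issuers, now=None):
    """Accept a token only if its issuer is trusted, the signature matches and it is unexpired."""
    payload, _, sig = token.rpartition(".")
    body = json.loads(base64.urlsafe_b64decode(payload.encode()))
    key = trusted_issuers.get(body["iss"])
    if key is None:
        raise PermissionError("untrusted issuer: " + body["iss"])
    if not hmac.compare_digest(sig, _sign(key, payload.encode())):
        raise PermissionError("signature mismatch")
    if body["exp"] < (now or time.time()):
        raise PermissionError("token expired")
    return body


def token_accepted(token, trusted_issuers):
    """Accept/reject view of verify_token, treating malformed tokens as rejected."""
    try:
        verify_token(token, trusted_issuers)
        return True
    except (PermissionError, ValueError, KeyError):
        return False


def account_partner_sign_in(username, password):
    """Account partner federation server: authenticate against its own store, issue the first token."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        raise PermissionError("authentication failed")
    claims = [("group", g) for g in entry["groups"]] + [("upn", username + "@contoso.example")]
    return issue_token(ACCOUNT_PARTNER, ACCOUNT_KEY, username, claims)


def resource_partner_federate(incoming_token):
    """Resource partner AD FS: check trust, map claims per policy, issue the second token."""
    body = verify_token(incoming_token, TRUST_POLICY["trusted_issuers"])
    mapped = []
    for claim_type, value in body["claims"]:
        if (claim_type, value) in TRUST_POLICY["claim_map"]:
            mapped.append(TRUST_POLICY["claim_map"][(claim_type, value)])
        elif claim_type in TRUST_POLICY["passthrough_types"]:
            mapped.append((claim_type, value))
        # any other partner claim is dropped; the application never sees unmapped claims
    return issue_token(RESOURCE_PARTNER, RESOURCE_KEY, body["sub"], mapped)


def web_agent(cookies):
    """Web agent on the resource partner's web server: no valid cookie -> redirect to account partner."""
    token = cookies.get("FedAuth")  # constructed cookie name
    if token is None or not token_accepted(token, {RESOURCE_PARTNER: RESOURCE_KEY}):
        return {"redirect": "https://fs.contoso.example/adfs/ls/"}  # constructed federation server URL
    body = verify_token(token, {RESOURCE_PARTNER: RESOURCE_KEY})
    # the single sign-on object: subject plus parsed claims, ready for authorization decisions
    return {"user": body["sub"], "claims": {tuple(c) for c in body["claims"]}}


def sign_on(username, password):
    """Run the whole passive-requestor exchange for one browser session; return the SSO object."""
    cookies = {}
    if "redirect" not in web_agent(cookies):  # no cookie yet: browser is bounced to the account partner
        raise RuntimeError("agent granted access without a cookie")
    account_token = account_partner_sign_in(username, password)
    cookies["FedAuth"] = resource_partner_federate(account_token)  # cookie written on the user's machine
    return web_agent(cookies)
```

Two properties worth noticing: the application only ever sees claims that the trust policy explicitly mapped or passed through (a partner's "group" claim never reaches it unmapped), and a token from an issuer outside the trust policy, a tampered token, or an expired one all send the browser back to the account partner rather than granting access.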

Steps to Enable AD FS Authentication

Note: role-based access control (RBAC) is provided by Windows Authorization Manager (AzMan).

The steps to enable AD FS authentication are:

1. Making a web application federation aware

    (a) Registering it with the AD FS web agent

    (b) Writing a custom configuration section/handler

    (c) Adding the custom section

    (d) Adding a reference to the SingleSignOn assemblies

2. Getting a SingleSignOn object

3. Verifying authentication

4. Using AzMan to create a client context

5. Retrieving claims

6. Making authorization decisions

AD FS lets a user reach a web application from an extranet while being authenticated by their own organization. The user stays in control of their credentials, and access to the application is streamlined.
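Steps 4 to 6 above (create a client context, retrieve claims, make authorization decisions), as an added example that is not from the article and does not call the AzMan or AD FS APIs: an AzMan-style store of operations, tasks and roles is constructed inline, the client context is built only from role claims such as those a trust policy would produce, and every access check denies by default. The operation, task and role names are all made up for the example.

```python
from dataclasses import dataclass, field

# Constructed AzMan-style authorization store for the resource partner's web application.
# Operations are the low-level actions application code checks; tasks bundle operations;
# roles bundle tasks and may include other roles. Names are constructed for the example.
OPERATIONS = {"ViewOrder", "CreateOrder", "ViewInvoice", "ApproveInvoice"}
TASKS = {
    "ReadOrders": {"ViewOrder"},
    "ManageOrders": {"ViewOrder", "CreateOrder"},
    "ApproveInvoices": {"ViewInvoice", "ApproveInvoice"},
}
ROLES = {
    "OrderViewer": {"tasks": {"ReadOrders"}, "roles": set()},
    "OrderClerk": {"tasks": {"ManageOrders"}, "roles": {"OrderViewer"}},
    "InvoiceApprover": {"tasks": {"ApproveInvoices"}, "roles": set()},
}


def expand_roles(role_names):
    """Resolve nested role membership; unknown role names are ignored rather than trusted."""
    seen, stack = set(), list(role_names)
    while stack:
        role = stack.pop()
        if role in ROLES and role not in seen:
            seen.add(role)
            stack.extend(ROLES[role]["roles"])
    return seen


@dataclass
class ClientContext:
    user: str
    roles: frozenset
    decisions: list = field(default_factory=list)  # audit trail of (operation, allowed)


def create_client_context(user, claims):
    """Step 4/5: build the client context from the 'role' claims only; other claim types grant nothing."""
    roles = expand_roles(value for claim_type, value in claims if claim_type == "role")
    return ClientContext(user, frozenset(roles))


def permitted_operations(ctx):
    """Union of every operation reachable through the context's roles and their tasks."""
    ops = set()
    for role in ctx.roles:
        for task in ROLES[role]["tasks"]:
            ops |= TASKS[task]
    return ops


def access_check(ctx, operation):
    """Step 6: deny by default, and refuse unknown operations instead of silently allowing them."""
    if operation not in OPERATIONS:
        raise ValueError("unknown operation: " + operation)
    allowed = operation in permitted_operations(ctx)
    ctx.decisions.append((operation, allowed))
    return allowed
```

A claim set such as [("group", "Sales")] that the trust policy never mapped to a role yields an empty context and is denied everything, which is the behaviour you want when a partner adds a new group before the resource partner has updated its mapping.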

Conclusion

In this article, we saw what AD FS is and how it lets a user sign in to an AD FS-enabled ASP.NET web application across the systems of a group of business partners using the same Active Directory credentials. We didn't go through the actual implementation; that will be covered in our next post!

Enjoy coding!


Opinions expressed by DZone contributors are their own.
