When Microsoft first introduced the ADFS in Windows Server 2003 R2, the feature didn't receive much fanfare. It...
was one of those features that sounded good in theory, but was a bit ahead of its time.
Microsoft included Active Directory Federation Service with Windows Server 2008 and Windows 2008 R2 and even offers a 2.0 version for download. However, no one seems to be using ADFS in a production environment. That may be about to change.
ADFS provides a means for managing online identities and providing single sign-on capabilities. This is becoming increasingly important because of the transition being made from running applications on premise to running applications in the cloud.
When applications are run on premise, all of the applications are typically installed directly on a user's desktop, on a terminal server, or on an application server. In any of these cases, rights to the application can be granted to Active Directory objects (such as users and groups). Once users log into Active Directory they are recognized throughout the forest regardless of which servers they are connecting to to access applications and other resources.
Although this access control model has been used for well over a decade, it starts breaking down when cloud-hosted applications enter the picture. For example, when a user logs into their computer in the morning, they are logging into an Active Directory domain. This establishes the identity that they will use when accessing resources throughout the organization.
However, if one opens Netflix from a browser, it won't recognize the user. The site, while technically a cloud application, doesn't care that a user logged into an Active Directory domain. Netflix manages their own user account information, so people have to provide a set of credentials specifically for that site.
The act of logging into Netflix does more than just confirm that I am a paid subscriber. As such it is necessary for every user to have unique credentials, because like any other application, Netflix maintains personalized settings such as billing information and movie queues. For instance, even though a user might only have a single Netflix subscription, each person in the family could have their own separate login so they can manage their own movie queue.
With that in mind, the same concept can be applied to a corporate environment. More and more organizations are beginning to run applications in the cloud. And, just like Netflix, most of these applications require a unique set of credentials even though remembering a Netflix password is simple, the concept really doesn't scale well in corporate environments.
There are several reasons why cloud based identity management is such a big challenge. First, each cloud based application is likely hosted with a different provider. For example, in addition to having a Netflix account, a user could also have an Amazon account. The two have nothing to do with each other; they require two different sets of credentials. Imagine how this same concept could play out in a corporate environment. If an organization subscribes to 20 hosted applications, then users could have 20 separate sets of credentials to remember, which can be a logistical nightmare for both the administrative staff and for the support staff.
The administrative staff is faced with the burden of setting up all those accounts, and the support staff is faced with the daunting task of managing password resets. It is no longer enough for a user to call and say they need their password reset. Now, they have to specify which application they are having trouble accessing and the helpdesk has to reset the password for that application.
It is these types of logistical challenges that should lead to ADFS becoming more widely adopted. Right now Microsoft is leading the way by using ADFS for customers who want to move some network services to Office 365.
Office 365 consists of Microsoft Exchange, SharePoint, and Lync. These applications all require an Active Directory environment, but one can’t just join the Office 365 servers to the domain. Instead, use ADFS to set up directory synchronization.
Because the Office 365 applications require an Active Directory environment, Microsoft creates a dedicated domain for your Office 365 subscription. The directory synchronization process automatically creates accounts in Microsoft’s domain that match the accounts that exist within the on-premise forest (users can choose which accounts they want to synchronize). Of course there are still passwords associated with the synchronized accounts, and this is where ADFS comes into play.
When a user attempts to access Office 365, ADFS submits a claim to Microsoft's servers. This claim includes identity information for the user. Microsoft's server validates the claim as authentic and then extracts the account information. The user is then automatically logged into their account within the Microsoft domain and given access to the requested application. The whole process happens without the user having to do anything other than log into the on-premise forest in the usual way.
ADFS addresses the challenges of cloud-based identity management. Right now, not all cloud application providers support ADFS. However, as more organizations adopt Office 365 it will only be a matter of time before ADFS becomes the standard mechanism for linking corporations to hosted Web applications.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. You can visit Brien's personal website at www.brienposey.com.