AD Federation Services drives claims-based identity for Windows

Updates to Active Directory Federation Services could bring Microsoft's claims-based identity model to a whole new level.

For many years, IT departments have focused much of their time, energy and budget on striking the right balance between securing access to resources and facilitating legitimate access to those resources when needed. Historically, this task has been easier when an organization relies on just one identity system, such as Microsoft Active Directory, both for authenticating users and for authorizing their access to network resources.

Such homogeneity is a rare thing, however, even within a single organization. This creates challenges in managing user authentication across diverse applications, especially when applications are hard-coded to take advantage of one particular identity source. For example, if a line-of-business (LOB) application is specifically designed to integrate with a particular Active Directory domain, using Kerberos for authentication and authorization, it can be challenging to allow access to this application for partner organizations or customers who do not have user accounts within that domain.


The complexity of managing user identities grows sharply when trying to enable access to resources across organizational boundaries, such as to a business partner, or when authenticating to a cloud-based system such as Windows Azure. More and more often, organizations are looking for solutions that allow effective collaboration and easy authentication to other security realms, regardless of the underlying technologies involved. The general term for this kind of partnership across security realms is federation.

In order to address these challenges, administrators need to find a way to create a layer of abstraction between an authentication system, such as Active Directory, and an application, such as Microsoft SharePoint. One way of addressing this is through the use of claims-based identity. With this model, user information can be expressed in a consistent format using claims, and then these claims can be transmitted to applications in a standardized format, regardless of how or where the user was authenticated.

Conceptually, the idea of claims is not new. In fact, any of the following could be considered a claim:

  • "This user's UPN is"
  • "This user is a member of the Finance role"
  • "This user is over 18 years of age"

Technically speaking, claims are packaged in a security token that uses a standard format such as the Security Assertion Markup Language (SAML), so that they look the same across a multitude of authentication sources and applications. The token is signed by the issuer, so an application trusts a claim because it trusts the issuer that signed it, not because of how the user originally authenticated.

For example, a user who was authenticated against an Active Directory domain controller using a username and password would be able to present their claims in the same standard format as a user from a different organization that had authenticated against a UNIX environment using a smart card and PIN. From the application's perspective, the fact that these two users had authenticated against two completely different environments is irrelevant. Each user is presenting the application with claims that utilize the exact same format, which the application can then use to make authorization and personalization decisions.
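The scenario above, as an added example rather than code from the article or from ADFS/WIF: two SAML 2.0 assertions, one from an ADFS-style issuer and one from a partner's non-Microsoft identity provider, are flattened into the same list of (claim type, value) pairs and fed to one authorization routine that never asks how the user logged on. The issuer URLs, user names, audience URI and timestamps are constructed sample data. Signature verification is deliberately out of scope; a real relying party such as ADFS or WIF verifies the issuer's signature before any of the checks shown here, and the trusted-issuer check is what stops a third party from minting a "Finance" role claim for itself.

```python
"""Consume SAML 2.0 claims without caring which IdP issued them, then
authorize. Added example with constructed sample data; no signature
verification (a real relying party checks the signature first)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Standard claim-type URIs that ADFS emits for UPN and role claims.
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def q(tag):
    """Qualify a local name with the SAML 2.0 assertion namespace."""
    return f"{{{SAML}}}{tag}"


def make_assertion(issuer, name_id, audience, claims, not_before, not_on_or_after):
    """Build a minimal, unsigned SAML 2.0 assertion (constructed sample data).
    `claims` maps a claim-type URI to its values, the shape of an AttributeStatement."""
    ET.register_namespace("saml", SAML)
    a = ET.Element(q("Assertion"), Version="2.0", ID="_sample", IssueInstant=not_before)
    ET.SubElement(a, q("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, q("Subject")), q("NameID")).text = name_id
    cond = ET.SubElement(a, q("Conditions"), NotBefore=not_before, NotOnOrAfter=not_on_or_after)
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = audience
    stmt = ET.SubElement(a, q("AttributeStatement"))
    for claim_type, values in claims.items():
        attr = ET.SubElement(stmt, q("Attribute"), Name=claim_type)
        for value in values:
            ET.SubElement(attr, q("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


def parse_time(stamp):
    """Parse the xs:dateTime form used in SAML conditions (UTC, 'Z' suffix)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_claims(xml_text):
    """Flatten an assertion into issuer, subject, validity window, audiences and
    (claim_type, value) pairs. Same output shape whatever issuer produced the token."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    claims = [(attr.get("Name"), v.text)
              for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
              for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": parse_time(cond.get("NotBefore")),
        "not_on_or_after": parse_time(cond.get("NotOnOrAfter")),
        "audiences": [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "claims": claims,
    }


def authorize(xml_text, trusted_issuers, audience, required_role, now):
    """Return (allowed, detail): the caller's UPN on success, the refusal reason
    otherwise. The decision looks only at who vouches for the claims, never at
    how the user authenticated (password, smart card, ...)."""
    a = parse_claims(xml_text)
    if a["issuer"] not in trusted_issuers:
        return False, "untrusted issuer: " + a["issuer"]
    if audience not in a["audiences"]:
        return False, "token was not issued for this application"
    if not (a["not_before"] <= now < a["not_on_or_after"]):
        return False, "token outside its validity window"
    roles = [v for t, v in a["claims"] if t == ROLE]
    if required_role not in roles:
        return False, "missing role claim: " + required_role
    upn = next((v for t, v in a["claims"] if t == UPN), a["subject"])
    return True, upn


# Constructed sample data: hypothetical hosts, users and audience URI.
APP = "urn:example:finance-app"
ADATUM_IDP = "http://adfs.adatum.example/adfs/services/trust"  # ADFS 2.0 issuer
CONTOSO_IDP = "https://idp.contoso.example/saml"                # partner's non-Microsoft IdP
TRUSTED = {ADATUM_IDP, CONTOSO_IDP}
NOW = parse_time("2010-03-01T10:30:00Z")
WINDOW = ("2010-03-01T10:00:00Z", "2010-03-01T11:00:00Z")

ALICE = make_assertion(ADATUM_IDP, "alice", APP,
                       {UPN: ["alice@adatum.example"], ROLE: ["Finance", "Domain Users"]}, *WINDOW)
BOB = make_assertion(CONTOSO_IDP, "bob", APP,
                     {UPN: ["bob@contoso.example"], ROLE: ["Finance"]}, *WINDOW)
# Same claims as Bob, but from an issuer the application has no trust relationship with.
MALLORY = make_assertion("https://idp.rogue.example/saml", "mallory", APP,
                         {UPN: ["mallory@rogue.example"], ROLE: ["Finance"]}, *WINDOW)

if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB), ("mallory", MALLORY)):
        print(name, authorize(token, TRUSTED, APP, "Finance", NOW))
```

Alice (authenticated by A. Datum's ADFS) and Bob (authenticated by Contoso's own IdP) are both admitted on identical terms; Mallory presents a token with the very same claims and is refused solely because the issuer is not in the application's trust list. Audience and validity-window checks are the other two conditions a relying party must enforce even after the signature is good, otherwise a token issued for one application can be replayed against another.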

Microsoft first shipped a claims-based identity solution, Active Directory Federation Services (ADFS), with Windows Server 2003 R2. It is now preparing a significant update to ADFS that consists of two major components:

  1. Active Directory Federation Services 2.0 -- ADFS 2.0 acts as a federation server which can authenticate incoming users and generate claims for those users that can be used to access claims-aware applications. Specifically, an ADFS 2.0 server is a member server within an Active Directory domain. As such, it can authenticate users from Active Directory using any supported authentication method, including usernames and passwords, certificates, and smart cards.

    Once the user has been authenticated, the ADFS server can issue claims for these users that can be sent to another ADFS server, a third-party federation server, or directly to a claims-aware application to be used for authorization. Similarly, an ADFS server can also receive claims from users who have been issued them by other federation servers -- ADFS server or otherwise -- that the ADFS server can process and pass along to other claims-aware services and applications. ADFS 2.0 is currently in the release candidate (RC) stage, and is scheduled to ship in the first half of 2010.

  2. Windows Identity Foundation (WIF) -- This is the developer platform that allows .NET developers (using ASP.NET, WCF, or other development platforms) to create and manage applications that can consume claims generated by any federation server, whether it be an ADFS server or third-party federation server. WIF was released at the Microsoft Professional Developers Conference in November 2009, and is available as a free download from the Microsoft website.

By using a combination of ADFS 2.0 and WIF, administrators and developers can work together to provide user access in a number of different scenarios, including:

  • Single sign-on within an organization – Windows Identity Foundation allows developers to rely on ADFS and other federation servers to remove dependencies on specific authentication methods. This can reduce the number of separate usernames and passwords maintained by users in order to access applications within their organization.
  • Single sign-on across business partnerships – Using ADFS in one or both companies, you can provide Web single sign-on between organizations, where A. Datum users can access Contoso Web resources using their A. Datum credentials, without Contoso needing to create and maintain a second set of credentials or A. Datum users needing to remember yet another username and password.
  • Single sign-on to cloud-based computing – ADFS can allow users within a corporate Active Directory to use their AD credentials to access Software as a Service (SaaS) providers such as Google Apps. In the near future, this functionality will be extended to allow federated access to Microsoft Online and Azure-based applications as well.

Laura E. Hunter, the Principal for LHA Consulting, is a six-time recipient of the Microsoft MVP award in Windows Server System - Directory Services, and is a Microsoft Certified Master in Windows Server 2008 Active Directory. She is also an active technical speaker, author and presenter focusing on the Active Directory, Federated Identity and Identity Management spaces.
