MicrosoftWindows Server 2016Windows Server 2019

What Is ADFS? | How It Works | 5 Best Points To Know

What Is ADFS

What is ADFS: ADFS is a feature which allows user to authenticate on a network to access application and services on another network securely.

For Example, Office 365 enables users to authenticate through on-premises Active Directory Domain Services AD DS.

Then use an account in office 365 without prompting for any further authentication.

Therefore, it provides the Single Sign On (SSO) for both office 365 their corporate computer.

However, office 365 requires both AD FS and Directory synchronization.

So, whenever you implement AD FS

Password management and policies maintain by one premises AD DS  

How AD FS Works

AD FS implements the WS-Federation model.

Therefore, in this model, a service provider (also known as a relying party), is the federation partner that consumes security tokens for users.

The service provider hosts an application that relies on an issuer to provide information about identity.

A second partner in the WS-Federation model is the claims provider.

The claims provider creates security tokens that share it with the service provider to provide access to applications.

In order to establish the connection between two partners.

An administrator needs to configure a federated trust.

However, two partner organizations are bind together with the relationship.

whereas one partner manages the user account that access application and other provides access to the application.

For Example, In a hybrid environment, office 365 with Azure AD provides access to application and user accounts are managed on-premises.

When a user in the claims provider organization tries to access an application hosted by the service provider, AD FS initially verifies the user credentials in AD DS.

After successful authentication by AD DS, the security token service (STS) component of AD FS issues a security token.

The client then contacts the service provider’s federation server.

which then issues a token that authorizes the user to the application or service, such as Office 365.

In this scenario, Office 365 implicitly trusts the token issuer.  

What is ADFS Security Token

The security token contains claims about the user, such as user name, group membership, UPN, email address, manager details, and phone number.

It’s up to the consuming application—such as Office 365—to decide how to use these claims, and to make appropriate authorization decisions.

The application doesn’t make authentication decisions, as these are made by AD DS.

The federation trust between the parties manages through certificates.

While the AD FS server can self-sign the security token signing and encryption certificates.

Typically HTTPS communications between the issuer and the consuming application or service require a public key infrastructure (PKI).  

Architecture Of ADFS

ADFS requires the following components

  • Microsoft SQL Server: It Stores the databases used for AD FS data.
  • Web Application Proxy: It provides external access to AD FS for users and devices outside of the premises network.
  • Federation Server: This server runs the AD FS service and interacts with your AD DS forest and domain infrastructure.

Though all the above components are on your on-premises network.

However, you can host it on an Azure cloud as well as.

Which does not require on-premises infrastructure?

In order to manage traffic, you should implement the load balancer for achieving high availability.

What is ADFS Authentication

There are two authentication methods.

Forms Authentication: 

This authentication method is for resources published outside the corporate network and which are accessible to clients over the internet.

Forms authentication is not enabled by default.

You must enable it in order to also enable certificate authentication—smart card authentication or user client certificate authentication—that integrates with AD DS.

Integrated Windows Authentication:

This is the default authentication method and is for resources that publish inside the corporate network and is accessible from intranet resources only.

Therefore, Integrated Windows authentication is enabled by default.

You also can enable forms authentication or certificate authentication.

Note: Integrated Windows authentication does not support all browsers.

During authentication, AD FS detects the user agent on the user’s browser and determines whether it supports Integrated Windows authentication.

You can use the following Windows PowerShell command to specify alternate user-agent strings for browsers that support Integrated Windows authentication

Set-AdfsProperties –WIASupportedUserAgents

If the client’s user agent doesn’t support Windows authentication.

AD FS uses the default authentication method, which is form authentication.

I hope you get the ADFS overview of what is ADFS

To  know more about what is Microsoft ADFS visit Microsoft Docs Website


Back to top button