
Active Directory Federation Services Overview

AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.

In Windows Server® 2012 R2, AD FS includes a federation service role service that acts as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then provides security tokens to applications that trust AD FS).

The function of providing extranet access to applications and services that are secured by AD FS is now performed by a new Remote Access role service called Web Application Proxy. This is a departure from the prior versions of Windows Server in which this function was handled by an AD FS federation server proxy. Web Application Proxy is a server role designed to provide access for the AD FS-related extranet scenario and other extranet scenarios.

Practical applications

AD FS simplifies access to systems and applications by using a claims-based authentication and access authorization mechanism to maintain application security. Prior versions of AD FS were used for the following:

  • Providing your employees or customers with a web-based, SSO experience when accessing claims-based applications within your enterprise.
  • Providing your employees or customers with a web-based, SSO experience to access resources in any federation partner organization.
  • Providing your employees or customers with a Web-based, SSO experience when remote accessing internally hosted Web sites or services.
  • Providing your employees or customers with a web-based, SSO experience when accessing resources or services in the cloud.

AD FS in Windows Server® 2012 R2 adds the following practical applications for AD FS:

AD FS in Windows Server 2012

For Windows Server 2012, the AD FS server role includes the same functionality and feature set that is available in AD FS 2.0. It also includes the following list of new functionality that was not available in AD FS 2.0:

  • Improved installation experience using Server Manager – With AD FS 2.0, you had to download and install the AD FS 2.0 software to deploy your AD FS server infrastructure. However, in Windows Server 2012, you install the AD FS server role using Server Manager. Server Manager provides improved AD FS configuration wizard pages that perform server validation checks before you continue with the AD FS server role installation and will automatically list and install all the services that AD FS depends on during the AD FS server role installation.
  • Additional Windows PowerShell cmdlet tools – In addition to the Windows PowerShell based management capabilities provided in AD FS 2.0, AD FS in Windows Server 2012 and Windows Server® 2012 R2 includes new cmdlets for installing the AD FS server role and for initial configuration of the federation server and federation server proxy.

AD FS in Windows Server 2012 R2

The following sections summarize numerous changes that were made to AD FS in Windows Server® 2012 R2 in order to support newer practical applications of AD FS as well as to enhance existing functionality.

Enable users to access resources on their personal devices from anywhere

  • Workplace join, which enables users to join their personal devices to corporate Active Directory and, as a result, gain access to corporate resources and a seamless sign-on experience from these devices.
  • Pre-authentication of resources inside the corporate network that are protected by the Web Application Proxy and accessed from the internet.
  • Password change, which enables users to change their password from any workplace-joined device when their password has expired, so that they can continue to access resources.

Enhanced access control risk management tools

Managing risk is an important aspect of governance and compliance in every IT organization. There are numerous access control risk management enhancements in AD FS in Windows Server® 2012 R2, including the following:

  • Flexible controls based on network location to govern how a user authenticates to access an AD FS-secured application.
  • Flexible policy to determine if a user needs to perform multi-factor authentication based on the user’s data, device data, and network location.
  • Per-application control to ignore SSO and force the user to provide credentials every time they access a sensitive application.
  • Flexible per-application access policy based on user data, device data, or network location.
  • AD FS Extranet Lockout, which enables administrators to protect Active Directory accounts from brute force attacks from the internet.
  • Access revocation for any workplace joined device that is disabled or deleted in Active Directory.
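The access control capabilities listed above are all driven by AD FS properties, the global authentication policy and claim rules. The following is an added example, not code from the original post or from Microsoft, showing how an administrator would configure them from PowerShell on an AD FS 2012 R2 farm. It assumes the AD FS module is available on the federation server and that a relying party trust named "Claims App" already exists; the lockout threshold and the claim types used in the rules are taken from the AD FS 2012 R2 claim catalog and should be checked with Get-AdfsClaimDescription on your own farm.

```powershell
# Added example (not from the original post). Assumes an AD FS 2012 R2 farm and
# an existing relying party trust named "Claims App". Run on a federation server
# in an elevated session.
Import-Module ADFS

# 1. Extranet Lockout: protect AD accounts from internet-facing brute force.
#    Keep the threshold below the AD account lockout threshold so an attacker
#    can only soft-lock the account at AD FS, not lock it in Active Directory.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 5 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# 2. Network-location based authentication: integrated Windows auth inside the
#    corporate network, forms auth from the internet, certificate auth as the
#    additional (multi-factor) provider, device authentication for
#    workplace-joined devices.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @("WindowsAuthentication", "FormsAuthentication") `
    -PrimaryExtranetAuthenticationProvider @("FormsAuthentication") `
    -AdditionalAuthenticationProvider @("CertificateAuthentication") `
    -DeviceAuthenticationEnabled $true

# 3. Global MFA rule: any request that did not originate inside the corporate
#    network must satisfy the additional authentication provider.
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# 4. Per-application policy for a sensitive application: ignore SSO and ask for
#    credentials every time, and only permit registered (workplace-joined)
#    devices. A disabled or deleted device object in AD no longer yields this
#    claim, so access is revoked automatically.
$authzRule = @'
@RuleName = "Permit only workplace-joined devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Claims App" `
                          -AlwaysRequireAuthentication $true `
                          -IssuanceAuthorizationRules $authzRule

# 5. Read the settings back to confirm what the farm will enforce.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
Get-AdfsGlobalAuthenticationPolicy
Get-AdfsRelyingPartyTrust -Name "Claims App" |
    Select-Object Name, AlwaysRequireAuthentication, IssuanceAuthorizationRules
```

Because the authorization rule denies anything that does not produce a permit claim, test it first with a pilot application: an empty or mistyped rule set locks every user out of that relying party rather than failing open.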

Simplified deployment experience

Deploying AD FS in Windows Server® 2012 R2 is simplified by the following enhancements:

  • AD FS is no longer dependent on IIS. This offers enhanced performance and reduces the footprint of services, especially when AD FS is installed on Active Directory domain controllers.
  • Remote installation and configuration through Server Manager.
  • UI support for installing AD FS with SQL Server.
  • Group Managed Service Account support. This enables AD FS to be run with service accounts without managing expiring service account passwords.
  • SQL Server merge replication support when deploying AD FS across globally dispersed datacenters.
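As an added example (not from the original post or Microsoft's documentation), the following script walks the simplified 2012 R2 deployment end to end: installing the role without IIS, creating a Group Managed Service Account so no service password ever has to be rotated by hand, and standing up the first farm node. It assumes a Windows Server 2012 R2 member server in the contoso.com domain, a federation service name of fs.contoso.com, an SSL certificate for that name already present in the local machine store, and an elevated session run by a domain administrator; every host name and account name is a placeholder.

```powershell
# Added example (not from the original post). Placeholders: contoso.com,
# fs.contoso.com, the gMSA name fsgmsa, the display name "Contoso Corp".

# 1. Install the role. AD FS in 2012 R2 no longer needs IIS, so only the AD FS
#    feature and its management tools are required.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Group Managed Service Account. Active Directory manages its password; the
#    KDS root key is a one-time, per-forest prerequisite.
Import-Module ActiveDirectory
if (-not (Get-KdsRootKey)) {
    # A past -EffectiveTime makes the key usable at once. Lab use only; in
    # production keep the default so the key replicates to all DCs first.
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}
New-ADServiceAccount -Name fsgmsa -DNSHostName fs.contoso.com `
                     -ServicePrincipalNames "http/fs.contoso.com"

# 3. Locate the service communications certificate by subject instead of
#    hard-coding a thumbprint, and fail early if it is missing.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=fs.contoso.com*" } |
        Select-Object -First 1
if (-not $cert) { throw "SSL certificate for fs.contoso.com not found in LocalMachine\My" }

# 4. Create the farm (first node). Windows Internal Database is used by
#    default; add -SQLConnectionString to back the farm with SQL Server.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName "fs.contoso.com" `
                 -FederationServiceDisplayName "Contoso Corp" `
                 -GroupServiceAccountIdentifier "CONTOSO\fsgmsa$"

# 5. Confirm the service is running and the federation metadata is served.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, Identifier
Invoke-WebRequest "https://fs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml" `
                  -UseBasicParsing | Select-Object StatusCode
```

Additional nodes join the farm with Add-AdfsFarmNode using the same gMSA; because the account password is managed by AD, adding a node never requires sharing a service password between administrators.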

Enhanced sign-in with AD FS experience

The following are new AD FS capabilities in Windows Server® 2012 R2 that enable administrators to customize and enhance the sign-in experience:

  • Unified customization of the AD FS service, where the changes are made once and then automatically propagated to the rest of the AD FS federation servers in a given farm.
  • Updated sign-in pages that look modern and cater to different form factors automatically.
  • Support for automatic fallback to forms-based authentication for devices that are not joined to the corporate domain but are still used to generate access requests from within the corporate network (intranet).
  • Simple controls to customize the company logo, illustration image, standard links for IT support, home page, privacy, etc.
  • Customization of description messages in the sign-in pages.
  • Customization of web themes.
  • Home Realm Discovery (HRD) based on organizational suffix of the user for enhanced privacy of a company’s partners.
  • HRD filtering on a per-application basis to automatically pick a realm based on the application.
  • One-click error reporting for easier IT troubleshooting.
  • Customizable error messages.
  • User authentication choice when more than one authentication provider is available.
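The sign-in customizations above are applied with a handful of cmdlets and, because the settings live in the configuration database, take effect on every server in the farm. The script below is an added example, not part of the original post or of Microsoft's documentation. It assumes an AD FS 2012 R2 farm, branding images under C:\AdfsBranding, a relying party trust named "Claims App", and a claims provider trust named "Partner IdP" whose users sign in with the partner.example UPN suffix; all of these names and paths are placeholders.

```powershell
# Added example (not from the original post). Placeholders: Contoso links,
# C:\AdfsBranding, "Claims App", "Partner IdP", partner.example.
Import-Module ADFS

# 1. Farm-wide text and links: set once, replicated to every federation server.
Set-AdfsGlobalWebContent -CompanyName "Contoso" `
    -HelpDeskLink "https://intranet.contoso.com/helpdesk" -HelpDeskLinkText "IT support" `
    -HomeLink "https://www.contoso.com" -HomeLinkText "Contoso home" `
    -PrivacyLink "https://www.contoso.com/privacy" -PrivacyLinkText "Privacy" `
    -SignInPageDescriptionText "Sign in with your corporate account. Never share your password." `
    -ErrorPageSupportEmail "helpdesk@contoso.com" `
    -ErrorPageGenericErrorMessage "Something went wrong. Use the link below to send the error details to IT."

# 2. Clone the built-in theme, swap the logo and illustration, make it active.
New-AdfsWebTheme -Name contoso -SourceName default
Set-AdfsWebTheme -TargetName contoso `
    -Logo @{ path = "C:\AdfsBranding\logo.png" } `
    -Illustration @{ path = "C:\AdfsBranding\illustration.jpg" }
Set-AdfsWebConfig -ActiveThemeName contoso

# 3. Home Realm Discovery. Routing partner users by UPN suffix means the full
#    partner list is never displayed to other users, and restricting the
#    claims providers offered per application keeps internal-only apps from
#    advertising partner identity providers at all.
Set-AdfsClaimsProviderTrust -TargetName "Partner IdP" `
                            -OrganizationalAccountSuffix @("partner.example")
Set-AdfsRelyingPartyTrust -TargetName "Claims App" `
                          -ClaimsProviderName @("Active Directory", "Partner IdP")

# 4. Non-domain-joined devices on the intranet fall back to forms-based
#    authentication instead of an unanswerable Windows integrated challenge.
Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true

# 5. Review the effective configuration.
Get-AdfsGlobalWebContent | Select-Object CompanyName, SignInPageDescriptionText, ErrorPageSupportEmail
Get-AdfsWebConfig        | Select-Object ActiveThemeName, HRDCookieEnabled
Get-AdfsRelyingPartyTrust -Name "Claims App" | Select-Object Name, ClaimsProviderName
```

Keep the error message text generic: the one-click report already carries the activity ID and server details to IT, so the message shown to the user does not need to reveal anything about the back-end configuration.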

Enable developers to build modern applications

AD FS in Windows Server 2012 now supports the OAuth Authorization Grant profile, with support for refresh tokens, to enable modern applications that use RESTful services. AD FS also supports issuing JWT tokens, which are compact tokens better suited to transmission to resources that use the REST pattern.

Other improvements

  • Reduction of SSO cookie size with dynamic group SID hydration. This provides a more deterministic cookie size and reduces bloat when a user belongs to many security groups.
  • Access to claims that are encoded within user certificates when using certificate authentication. This can help administrators differentiate access based on what type of certificate is used.
  • Consistent client-request-id that is logged in all event logs and traces for easier troubleshooting.
  • Additional request claims (for example, the client IP address, endpoint address, or user agent) on which policy decisions can be based.
  • Password expiry notification as claims that an administrator can configure to send to downstream applications to notify the user when their password is about to expire.
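Two of the items above, the OAuth client registration that modern applications need and the new request-context and password-expiry claims, come together when a REST API is onboarded. The following is an added example, not from the original post or from Microsoft, for an AD FS 2012 R2 farm. It assumes a relying party trust named "Contoso API" already exists for the API, that the client ID GUID and redirect URI are placeholders, and that the claim type URIs match the farm's claim catalog (verify with Get-AdfsClaimDescription before relying on them).

```powershell
# Added example (not from the original post). Placeholders: "Contoso API",
# the client ID GUID, the redirect URI and the client name.
Import-Module ADFS

# 1. The OAuth 2.0 authorization endpoint must be enabled for the grant to work.
Enable-AdfsEndpoint -TargetAddressPath "/adfs/oauth2/"
Get-AdfsEndpoint -AddressPath "/adfs/oauth2/" | Select-Object AddressPath, Enabled, Proxy

# 2. Register the public client that uses the authorization-code grant.
#    AD FS 2012 R2 issues it a JWT access token and a refresh token; the
#    redirect URI is the only thing binding the code to this client, so it
#    must be exact and must not be a wildcard.
$clientId = "7c3a1c4e-0000-4000-8000-000000000001"   # placeholder GUID
Add-AdfsClient -Name "Contoso Mobile App" `
               -ClientId $clientId `
               -RedirectUri "ms-app://contoso-mobile/callback"
Get-AdfsClient -Name "Contoso Mobile App" | Select-Object Name, ClientId, RedirectUri

# 3. Pass the request-context and password-expiry claims to the API. The API
#    can log the client IP seen by the Web Application Proxy, key a decision
#    on the client application, and warn the user before the password expires.
$transformRules = @'
@RuleName = "Client IP as seen by the proxy"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"]
 => issue(claim = c);

@RuleName = "Client application (user agent)"
c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"]
 => issue(claim = c);

@RuleName = "Password expiry notification"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"]
 => issue(claim = c);
c:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays"]
 => issue(claim = c);
c:[Type == "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"]
 => issue(claim = c);
'@
Set-AdfsRelyingPartyTrust -TargetName "Contoso API" -IssuanceTransformRules $transformRules

# 4. Confirm the catalog knows these claim types and the rules were stored.
Get-AdfsClaimDescription |
    Where-Object { $_.ClaimType -like "*passwordexpiration*" -or $_.ClaimType -like "*requestcontext*" } |
    Select-Object Name, ClaimType
Get-AdfsRelyingPartyTrust -Name "Contoso API" | Select-Object Name, IssuanceTransformRules
```

When a sign-in fails for this client, search the AD FS Admin event log for the client-request-id reported by the application: the same identifier appears in every event and trace for that request, which is what makes the consistent client-request-id introduced in 2012 R2 useful.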