Introduction to ADFS
Updated: August 22, 2005
Applies To: Windows Server 2003 R2
ADFS is a component in Microsoft® Windows Server™ 2003 R2 that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights, or "Claims," across security and enterprise boundaries.
ADFS is not:
A database or repository for employee or customer identity data.
An extension of the Active Directory™ directory service schema.
A type of Windows domain or forest trust.
ADFS in Windows Server 2003 R2 supports the WS-Federation Passive Requestor Profile (WS-F PRP).
Key features of ADFS
The following are some of the key features of ADFS in Windows Server 2003 R2:
Federation and Web SSO
When an organization uses the Active Directory™ directory service, it currently experiences the benefit of SSO functionality through Windows-integrated authentication within the organization's security or enterprise boundaries. ADFS extends this functionality to Internet-facing applications, which enables customers, partners, and suppliers to have a similar, streamlined, Web SSO user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organizations to facilitate business-to-business (B2B) federated transactions between partner organizations. For more information about ADFS federation, see Federation scenarios.
Web Services (WS)-* interoperability
ADFS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. ADFS does this by employing the federation specification of WS-*, called WS-Federation. The WS-Federation specification makes it possible for environments that do not use the Windows identity model to federate with Windows environments. For more information about WS-* specifications, see ADFS resources.
ADFS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) token type and Kerberos authentication (in the Federated Web SSO with Forest Trust scenario). ADFS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organizations can use this extensibility to modify ADFS to coexist with their current security infrastructure and business policies. For more information about modifying claims, see Claim mapping.
Extending Active Directory to the Internet
Active Directory serves as a primary identity and authentication service in many organizations. With Windows Server 2003 Active Directory, forest trusts can be created between two or more Windows Server 2003 forests to provide access to resources that are located in different business units or organizations. For more information about forest trusts, see How Domain and Forest Trusts Work on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35356).
However, there are scenarios in which forest trusts are not a viable option. For example, access across organizations may need to be limited to only a small subset of individuals, not every member of a forest.
By employing ADFS, organizations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.
ADFS is tightly integrated with Active Directory. ADFS retrieves user attributes from Active Directory, and it authenticates users against Active Directory. ADFS also uses Windows Integrated Authentication.
ADFS works with both Active Directory and Active Directory Application Mode (ADAM). Specifically, ADFS works with both enterprise-wide deployments of Active Directory or instances of ADAM. When it works with Active Directory, ADFS can take advantage of the strong authentication technologies in Active Directory, including Kerberos, X.509 digital certificates, and smart cards. When it works with ADAM, ADFS uses Lightweight Directory Access Protocol (LDAP) Bind as a means to authenticate users. For more information about how ADFS works with Active Directory and ADAM, see Account stores.
ADFS supports distributed authentication and authorization over the Internet. ADFS can be integrated into an organization's or department’s existing access management solution to translate the terms that are used in the organization into claims that are agreed on as part of a federation. ADFS can create, secure, and verify the claims that move between organizations. It can also audit and monitor the activity between organizations and departments to help ensure secure transactions.