Active Directory Federation Services 2.0: Open Doors to the Cloud
The new Microsoft Active Directory Federation Services promises to greatly increase cloud security.
Microsoft’s Active Directory Federation Services (AD FS) 2.0 promises to simplify secure authentication to multiple systems. It will also do the same for the cloud-based Microsoft portfolio. In addition, the extended interoperability of AD FS 2.0 is expected to offer the same secure authentication to other cloud providers, who already support standard protocols, such as Amazon.com Inc., Google Inc. and Salesforce.com Inc.
AD FS 2.0, formerly known as “Geneva Server,” was released in May. This is the long-awaited extension to Microsoft Active Directory that provides interoperable claims-based federated identity management. By adding AD FS 2.0 to an existing AD deployment, IT can allow individuals to log in once to Active Directory and then use their credentials to sign into any other claims-aware systems or applications.
“The bottom line is we’re streamlining how access should work and how things like single sign-on should work from on-premises to the cloud,” says John “J.G.” Chirapurath, senior director in the Microsoft Identity and Security Business Group.
Unlike the first release, AD FS 2.0 supports the widely implemented Security Assertion Markup Language (SAML) 2.0 standard. Many third-party cloud services use SAML 2.0-based authentication; it’s the key component in providing interoperability with other applications and cloud services.
“We look at federation and claims-based authentication and authorization as really critical components to the success and adoption of cloud-based services,” says Kevin von Keyserling, president and CEO of Independence, Ohio-based Certified Security Solutions Inc. (CSS), a systems integrator and Microsoft Gold Certified Partner.
While AD FS 2.0 won’t necessarily address all of the security issues that surround the movement of traditional systems and data to the cloud, by all accounts it removes a key barrier—especially for applications such as SharePoint, and certainly for the gamut of applications. Many enterprises have expressed reluctance to use cloud services, such as Windows Azure, because of security concerns and the lack of control over authentication.
“Security [issues], particularly identity and the management of those identities, are perhaps the single biggest blockers in achieving that nirvana of cloud computing,” Chirapurath says. “Just like e-mail led to the explosive use of Active Directory, Active Directory Federation Services will do the same for the cloud.”
Because AD FS 2.0 can easily be integrated into applications running in Windows Azure, organizations can use claims-based digital tokens, that will work with both Windows Server 2008 and the cloud-based Microsoft services, enabling hybrid cloud networks. The aim is to let a user authenticate seamlessly into Windows Server or Windows Azure and share those credentials with applications that can accept a SAML 2.0-based token.
Developers can also make their .NET applications identity-aware with Microsoft Windows Identity Foundation (WIF).
WIF provides the underlying framework of the Microsoft claims-based Identity Model. Implemented in the Microsoft .NET Framework, apps developed with WIF present authentication schema, such as identification attributes, roles, groups and policies, along with a means of managing those claims. Applications built by enterprise developers and ISVs based on WIF will also be able to accept these claims.
Pass-through federated authentication in AD FS 2.0 is enabled by accepting tokens based on both the Web Services Federation (WSFED), WS-Trust and SAML standards. While Microsoft has long promoted WSFED, it only agreed to support the more widely adopted SAML spec 18 months ago.
Take It to the Bank
Danny Kim, CTO of Boston-based Microsoft Gold Certified Partner FullArmor Corp., who has stress-tested AD FS 2.0, says he already has major clients that want to use it to deploy systems into the cloud.
“AD FS 2.0 does the linking of identities back to our server space and our cloud-based services, and we have one version that works across all of those environments,” Kim says.
One major investment bank in New York is among those that want to roll it out right away to allow users to authenticate against applications hosted on the FullArmor Windows Azure-based systems, according to Kim.
“This is a security-conscious company that has said, ‘Unless security is guaranteed, we’re not going to deploy these services in the cloud,’” Kim says. At the same time, Kim adds, the bank wants to ultimately stop buying and running servers as soon as it’s safe to move to the cloud. AD FS 2.0 maps the user’s token into AD, which is passed through to other AD FS 2.0-enabled systems, Kim explains.
Just as important, Microsoft officials say, is the fact that Microsoft can now also pass those claims through to any SAML-based system. Microsoft went through interoperability testing with other vendors through the Liberty Alliance, a standards organization that oversees identity-management specifications.
“We and a bunch of vendors got together … and they tested out SAML protocol implementation, and they found it to be conformant across a whole bevy of test cases,” said Matt Steele, senior program manager on the AD FS team at Microsoft, speaking on a Microsoft Channel 9 Video after the AD FS release candidate was posted. “That means we can advertise, like we’ve always wanted to, that AD FS 2.0 implements the SAML protocol and we’re interoperable with all these vendors across all these test cases.”
Will Implementations Match Tests?
Still, some argue that Microsoft may be over-promising. For example, it remains to be seen how compatible SAML tokens are with those provided by other vendors’ platforms, says Patrick Harding, CTO of Ping Identity Corp., which provides its own single sign-on server that works across multiple platforms.
“We’ve been doing SAML for about four years,” says Harding, whose company is both a Microsoft competitor and partner. “We know full well that SAML in the lab and SAML in the real world can be very, very different, especially when you get a lot of SaaS [Software as a Service] vendors who choose to write their own SAML implementations—and there are always nuances with those.”
Harding also wonders how quickly the .NET development community will embrace WIF. “While it’s a good idea, WIF does require developers to learn from the ground up a brand-new paradigm and a brand-new development framework for how they need to integrate their apps into AD FS,” Harding says.
However, Kim disagrees. “For developers who are familiar with the .NET environment, I don’t think there’s a significantly high learning curve,” he says.
Quest develops familiar development tools, also to reduce the small learning curve. As a bonus, says Sotnikov, “Some tools and cloud platforms don’t really allow us to reuse our existing C++ and C# code, but this solution did—up to 50 percent of existing code.”
Those issues aside, Harding acknowledges that the release of AD FS 2.0 will likely pave the way for new cloud-computing initiatives. “AD FS 2.0 is a big deal because it validates that federated identity management is important; it’s going to become a must-have for cloud computing and SaaS computing,” he says. “All boats rise with Microsoft, and this is going to make people comfortable with the fact that federation is real.”
Not in the Cards
Just days prior to the release of AD FS 2.0, Microsoft put on hold the next version of its CardSpace identity selector for Information Cards, called CardSpace 2.0, which was to provide a common UI for managing multiple log-ins. CardSpace 2.0, which had been in beta since last year, works with AD FS 2.0 and WIF. To provide a bridge for CardSpace 2.0 beta evaluators, Microsoft recently released a community technology preview (CTP) of an add-on to AD FS 2.0 that will enable Windows Server to issue Information Cards.
“There’s a lot going on in the Information Card space, especially when you consider cryptographic technologies like U-Prove, which we rolled out at the RSA conference,” says Joel Sider, a senior product manager in the Forefront security group at Microsoft. “There are also new standards like OpenID. We want to address some of the new trends.”
That raises the question: Is CardSpace 2.0 going to see the light of day? “There’s certainly support for Information Cards; our involvement in Information Cards is alive and well,” Sider says. Microsoft is not saying when it will update its CardSpace 2.0 plans, but some are wondering whether the technology has a future.
The uncertain fate of CardSpace 2.0 is “no surprise given its limited adoption,” according to Harding. “Unfortunately, it has also really upset all of those people and companies that have bought into the InfoCard model at the urging of Microsoft.”
But the shift in plan became somewhat inevitable in early March this year when Scott Charney, Microsoft corporate vice president of Trustworthy Computing, launched the CTP of the company’s U-Prove technology at the annual RSA Conference in San Francisco. The U-Prove product centers on the issuance of digital tokens, which allow users to control how much information is shared with the recipient of the tokens.
Used against AD FS 2.0, U-Prove lets users federate identities across trusted domains. Microsoft released U-Prove under its Open Specification Promise (OSP) and also donated two reference toolkits for implementing the algorithms under the FreeBSD License. Moreover, Microsoft released a second specification under its OSP for integrating U-Prove into open-source identity selectors. How that will play out, in terms of whether the .NET and open source communities embrace U-Prove, remains to be seen.
Numerous Windows IT pros and security experts seem bullish on AD FS 2.0. Von Keyserling, of CSS, is among those who believe that AD FS 2.0 will play a key role in providing improved cloud security.
“We’ve been working with very large global enterprises and helping them build federation models that make it an easier transition into the cloud-computing environment,” von Keyserling says. “It extends the ability to help manage identity across organizations that are separate identities.”
For example, according to von Keyserling, if CSS and a client wanted to collaborate on a system that was hosted either locally, through a shared server pool, or in the cloud, the two organizations could actually federate their services together, making it easier for both to manage their own employees’ identities.
“Using your existing identity infrastructure and applying that up into the cloud, hosted by Microsoft or through hosted SharePoint, certainly identity is at the center of security in our view, and it’s certainly a very key consideration for cloud security overall,” he adds.
Chirapurath says that’s a key focus within Microsoft. “When you think about identity, it’s really the keys to the store because an identity says who you are and what you can do,” he says. “A lot of times, the challenges to cloud computing are in the realm of identity. What AD FS allows you to do is share those on-premises identities with the cloud; it can be Windows Azure or any other cloud that supports SAML or [the WS standards], so you can leverage your existing investments in on-premises Active Directory and make those identities work in your cloud-computing efforts.”
AD FS 2.0 Implementation
Microsoft says AD FS 2.0 can be implemented atop AD without any schema extensions being necessary. It needs to be installed on Windows Server 2008 or 2008 R2.
Microsoft is also hoping that Windows shops will adopt the new, Forefront Identity Manager (FIM) 2010 platform, released in March. FIM is a repository that manages identities, access rights and credentials, as well as policies associated with them. It also allows IT managers to administer identities through a SharePoint-based admin console.
There are many issues related to cloud security that could be showstoppers for deploying applications in the cloud. Compliance, data integrity and understanding the implications of multi-tenancy are among a few.
When it comes to identity management, however, Microsoft and others have made key strides in bolstering the infrastructure to pass through common identities—but work still remains on the client side. Nonetheless, with AD FS 2.0, enterprises that are considering using cloud services can benefit from adding the free upgrade to Windows Server.
“The end user can have the same experience in the cloud as if they were inside their own network; that’s one of the advantages or drivers for these large enterprises looking at taking up the Federation Services and extending it,” von Keyserling says. “It provides cloud services without having to stop and deal with password resets and credential management, and allows [companies] to focus on the execution of their business strategy versus the day-to-day nuances of dealing with security issues.”
Sidebar: Key Identifiers
- Active Directory Federation Services (AD FS) 2.0: An extension to Active Directory that promises to allow claims-based federated identity management seamlessly through
- Windows Server, Windows Azure and other cloud services and applications.
- SAML 2.0: The widely supported XML standard for exchanging identity information between security domains is now in AD FS 2.0.
- WSFED: WS-Federation is the core specification that AD FS was originally built upon. As SAML became the de facto standard, Microsoft added support for that spec in the new release.
- Windows Identity Foundation (WIF): WIF provides the underlying framework of the Microsoft claims-based Identity Model. Implemented in the .Net Framework, apps present authentication schema such as identification attributes, roles, groups and policies, as well as a means of managing those claims. WIF-based apps built by enterprise developers and ISVs will be able to accept these claims.
- CardSpace v1: A component in the Microsoft .NET Framework that provides the identity selectors that are native in Windows 7 and Windows Vista.
- U-Prove: This centers on the issuance of digital tokens that allow users to control how much information is shared with the recipient of the token. Used against AD FS 2.0, U-Prove lets users federate identities across trusted domains. A community technology preview was released in March.
- OpenID: The de facto standard for providing an identifier, supported by Microsoft, Google Inc., Yahoo! Inc., VeriSign Inc. and a number of key blogging and social networking sites.