Overview of AD FS 2.0
Published: October 21, 2010
Updated: July 31, 2012
Applies To: Unified Access Gateway
With Forefront Unified Access Gateway (UAG), you can provide remote and partner employees with access to your published applications using Active Directory Federation Services (AD FS) for authentication and authorization.
This topic describes:
For more information about AD FS, see Active Directory Federation Services Overview.
What is AD FS?
AD FS is an identity access solution that provides browser-based clients (internal or external to your network) with seamless, "one prompt" access to one or more protected Internet-facing applications, even when the user accounts and applications are located in different networks or organizations.
When an application and user accounts are in different networks, it is typical for users to encounter prompts for secondary credentials when they attempt to access the application. These secondary credentials represent the identity of the users in the realm in which the application resides. The web server that hosts the application usually requires these credentials so that it can make the most appropriate authorization decision.
AD FS provides federated trust relationships that you can use to project a user's digital identity and access rights to trusted partners, thus making secondary accounts and their credentials unnecessary. In a federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.
Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:
Resource organization—Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties, or other departments or subsidiaries that are in the same organization.
Account organization—Organizations that own and manage user accounts can deploy AD FS federation servers that authenticate local users, and create security tokens that federation servers in the resource organization can use later to make authorization decisions.
AD FS 2.0 features
AD FS 2.0 has the following features:
An enterprise claims provider for claims-based applications
AD FS 2.0 includes a federation server that issues tokens that contain claims about authenticated users. Applications that are built on the claims-based identity model have several advantages for information technology (IT) professionals. These applications:
Provide a single-sign-on (SSO) experience across multiple claims-aware applications.
Provide access to a claims-aware application to users in another organization.
Reduce the risk that custom applications issue processor-intensive authentication requests that unexpectedly burden corporate directory services, because the federation server authenticates the user once and the application consumes the claims in the resulting token instead of querying the directory itself.
A federation server for identity federation across domains
AD FS 2.0 provides a federation server that web browser applications can use for federated SSO across domains. This helps reduce administrative overhead, reduce security vulnerabilities due to lost or stolen passwords, and improve user productivity through SSO.
Improved support for federation trusts
AD FS 2.0 has improved support for federation trusts that speeds up the process of establishing them. AD FS 2.0 uses industry-standard metadata formats (WS-Federation and SAML 2.0 metadata) when it establishes trusts between federation partners, and a partner can establish a new trust quickly by pointing its federation server at the other partner's federation metadata endpoint URL. This lets you add trusts quickly and eases certificate management between partners, because AD FS 2.0 imports the partner's token-signing and encryption certificates from the metadata when it creates the trust. It also improves the reliability of trust establishment by reducing the number of manual steps. Because the metadata is fetched from the partner, confirm the partner's token-signing certificate thumbprint out of band before you rely on a trust created this way.
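The following is an added example, not code from this article or from AD FS itself. It parses a WS-Federation metadata document of the shape an AD FS 2.0 federation server publishes at /FederationMetadata/2007-06/FederationMetadata.xml and pulls out what an administrator reviews before importing it as a trust: the entity ID, the role the partner advertises (a claims provider publishes SecurityTokenServiceType, a relying party ApplicationServiceType), the passive browser endpoint, the claim types offered, and the SHA-1 thumbprint of each token-signing certificate, which is then compared with thumbprints the partner confirmed out of band. The sample metadata, host names and the certificate blob (sixteen arbitrary bytes, not a real certificate) are constructed for this example.

```python
"""Review AD FS 2.0 federation metadata before creating a trust.

Added example, not Microsoft code. SAMPLE_METADATA is constructed: the shape
follows what AD FS 2.0 publishes, the host names are fictional and the
X509Certificate content is sixteen arbitrary bytes rather than a certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://sts.accountorg.example/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAECAwQFBgcI
          CQoLDA0ODw==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesOffered>
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
          Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true"/>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>https://sts.accountorg.example/adfs/ls/</wsa:Address>
      </wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def thumbprint(b64_der: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the form the AD FS console shows.
    Metadata often wraps the base64 across lines, so whitespace is stripped first."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_federation_metadata(xml_bytes: bytes) -> dict:
    """Extract the fields an administrator reviews before creating a trust."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML/WS-Federation EntityDescriptor: %s" % root.tag)
    info = {"entity_id": root.get("entityID"), "roles": [],
            "signing_thumbprints": [], "claim_types": [], "passive_endpoints": []}
    for role in root.findall("md:RoleDescriptor", NS):
        # xsi:type is fed:SecurityTokenServiceType for a claims provider and
        # fed:ApplicationServiceType for a relying party; keep the local name only.
        info["roles"].append(role.get("{%s}type" % NS["xsi"], "").split(":")[-1])
        for cert in role.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS):
            info["signing_thumbprints"].append(thumbprint(cert.text))
        for claim in role.findall("fed:ClaimTypesOffered/*", NS):
            info["claim_types"].append(claim.get("Uri"))
        for addr in role.findall("fed:PassiveRequestorEndpoint//wsa:Address", NS):
            info["passive_endpoints"].append(addr.text.strip())
    return info


def check_partner_trust(xml_bytes: bytes, expected_role: str, confirmed_thumbprints) -> list:
    """Return the reasons not to import this metadata; an empty list means go ahead."""
    info = parse_federation_metadata(xml_bytes)
    problems = []
    if expected_role not in info["roles"]:
        problems.append("metadata has no %s role (found %s)" % (expected_role, info["roles"]))
    if not info["signing_thumbprints"]:
        problems.append("no token-signing certificate published")
    confirmed = {t.replace(" ", "").upper() for t in confirmed_thumbprints}
    for tp in info["signing_thumbprints"]:
        if tp not in confirmed:  # the out-of-band check the metadata itself cannot provide
            problems.append("signing certificate %s not confirmed out of band" % tp)
    for ep in info["passive_endpoints"]:
        if not ep.lower().startswith("https://"):
            problems.append("passive endpoint is not HTTPS: %s" % ep)
    return problems


if __name__ == "__main__":
    found = parse_federation_metadata(SAMPLE_METADATA)
    print(found)
    # With the thumbprint confirmed by the partner there is nothing to report.
    print(check_partner_trust(SAMPLE_METADATA, "SecurityTokenServiceType",
                              found["signing_thumbprints"]))
    # An unconfirmed certificate, or the wrong role for the trust type, is reported.
    print(check_partner_trust(SAMPLE_METADATA, "ApplicationServiceType", ["00" * 20]))
```

The script deliberately does not fetch the document: AD FS retrieves metadata over HTTPS itself when you give the trust wizard the endpoint URL, and the value this adds is the comparison against a thumbprint obtained through a separate channel. If you do download partner metadata yourself, parse it with a hardened parser such as defusedxml rather than the standard-library ElementTree used here for brevity, since the document comes from another organization.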