What is Active Directory Federation Services (ADFS): A simple overview

Active Directory Federation Services (ADFS) is a technology created by Microsoft that allows users to sign on to different applications with single sign-on (SSO). SSO allows a user to log in with a single ID and password to several applications across organizational boundaries. An authentication token is created, and is passed to different applications for seamless logins. Within these tokens are claims about the identity of the user. Therefore, while SSO is the process of authenticating across applications, ADFS is the technology that enables it.

ADFS is usually installed as a component (or role) in a domain controller (DC) running a Windows Server operating system. To do this:

  • Launch Server Manager in your Windows operating system.
  • Navigate to Add Roles and Features -> Server Installation -> Server Roles -> Select Active Directory Federation Services.
  • Complete the process of adding this new role.

The challenges in a world without ADFS

Web-based applications are now the norm everywhere. The users of these applications range from a company's own employees to a third party's (e.g., a supplier's or partner's) employees, so there has to be a way to authenticate both internal and external users. ADFS is concerned with the latter.

In a world without ADFS, a user account and credentials would need to be created for each external user within the organization's AD forest. However, this has two main limitations in the long run:

  • External users will have to remember a new password, and the organization's IT team has to support password management activities such as account lockouts and password resets for these users. This increases the burden on the organization's IT team.
  • The organization has to set policies for user account creation, deletion, and modification for external users. User lifecycle management will be complex for these users.

To overcome these limitations, an organization could create a forest level trust between itself and the third-party organization. However, this can lead to privacy issues.

The best solution to this would be to use ADFS. With ADFS, an external user can use their local logon credentials to access authorized resources in their own environment, and then access external resources in another environment, with a single authentication. A trust relationship (or federation) is created between the two environments. The organization to which an external user belongs is called an account organization, and the organization which contains the resource or application that needs to be accessed by the user is called a resource organization.

How does ADFS work: The ADFS architecture

The ADFS architecture is depicted in the diagram below:

Here are the steps of authenticating a user from an account environment in the resource environment using ADFS:
  • A user from the account environment attempts to access a particular web application in the resource environment.
  • The user is redirected to the resource ADFS server, which determines if the user is from a trusted account environment. If this is true, the user gets an authentication token from the resource ADFS server.
  • The resource ADFS server requests the user to obtain a security token from the account ADFS server.
  • The user presents the authentication token to the account ADFS server.
  • The account ADFS server now authenticates the user against AD DS or AD LDS. If this succeeds, the account ADFS server pulls the associated claims about the user and packages them within a security token.
  • The user is now redirected to the resource ADFS server where the claims about the user are examined. The claims are used to ascertain the unique identity of the user and determine if the user can get access to the web application.
  • If the claims check is successful, a new security token is given to the user. This is stored as an authentication cookie on the user's computer.
  • The user presents the authentication cookie to the web application and gets successfully logged in.
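The token exchange in the steps above, as an added Python example that is not part of the original page or of ADFS itself: the account side packages claims into a signed token, and the resource side accepts it only after checking that the issuer is a federated account organization and that the signature, audience and expiry hold, then applies the relying party's claim rule before issuing its own token. The issuer names, keys, relying party URL and the HMAC signature standing in for ADFS's X.509 token-signing certificate are all constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed trust registry (issuer name -> key); HMAC stands in for ADFS's X.509 token-signing certificate.
ACCOUNT_KEYS = {"adfs.account.example": b"account-signing-key"}
RESOURCE_KEY = b"resource-signing-key"
RESOURCE_AUDIENCE = "urn:resource:adfs"
RELYING_PARTY_RULES = {"https://app.resource.example": {"group": "Partner-App-Users"}}  # claim rule

def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_token(issuer, key, subject, audience, claims, now, lifetime=300):
    """Account ADFS side: package the user's claims into a signed security token (now = epoch seconds)."""
    body = {"iss": issuer, "sub": subject, "aud": audience, "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + _sign(key, payload)

def validate_token(token, trusted_issuers, expected_aud, now):
    """Resource ADFS side: accept a token only if issuer, signature, audience and expiry all check out."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.b64decode(b64)
        body = json.loads(payload)
    except (ValueError, TypeError):
        return None, "malformed token"
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        return None, "issuer not federated"
    if not hmac.compare_digest(_sign(key, payload), sig):
        return None, "bad signature"
    if body.get("aud") != expected_aud:
        return None, "wrong audience"
    if body.get("exp", 0) <= now:
        return None, "expired"
    return body, "ok"

def authorize(account_token, relying_party, now):
    """Check the claims against the relying party's rule; if met, issue the resource token (the auth cookie)."""
    body, reason = validate_token(account_token, ACCOUNT_KEYS, RESOURCE_AUDIENCE, now)
    if body is None:
        return None, reason
    rule = RELYING_PARTY_RULES.get(relying_party)
    if rule is None:
        return None, "unknown relying party"
    for claim, value in rule.items():
        if value not in body["claims"].get(claim, []):
            return None, f"missing claim {claim}={value}"
    return issue_token("adfs.resource.example", RESOURCE_KEY, body["sub"],
                       relying_party, body["claims"], now), "ok"
```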

Auditing ADFS with ADAudit Plus

ADAudit Plus is a comprehensive Active Directory auditing solution that can monitor and track all successful and unsuccessful ADFS authentications. Furthermore, it can also track extranet lockouts which, to put it simply, are lockouts that happen when authenticating external users.

To access information about ADFS in ADAudit Plus:
  • Open the web console of ADAudit Plus.
  • Navigate to Server Audit -> ADFS Auditing.

Three reports are available:
  • Logon Success
  • Extranet Lockout
  • Logon Failure

As an example, here's a sample Logon Success report. The information in this report includes, but is not limited to:
  • The username of the user who successfully logged on.
  • The logon time and date.
  • The federation server which was used to log on.
  • The IP address of the user who logged on.
  • A check whether the user logged on from inside the corporate network.
  • The Relying Party or the application that the user accessed.
  • The caller identity.
  • The issued claims.
Going into caller identity gives more information about the user as the example below shows:

Going into issued claims gives information about the claims that were actually used to authenticate the user. Here's a sample screenshot that gives this information:
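As an added example (not ADAudit Plus code and not its export format), here is Python that runs the kind of check an analyst would apply over records carrying the report fields listed above: it finds users whose failed logons from outside the corporate network cluster closely enough to trip an extranet lockout, and then flags any external logon success that follows such a burst. The record layout, names, timestamps, IP addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(result, user, time, ip, inside_corp_net, server="ADFS01", relying_party="https://app.resource.example"):
    return dict(result=result, user=user, time=time, ip=ip, inside_corp_net=inside_corp_net,
                server=server, relying_party=relying_party)

# Constructed records (not an ADAudit Plus export) using the report fields listed above: one clean external
# logon, a burst of external failures then a success for bob, internal failures for carol, spread-out ones for dave.
RECORDS = [
    rec("Success", "alice@partner.example", "2024-03-01T08:00:00", "203.0.113.5", False),
    rec("Failure", "bob@partner.example", "2024-03-01T08:01:00", "198.51.100.7", False),
    rec("Failure", "bob@partner.example", "2024-03-01T08:02:00", "198.51.100.7", False),
    rec("Failure", "bob@partner.example", "2024-03-01T08:04:00", "198.51.100.7", False, server="ADFS02"),
    rec("Success", "bob@partner.example", "2024-03-01T08:06:00", "198.51.100.7", False, server="ADFS02"),
    rec("Failure", "carol@corp.example", "2024-03-01T08:01:00", "10.0.0.8", True),
    rec("Failure", "carol@corp.example", "2024-03-01T08:02:00", "10.0.0.8", True),
    rec("Failure", "carol@corp.example", "2024-03-01T08:03:00", "10.0.0.8", True),
    rec("Failure", "dave@partner.example", "2024-03-01T07:00:00", "192.0.2.9", False),
    rec("Failure", "dave@partner.example", "2024-03-01T07:30:00", "192.0.2.9", False),
    rec("Failure", "dave@partner.example", "2024-03-01T08:00:00", "192.0.2.9", False),
]

def extranet_failure_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Users with >= threshold external failures inside one sliding window (what trips an extranet lockout)."""
    failures = defaultdict(list)
    for r in records:
        if r["result"] == "Failure" and not r["inside_corp_net"]:
            failures[r["user"]].append(datetime.fromisoformat(r["time"]))
    flagged = {}  # user -> (failures in the window, time of the last one)
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = (end - start + 1, t)
    return flagged

def success_after_burst(records, bursts):
    """External logon successes by a user after that user's failure burst; each is worth an analyst's look."""
    hits = []
    for r in records:
        burst = bursts.get(r["user"])
        if (burst and r["result"] == "Success" and not r["inside_corp_net"]
                and datetime.fromisoformat(r["time"]) > burst[1]):
            hits.append((r["user"], r["ip"], r["time"]))
    return hits
```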

About ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports, and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can also track ADFS logon successes, ADFS logon failures, and extranet lockouts with ADAudit Plus. In total, the solution has 200+ reports and real-time alerts to keep your network environment secure. To learn more, visit https://www.manageengine.com/active-directory-audit/.

Is managing the ADFS activities of users proving to be complicated? Simplify this by getting your hands on ADAudit Plus.
