AD FS explained
What is AD FS
Active Directory Federation Services (AD FS) is the claims-based single sign-on (SSO) solution provided by Microsoft. It gives users access to every integrated application and system with just their Active Directory (AD) credentials. AD FS runs on Windows Server as a server role installed through Server Manager, and it is part of the AD family of services.
Components of AD FS
The basic components of AD FS are:
- User account: A user can access resources or applications only through a user account, which is part of the domain.
- AD FS server: This is the star of the show. It is installed as a role on a Windows Server machine that is joined to the domain.
- Target application or resource: This can be an application server, web resource, or cloud resource that has a claims-aware authentication system and a federated trust relationship with AD FS.
How AD FS works
AD FS plays the middleman between the target application or resource and AD to provide authenticated access to users.
Note: The target application or resource must have a federated trust relationship with AD FS before SSO through AD FS can work.
- A user asks to log in to the target application or resource.
- The user is redirected to the AD FS login page. The user enters their username and password here.
- AD FS verifies the given credentials in AD, and if successful, AD issues an authentication claim, which is handed to the user along with the redirection link to the target application or resource. The claim does not contain the username or password; it carries other personal attributes such as first name, last name, and email address.
- The target application or resource accepts this claim and logs the user in.
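The login flow above, as an added example that is not part of the original page or of any AD FS component: a simplified Python model in which the federation server checks credentials against a constructed directory and issues a signed claim of attributes only, and the relying party accepts the claim only if the issuer is in its trust configuration, the signature verifies, and the audience and expiry match. A shared HMAC key stands in for the AD FS token-signing certificate, and the token layout is a stand-in rather than the SAML or WS-Federation format AD FS actually emits; all hostnames, keys and user data are constructed.

```python
import base64, hashlib, hmac, json, time

# Relying party (target application) trust configuration, all constructed values:
# the app accepts claims only from federation servers it has a trust relationship
# with, keyed by issuer with that issuer's signing key (a shared HMAC key here
# stands in for the AD FS token-signing certificate).
RP_IDENTIFIER = "https://app.example.test/"
TRUSTED_ISSUERS = {"https://adfs.example.test/adfs/services/trust": b"constructed-key-1"}

# Constructed stand-in for Active Directory: the federation server checks credentials here.
DIRECTORY = {"jdoe": {"password": "constructed-pw", "givenname": "Jane",
                      "surname": "Doe", "email": "jane.doe@example.test"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_claim(issuer, key, username, password, audience, now=None):
    """Federation-server side: verify the credentials against the directory and,
    on success, issue a signed claim carrying attributes only (never the password)."""
    now = time.time() if now is None else now
    user = DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("authentication failed")
    claims = {"iss": issuer, "aud": audience, "exp": now + 300,
              "givenname": user["givenname"], "surname": user["surname"],
              "email": user["email"]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def accept_claim(token, now=None):
    """Relying-party side: reject the claim unless the issuer is trusted, the
    signature verifies under that issuer's key, and the audience and expiry match.
    Returns only the attribute claims the application logs the user in with."""
    now = time.time() if now is None else now
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise PermissionError("no federated trust with issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("signature does not verify")
    if claims.get("aud") != RP_IDENTIFIER:
        raise PermissionError("claim not intended for this application")
    if claims["exp"] < now:
        raise PermissionError("claim expired")
    return {k: v for k, v in claims.items() if k not in ("iss", "aud", "exp")}
```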
Why use AD FS?
- For users: They only need to remember one set of credentials to access multiple resources.
- For applications: Eliminates the need to store and secure usernames and passwords in a separate database.
- For security: Reduces the attack surface, as authenticated access to many applications is unified into one login.
Limitations and disadvantages of AD FS
- Hidden costs: Although AD FS is a free tool, it requires the purchase of a Windows Server license. Also, the AD FS server and trust certificates need to be maintained by expert technicians, which further escalates costs. Apart from this, there is also the cost of maintaining and backing up the servers.
- Security concerns: Given the improving technologies used by hackers to break into IT systems, AD FS needs added security layers. Also, the machine hosting this server role has to be well protected.
- Complex procedures: The process of establishing a trust relationship and thus implementing SSO is not an easy one. It differs from one application to another, and the primitive UI of AD FS does not help. If you don't have a technician with deep knowledge of all the technologies involved, you will have to hire an expert exclusively for this, which adds to both security concerns and costs.
How ADSelfService can save the day
ADSelfService Plus is an integrated Active Directory single sign-on and self-service password management solution. It supports single sign-on for over a hundred pre-integrated enterprise applications and other custom applications.
ADSelfService Plus SSO configuration is user-friendly and quick. It can support SSO for any application that is SAML-based.
ADSelfService Plus can be installed on any Windows machine that is part of an AD domain and hosted on the internet. This reduces hardware and licensing costs phenomenally. Since it's a web app, it can be accessed anytime, anywhere without compromising security. The ADSelfService Plus web portal logon and integrated application logons can be configured to require advanced multi-factor authentication such as biometrics and YubiKey authenticators.
The annual subscription cost of ADSelfService Plus is only a small fraction of the amount required to set up a full-fledged SSO system using AD FS. We also offer a free version for small businesses with 50 users or fewer.
Other features ADSelfService Plus offers:
- Self-service password management: Enable users to reset forgotten passwords and unlock their accounts without involving the help desk, anytime, anywhere.
- Multi-factor authentication: Secure machine logon, application logon, and VPN logon with over 15 authentication methods that can be configured in minutes.
- Password synchronizer: Sync the Windows Active Directory user password across various platforms automatically, eliminating password fatigue.
- Password policy enforcer: Allow only strong passwords that are equipped to fight dictionary attacks, brute-force attacks, and other password threats.
- Directory self-update: Allow users to update personal information in Active Directory, freeing the help desk from this repetitive task.