Microsoft’s Active Directory Federation Services (ADFS) is based on the SAML 2.0 standard and provides claims-based single sign-on across applications and platforms. Because it can authenticate against a company’s Active Directory Domain Services, users log on once and do not have to sign into each of the programs and services that support, and are configured to use, SAML authentication. This now includes cloud services too.
ADFS is a standard feature of Windows Server 2012, and its importance will only increase as organizations keep adding new SaaS providers to help them with specific business functions. CMS CEO Brian Bourne actually calls ADFS out in “Top 5 Projects that should be on every IT Infrastructure Managers Checklist in 2014”, his year-end article at ITBusiness.ca.
Probably the best-known example is using ADFS for Office 365, where users can sign in with their corporate credentials. Moreover, those corporate credentials can be used in any of the following sign-in scenarios: from a work computer on the corporate network; roaming with a work computer; and from a public or home computer. With the most recent mobile device management updates for Windows Server 2012, single sign-on scenarios can even include mobile devices. Just imagine: you don’t need to create or configure an account for corporate email or a web service; all you need is to authorize your device once and you get access to all corporate applications!
Virtually any cloud service that supports SAML authentication can be included in an ADFS-based sign-in process. For example, if a corporation uses Gmail as its email tool and wants to give users a single sign-on experience, ADFS can provide integrated access. The Google account and the corporate user account may not share any username, password or authentication database, but with ADFS in this scenario, Google checks and validates the claim constructed by ADFS and grants access to the Gmail mailbox.
Given the key role ADFS plays in the authentication and authorization part of hybrid scenarios, its high availability is absolutely essential. If your organization is moving to Office 365 and you have only one ADFS server, nobody will be able to access any cloud-based services while ADFS is down.
As a major piece of the authentication process, your ADFS server must be protected from outside access. The general rule of thumb: treat your ADFS server the same way as a domain controller. This can be achieved in different ways, but one of the best is to use an ADFS proxy server, a dedicated ADFS role created for external access scenarios. If an ADFS proxy server in the perimeter network is successfully attacked, the attacker takes over a stand-alone server that holds no valuable information and is not involved in the authentication process.
One aspect to keep in mind is the user experience with ADFS and Office 365. Single sign-on for Office 365 works seamlessly for SharePoint, Lync (once the single sign-on assistant is installed), and the Office products, except Outlook. Microsoft may integrate Outlook in the future too, but for now, Outlook users with Office 365 will always see a separate authentication box at least once.