The Secret Security Wiki


Active Directory Federation Services

Active Directory Federation Services (AD FS) is a component of Active Directory (AD), the identity directory service for users, computers, and applications that Microsoft develops and markets for use on Windows domains. AD FS gives AD users the ability to access off-domain resources (e.g. web-based services or another domain) using their AD domain credentials. AD FS uses the concept of identity federation to let users on one domain access another domain without authenticating separately to it.

To enable identity federation, a trust relationship is established between two domains – the one where AD FS is running and an external resource/domain. Once trust is established, AD FS can provide attestations about the authenticated identities of users to the external domain instead of requiring users to authenticate separately.

  • Is AD FS an identity provider?

    AD FS is the component of Active Directory responsible for identity federation. It is not an identity provider per se; it works with other components in AD that provide identity services.

  • What is AD RMS?

    Active Directory Rights Management Services (AD RMS) is an information rights management system designed to control access and permissions to documents such as corporate e-mails, Microsoft Word documents, and web pages. Control is achieved by encrypting the document/content and requiring the user to seek permissions and the decryption key from AD RMS.

  • What is Identity federation?

    Identity federation is an arrangement in which two independently managed domains establish trust between themselves so that the identity-providing system of one domain can attest to the other that it has successfully authenticated a user, and the second domain accepts this attestation in lieu of performing its own authentication.

  • What is AD FS SSO?

    AD FS allows a user to authenticate in one domain and get access to another domain without any additional authentication, which creates a single sign-on (SSO) effect.

  • Is AD FS the same as SAML?

    AD FS uses the Security Assertion Markup Language (SAML) to provide attestations to other domains that the user’s identity has been authenticated; SAML is the assertion format, AD FS is the service that issues and consumes it.

  • What is Microsoft information rights management (IRM)?

    Information Rights Management (IRM) is a component of Microsoft SharePoint and Exchange that helps prevent sensitive information from being printed, forwarded, saved, edited, or copied by unauthorized people. IRM uses Active Directory Rights Management Services to manage access and permissions to protected content.

  • What is the purpose of Active Directory Domain Services?

    Active Directory Domain Services (AD DS), the service hosted on the domain controller, stores all the user and computer information for members of a Windows domain network, verifies their credentials and defines their access rights. When a user wants to log on to an AD-managed computer, or access the domain network or any resource on it, the domain controller is contacted to verify the user’s credentials and access permissions.

  • Does AD FS use LDAP, and what are the differences between the two?

    LDAP:

    • Communicates using TCP/UDP on port 389 (or port 636 for LDAPS)
    • Contains commands for searching/retrieving/adding/deleting/modifying users, profiles and other directory entries
    • Cannot be performed directly by a web browser; however, HTTP authentication can be translated to LDAP using modules such as Apache’s mod_authnz_ldap.
    • When used for third-party website authentication, requires that username & password are provided to the third-party, which is not ideal for security.
    • Is more of an open standard and has numerous Linux implementations.

    AD FS:

    • Better designed for the web, as it communicates over standard HTTPS
    • Follows a safer process, similar (but not identical) to OAuth, in which the original username/password are provided directly to the organization’s AD FS server (or a proxy, but never to the third party); if the credentials are valid, the server returns a unique token that can be used to access the third-party website.
    • Although it makes use of some open standards (HTTPS, SAML, etc.), it is Microsoft-specific and requires Internet Information Services (IIS), which only runs on Windows Server.
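As an added example (not code from the wiki), the checks a relying party performs on a SAML assertion before accepting the federation server's attestation in lieu of its own authentication: the issuer must be the trusted AD FS server, the assertion must be addressed to this relying party, and it must be inside its validity window. The assertion, issuer URL and entity IDs below are constructed for illustration; XML signature verification, which is mandatory in practice, is assumed to happen before these checks.

```python
"""Relying-party checks on a SAML 2.0 assertion from a federation server such as AD FS."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the issuer and audience URLs are hypothetical.
# A real assertion also carries a ds:Signature, which must be verified against
# the IdP certificate exchanged when the trust relationship was set up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.partner.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, our_entity_id, now):
    """Return (accepted, reason, name_id). Reject on the first failed check."""
    root = ET.fromstring(xml_text)
    # 1. The attestation must come from the federation server we trust.
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "issuer not in trust relationship", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    # 2. NotBefore is inclusive, NotOnOrAfter is exclusive (SAML Core 2.5.1.2).
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", None
    # 3. An assertion minted for another relying party must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if our_entity_id not in audiences:
        return False, "assertion not addressed to this relying party", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no subject in assertion", None
    return True, "ok", name_id
```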