IT Infrastructure 002: Microsoft ADFS

I was assigned to oversee a migration project from ADFS 2.0 to 3.0, yet I had no clue about it. TechNet articles are very informative, but they are full of Microsoft technical jargon and, as a beginner, I did not find them very useful. It took me a while to wrap my head around the concepts with the help of other tech blogs. If you are totally new to ADFS but have been hearing this term buzzing around your workplace, I hope to provide you with a simple and concise description of this product, so that you will have sufficient knowledge to explore it further.

Looking for a definition?

ADFS stands for Active Directory Federation Service, a product of Microsoft and part of their enterprise software solutions. If you are already familiar with Active Directory (AD), understanding the concept of federation service should not be a problem.

If there is one simple definition you need to take away from here, it is this: ADFS, in essence, allows a user to log in to multiple web applications using one single set of AD credentials, even if those applications are external to your organisation. Of course, those applications will have to be configured to maintain a federation trust with your organisation, and your ADFS server has to be configured to trust them in return.

In other words, it provides users with a single sign-on (SSO) experience when accessing web applications. Does SSO mean that a user only has to log in once, after which every subsequent web application is entered without another prompt? Not necessarily. SSO guarantees that one set of credentials works for all applications; whether the user is prompted again depends on the ADFS configuration: the lifetime of the sign-on session ADFS keeps for the browser, the token lifetime configured for each application, and whether an application insists on a fresh authentication.

Another point worth noting is that ADFS's job is to establish who the user is and to assert claims about that user. What the user is allowed to do once inside an application is still decided by the resource provider, based on those claims.

Why use ADFS?

Implementing ADFS provides the following advantages:

  1. Users log in with their AD credentials, which prevents password fatigue and eliminates the need to maintain a separate account for each application.
  2. Application providers, which may be external to our organisation, do not need to maintain user accounts for our staff.
  3. A central place to manage all our federated relationships and settings with multiple web applications.

There are definitely more ADFS features, I am merely listing those which I found relevant to most organisations.

How does ADFS work?

Imagine a scenario in which a user wants to access some web application that is external to the user’s organisation. How can this be achieved using ADFS?

There are two parties involved in this scenario.

  • First, the Resource Provider that hosts the web application which the user wants to access (the terms Resource Provider, Service Provider and Relying Party all refer to the same entity).
  • Second, the Identity Provider that sits within the user’s organisation and can prove the identity of the user (known in ADFS terminology as the Claims Provider).

ADFS therefore provides a mechanism for an Identity Provider to vouch for the identity of a user, so that a Resource Provider, who trusts the Identity Provider’s claim, will allow this user to gain access to the web application. It is that simple!

  1. A user attempts to use a web application external to the user’s organisation. Before the application will serve the request, the user’s identity needs to be verified.
  2. As the external Resource Provider does not keep a record of the user’s identity, it requires another entity to verify the identity of the user. This role is fulfilled by the Identity Provider within the user’s organisation.
  3. The Identity Provider, when the Resource Provider sends the user to it, verifies the user’s identity against AD, and vouches for the user by issuing a signed token containing claims about that user (name, email, group membership and so on). Hence the term claims-based: from the Resource Provider’s perspective, the user’s identity is whatever the Identity Provider claims it to be.
  4. Once the Resource Provider receives a valid token, it allows the user access.
  5. But before any of this exchange can happen, the Identity Provider and Resource Provider must both be configured to trust each other: the Resource Provider must know which issuer’s signature to accept, and the ADFS server must know which applications it may issue tokens for and what claims to put in them. This relationship is known as a Federation Trust between the two parties.

This mechanism is brokered by the user’s web browser: the Resource Provider redirects the browser to the federation server (the ADFS server acting as Identity Provider), which authenticates the user and returns a signed security token that the browser then presents to the Resource Provider. ADFS carries these requests and tokens over either the WS-Federation or the SAML 2.0 protocol, and the claims themselves are packaged in a SAML assertion signed by the federation server’s token-signing certificate. That signature is what the Resource Provider actually checks before it believes the claims.
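As an added example, not part of the original post and not taken from Microsoft’s documentation, the following script shows how the federation trust and the claim rules from the steps above are set up on the Identity Provider side using the ADFS PowerShell module that ships with ADFS 3.0 on Windows Server 2012 R2, and how the sign-on session lifetime that governs the SSO prompting behaviour discussed earlier is configured. The application name, URLs and group SID are placeholders; the claim rules are written in the standard ADFS claim rule language.

```powershell
# Added example (not from the original post): register an external web application as a
# Relying Party Trust on an ADFS 3.0 federation server, attach claim rules, and export the
# token-signing certificate the application owner must pin. Run on the primary ADFS server
# as a member of the local Administrators group. All names, URLs and SIDs are placeholders.
Import-Module ADFS

$rpName       = "Contoso Expense App"                       # display name in the ADFS console (placeholder)
$rpIdentifier = "https://expenses.contoso.example/"         # the RP's entityID; ADFS puts it in the token's Audience (placeholder)
$rpAcsUrl     = "https://expenses.contoso.example/saml/acs" # Assertion Consumer Service URL (placeholder)

# Steps 3 and 4 of the flow: after authenticating the user, ADFS returns the browser to this
# endpoint with an HTTP POST carrying the signed SAML response.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri $rpAcsUrl -Index 0 -IsDefault $true

# Issuance transform rules: the claims ADFS vouches for. Look up mail and UPN in AD for the
# authenticated Windows account, then reuse the UPN as a persistent SAML NameID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN as persistent NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
'@

# Issuance authorization rules: who gets a token for this application at all. Without an
# explicit rule nobody is permitted; instead of the usual "permit everyone" rule, only
# members of one AD group are allowed (the SID below is a placeholder for that group).
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit only members of the expense-app group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-1105$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 5 of the flow: the federation trust on the Identity Provider side.
Add-AdfsRelyingPartyTrust -Name $rpName -Identifier $rpIdentifier -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -SamlResponseSignature MessageAndAssertion `
    -TokenLifetime 10   # minutes the issued token stays valid; 0 would mean the ADFS default

# The other half of the trust: the application must accept only tokens signed by this
# certificate. Export the primary token-signing certificate for the application owner.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
Export-Certificate -Cert $signing.Certificate -FilePath "C:\Temp\adfs-token-signing.cer"

# How long ADFS keeps a browser signed on across applications: a request that reaches ADFS
# within this window gets a fresh token for another application without a credential prompt.
Set-AdfsProperties -SsoLifetime 480   # minutes

# Check what was registered.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, Enabled, TokenLifetime, SignatureAlgorithm, SamlResponseSignature
```

On the Resource Provider side the checks that make this trust meaningful are: the response and assertion signatures verify against the exported token-signing certificate, the assertion’s Audience equals the identifier registered above, and the NotBefore/NotOnOrAfter conditions are honoured. Note that ADFS renews its token-signing certificate automatically when AutoCertificateRollover is enabled, so either the application consumes the ADFS federation metadata (published at https://<adfs-fqdn>/FederationMetadata/2007-06/FederationMetadata.xml) or the export step has to be repeated before the rollover, otherwise logins will fail.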

Find out more

More information can be found in the following resources:


20170219 Edit: Diagram link has broken. Will find a new ADFS diagram when time permits.