Active Directory Federation Services

Last updated

Active Directory Federation Services (AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity. [1] Claims-based authentication involves authenticating a user based on a set of claims about that user's identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims-based authentication. [2] It is part of the Active Directory Services.

Contents

Details

In AD FS, identity federation [3] is established between two organizations by establishing trust between two security realms. A federation server on one side (the accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including their identity. On the other side, the resources side, another federation server validates the token and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.

In practice a user might typically perceive this approach as follows:

  1. The user logs into their local PC (as they typically would when commencing work in the morning).
  2. The user needs to obtain information from a partner company's extranet website, for example to obtain pricing or product details.
  3. The user navigates to the partner-company extranet site, for example: http://example.com.
  4. The partner website now does not require any password to be typed in; instead, the user credentials (in a secure assertion) are passed to the partner extranet site using AD FS.
  5. The user is now logged into the partner website and can interact with the website as if logged in.

AD FS integrates with Active Directory Domain Services, using it as an identity provider. AD FS can interact with other WS-* and SAML 2.0-compliant federation services as federation partners. [4]

Versions

See also

Related Research Articles

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Directory. However, it ultimately became an umbrella title for various directory-based identity-related services.

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

On Microsoft Servers, a domain controller (DC) is a server computer that responds to security authentication requests within a Windows domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

Windows Services for UNIX (SFU) is a discontinued software package produced by Microsoft which provided a Unix environment on Windows NT and some of its immediate successor operating-systems.

<span class="mw-page-title-main">Windows Server 2008</span> Fourth version of Windows Server, released in 2008

Windows Server 2008, codenamed "Longhorn Server", is the fourth release of the Windows Server operating system produced by Microsoft as part of the Windows NT family of the operating systems. It was released to manufacturing on February 4, 2008, and generally to retail on February 27, 2008. Derived from Windows Vista, Windows Server 2008 is the successor of Windows Server 2003 and the predecessor to Windows Server 2008 R2.

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft LAN Manager (LANMAN), an older Microsoft product. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. Whether these protocols are used or can be used on a system which is governed by Group Policy settings, for which different versions of Windows have different default settings.

Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.

In computer systems, an access token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges, and, in some cases, a particular application. In some instances, one may be asked to enter an access token rather than the usual password.

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

<span class="mw-page-title-main">Windows Server 2008 R2</span> Fifth version of Windows Server, released in 2009

Windows Server 2008 R2, codenamed "Windows Server 7", is the fifth version of the Windows Server operating system produced by Microsoft and released as part of the Windows NT family of operating systems. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009, shortly after the completion of Windows 7. It is the successor to Windows Server 2008, which is derived from the Windows Vista codebase, released the previous year, and was succeeded by the Windows 8-based Windows Server 2012.

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems, receiving updates and improvements with each version of Windows. Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2 in 2009.

Access Control Service, or Windows Azure Access Control Service (ACS) was a Microsoft-owned cloud-based service that provided an easy way of authenticating and authorizing users to gain access to web applications and services while allowing the features of authentication and authorization to be factored out of the application code. This facilitates application development while at the same time providing users the benefit of being able to log into multiple applications with a reduced number of authentications, and in some cases only one authentication. The system provides an authorization store that can be accessed programmatically as well as via a management portal. Once authorizations are configured, a user coming to an application via ACS arrives at the application entrance with not only an authentication token, but also a set of authorization claims attached to the token. ACS was retired by Microsoft on November 7, 2018.

A Microsoft account or MSA is a single sign-on personal user account for Microsoft customers to log in to consumer Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

<span class="mw-page-title-main">Windows Server 2012</span> Sixth version of Windows Server, released in 2012

Windows Server 2012, codenamed "Windows Server 8", is the sixth version of the Windows Server operating system by Microsoft, as part of the Windows NT family of operating systems. It is the server version of Windows based on Windows 8 and succeeds Windows Server 2008 R2, which is derived from the Windows 7 codebase, released nearly three years earlier. Two pre-release versions, a developer preview and a beta version, were released during development. The software was officially launched on September 4, 2012, which was the month before the release of Windows 8. It was succeeded by Windows Server 2012 R2 in 2013. Mainstream support for Windows Server 2012 ended on October 9, 2018, and extended support ended on October 10, 2023. Windows Server 2012 is eligible for the paid Extended Security Updates (ESU) program, which offers continued security updates until October 13, 2026.

multiOTP Authentication system

multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance—as a standard OVA file, a customized OVA file with open-vm-tools, and also as a virtual machine downloadable file that can run on Microsoft's Hyper-V, a common native hypervisor in Windows computers.

References

  1. "Introducing AD FS 2.0". Microsoft TechNet. May 2, 2010. Retrieved March 2, 2017.
  2. "An Introduction to Claims". MSDN. 2016. Retrieved May 26, 2016.
  3. "What is Federated Identity Management?". Technopedia. 2016. Retrieved May 26, 2016.
  4. "ADFS Deep Dive". MSDN. November 2, 2014. Retrieved May 18, 2016.
  5. "ADFS Configuration in Windows Server 2012 R2 Standard". TatvaSoft. 2018. Archived from the original on September 19, 2018. Retrieved September 19, 2018.
  6. 1 2 "AD FS Frequently Asked Questions (FAQ)". Microsoft. April 17, 2019. Retrieved March 2, 2020.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.