I have been working on Active Directory Federation Services (ADFS) for quite some time, so I thought of documenting ADFS in simple words for my future use. I first came to know about the word ADFS when I worked on an Office 365 migration project for the first time. The technology behind ADFS was like Greek and Latin to me at that time. I simply followed the published article to set it up and federate with O365. It worked like magic and I was really happy. But the game really started when I got a request to set up ADFS for a cloud-based application which supports SAML 2.0. This time there was no proper documentation. I was left alone and no one was there to help 🙂 What a pity!!
Then I was forced to learn what ADFS is and its usage from scratch. Now it has become one of my favorite technologies ever!!
What is Active Directory Federation Service (ADFS)
ADFS is one of the built-in roles available in Windows Server. It first shipped as an optional component of Windows Server 2003 R2 and has been a server role since Windows Server 2008. I would like to give an example to explain what ADFS is.
Let's assume you want to use a third-party cloud-based or on-premises application which requires authentication to access it. To authenticate, you need a valid account and password, obviously. That account is separate from your Active Directory account, so you and your users have to remember two usernames and passwords: one for AD and one for the application. But your management wants to use the same username and password for both AD and the application, and this task has been assigned to you 🙂 Oops, sorry about that!! But it can't be helped, you need to figure it out 🙂 LOL!!
Now you find a solution, which is nothing but a service called Active Directory Federation Services. This service will help you achieve your goal: it authenticates users against their AD accounts on behalf of applications that support SAML and claims-based authentication, so the application never sees the AD password; it only receives a signed token saying who you are. The process of using one account and one authenticated session to access multiple applications is called Single Sign-On (SSO).
How ADFS Works
The third-party application does not talk to our ADFS server directly. It needs an intermediary, and the client browser (IE, Chrome, etc.) plays that role: every message between the application and ADFS is carried by the browser as a redirect or a form POST. So let's get back to our example to see how ADFS works.
You are using a cloud-based application, and its URL is, for instance, https://yourcompany.cloudbasedapp.com. In general the cloud vendor creates a dedicated tenant for you and that URL points to your tenant. Here is what happens when you enter the URL in your browser (assuming SSO has already been configured; if not, just keep reading, because we are going to cover how to configure it for many applications in future posts anyway):
1. The browser contacts the web server in the cloud. The application sees that single sign-on is enabled for this tenant, so instead of showing its own login page it redirects the browser to the ADFS sign-on URL, with a SAML authentication request carried in the redirect.
2. The browser follows the redirect and contacts the ADFS sign-on page. Depending on the authentication mechanism configured on your ADFS server, ADFS takes your username and password (or, if you are inside the network, your existing Windows logon) and authenticates you against Active Directory.
3. ADFS builds a SAML token for you. The claim rules configured for this application decide what goes into it, for example a rule that maps your AD sAMAccountName (Windows account name) to the SAML Name ID.
4. ADFS signs the token with its token-signing certificate and returns it to the browser inside an HTML form that automatically POSTs to the application.
5. The browser posts the token to the cloud application URL. The application validates it before granting access: the signature must verify against the ADFS token-signing certificate the application trusts, the token must be issued for this application (audience) and still be within its validity window, and it must answer the request the application actually sent. Only then does it sign you in.
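To make the exchange above concrete, here is a small simulation in Python of the three legs: the application redirects the browser to ADFS with a SAML AuthnRequest, ADFS answers with a SAML Response whose Name ID carries the user's sAMAccountName, and the application checks that Response. This is an added example, not code from the original post and not how ADFS itself is implemented. The hostnames, entity IDs and the user `jdoe` are made up, the SAML messages are constructed inline, and the XML signature that a real ADFS puts on the assertion is left out: the checks in `validate_response` are the ones that must run in addition to, and after, signature verification with an XML-signature library.

```python
"""Simulated SP-initiated SAML 2.0 browser SSO: app -> ADFS -> app (constructed example)."""
import base64
import datetime as dt
import urllib.parse
import uuid
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
import zlib
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC

# Hypothetical endpoints modelled on the post's example URL (assumptions, not real hosts).
SP_ENTITY_ID = "https://yourcompany.cloudbasedapp.com"
SP_ACS_URL = "https://yourcompany.cloudbasedapp.com/saml/acs"
IDP_ENTITY_ID = "http://adfs.yourcompany.com/adfs/services/trust"
IDP_SSO_URL = "https://adfs.yourcompany.com/adfs/ls/"


def build_redirect_url(request_id, now):
    """Leg 1 (application): AuthnRequest sent via the HTTP-Redirect binding,
    i.e. raw DEFLATE, then base64, then URL-encoded into the query string."""
    authn = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{now:{TS}}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{IDP_SSO_URL}?{query}"


def parse_redirect_url(url):
    """Leg 2 (ADFS): recover the AuthnRequest the browser delivered in the query string."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    return root.get("ID"), root.find("saml:Issuer", NS).text, root.get("AssertionConsumerServiceURL")


def issue_response(request_id, sam_account_name, now, audience=SP_ENTITY_ID, lifetime_min=5):
    """Leg 2 (ADFS): after authenticating the user against AD, issue a Response whose NameID is
    what the 'sAMAccountName to Name ID' claim rule produced (signature omitted, see lead-in).
    Returns the fields of the auto-submitting form the browser POSTs to the application."""
    not_after = now + dt.timedelta(minutes=lifetime_min)
    response = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{now:{TS}}" Destination="{SP_ACS_URL}" InResponseTo="{request_id}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now:{TS}}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f"{escape(sam_account_name)}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{now:{TS}}" NotOnOrAfter="{not_after:{TS}}">'
        f"<saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return {"action": SP_ACS_URL, "SAMLResponse": base64.b64encode(response.encode()).decode()}


def validate_response(saml_response_b64, expected_request_id, now):
    """Leg 3 (application): checks to run on the POSTed Response after its XML signature has
    been verified against the trusted ADFS token-signing certificate. Returns the NameID or
    raises ValueError; any failure must deny access."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match a request we sent (replay or unsolicited)")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("ADFS did not report success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous responses carrying several assertions
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    if assertion.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
        raise ValueError("Assertion not issued by our ADFS")
    cond = assertion.find("saml:Conditions", NS)
    not_before = dt.datetime.strptime(cond.get("NotBefore"), TS)
    not_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TS)
    if not (not_before <= now < not_after):
        raise ValueError("Assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion was issued for a different application")
    return assertion.find("saml:Subject/saml:NameID", NS).text


def demo_flow(now=None):
    """Run all three legs for the constructed user 'jdoe'; returns the NameID the app accepts."""
    now = now or dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    request_id = "_" + uuid.uuid4().hex
    rid, _issuer, _acs = parse_redirect_url(build_redirect_url(request_id, now))  # browser -> ADFS
    post = issue_response(rid, "jdoe", now)                                      # ADFS -> browser
    return validate_response(post["SAMLResponse"], request_id, now)              # browser -> app
```

Run `demo_flow()` to see the round trip return `jdoe`. The point of the example is the third leg: a token that is correctly signed but addressed to another application, answers a request the application never sent, or has expired is still rejected, and those checks are independent of the signature check that a real deployment performs first.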
I tried my level best to explain this in layman's terms. Feel free to comment below if you have any questions.
The series will continue, and I will try to cover various ADFS topics in future posts.