What is ADFS?
Active Directory Federation Services (ADFS) is a software component created by Microsoft to provide Windows Server operating systems with Single Sign-On (SSO) for users. It uses a claims-based access control authorization model to maintain application security and implement a federated identity.
Claims-based authentication is the process of authenticating a user based on a set of claims about their identity contained in a trusted token.
How does ADFS work?
In ADFS, identity federation is established between two organizations by establishing trust between two security groups. A federation server on one side (the Accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a token containing a series of claims about the user, including their identity. On the other side (the Resources side), another federation server validates the token and issues another token for the local servers, so that they accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user who belongs to another security group, without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.
The authentication process generally follows these steps:
- Active Directory: AD FS uses identity information stored in Active Directory for authentication.
- Federation Server:
- Federation Server Proxy:
- ADFS Web Server:
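The Accounts-side/Resources-side exchange described above, modelled as an added example (this is not code from the page or from Microsoft's ADFS). It keeps the essential checks a Resources-side federation server must perform on a partner token: is the issuer one we have a configured trust with, is the signature valid under that issuer's key, is the token addressed to us, and has it expired; only then are the partner's group claims transformed into local roles and re-issued in a local token. Two simplifications are assumptions of the example: tokens are signed with HMAC-SHA256 keys exchanged out of band, whereas ADFS signs with an X.509 token-signing certificate, and the directory, organisation names (contoso/fabrikam), URLs and claim rule are all constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# --- shared token helpers (simplified stand-in for the SAML/JWT tokens ADFS issues) ---

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    """Serialize claims and sign them with HMAC-SHA256 (assumption: ADFS uses a signing certificate)."""
    payload = b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url(sig)}"

def verify_token(token: str, key: bytes, expected_audience: str, now: Optional[float] = None) -> dict:
    """Check signature, audience and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = parts
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

# --- Accounts side: authenticates against its own directory, issues a claims token for the partner ---

SALT = b"constructed-example-salt"

def pw_hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

# Constructed sample directory; stands in for Active Directory Domain Services.
ACCOUNTS_DIRECTORY = {
    "alice": {"password": pw_hash("correct horse battery staple"),
              "upn": "alice@contoso.example", "groups": ["CONTOSO\\Sales"]},
}
ACCOUNTS_ISSUER = "https://adfs.contoso.example"      # hypothetical
RESOURCES_ISSUER = "https://adfs.fabrikam.example"    # hypothetical
ACCOUNTS_KEY = b"contoso-token-signing-key"           # constructed; a certificate private key in real ADFS

def accounts_side_issue(username: str, password: str, now: Optional[float] = None) -> str:
    entry = ACCOUNTS_DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], pw_hash(password)):
        raise PermissionError("authentication failed")
    now = time.time() if now is None else now
    claims = {"iss": ACCOUNTS_ISSUER, "aud": RESOURCES_ISSUER, "sub": username,
              "upn": entry["upn"], "groups": entry["groups"],
              "iat": int(now), "exp": int(now) + 600}
    return sign_token(claims, ACCOUNTS_KEY)

# --- Resources side: validates the partner token and re-issues a local one ---

TRUSTED_ISSUERS = {ACCOUNTS_ISSUER: ACCOUNTS_KEY}     # the federation trust, configured out of band
RESOURCES_KEY = b"fabrikam-token-signing-key"         # constructed
LOCAL_APP = "https://app.fabrikam.example"            # hypothetical relying party
CLAIM_RULES = {"CONTOSO\\Sales": "sales-reader"}      # claim transformation: partner group -> local role

def resources_side_accept(partner_token: str, now: Optional[float] = None) -> str:
    # The issuer is read before verification only to select the key; nothing else
    # from the token is trusted until verify_token() has checked the signature.
    try:
        unverified = json.loads(b64url_decode(partner_token.split(".")[0]))
    except Exception:
        raise ValueError("malformed token")
    key = TRUSTED_ISSUERS.get(unverified.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    now = time.time() if now is None else now
    claims = verify_token(partner_token, key, RESOURCES_ISSUER, now)
    roles = [CLAIM_RULES[g] for g in claims.get("groups", []) if g in CLAIM_RULES]
    if not roles:
        raise PermissionError("no claim rule matched")
    local_claims = {"iss": RESOURCES_ISSUER, "aud": LOCAL_APP, "sub": claims["upn"],
                    "roles": roles, "iat": int(now), "exp": int(now) + 600}
    return sign_token(local_claims, RESOURCES_KEY)

def rejects(fn, *args, **kwargs) -> Optional[str]:
    """Return the exception class name raised by fn(...), or None if it succeeded."""
    try:
        fn(*args, **kwargs)
        return None
    except Exception as exc:
        return type(exc).__name__

if __name__ == "__main__":
    t = 1_700_000_000
    partner = accounts_side_issue("alice", "correct horse battery staple", now=t)
    local = resources_side_accept(partner, now=t)
    print(verify_token(local, RESOURCES_KEY, LOCAL_APP, now=t))
    print("expired ->", rejects(resources_side_accept, partner, now=t + 601))
```

Note that the local application never sees the partner's token or the partner's key: it only trusts tokens signed by its own Resources-side server, which is what lets the two organisations avoid sharing a user database while still granting controlled access.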
Why is ADFS used by organisations?
ADFS helps organizations share identity with partnerships using the same trust policy. When establishing a partnership to use another organization’s web applications, ADFS provides a central place to manage and audit the employee identity information that is shared with that partner.
ADFS is able to resolve and simplify these third-party authentication challenges but does come with certain risks and disadvantages.
Over 90% of organizations use Active Directory, which means many use ADFS as well.
Why are organisations using ADFS?
Office 365 Single Sign-On (SSO) with ADFS
However, despite all the benefits discussed from an infrastructure standpoint, there are some downsides:
- ADFS doesn't allow access to shared files or print servers.
- ADFS doesn't provide access to Active Directory resources.
- ADFS doesn't allow connecting to servers by using Remote Desktop.
- ADFS doesn't authenticate to "older" web applications.
- The ADFS structure is more complex to understand.
- ADFS requires specific devices, because it works only on domain-joined devices.
ADFS disadvantages:
- Maintenance costs:
- ADFS requires high maintenance costs for managing and operating the ADFS service.
- ADFS cost depends on the infrastructure complexity and the number of federations.
- ADFS configuration requires an SSL certificate, which adds more cost to the ADFS service.
- ADFS complexity: Adding an application or system to an ADFS service is more complex and time-consuming. It doesn't have a user-friendly user/group management dashboard for managing users, groups and their authentication policies.
- ADFS security issues: ADFS runs on Windows Server, which has more security issues, such as vulnerability to malware and frequent security-related errors.
ADFS Vs miniOrange IDP
| Feature | ADFS | miniOrange IDP |
|---|---|---|
| Multi-protocol support | Supports limited protocols (SAML 2.0, WS-Federation and OAuth 2.0) | Fully supports all protocols for authentication |
| MFA (Multi-factor Authentication) | Supports limited MFA methods | Supports 15+ MFA methods |
| Single Sign-On into mobile apps | Doesn't support | Supports SSO into mobile apps |
| Adaptive Authentication | Doesn't support | Supports |
| JWT | Doesn't support | Supports |