Active Directory Federation Services (AD FS)

Contributor(s): Erica Mixon and Colin Steele

Active Directory Federation Services (AD FS) is a feature of the Windows Server operating system (OS) that extends end users' single sign-on (SSO) access to applications and systems outside the corporate firewall by issuing signed security tokens that those external systems are configured to trust.

What AD FS does

Microsoft's traditional Active Directory technology stores user accounts and their credentials (password hashes rather than plaintext passwords) and uses them to manage and secure access to computers on a Windows domain. It also provides SSO access to corporate applications, typically through Kerberos. AD Federation Services builds upon this functionality so that users can be authenticated to third-party systems, such as another company's extranet or a service hosted by a cloud provider, without those systems ever handling the user's AD credentials: the third party receives a token issued by AD FS instead of a password.

Through SSO capabilities, AD FS can authenticate a user to different, related web apps during a single online session. AD FS packages statements about the user's identity and entitlements, known as claims, into a signed security token and shares that token across the organization's security boundaries. The trust relationship between the organizations is the federation: the organization that owns the user's account acts as the claims provider (identity provider), and the organization that hosts the web app is the relying party. When a user attempts to access a web app hosted by a trusted business partner, the user's own organization authenticates the user and issues the claims to the host of the web app. The host verifies the token's signature, issuer, intended audience and validity period, and only then makes authorization decisions based on the claims it contains.
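The exchange described above, worked end to end as an added example (this is not code from the page or from Microsoft): the relying party redirects the browser to AD FS, AD FS issues a SAML 1.1 assertion scoped to the requesting realm, and the relying party performs the four checks it must make before trusting a single claim. The issuer URI, endpoint, realm, user and clock are constructed sample values, and the HMAC over the assertion stands in for the RSA XML-DSig that a real AD FS token-signing certificate produces; the checks are the same either way.

```python
"""Simulated WS-Federation passive sign-in between a relying party (RP) and an
AD FS-style claims provider. Added example, not code from the page or from
Microsoft. Assumptions: issuer, endpoint, realm and user data are constructed
sample values; the HMAC over the assertion stands in for the RSA XML-DSig that a
real AD FS token-signing certificate produces."""
import hashlib, hmac, html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

ADFS_ISSUER = "http://sts.contoso.example/adfs/services/trust"  # assumed issuer URI
ADFS_SIGNIN = "https://sts.contoso.example/adfs/ls/"             # assumed sign-in endpoint
RP_REALM = "urn:app:partner-portal"                               # assumed RP identifier
SIGNING_KEY = b"stand-in-for-token-signing-private-key"           # assumed key material
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}


def rp_signin_redirect(return_to):
    """Step 1: the RP sends the unauthenticated browser to AD FS with its realm."""
    params = {"wa": "wsignin1.0", "wtrealm": RP_REALM, "wctx": return_to}
    return ADFS_SIGNIN + "?" + urlencode(params)


def adfs_issue(request_url, user, claims, now, lifetime=timedelta(minutes=10)):
    """Step 2: AD FS authenticates the user (Kerberos or forms, out of scope here)
    and returns a signed SAML 1.1 assertion scoped to the requesting realm."""
    q = parse_qs(urlparse(request_url).query)
    realm = q["wtrealm"][0]
    attrs = "".join(
        f'<saml:Attribute AttributeName="{html.escape(t)}" AttributeNamespace="{CLAIM_NS}">'
        f"<saml:AttributeValue>{html.escape(v)}</saml:AttributeValue></saml:Attribute>"
        for t, v in claims)
    assertion = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" Issuer="{ADFS_ISSUER}" '
        f'IssueInstant="{now.isoformat()}">'
        f'<saml:Conditions NotBefore="{now.isoformat()}" '
        f'NotOnOrAfter="{(now + lifetime).isoformat()}">'
        f"<saml:AudienceRestrictionCondition><saml:Audience>{html.escape(realm)}"
        f"</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>"
        f"<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>{html.escape(user)}"
        f"</saml:NameIdentifier></saml:Subject>{attrs}</saml:AttributeStatement>"
        f"</saml:Assertion>")
    sig = hmac.new(SIGNING_KEY, assertion.encode(), hashlib.sha256).hexdigest()
    # The browser auto-submits this form to the RP; "wsig" is the stand-in signature.
    return {"wa": "wsignin1.0", "wctx": q["wctx"][0], "wresult": assertion, "wsig": sig}


def rp_validate(post, now, trusted_key=SIGNING_KEY):
    """Step 3: the RP verifies the token before believing any claim in it.
    Returns (True, {"subject", "claims"}) or (False, reason)."""
    body = post["wresult"]
    expected = hmac.new(trusted_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, post["wsig"]):
        return False, "signature does not verify against the trusted signing key"
    root = ET.fromstring(body)
    if root.get("Issuer") != ADFS_ISSUER:
        return False, "issuer is not the federation server we trust"
    cond = root.find("saml:Conditions", NS)
    audience = cond.findtext("saml:AudienceRestrictionCondition/saml:Audience", namespaces=NS)
    if audience != RP_REALM:
        return False, "token was issued for a different relying party"
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "token is outside its validity window"
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        claims.setdefault(attr.get("AttributeName"), []).append(
            attr.findtext("saml:AttributeValue", namespaces=NS))
    subject = root.findtext(".//saml:NameIdentifier", namespaces=NS)
    return True, {"subject": subject, "claims": claims}


def rp_authorize(token, required_role):
    """Step 4: authorization is the RP's own decision, made on verified claims."""
    return required_role in token["claims"].get("role", [])


def run_demo():
    """Exercise the happy path and three failures an RP must catch."""
    now = datetime(2018, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock
    user_claims = [("emailaddress", "alice@contoso.example"), ("role", "Purchasing")]
    good = adfs_issue(rp_signin_redirect("/orders"), "CONTOSO\\alice", user_claims, now)
    ok, token = rp_validate(good, now)
    results = {"valid": ok and rp_authorize(token, "Purchasing")}
    # A token minted for another RP's realm must not be accepted here.
    other_url = ADFS_SIGNIN + "?" + urlencode(
        {"wa": "wsignin1.0", "wtrealm": "urn:app:other-partner", "wctx": "/"})
    other = adfs_issue(other_url, "CONTOSO\\alice", user_claims, now)
    results["replayed_to_other_rp"] = rp_validate(other, now)[1]
    # Expired tokens are rejected even though the signature is intact.
    results["expired"] = rp_validate(good, now + timedelta(minutes=11))[1]
    # Editing a claim (a privilege escalation attempt) breaks the signature.
    tampered = dict(good, wresult=good["wresult"].replace("Purchasing", "Administrator"))
    results["tampered"] = rp_validate(tampered, now)[1]
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The audience check is the one most often skipped in hand-rolled relying parties; without it, any token the federation server issued for one partner application can be replayed to another, which is why AD FS scopes every token to the realm that requested it.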

Figure: How enterprise AD FS works

Benefits and drawbacks

Active Directory Federation Services aims to reduce the complexity around password management and guest account provisioning, and it has taken on additional importance as organizations and employees rely more on software as a service (SaaS) and web applications. SaaS and web apps typically require their own user accounts; with AD Federation Services, those apps trust tokens issued for the organization's existing directory identities instead of maintaining a separate password for each user. Once users have signed in with their Windows credentials, AD Federation Services issues tokens on their behalf to every approved third-party system they visit, so they are not prompted to authenticate again.

AD FS offers benefits to users, IT staff and developers alike. With AD FS, IT can provide sign-on and access control based on a unified set of credentials. Additionally, the feature provides this control across modern and legacy applications, on premises and in the cloud. Users get a seamless SSO experience without having to remember unfamiliar, disparate account credentials. AD FS offers developers a simple method to authenticate users with identities in the organizational directory, allowing them to focus on application logic rather than credential handling.

There are drawbacks to implementing AD FS. It requires additional infrastructure and cost to set up: federation servers, a proxy tier if internet-facing users are served, and certificates that must be issued, protected and rotated. Like any feature added to an infrastructure, AD FS adds points of failure; if the federation service is unavailable, users cannot sign in to any of the federated applications. It also concentrates trust: every relying party accepts any token carrying the federation server's token-signing signature, so the signing key and the servers that hold it have to be protected and monitored as a top-tier asset.

Important features

SSO, federation

SSO capabilities allow federation partners to give their users a streamlined experience when they use the organization's web apps. Additionally, IT can deploy federation servers in multiple organizations and establish trusts between them, so that each partner's users are authenticated by their home organization and the partner's apps consume the resulting claims.

Interoperability

Through a federation specification called WS-Federation, AD FS' federated identity management system is interoperable with other products that support web services architecture and even environments that don't use the Microsoft Windows identity model. Later releases also implement the SAML 2.0 protocol (from AD FS 2.0), OAuth 2.0 (from AD FS on Windows Server 2012 R2) and OpenID Connect (from AD FS on Windows Server 2016), so a relying party does not have to speak WS-Federation specifically.

Extensibility

AD FS supports the Security Assertion Markup Language (SAML) 1.1 security token type (with SAML 2.0 tokens and JSON Web Tokens in later versions) and authenticates intranet users with Kerberos, so a domain-joined user is typically never prompted for a password. Claims are not simply copied out of the directory: administrators write claim rules that accept, transform and filter claims, for example mapping an AD group membership to an application role, and issuance authorization rules that decide whether a token is issued to a particular relying party at all. Through this extensible architecture, organizations can adjust AD FS to work with their current security and business frameworks.
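A model of the claims pipeline just described, added here as an example (not Microsoft's rule engine and not code from the page). For one relying party trust it runs the acceptance rules, then the issuance authorization rules, then the issuance transform rules, and issues no token at all unless a permit claim was produced. The claim type URIs are the real AD FS ones; the users, group SIDs and directory are constructed sample data, and each Python rule is a stand-in for the AD FS claim-rule-language rule quoted in the comment above it.

```python
"""Model of the AD FS claims pipeline for one relying party trust: acceptance
rules on the claims provider trust, then issuance authorization rules, then
issuance transform rules. Added example, not Microsoft's rule engine. Claim type
URIs are the real AD FS ones; users, group SIDs and the directory are
constructed; each Python rule stands in for the AD FS claim rule in the comment
above it. Rules are evaluated in order over the incoming claim set."""
from dataclasses import dataclass

WINACCT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
PORTAL_USERS_SID = "S-1-5-21-1-2-3-1105"  # constructed group SID


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str = "AD AUTHORITY"  # how AD FS labels claims from the local AD


# Constructed stand-in for the Active Directory attribute store.
DIRECTORY = {
    "CONTOSO\\alice": {"mail": "alice@contoso.example"},
    "CONTOSO\\bob": {"mail": "bob@contoso.example"},
}


def pass_through(claim_type):
    # c:[Type == "<claim_type>"] => issue(claim = c);
    return lambda claims: [c for c in claims if c.type == claim_type]


def permit_if_group(sid):
    # c:[Type == "...groupsid", Value == "<sid>"]
    #   => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
    return lambda claims: [Claim(PERMIT, "true") for c in claims
                           if c.type == GROUPSID and c.value == sid]


def group_to_role(sid, role):
    # c:[Type == "...groupsid", Value == "<sid>"] => issue(Type = "...role", Value = "<role>");
    return lambda claims: [Claim(ROLE, role) for c in claims
                           if c.type == GROUPSID and c.value == sid]


def ldap_email(store):
    # c:[Type == "...windowsaccountname", Issuer == "AD AUTHORITY"]
    #   => issue(store = "Active Directory", types = ("...emailaddress"),
    #            query = ";mail;{0}", param = c.Value);
    return lambda claims: [Claim(EMAIL, store[c.value]["mail"]) for c in claims
                           if c.type == WINACCT and c.issuer == "AD AUTHORITY"
                           and c.value in store]


def apply_rules(rules, claims):
    out = []
    for rule in rules:
        out.extend(rule(claims))
    return out


RP_TRUST = {  # one constructed relying party trust
    "acceptance": [pass_through(WINACCT), pass_through(GROUPSID)],
    "authorization": [permit_if_group(PORTAL_USERS_SID)],
    # Note what is NOT issued: the raw account name and group SIDs stay home.
    "transform": [ldap_email(DIRECTORY), group_to_role(PORTAL_USERS_SID, "PortalUser")],
}


def issue_token(incoming, trust=RP_TRUST):
    """Run the three rule sets. Returns the (type, value) pairs to put in the
    token, or None when no permit claim was issued; AD FS then returns an
    access-denied error, so a trust with an empty authorization set denies everyone."""
    accepted = apply_rules(trust["acceptance"], incoming)
    if not any(c.type == PERMIT for c in apply_rules(trust["authorization"], accepted)):
        return None
    return [(c.type, c.value) for c in apply_rules(trust["transform"], accepted)]


def sign_in(account, group_sids):
    """Claims as AD FS receives them after Windows authentication: the account
    name plus one groupsid claim per group in the user's security token."""
    incoming = [Claim(WINACCT, account)] + [Claim(GROUPSID, s) for s in group_sids]
    return issue_token(incoming)


if __name__ == "__main__":
    print(sign_in("CONTOSO\\alice", [PORTAL_USERS_SID, "S-1-5-21-1-2-3-513"]))
    print(sign_in("CONTOSO\\bob", ["S-1-5-21-1-2-3-513"]))
```

Two properties of the real pipeline are visible here: authorization is deny-by-default (no permit claim, no token), and the relying party only ever sees the claims the transform rules issue, so internal identifiers such as SIDs need not cross the organization boundary.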

Versions

Active Directory Federation Services was first released with Windows Server 2003 R2 as an additional download. Since then, Microsoft has released five different versions of AD FS.

AD FS 2.0, Microsoft's third release, is a download from Microsoft.com that is compatible with Windows Server 2008 and Windows Server 2008 R2. Its upgrades include support for the SAML 2.0 protocol alongside WS-Federation, improved installation with new server validation checks, tighter integration with Microsoft Office SharePoint Server 2007 and Active Directory Rights Management Services (AD RMS) and an improved experience for establishing federated trusts.

In AD FS 3.0 for Windows Server 2012 R2, Microsoft added the ability to securely register and join mobile devices (Workplace Join), support for group Managed Service Accounts (gMSAs) and simplified customization of the sign-in pages.

The most recent version as of this writing, AD FS 4.0 for Windows Server 2016, enables sign-in with Azure multifactor authentication (MFA), authentication against non-AD Lightweight Directory Access Protocol (LDAP) directories and Windows Hello for Business. Microsoft also improved auditing, SAML interoperability and password management for federated Office 365 users.

This was last updated in January 2018
