Active Directory Federation Services
What is Active Directory Federation Services [ADFS]?
Active Directory Federation Services is a mechanism that gives users homed in your Active Directory forest access to web services located in other Active Directory forests, e.g. partner organizations, Office 365, etc.
ADFS provides authorization, authentication and Single Sign-On (SSO) functionality to web applications and services located virtually anywhere, including perimeter networks, partner organizations and the cloud.
Active Directory Trust vs ADFS
An Active Directory trust works over the Kerberos V5 or NTLM protocol and gives users access to resources located in a different domain or forest. The Kerberos or NTLM token is validated for the SPN (Service Principal Name) before access is granted.
ADFS works over a protocol called SAML (Security Assertion Markup Language). A web application configured for ADFS looks for an ADFS cookie; if none is present, it redirects the browser to the user's ADFS server for user validation. Upon successful login the ADFS server generates a token (claim), appends it to the URL and sends it back to the web application that requested it. The web application now sees the ADFS cookie and grants access.
By default the cookie is valid for 10 hours; this lifetime can be customized.
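The redirect / token / cookie sequence described above, as an added, simplified model that is not ADFS's or SAML's own code: the token is an HMAC-signed JSON claim set (standing in for a signed SAML assertion), and the ADFS server, web application URLs, cookie name, `adfs_token` query parameter and key are all constructed for the example. The relying party only honours a token whose signature, audience and expiry all check out, and a cookie older than the 10-hour default is redirected to ADFS again.

```python
import base64, hashlib, hmac, json

IDP_KEY = b"constructed-demo-signing-key"      # stand-in for the ADFS token-signing key
COOKIE_LIFETIME = 10 * 60 * 60                 # the page's default: 10 hours, in seconds
RELYING_PARTY = "https://app.partner.example/" # constructed web application URL
ADFS_LOGIN = "https://adfs.corp.example/login" # constructed ADFS server URL

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(user: str, audience: str, now: float) -> str:
    """ADFS side: after a successful login, emit a signed claim token bound to one web application."""
    claims = {"sub": user, "aud": audience, "iat": now, "exp": now + COOKIE_LIFETIME}
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(IDP_KEY, body, hashlib.sha256).digest())

def validate_token(token: str, audience: str, now: float):
    """Web application side: accept a token only if signature, audience and expiry all check out."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return None                                # malformed token
    if not hmac.compare_digest(sig, hmac.new(IDP_KEY, body, hashlib.sha256).digest()):
        return None                                # tampered, or not issued by our ADFS
    claims = json.loads(body)
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None                                # issued for another application, or expired
    return claims

def relying_party(request: dict, now: float) -> dict:
    """Web application: valid ADFS cookie -> grant; valid token on the URL -> set cookie and grant;
    otherwise -> redirect the browser to the user's ADFS server."""
    cookie = request.get("cookies", {}).get("ADFS_COOKIE")
    claims = validate_token(cookie, RELYING_PARTY, now) if cookie else None
    if claims:
        return {"status": 200, "user": claims["sub"]}
    token = request.get("query", {}).get("adfs_token")
    claims = validate_token(token, RELYING_PARTY, now) if token else None
    if claims:
        return {"status": 200, "user": claims["sub"], "set_cookie": {"ADFS_COOKIE": token}}
    return {"status": 302, "location": ADFS_LOGIN + "?return_to=" + RELYING_PARTY}

def sso_flow(user: str, now: float) -> tuple:
    """One login: redirect, token sets cookie, cookie honoured within 10 hours, redirect after expiry."""
    first = relying_party({}, now)
    token = issue_token(user, RELYING_PARTY, now)
    with_token = relying_party({"query": {"adfs_token": token}}, now)
    cookie = with_token["set_cookie"]
    revisit = relying_party({"cookies": cookie}, now + 3600)
    expired = relying_party({"cookies": cookie}, now + COOKIE_LIFETIME + 1)
    return first["status"], with_token["status"], revisit["status"], expired["status"]
```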
Is ADFS safe?
ADFS uses Secure Sockets Layer (SSL) along the entire path of user validation; it is completely secure and recommended.
The user credentials are known only to the local ADFS instance and its Active Directory server; only the authorized token is passed along the URL. Because the entire session is SSL-based and the tokens are encrypted, the entire ADFS flow is secured.
What are other options?
Microsoft's DirSync feature allows passwords to be synchronized between the client's Active Directory forest and Office 365. However, this stores passwords outside your environment, which could be harmful if there is a security breach on the external network.
Third-party solutions from IBM, CA, NetIQ, etc. may be used if they are already present in the infrastructure or provide an additional feature the organization needs. Otherwise, it is recommended to use ADFS in a new environment so that support comes from a single vendor, i.e. Microsoft, which eases troubleshooting. ADFS is a free feature of the Windows operating system and is easy to deploy.