Maybe your organization, like many, is looking at how to easily and securely
share data and access to its network with designated external users. An identity
federation solution in Windows Server 2003 Release 2 (R2), called Active Directory
Federation Services (ADFS) can help. In "Identity Federation with ADFS," November
2006, InstantDoc ID 93453, I introduced ADFS and defined identity federation,
which links disparate identity and resource providers to make it easier for
organizations to share data. I also discussed how an organization can take advantage
of ADFS and showed a simple ADFS operation example. Now let's dig deeper into
the ADFS components to examine how they work together and look at what's involved
in planning for and setting up ADFS in your environment.
Federation Service
Before we get into the Federation Service, which is the most important component
of ADFS, let's review some identity federation terminology. An organization
can be an identity provider, a resource provider, or a combination of both.
An identity provider is an organization that issues and manages accounts. A
resource provider provides and controls access to resources. Identity and resource
providers are sometimes referred to as islands, a term which emphasizes their
isolation from one another. Islands can be in separate organizations or they
can exist within the same organization. It's the job of identity federation
solutions such as ADFS to link these islands.
The Federation Service is an ASP.NET Web service that must be installed on
a Windows 2003 R2 Enterprise Edition or Datacenter Edition platform. ADFS requires
a Federation Service installation for each identity or resource provider that's
participating in the federation. Windows 2003 R2 Federation Service servers
also must have the following software installed: Microsoft IIS 6.0, Microsoft
.NET Framework 2.0, and ASP.NET. On a Windows 2003 R2 system, you can install
Federation Service and all other ADFS components explained in this article from
the Add or Remove Programs Control Panel applet's Windows Components wizard.
R2 systems include a new Windows Components option called Active Directory Services
that includes ADFS, Active Directory Application Mode (ADAM), and Identity Management
for UNIX, or Services for UNIX (SFU).
Within ADFS, the Federation Service component hosts the service that generates ADFS
authentication cookies and security tokens.
This host role makes Federation Service a security authority that must be secured accordingly.
Federation Service has the following roles and
tasks:
The Federation Service validates user credentials and generates ADFS
authentication cookies. The Federation Service can validate user credentials
against either Active Directory (AD) or ADAM. Authentication cookies are used
for Web single sign-on (SSO). An authentication cookie proves that users have
been authenticated by the Federation Service and ensures that they don't have
to re-enter credentials each time they access a resource hosted by a federation
partner. The AD or ADAM directory used in an ADFS setup must be running on either
a Windows 2003 Service Pack 1 (SP1) or SP2, Windows 2003 R2, or Windows 2000
SP4 system.
The Federation Service generates and
transforms ADFS security tokens. An ADFS
security token contains a user's attributes. In
ADFS, these properties are also referred to as
claims. As I explain later in this article, security
tokens and their claims are primarily used for
authorization purposes. The Federation Service can generate brand new security tokens
or transform them from one format to another.
To generate and populate security tokens, the
Federation Service retrieves user claims from
AD or ADAM.
During token transformation, the Federation Service translates the claims in
a security token to a new set of claims that are then stored in a new token.
Claim transformation ensures that a claim defined in one organization is transformed
to an equivalent claim as defined in another organization. For example, "gold
membership" in the frequent flyer application of one organization might translate
to "privileged customer" in a similar application of another organization. I'll
go into more detail about the Federation Service token transformation function
later in this article.
The Federation Service manages the federation trust policy that's established
between the Federation Service and other federation partners. The federation
trust policy defines which user claims are exchanged between federation partners.
Claims can include user identifiers such as an email address or User Principal
Name (UPN); user authorization data such as group memberships; and other user
identity attributes (e.g., phone number, mailing address). The Federation Service
federation trust policy is managed from the ADFS Microsoft Management Console
(MMC) snap-in, which Figure 1 shows. This
snap-in is installed automatically when you install the Federation Service.
Federation Service Proxy
The Federation Service Proxy (FSP) component in ADFS acts as a user front end
for the Federation Service. The FSP can be installed separately by using the
Add or Remove Programs Control Panel applet's Windows Components wizard but
is also automatically installed when you install the Federation Service. The
FSP acts as a proxy between browsers and the Federation Service, giving the
dumb browser clients something to talk to. The FSP has the same software installation
requirements as the Federation Service.
The Federation Service is a security authority that shouldn't be directly exposed to your
extranet or the Internet. If your federated
users or partners connect to your resources
from your extranet or the Internet, you should
install an additional FSP in your organization's
demilitarized zone (DMZ).
The FSP performs the following tasks:
- It provides the interface for user home domain discovery. In ADFS, a user's
home domain is the account provider in which the user's account is defined.
An ADFS resource provider must know a user's home domain to be able to redirect
the user to the correct account provider for authentication. The FSP includes
a special Web page that lets a user manually select the user's home domain.
You can also automate the process of home domain discovery, which the ADFS
documentation explains.
- It collects credential information from browser clients and forwards it
to Federation Service for validation.
- It forwards security tokens and authentication cookies generated by an identity
provider Federation Service to a resource provider Federation Service.
- It returns security tokens and authentication cookies generated by Federation
Service to browser clients.
ADFS Web Agent
The ADFS Web agent is an ADFS user's first point of contact with ADFS. The Web
agent provides the interface logic between the ADFS infrastructure and a Web-based
application. The agent leverages the information in the security tokens and
authentication cookies and forwards ADFS claims to Web-based applications. The
applications can then use the claims to make authorization decisions or provide
user personalization services. The agent includes an Internet Server API (ISAPI)
filter that redirects unauthenticated users to the FSP and Federation Service
for authentication.
Previous
