Manage

Can ADFS technology manage multiple-user authentication?

In this SearchSecurity.com Q&A, Joel Dubin, expert in identity management and access control, addresses multiple aspects of ADFS systems, including the technology's ability to authenticate multiple users to a Web application.

Joel Dubin

Is Active Directory Federation Services (ADFS) technology mature enough for managing the authentication of remote customers to a Web application?

Active Directory Federation Services (ADFS) became a standard feature in Windows Server 2003 R2. The problem with ADFS is not so much the maturity of the technology itself, but rather the shifting landscape of standards for federated identity management and whether those standards are in line with your environment. Those standards underpin all federated identity management systems, including ADFS. Despite the name, ADFS isn't an extension of Active Directory; it's a Windows component that uses Active Directory.

There have been a few issues with ADFS, but let's first take a look at federated identity management, a technology...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

still in a state of evolution.

Federated identity management is closely related to single sign-on, another technology for allowing authentication across diverse systems. Single sign-on allows a user with a single user ID and password -- or other login credentials -- access to multiple systems. The single user ID and password replaces multiple IDs and passwords a user might need to log on to different applications and systems.

The difference between single sign-on and federated identity is that single sign-on is for logging on within a single enterprise. Federated identity is used for logging in across several enterprises. Such a system could allow, for example, a company to directly access the systems of its suppliers -- different companies with different IT systems in different domains.

Communication among various enterprises with unrelated IT systems across corporate boundaries is the key to federated identity management systems, like ADFS. These systems can only play each other if they all abide by an independent set of standards -- agreed on by all members of the system -- for communicating authentication information to each other.

Microsoft and IBM compiled a set of standards using the WS-Federation protocol for message-based applications. Another standard is Security Assertion Markup Language (SAML), which is based on XML. Microsoft backed early versions of SAML, but broke with the standard in 2005 when SAML 2.0 was released. SAML 2.0 is backed by a consortium of companies and organizations, including the Liberty Alliance and the Organization for the Advancement of Structured Information Systems (OASIS). Both are heavily involved in setting federated identity management standards.

It's important to keep track of the different standards and platforms they work with, and the ever-shifting alliances backing each standard. Match these with your environment before making a decision on a federated identity management implementation.

Finally, Joe Kaplan, a Microsoft MVP in directory services, has reported a problem with the way ADFS handles cookies for maintaining authentication session state. Cookies are frequently used for managing such sessions, but can pose problems when used across domain and enterprise boundaries, as with ADFS. Kaplan has described workarounds and how to avoid common pitfalls with cookies and ADFS. The technology is sound, but it may need tweaking to handle cookies properly.

For more information:

Learn more about one of the most exciting features in Microsoft Windows Server 2003, ADFS.

In this Q&A, Joel Dubin explores the differences between local identity, SSO and federated identity management models.

This was last published in April 2007

A technical introduction to Citrix Cloud Federated Authentication Service

Citrix Cloud identity features are still up in the air

claims-based identity

SAML (Security Assertion Markup Language)

6 SaaS security best practices to protect applications

Review these 7 CASB vendors to best secure cloud access

CASB explained: Know its use cases before you buy

10 network security tips in response to the SolarWinds hack

Considerations for SASE management and troubleshooting

Cisco sweetens Acacia deal by $2 billion

What CIOs need to know about RPA in IT operations

Parler sues AWS, seeks restraining order

Digital healthcare top priority for CIOs in 2021

Will Windows 10 be the last Windows OS?

CES: Laptops sport designs friendly for remote workers

Evaluate if Windows 10 needs third-party antivirus

IBM acquisition spree targets hybrid cloud consulting market

How to choose between IaaS and SaaS cloud models

COVID-19 and remote work shift cloud predictions for 2021

Should I be worried about MFA-bypassing pass-the-cookie attacks?

Few workers see employers as ready for new normal

More subpostmasters’ prosecutions sent to appeal for wrongful conviction