What you need to know about Active Directory Federation Services

Windows Server 2003 R2 debuted without much fanfare, but Microsoft delivered on some long-awaited features and functions, not the least of which is technology for identity federation.

Periodically in this column, we've advised a thoughtful approach to identity federation. It's not an easy undertaking, and it can introduce needless complexity. At issue is the need to maintain a secure relationship between two entities: resources on one side, and user accounts on the other. When employees leave, accounts have to be updated or terminated (see "Security Manager's Journal: LDAP Syncing Project Won't Be a Trivial Task").

We know from working with customers that business conditions and staffing change, but accounts don't. That's a security risk, and the stakes are higher with increased industry regulation. If your company is audited and the domain information for an application and its users is out of date -- for instance, "idle" accounts have not been deleted -- then you've got a potential compliance problem.

Integrate -- then federate

Given the choice, integration is a simpler approach than federation. If the task is to provide one department with access to the resources of another department in a company that's standardized on a single platform, federation is simply too complex.

Federation is preferable when different companies and/or platforms are involved. Say that two or more organizations -- an automotive manufacturer and a key supplier, or competing aerospace companies with a joint contract -- need to share sensitive information and resources. Federated access lets individuals get and submit content, even modify it. Meanwhile, the resource owner controls access without having to manage users' accounts: Those are the responsibility of the account owner, who deletes an account if an employee quits, locks up access if a user is on vacation and so forth.

We've been working on just this type of scenario to demonstrate Microsoft Active Directory Federation Services (ADFS) capabilities in conjunction with a Microsoft SharePoint Portal Server. The technology allows identity information to flow across organizational boundaries, independent of platform, application or security model. Users connect to resources using Secure Sockets Layer, but the token that is sent does not include sensitive password or username information. The alternative? Doling out passwords everywhere, working around firewalls and so on.

ADFS: A first look

Not surprisingly, there are advantages and limitations to this first release of Microsoft's federation technology. IT pros will likely welcome single sign-on capabilities for Web-based access and the centralized administration of extranet accounts, as well as support for secure transit of digital identification. Plenty of IT staff have experience setting up trusted relationships between Windows NT domains -- but doing so requires sending sensitive information across the Internet, as well as expensive equipment to secure the system.

There are some strong motivators for evaluating applications for federated identity, and you'll want to take into account these aspects of Microsoft ADFS:

  • Passive-mode federation. In its first iteration, Microsoft ADFS supports only Web applications running on any Web server that supports WS-Federation. Right now, the technology works only for "passive mode" federation -- that is, federation of applications that are accessed through Web browsers. "Active mode" federation between applications with fat-client interfaces -- say, a supply chain management application and a purchasing application -- is a more complex undertaking. For now, Microsoft ADFS does not support this type of function, but it will be included in Longhorn Server.
  • Price tag. The technology comes free with Microsoft Windows Server 2003 Release 2. Saving time and money by skipping the search for a federation product may be reason enough for some companies to experiment now with basic scenarios. One of our customers is using federation to give business partners access to extranet applications. This simplifies the user experience because people don't have to log in with separate credentials -- which also means simplified administration and reduced costs. That adds up to improved security with a lower price tag.
  • Integration with AD. ADFS is deeply integrated with Active Directory. This is a big deal: It eliminates the need for massive application modification to support different security methods. And there's no need to purchase generic federation technology and reverse-engineer its security components to work with your enterprise platform.
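As an added illustration of the passive-mode token flow the column describes (this is not code from the column or from Microsoft ADFS; the trust key, partner URLs and directory entries are constructed for the example), the account partner below signs a claims token after its own logon and the resource partner accepts it only if the signature, audience and expiry check out, so no password and no local account are involved on the resource side:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values: the trust key agreed out of band between the
# account partner (owns the accounts) and the resource partner (owns the portal).
TRUST_KEY = b"constructed-shared-trust-key"
ACCOUNT_PARTNER = "https://fs.supplier.example"
RESOURCE_PARTNER = "https://portal.oem.example"
DIRECTORY = {  # the account partner's directory; the resource partner never sees it
    "jdoe": {"enabled": True, "groups": ["design-partners"]},
    "exstaff": {"enabled": False, "groups": ["design-partners"]},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, now: int, aud: str = RESOURCE_PARTNER, ttl: int = 600) -> Optional[str]:
    """Account partner: after local logon, emit a signed claims token.
    Disabled accounts get nothing, so revocation happens on the account side."""
    acct = DIRECTORY.get(user_id)
    if not acct or not acct["enabled"]:
        return None
    claims = {"iss": ACCOUNT_PARTNER, "aud": aud, "sub": user_id,
              "groups": acct["groups"], "exp": now + ttl}  # no password travels
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify_token(token: Optional[str], now: int) -> Optional[dict]:
    """Resource partner: accept claims only if signed by the trusted partner,
    addressed to this site and not expired; no local account lookup needed."""
    if not token or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ACCOUNT_PARTNER or claims.get("aud") != RESOURCE_PARTNER:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

The resource partner makes its authorization decision from the returned claims (for instance the group list), which is why the account owner can disable a departed employee's account and the resource side needs no corresponding cleanup.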

Making the world a flatter place

Microsoft ADFS lets companies cut their teeth on the concept of federation. While it's a viable technology, it is rather new. Don't expect massive adoption as with account provisioning and metadirectories. Federation is something that companies can explore at their own pace, even as they handle day-to-day IT activity.

In doing so, they will also test the potential for accelerating business. By The World Is Flat author Thomas Friedman's standards, federation could level obstacles that would otherwise get in the way of integrated business process. The more you can simplify and smooth interaction between computers and people using them -- the more straightforward that relationship becomes -- the "flatter" and faster your business can run.

Christopher M. Burry is a technology infrastructure practice director and a fellow at Avanade Inc., a Seattle-based integrator for Microsoft technology that's a joint venture between Accenture Ltd. and Microsoft Corp. Ace Swerling is security practice director and Robert Montee is senior systems engineer at Avanade. Send comments or questions to Christopher.Burry@avanade.com.

Copyright © 2006 IDG Communications, Inc.
