Federation just makes it easier

You wander around with cloud, federation, identity management and automation on your mind. You've heard about this thing called federation. It would make everything so much easier, some say. But what exactly is federation? What can be done with it? How do you go about implementing it?

In this short article I’ll discuss federation with Microsoft Active Directory Federation Services 2.0.

About ADFS
Active Directory Federation Services (AD FS for short) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity.

Claims based authentication is the process of authenticating a user based on a set of claims about its identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims based authentication.

Source:  <http://en.wikipedia.org/wiki/Active_Directory_Federation_Services>

How it works (the simple version)
Federation between two organizations is achieved by establishing a trust between the two ADFS servers. The federation server on the account side authenticates users through AD DS in the usual way and creates a token that contains a variety of claims about the user, including the user's identity. On the other side (the resource side), the token is validated against that trust.

This lets an organization control access to its resources or services for users who belong to a different organization, without the need for a common user database.

I.e. you can easily allow your business partners to log in to your services with their own AD users without keeping a copy of your partner's AD. (That would require a lot of clarification with regard to licensing, maintenance, password resets, etc.)
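To make the account-side/resource-side split concrete, here is an added example that is not part of the original article. It simulates the two halves of the flow described above: Partner A's federation server authenticates a user against its own directory and issues a signed token of claims, and Contoso's resource side validates that token using only the issuer's signing key (no copy of Partner A's accounts). The directory contents, issuer name, audience URN and signing key are constructed for the example, and an HMAC over a JSON payload stands in for the X.509-signed SAML token a real ADFS server would produce.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# --- Partner A (account side) -------------------------------------------------

# Constructed stand-in for Partner A's token-signing certificate.
PARTNER_A_ISSUER = "https://fs.partner-a.example/adfs/services/trust"  # assumed name
PARTNER_A_SIGNING_KEY = b"constructed-partner-a-token-signing-key"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for Partner A's AD DS; only Partner A ever sees this.
_SALT = os.urandom(16)
PARTNER_A_DIRECTORY = {
    "alice": {
        "salt": _SALT,
        "pwhash": _hash_password("correct horse battery staple", _SALT),
        "email": "alice@partner-a.example",
        "groups": ["SharePointReaders"],
    }
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, password, audience, now=None):
    """Account-side federation server: authenticate the user against the
    local directory and, on success, emit a signed token of claims."""
    now = now if now is not None else int(time.time())
    account = PARTNER_A_DIRECTORY.get(username)
    if account is None:
        return None
    if not hmac.compare_digest(_hash_password(password, account["salt"]), account["pwhash"]):
        return None
    claims = {
        "iss": PARTNER_A_ISSUER,     # who vouches for the user
        "aud": audience,             # which relying party the token is for
        "sub": username,
        "email": account["email"],
        "groups": account["groups"],
        "iat": now,
        "exp": now + 600,            # short lifetime limits replay
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(PARTNER_A_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(signature)


# --- Contoso (resource side) --------------------------------------------------

# The trust: Contoso stores only the partner's issuer name and signing key,
# never the partner's user accounts or passwords.
TRUSTED_ISSUERS = {PARTNER_A_ISSUER: PARTNER_A_SIGNING_KEY}
CONTOSO_AUDIENCE = "urn:contoso:sharepoint"  # assumed relying-party identifier


def validate_token(token, now=None):
    """Resource side: accept the claims only if the signature checks out
    against a trusted issuer and the token is for us and still valid."""
    now = now if now is not None else int(time.time())
    try:
        payload, signature = token.split(".")
        claims = json.loads(_unb64(payload))
    except ValueError:          # malformed token (bad base64/JSON also raise ValueError)
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:             # issuer we have no trust with
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(signature)):
        return None             # tampered or forged
    if claims.get("aud") != CONTOSO_AUDIENCE:
        return None             # token meant for a different relying party
    if claims.get("exp", 0) <= now:
        return None             # expired
    return claims


def authorize_sharepoint(claims):
    """Claims-based authorization: the application decides on the claims,
    not on a local account."""
    return claims is not None and "SharePointReaders" in claims.get("groups", [])
```

The resource side never handles the partner user's password; everything it knows about the user arrives as claims in the token, and the only secret it holds is what the trust relationship requires.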

The picture below is an example of how to give partner A access to Contoso’s SharePoint 2010 applications using federation with ADFS 2.0.

[Figure: federation between Contoso (resource side) and Partner A (account side); the image is not included in this text]

In this solution, Microsoft Unified Access Gateway is used to publish ADFS 2.0 in Contoso's environment and to publish the SharePoint 2010 web applications. UAG is, in other words, used as a reverse proxy.

Other federation tips:

  • Office 365
  • MinID federation (Norway)
  • Feide (for schools, Norway)
  • Azure