Active Directory Federation Services (AD FS) provides Single Sign-On (SSO) capabilities across multiple platforms, including non-Microsoft environments. By managing web-based logon identities and tying them to Windows logon authentication, organizations can more easily manage partner and customer access to web-based applications without exposing their internal security infrastructure.
AD FS is managed from an MMC administrative tool, shown in Figure 1, which can be installed on a Windows Server 2008 R2 Enterprise Edition or Datacenter Edition system.
AD FS is not a replacement for technologies such as Forefront Identity Manager (FIM). Instead of synchronizing identities across various directories as FIM does, AD FS manages logon attempts to web applications made from disparate directories. It is important to understand this distinction because AD FS and FIM perform different roles in an organization's environment.
Understanding the Key Components of AD FS
AD FS is composed of three different server components, as follows:
Federation server—
A federation server is the main AD FS component, which holds the Federation Service role. These servers authenticate users against the local account store (AD DS or AD LDS), issue signed security tokens carrying the user's claims, and validate tokens issued by partner federation servers, routing authentication requests between the connected directories.
Federation proxy server—
A federation proxy server acts as a reverse proxy for AD FS authentication requests. This type of server normally resides in the demilitarized zone (DMZ) of a firewall and is the only AD FS component reachable from the untrusted Internet; it relays requests to the back-end federation server so that neither that server nor the directory behind it is directly exposed.
AD FS Web Agents—
The Web Agents component of AD FS hosts the claims-aware agent and the Windows token-based agent. These agents run on the web servers that host the protected applications and manage the authentication cookies sent to those applications.
Each one of these components can be installed on a separate system in an AD FS structure, or they can all be installed on the same system.
Installing AD FS with Windows Server 2008 R2
Installation of the AD FS role on a server can be performed via the following process:
1. From the server, open the Server Manager application (Start, All Programs, Administrative Tools, Server Manager).
2. Navigate to the Roles node, and then click the Add Roles link.
3. On the Before You Begin page, review the notes provided, and click Next to continue.
4. From the list of server roles, choose Active Directory Federation Services by checking the box next to it. Click Next to continue.
5. On the Introduction to Active Directory Federation Services page, review the information provided, and click Next to continue.
6. On the Select Role Services page, select which role services to install, as shown in Figure 2. Selecting a role service might prompt you to install additional components it depends on; for example, IIS and a few other components are required for the Federation Service role. If prompted, click to install those items as well. After you have selected the appropriate check boxes, click Next to continue.
7. Select whether to create a server authentication certificate or to choose an existing certificate installed on the server. AD FS requires SSL, so for a production deployment the certificate must be issued by a Certificate Authority that both your users and your federation partners trust, either an internal enterprise CA or (the most common scenario) an external commercial CA, and its subject name must match the DNS name that clients use to reach the Federation Service. Click Import to use an existing certificate; it must already be installed, together with its private key, in the local machine certificate store of the server. If you are only installing AD FS for testing purposes, select to create a self-signed certificate instead. After making your selection, click Next to continue.
8. On the subsequent page, choose a token-signing certificate, using the same process outlined in the previous step. This certificate can be issued by an internal CA (if available) or imported from an external certificate provider. Browsers never see it, but partner federation servers must be given its public key so they can validate the tokens it signs. If using AD FS for testing, you can select to create a self-signed token-signing certificate. Click Next to continue.
9. On the Select Trust Policy page, select to either create a new trust policy for the type of claims used by your organization or to use an existing one, as shown in Figure 3. Click Next to continue.
10. If additional components such as IIS were selected for installation, the Add Roles Wizard will continue with selections for those roles. Follow through the wizard for these roles, if necessary, until the Install button becomes available in the wizard. Click the Install button to begin the installation of AD FS.
11. Click Close when the Add Roles Wizard is complete.
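The same installation, driven from PowerShell instead of the Add Roles Wizard, as an added example that is not from the original page: it installs the chosen AD FS role services unattended and runs the pre-flight checks from steps 7 and 8 (private key present, validity period, subject name matching the Federation Service FQDN, Server Authentication EKU, self-signed warning) against a certificate already in the local machine store. It is written for PowerShell 2.0 as shipped with Windows Server 2008 R2. The ADFS-Federation, ADFS-Proxy, ADFS-Claims and ADFS-Windows-Token feature names are assumed to be the ones the ServerManager module exposes for this role (confirm with Get-WindowsFeature ADFS* first), and the thumbprints and fs.companyabc.com in the usage lines are placeholders.

```powershell
# Added example (not from the original page): unattended AD FS role install and
# pre-flight certificate checks for Windows Server 2008 R2 / PowerShell 2.0.
# Feature names below are assumed; confirm with: Get-WindowsFeature ADFS*

Import-Module ServerManager

function Test-AdfsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$ExpectedDnsName,        # set for the SSL cert; omit for token signing
        [switch]$RequireServerAuthEku    # set for the SSL cert
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My" }

    $problems = @()
    # The wizard's Import button only works if the private key is on this server
    if (-not $cert.HasPrivateKey) { $problems += 'private key not present' }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))"
    }
    if ($ExpectedDnsName) {
        # Primary DNS name (first SAN entry, else subject CN) must match the
        # Federation Service FQDN; extend this check for multi-SAN certificates
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $ExpectedDnsName) {
            $problems += "name '$dnsName' does not match '$ExpectedDnsName'"
        }
    }
    if ($RequireServerAuthEku) {
        $hasServerAuth = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq '2.5.29.37') {   # Enhanced Key Usage extension
                $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
                foreach ($usage in $eku.EnhancedKeyUsages) {
                    if ($usage.Value -eq '1.3.6.1.5.5.7.3.1') { $hasServerAuth = $true }
                }
            }
        }
        if (-not $hasServerAuth) { $problems += 'missing Server Authentication EKU' }
    }
    # Self-signed is fine for a lab; browsers and partners will not trust it in production
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "$Thumbprint is self-signed; acceptable for testing only"
    }
    if ($problems.Count -gt 0) {
        throw "Certificate $Thumbprint rejected: $($problems -join '; ')"
    }
    return $cert
}

function Install-AdfsRoleServices {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('FederationServer','FederationProxy','WebAgents')]
        [string[]]$Components
    )
    $features = @()
    foreach ($c in $Components) {
        switch ($c) {
            'FederationServer' { $features += 'ADFS-Federation' }   # pulls in the IIS dependencies
            'FederationProxy'  { $features += 'ADFS-Proxy' }
            'WebAgents'        { $features += 'ADFS-Claims','ADFS-Windows-Token' }
        }
    }
    # Add-WindowsFeature installs the required dependencies (IIS and so on) itself
    $result = Add-WindowsFeature $features
    if (-not $result.Success) { throw "Add-WindowsFeature failed for $($features -join ', ')" }
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'Restart before configuring AD FS' }
    return $result
}

# Usage for a single-box lab (placeholder thumbprints and name; both certificates
# must already be imported into LocalMachine\My with their private keys):
# Install-AdfsRoleServices -Components FederationServer
# Test-AdfsCertificate -Thumbprint 'AABBCC...' -ExpectedDnsName 'fs.companyabc.com' -RequireServerAuthEku
# Test-AdfsCertificate -Thumbprint 'DDEEFF...'   # token-signing certificate
```

Run Test-AdfsCertificate before starting the wizard (or the unattended install) so that a certificate with a missing private key or a wrong subject name is caught before it is bound to the Federation Service; on a proxy server in the DMZ, run the same SSL check there, since the proxy terminates the client connection with its own copy of the certificate.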
Working with AD FS
AD FS works by taking in information about connected partners, such as AD forests or AD LDS organizations, together with specific partner and application information. Each set of information can be entered by running the various wizards installed by AD FS, as follows:
Add Resource Partner Wizard—
This wizard allows resource partners to be created manually or imported automatically from an Extensible Markup Language (XML) policy file. Resource partners contain information about the specific web-based applications that users can access.
Add Account Partner Wizard—
This wizard adds the information about specific account partners, the partner organizations whose federation servers issue security tokens for their users.
Add Applications Wizard— This wizard adds specific claims-aware applications to AD FS.
By entering the information about the various web-based applications, and which directories and identities are to be granted access, AD FS can provide seamless sign-on between the various directories. It can be a valuable asset for an organization that wants to share corporate information with trusted partners without exposing its internal assets.