By Chetan Kumar
Active Directory Federation Services (ADFS) is an identity and access solution from Microsoft that gives web-based clients (internal or external) single-prompt access to one or more Internet-facing applications, even when the user accounts live in one organization and the web applications are hosted by another. ADFS reduces the complexity of password management and guest account provisioning, and it plays a significant role for organizations that consume Software as a Service (SaaS) and web applications. Refer to Figure 1 below: users in Organization A log in with their Windows credentials, and ADFS authenticates them to all of the approved third-party systems in Organization B.
Figure 1 - ADFS and Single Sign-On between Organization A and Organization B
Key Challenges that ADFS addresses
Prior to ADFS, many organizations deployed a separate Active Directory to authenticate and authorize third parties who needed to use their services. In most cases you ended up as the account administrator for an external user population that grows rapidly: password resets, new accounts to add, and so on.
The other challenge is de-provisioning. You have no visibility into which users have left your partner organizations, so their accounts remain active in your AD. This can lead to security incidents when a former partner employee still has working access.
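The de-provisioning gap described above is easy to measure in the legacy model where partner accounts are created directly in your own AD. The following script is an added example (not from the original post) that reports enabled accounts in a partner OU that have not logged on for 90 days and stages them for disablement; the OU path, report path and threshold are hypothetical and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example: audit locally provisioned partner accounts for staleness.
# Assumes the ActiveDirectory module (RSAT) and a hypothetical partner OU.
Import-Module ActiveDirectory

$PartnerOU    = "OU=PartnerUsers,DC=corp,DC=example"        # hypothetical OU
$InactiveDays = 90                                          # review threshold
$ReportPath   = "C:\Reports\stale-partner-accounts.csv"     # hypothetical path

# Search-ADAccount -AccountInactive matches accounts whose last logon is
# older than the timespan, including accounts that have never logged on.
$stale = Search-ADAccount -AccountInactive `
                          -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) `
                          -UsersOnly `
                          -SearchBase $PartnerOU -SearchScope Subtree |
         Where-Object { $_.Enabled } |
         ForEach-Object {
             # Pull the attributes an owner needs to confirm the account is dead
             Get-ADUser -Identity $_.DistinguishedName `
                        -Properties LastLogonDate, Description, Manager, whenCreated
         }

# Report for the partner relationship owner: who, when last seen, who sponsors them
$stale |
    Select-Object SamAccountName, LastLogonDate, whenCreated, Manager, Description |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} enabled partner accounts inactive for {1}+ days written to {2}" -f `
            @($stale).Count, $InactiveDays, $ReportPath)

# Disable rather than delete: access stops immediately, the object survives for
# review and audit. -WhatIf previews the change; drop it after the list is vetted.
$stale | Disable-ADAccount -WhatIf
```

Run it under an account with read and (for the final step) write rights on the partner OU. Disabling is preferred to deletion because a disabled account can be re-enabled if the partner confirms the person is still active, while a deleted one cannot, and LastLogonDate is only replicated every 9 to 14 days by default, so treat the threshold as approximate.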
Should I use ADFS?
- If you have a requirement to let users from another business (contractor or partner) access your internal resources (web applications, messaging services and so on). The practical example that applies to many organizations is outsourcing, where partners and contractors access your resources to support your business functions.
- If you are planning to move parts of your IT to a private or public cloud and want the security controls to remain seamless for users. For example, in a hybrid environment some internal users are moved to Office 365.
- Single Sign-On (SSO)
- Reduces exposure to password phishing, because users authenticate only to their home directory and never type their password into a partner's site
- Minimizes the need for repeated logon exchanges
- Reduces the repeated submission of user credentials, which otherwise drives up helpdesk support cost and end-user fatigue
- Supports industry-standard identity protocols; compatible with the many security products and solutions that support the WS-* Web Services architecture
- Eliminates the management of user accounts that belong to a partner organization
- Extensible architecture; for instance, claims can be added or modified with custom business logic during claims processing
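To show what "claims-aware federation" and the extensibility point above look like in practice, here is an added example (not from the original post) that registers a partner-facing web application as a relying party in ADFS, issues e-mail and display-name claims from AD, maps one AD group to an application role claim with a custom rule, and restricts access to members of that group. The application name, metadata URL, group name and the AD domain are hypothetical; the ADFS PowerShell module on the federation server is assumed. It uses issuance authorization rules, which apply when no Access Control Policy is assigned to the trust (ADFS 2016 and later add that alternative).

```powershell
# Added example: configure a relying party trust with custom claim rules.
# Run on the ADFS server as an ADFS administrator. All names are hypothetical.
Import-Module ADFS
Import-Module ActiveDirectory

$RpName       = "Partner Portal (Org B)"
$RpMetadata   = "https://portal.orgb.example/FederationMetadata/2007-06/FederationMetadata.xml"
$ApproverGrp  = "PartnerPortal-Approvers"      # hypothetical AD security group

# Resolve the group to its SID: claim rules match on the groupsid claim, not the name,
# so renaming the group later does not silently break the rule.
$GroupSid = (Get-ADGroup -Identity $ApproverGrp).SID.Value

# Issuance transform rules decide which claims the application receives.
# Rule 1: standard LDAP rule, attributes looked up for the authenticated Windows account.
# Rule 2: custom business logic, a group membership becomes an application role claim.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email and display name from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,displayName;{0}", param = c.Value);

@RuleName = "Map approver group to application role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "__GROUP_SID__", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Approver",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@ -replace '__GROUP_SID__', $GroupSid

# Issuance authorization rules gate who gets a token at all. Default-deny:
# only members of the approver group receive the permit claim.
$AuthzRules = @'
@RuleName = "Permit only approver group members"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "__GROUP_SID__"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@ -replace '__GROUP_SID__', $GroupSid

# Create the trust from the partner's published metadata (endpoints and signing
# certificate are read from it) and keep it in sync automatically.
Add-AdfsRelyingPartyTrust -Name $RpName `
                          -MetadataUrl $RpMetadata `
                          -MonitoringEnabled $true -AutoUpdateEnabled $true `
                          -IssuanceTransformRules $TransformRules `
                          -IssuanceAuthorizationRules $AuthzRules

# Verify what was stored before pointing users at it.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, Enabled, MetadataUrl,
                  IssuanceTransformRules, IssuanceAuthorizationRules
```

Two design points matter here. Authorization is default-deny: a relying party with no permit rule issues no tokens, so forgetting the authorization rule fails closed rather than open. And the partner never sees a password or a group SID; it receives only the claims you chose to issue, which is the whole point of the "eliminates account management in the partner organization" benefit listed above.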
Conclusion
ADFS is a very flexible technology from Microsoft that provides authentication and authorization to applications running in your environment for extranet users from other organizations. If you are planning to extend Active Directory beyond your own environment or to transition to Office 365 or the cloud, and you want to reduce the effort of user account administration while providing claims-aware federation, ADFS is the solution you can rely upon.