Active Directory and ADFS – How Federation works?

What is AD?

The simplest Active Directory definition is that it is a directory service designed for Windows operating systems.

Directory is a unique repository for information related to the users and resources of an organization. Active Directory is a type of directory and contains information about the properties and location of the different types of resources within the network. Using it, both users and administrators can find them easily.

What is ADFS ?


Active Directory Federation Services, or commonly known as ADFS, is a solution from Microsoft to provide single sign-on and web-based authentication to systems and applications between organizations with unique or multiple domains.

Authentication: Process of an entity (the Principal) proving its identity to another entity (the System).

Single Sign On (SSO): Characteristic of an authentication mechanism that relates to the user’s identity being used to provide access across multiple Service Providers.

Single sign-on (SSO) means single sign-on. Its idea is to utilize user authentication so that the user only logs in once. User needs enter only one username / password. After that, She/he will be given access to several different applications. The process verifies the user for all applications to which they have been granted access.

The service allows you to connect multiple applications on your network using a common authentication mechanism. These services require and verify your username when you log on to the network. User IDs determine which actions you can perform. For example, if the applications are integrated with Kerberos, when the system authenticates the user ID, you can use all the resources that are integrated with Kerberos.

Federation: Common standards and protocols to manage and map user identities between Identity Providers across organizations (and security domains) via trust relationships (usually established via digital signatures, encryption, etc).

ADFS uses the Claims -based access control authorization model to ensure the security level and application-level federation identity, which is implemented between two organizations by establishing trust between two security zones or possibilities. This allows a system to control the access to its resources or services to a user belonging to another organizational environment, without the environments sharing they share user detail from database. That is, you can easily allow your business partners to log in to your services with their own AD user without having to work on maintaining them as internal identities.


Claims-based authentication is the process of authenticating a user based on a set of claims about their identity in a trusted token. Such a token is often issued and signed by a device that can authenticate the user in a different way. As for example with Active Directory, Facebook, or Google, this must be trusted by the enterprise that does claims-based authentication.

Two federation servers are required, one for user account and authentication (mainly with Active Directory Domain Services) to identify them and another for resource authorization and user access authentication. This architecture allows a user belonging to another security area or kingdom to control their access directly without sharing databases or passwords between them.


ADFS is designed to communicate via HTTPS to validate the user with a specific username and password. If this is valid, the service returns a unique token that can be used by third-party applications.

When a particular user tries to access an application on a website, it redirects the login request from the user to the main ADFS proxy in a form of username and password, and then returns a token that will be used by the application to control the user’s access.

How Federation Works?

Below illustrate how a assumed scenario can be solved by means of federation.

The environment consists of two companies that want a relationship of trust. Company B has a Website portal that users in Company A should access via their own identity from Company A

Federation between two organizations can be achieved by establishing trust between two ADFS servers. In this way, a user from Company A can access a resource at Company B with their own identity from Company A and vice versa.



An ADFS server at Company A authenticates the user through Active Directory in the usual way and then issues a token containing several claims about the user. The user now has a valid token in his session.



The user then presents their token to Company B, as the user presents a valid token from Company A, and Company B has a trust relationship with Company A – Approves Company B token and creates a new token for the user.





The user then presents his new token to the resource in Company B. Since the resource has confidence in the ADFS server in Company B, the user is logged in.




The activities take place in the user’s session and practically they are forwarded back and forth until the result is achieved. The principle will be approximately the same with several federated partners. User will be forwarded to their respective ADFS server based on the user’s identity.

By extending this solution to include eg Microsoft Azure and MinID, one can easily offer users to log in with an identity from known identity providers (identity providers).

Thanks For Reading.


Advertisements