Active Directory Federation Services (ADFS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity. Claims-based authentication involves authenticating a user based on a set of claims about that user's identity contained in a trusted token. Such a token is issued and signed by an entity that is able to authenticate the user by other means and that is trusted by the entity doing the claims-based authentication; the receiving side trusts the claims only because it can verify that signature against the issuer's known signing certificate.
It is part of the Active Directory Services. Microsoft advises using Entra ID and Entra Connect in place of ADFS in most cases.
Details
In ADFS, identity federation is established between two organizations by establishing trust between two security realms. A federation server on one side (the accounts side) authenticates the user through the standard means in Active Directory Domain Services and then issues a signed token containing a series of claims about the user, including their identity. On the other side, the resources side, another federation server validates the token (checking its signature against the accounts-side server's token-signing certificate, which is exchanged when the trust is set up, along with the token's issuer, audience and validity period) and issues another token for the local servers to accept the claimed identity. This allows a system to provide controlled access to its resources or services to a user that belongs to another security realm without requiring the user to authenticate directly to the system and without the two systems sharing a database of user identities or passwords.
In practice a user might typically perceive this approach as follows:
# The user logs into their local PC (as they typically would when commencing work in the morning).
# The user needs to obtain information from a partner company's extranet website, for example to obtain pricing or product details.
# The user navigates to the partner-company extranet site, for example: http://example.com.
# The partner website does not require any password to be typed in; instead, a signed security token containing claims about the user (a SAML assertion or WS-Federation token, not the user's password) is passed to the partner extranet site through ADFS.
# The user is now logged into the partner website and can interact with it as if they had logged in directly.
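The two-sided trust described above, and the token issuance the user-perspective steps rely on, are set up by administrators with the ADFS PowerShell module that ships with the ADFS role (Windows Server 2012 R2 and later). The following is an added example, not code from the original article or from Microsoft; the hostnames, trust names, claim rules and group SID are hypothetical placeholders, and the accounts-side and resource-side commands must each be run on that side's own federation server.

```powershell
# Added example (not from the original article): establishing the
# accounts-side / resource-side federation trust with the ADFS module.
# Hostnames, trust names and the group SID are hypothetical placeholders.
Import-Module ADFS

# --- Resource side (the partner hosting the extranet site) ---
# Trust the accounts-side federation server as a claims provider. Its
# federation metadata carries the token-signing certificate that this side
# uses to validate the signature on incoming tokens.
Add-AdfsClaimsProviderTrust -Name "Contoso (accounts side)" `
    -MetadataUrl "https://fs.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules @'
@RuleName = "Pass through the UPN claim issued by Contoso"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# --- Accounts side (the user's own organization) ---
# Register the partner's federation server as a relying party that will
# receive tokens about this organization's users.
Add-AdfsRelyingPartyTrust -Name "Fabrikam extranet (resource side)" `
    -MetadataUrl "https://fs.fabrikam.example/FederationMetadata/2007-06/FederationMetadata.xml"

# Issuance transform rules: which claims about the user go into the token.
# Query only the AD DS attributes the partner actually needs.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and e-mail from AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# Issuance authorization rules: who may obtain a token for this partner at
# all. Without an explicit permit rule no token is issued. The SID is a
# placeholder for the partner-access group in AD DS.
$authzRules = @'
@RuleName = "Permit only members of the partner-portal group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName "Fabrikam extranet (resource side)" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# --- Checks before going live ---
# The whole trust rests on the token-signing key: confirm which certificate
# partners validate against, when it expires, and that automatic rollover is
# on so a partner is not left trusting an expired or stale certificate.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateDuration

# Review the rules actually stored on the trust rather than what was intended.
Get-AdfsRelyingPartyTrust -Name "Fabrikam extranet (resource side)" |
    Select-Object Identifier, IssuanceAuthorizationRules, IssuanceTransformRules
```

Pulling the partner's federation metadata over HTTPS is what makes the signing certificate exchange trustworthy; if a partner cannot publish metadata, the certificate has to be obtained out of band and supplied explicitly instead. The authorization rules are worth keeping narrow: the transform rules decide what the token says, but the authorization rules decide whether a token is issued at all.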
ADFS integrates with Active Directory Domain Services, using it as an identity provider. ADFS can interact with other WS-* and SAML 2.0-compliant federation services as federation partners.
Versions
* ADFS 1.0 - Windows Server 2003 R2 (additional download)
* ADFS 1.1 - Windows Server 2008 and Windows Server 2008 R2
* ADFS 2.0 - Windows Server 2008 and Windows Server 2008 R2 (download from Microsoft.com)
* ADFS 2.1 - Windows Server 2012
* ADFS 3.0 - Windows Server 2012 R2
* Windows Server 2016 ADFS - Windows Server 2016
* Windows Server 2019 ADFS - Windows Server 2019
See also
* Claims-based identity
* Digital identity
* Information Card
* LDAP
* SAML
* Windows CardSpace
* Windows Server 2012
* Windows Server 2008
* WS-Federation
* Office 365
External links
* ADFS 2.0 Content Map
* ADFS TechNet Library
* ADFS MSDN Library
* ADFS in Server 2016: What's new