Active Directory Federation Services (AD FS) is a feature in the Windows Server® 2003 R2, Windows Server 2008, and Windows Server 2008 R2 operating systems that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple, related Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries.
Features in AD FS
In Windows Server 2008 and Windows Server 2008 R2, AD FS includes new features that were not available in Windows Server 2003 R2. To learn more about these new features, see What's New in AD FS in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=85684).
The following are some of the key features of AD FS:
- Federation and Web SSO
When an organization uses Active Directory Domain Services (AD DS), it experiences the benefit of SSO functionality through Windows Integrated Authentication within the organization's security or enterprise boundaries. AD FS extends this functionality to Internet-facing applications. This makes it possible for customers, partners, and suppliers to have a similar, streamlined, Web SSO user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organizations to facilitate business-to-business (B2B) federated transactions between partner organizations. For more information about AD FS federation, see Understanding Federation Designs.
- Web Services (WS)-* interoperability
AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS does this by employing the federation specification of WS-*, called WS-Federation. The WS-Federation specification makes it possible for environments that do not use the Microsoft® Windows® identity model to federate with Windows environments. For more information about WS-* specifications, see Resources for AD FS.
- Extensible architecture
AD FS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) 1.1 token type and Kerberos authentication (in the Federated Web SSO with Forest Trust design). AD FS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organizations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies. For more information about modifying claims, see Understanding Claims.
Extending AD DS to the Internet
AD DS serves as a primary identity and authentication service in many organizations. With Windows Server 2003 Active Directory and Windows Server 2008 and Windows Server 2008 R2 AD DS, forest trusts can be created between two or more Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forests to provide access to resources that are located in different business units or organizations. For more information about forest trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkId=35356).
However, there are designs in which forest trusts are not a viable option. For example, access across organizations may have to be limited to only a small subset of individuals, not every member of a forest.
By employing AD FS, organizations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.
AD FS supports distributed authentication and authorization over the Internet. AD FS can be integrated into an organization's or department’s existing access management solution to translate the claims that are used in the organization into claims that are agreed on as part of a federation. AD FS can create, secure, and verify the claims that move between organizations. It can also audit and monitor the communication activity between organizations and departments to help ensure secure transactions.
For more overview information about AD FS, see the following topics: