Active Directory Classroom Series – 27/Oct/2020

Active Directory Federation Services

  • Scenario:
    • Consider a scenario where an organization, AsquareZone (a2z), has a payroll application and another organization, QualityThought (QT.in), wants to use that payroll application
    • QualityThought doesn't want to host the payroll application; rather, they want to use it over the web from AsquareZone
  • Possible Solutions:
    • Forms Authentication:
      • AsquareZone hosts a user database in which usernames and passwords of QualityThought employees are stored
      • A QualityThought employee logs in to payroll (https://payroll.asquarezone.com) with this new, separate set of credentials
      • Let's say an employee resigns from QT. The account lives in AsquareZone's database, so AsquareZone has to disable it on an external request from QT; until that request is processed the ex-employee can still log in
      • If applications are deployed in this manner, users have to maintain multiple credentials (one per app), and every such app is one more place where passwords are stored and can be stolen
    • Integrated Windows Authentication (IWA: Kerberos or NTLM, i.e. domain authentication):
      • The application is deployed inside the same organizational boundary and has a direct connection to AD, because the web server is itself a member of the domain
      • The application can then authenticate domain users directly against Active Directory
      • This does not fit the scenario: QT's users and devices are not members of AsquareZone's domain, so IWA has nothing to authenticate them against
    • Active Directory Federation Services:
      • Consider this image to understand the authentication process
      • Step 1: User logs in to the device (laptop) with QT's Active Directory credentials and is successfully authenticated
      • Step 2: User tries to access the payroll app from AsquareZone (a2z)
      • Step 3: As soon as the application receives the access request from the QT.in user, it tries IWA with the browser. Since the user cannot be authenticated that way (the user is not in a2z's domain), the application checks whether there is a federated relationship and redirects the user to QT.in's ADFS login page
      • Step 4: The user is already authenticated to QT.in (if not, they enter their QT credentials)
      • Step 5: If the credentials are valid, ADFS retrieves the user's attributes from QT's AD. ADFS creates a security token that includes user claims such as name, group memberships, UPN and email address. The token is signed with the issuer's token-signing certificate, and the user is redirected back to the payroll application on a2z
      • Step 6: The user's browser is redirected to the payroll application, and this time the request presents the security token received from ADFS. The payroll application's claims-aware agent validates the token's signature against QT's ADFS certificate (and decrypts it if token encryption is configured), then reads the claims. Based on the claims, it decides whether the user is allowed to access the app and with what rights
      • Note that the payroll app never sees a QT password; it trusts whatever claims are signed with QT's token-signing certificate. That private key therefore needs the same protection as a domain controller: whoever holds it can mint a token for any user with any group membership
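The six steps above as an added, runnable illustration (example code written for these notes, not AD FS code): an issuer-side function builds the claims and signs the token (Step 5), and a relying-party-side function verifies the signature before reading any claim, checks issuer, audience and lifetime, and only then decides access from the group claims (Step 6). Assumptions: a shared HMAC key stands in for the ADFS token-signing certificate (real ADFS signs with the certificate's private key and the relying party verifies with the public key from the federation metadata), and the issuer URL, application URL, user and group names are made up.

```python
import base64
import hashlib
import hmac
import json
import time

# All of the following are assumptions for this example. A shared HMAC key
# stands in for the AD FS token-signing certificate: real AD FS signs with the
# certificate's private key and the relying party verifies with the public
# key published in the federation metadata.
IDP_SIGNING_KEY = b"qt-in-token-signing-key-demo-only"
IDP_ISSUER = "http://sts.qualitythought.in/adfs/services/trust"  # made-up federation service identifier
PAYROLL_AUDIENCE = "https://payroll.asquarezone.com"              # the relying party (RP) identifier
TOKEN_LIFETIME_SECONDS = 600


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(upn: str, email: str, groups: list, now: float = None) -> str:
    """Step 5: the IdP (AD FS at QT.in) gathers the user's claims and signs them."""
    now = time.time() if now is None else now
    claims = {
        "iss": IDP_ISSUER,        # who issued the token
        "aud": PAYROLL_AUDIENCE,  # which relying party it was issued for
        "upn": upn,
        "email": email,
        "groups": groups,
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS,
    }
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    signature = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(signature)


def verify_token(token: str, now: float = None) -> dict:
    """Step 6, first half: the RP validates the token before trusting any claim.

    Raises ValueError with a reason on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, signature_text = parts
    try:
        presented = b64url_decode(signature_text)   # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("malformed signature")
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison; the claims are not even parsed until this passes.
    if not hmac.compare_digest(expected, presented):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != PAYROLL_AUDIENCE:
        raise ValueError("token was not issued for this application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorize_payroll(claims: dict) -> str:
    """Step 6, second half: the access decision is made from the claims alone."""
    groups = set(claims.get("groups", []))
    if "Payroll-Admins" in groups:
        return "admin"
    if "Payroll-Users" in groups:
        return "user"
    return "denied (no payroll group claim)"


def access_payroll(token: str, now: float = None) -> str:
    """What the payroll app's claims-aware agent does with a presented token."""
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return "denied (%s)" % exc
    return authorize_payroll(claims)


def forge_group_claim(token: str, extra_group: str) -> str:
    """Attacker-side helper for the demo: edit the claims but keep the old signature."""
    body, signature_text = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["groups"] = claims.get("groups", []) + [extra_group]
    return b64url_encode(json.dumps(claims, sort_keys=True).encode()) + "." + signature_text


if __name__ == "__main__":
    t0 = time.time()
    token = issue_token("alice@qualitythought.in", "alice@qualitythought.in",
                        ["Domain Users", "Payroll-Users"], now=t0)
    print(access_payroll(token, now=t0 + 60))                                        # user
    print(access_payroll(forge_group_claim(token, "Payroll-Admins"), now=t0 + 60))  # denied (bad signature)
    print(access_payroll(token, now=t0 + TOKEN_LIFETIME_SECONDS))                    # denied (token expired)
```

The order inside verify_token is the point: signature first, then issuer, audience and lifetime, and only then any business logic on the claims. The audience check is what stops a token issued for some other relying party from being replayed against payroll, and the forged-group case shows why the RP must never read claims from a token whose signature it has not checked.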

Active Directory Federation Services

  • Refer to the image below
  • AD FS supports open standards, which let third-party claims-based solutions be built against it and interoperate with it
  • Security Assertion Markup Language (SAML):
    • The IdP and SP need to exchange authentication and authorization data. SAML is an XML-based standard format that is used to represent this data: an assertion carries the issuer, the subject, conditions (validity window and intended audience) and attribute statements, i.e. the claims
  • WS-Trust:
    • This is part of the WS-* family of standards. WS-Trust defines the protocols used for requesting and issuing security tokens, building on WS-Security. The Security Token Service (STS) is defined by WS-Trust; the AD FS service itself is an STS
  • WS-Federation:
    • This supports the use of many token types, including SAML
    • WS-Federation provides a mechanism to simplify the communication between IdP and SP. Its passive (browser-based) profile works through the HTTP redirects described in the steps above, and it is one of the two ways AD FS signs browser users in to web applications (SAML 2.0 Web Browser SSO is the other)
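As an added example for the SAML bullet (not from the original notes), here is what a SAML 2.0 assertion carrying the claims from the payroll scenario looks like, together with the service-provider-side parsing that turns it into a claims dictionary: issuer, subject NameID, the Conditions element (validity window and AudienceRestriction) and the AttributeStatement. The assertion text, hostnames and claim values are constructed for this example; the claim-type URIs for UPN and Group are the standard AD FS ones. XML signature validation is deliberately left out: in practice the assertion carries an XML-DSig Signature that a vetted SAML library must verify before any of these fields are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Standard AD FS claim types (real URIs) used in the constructed sample below.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion for the payroll scenario; the issuer, subject
# and audience URLs are made up. In a real exchange this sits inside a
# samlp:Response and carries an XML-DSig Signature, which is omitted here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8e2d4b1f" Version="2.0" IssueInstant="2020-10-27T10:00:00Z">
  <saml:Issuer>http://sts.qualitythought.in/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@qualitythought.in</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-10-27T09:59:00Z" NotOnOrAfter="2020-10-27T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://payroll.asquarezone.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@qualitythought.in</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Payroll-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(text: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml: str, expected_audience: str, now: datetime) -> dict:
    """SP-side reading of an already signature-validated assertion.

    Raises ValueError when the Conditions reject the assertion for this SP or time."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)

    # Conditions: the IdP's own statement of when and for whom this is valid.
    conditions = root.find("saml:Conditions", namespaces=NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions")
    not_before = conditions.get("NotBefore")          # optional in SAML
    not_on_or_after = conditions.get("NotOnOrAfter")  # treated as required here
    if not_before and now < parse_saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after is None or now >= parse_saml_time(not_on_or_after):
        raise ValueError("assertion expired or has no NotOnOrAfter")
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")

    # AttributeStatement: one Attribute per claim type, possibly multi-valued.
    claims = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        values = [v.text for v in attribute.findall("saml:AttributeValue", namespaces=NS)]
        claims[attribute.get("Name")] = values
    return {"issuer": issuer, "name_id": name_id, "claims": claims}


def sp_decision(assertion_xml: str, expected_audience: str, now_text: str) -> str:
    """One-line summary of what the payroll SP would do with the assertion."""
    try:
        result = extract_claims(assertion_xml, expected_audience, parse_saml_time(now_text))
    except ValueError as exc:
        return "rejected: %s" % exc
    return "accepted: %s" % result["name_id"]


if __name__ == "__main__":
    print(sp_decision(SAMPLE_ASSERTION, "https://payroll.asquarezone.com", "2020-10-27T10:01:00Z"))
    print(sp_decision(SAMPLE_ASSERTION, "https://payroll.asquarezone.com", "2020-10-27T10:05:00Z"))
    print(sp_decision(SAMPLE_ASSERTION, "https://hr.asquarezone.com", "2020-10-27T10:01:00Z"))
```

Two practical notes: NotOnOrAfter is exclusive (an assertion is already invalid at that exact second), and a production SP should parse the response with defusedxml or an equivalent hardened parser rather than the plain standard-library ElementTree, since the XML comes from the network.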
