Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft. As a component of Windows Server operating systems, it provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication (IWA) through Active Directory (AD).
Developed to provide flexibility, ADFS gives organizations the ability to control their employees’ accounts while simplifying the user experience: employees only need to remember a single set of credentials to access multiple applications through SSO.
How does ADFS work?
ADFS manages authentication through a proxy service hosted between AD and the target application. It uses a Federated Trust, linking ADFS and the target application, to grant access to users. This enables users to log onto the federated application through SSO without needing to authenticate to the application directly.
The authentication process generally follows these four steps:
- The user navigates to a URL provided by the ADFS service.
- The ADFS service then authenticates the user via the organization’s AD service.
- Upon authenticating, the ADFS service then provides the user with an authentication claim.
- The user’s browser then forwards this claim to the target application, which either grants or denies access based on the Federated Trust that was established.
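The four steps above, modelled as an added example that is not part of the original article: an issuer hands the authenticated user a signed claim (step 3) and the target application checks it against its Federated Trust before granting access (step 4). The claim format, the HMAC signature standing in for ADFS's token-signing certificate, and the issuer and application identifiers are all constructed simplifications, not the real ADFS wire format.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed identifiers for the federation partners (constructed, not real endpoints).
RELYING_PARTY = "https://app.example.com"                 # the target application
ISSUER = "http://adfs.example.com/adfs/services/trust"     # the ADFS service

# The Federated Trust as seen from the application: which issuer it accepts and
# the key material used to verify that issuer's claims. Real ADFS trusts use the
# issuer's token-signing certificate; a shared HMAC key is a stand-in here.
FEDERATED_TRUST = {ISSUER: b"constructed-shared-signing-key"}


def _sign(issuer_key, payload):
    return hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()


def issue_claim(user, issuer_key, audience=RELYING_PARTY, now=None, lifetime=300):
    """Step 3: ADFS has authenticated the user against AD and returns a signed claim."""
    now = time.time() if now is None else now
    payload = json.dumps({"iss": ISSUER, "aud": audience, "sub": user,
                          "exp": now + lifetime}, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + _sign(issuer_key, payload)


def relying_party_accepts(token, now=None):
    """Step 4: the application validates the forwarded claim against its Federated Trust."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.b64decode(b64)
        claims = json.loads(payload)
    except ValueError:                       # malformed token (bad base64 or JSON)
        return False
    key = FEDERATED_TRUST.get(claims.get("iss"))
    if key is None:                          # issuer is not a trusted federation partner
        return False
    if not hmac.compare_digest(_sign(key, payload), sig):   # forged or tampered claim
        return False
    if claims.get("aud") != RELYING_PARTY:   # claim was issued for a different application
        return False
    if claims.get("exp", 0) < now:           # expired claim being replayed
        return False
    return True
```

Each rejection branch corresponds to a check a relying party must perform; skipping any one of them turns a valid trust into an accept-anything endpoint.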
Why do companies use ADFS?
ADFS was born out of the need to overcome the authentication challenges created by AD in an increasingly connected online world. AD and IWA have set limitations when it comes to modern authentication, and cannot authenticate users accessing AD-integrated applications externally. This is a challenge in the modern workplace, where users often need to access applications that are not owned or managed by their AD organization.
ADFS is able to resolve and simplify these third-party authentication challenges, but does come with certain risks and disadvantages.
ADFS solves the problem of users who need to access AD-integrated applications while working remotely, offering a flexible solution whereby they can authenticate using their standard organizational AD credentials via a web interface. It allows users from one organization to access the applications of another organization beyond the realm of their AD domain. Examples include applications in a partner organization or modern cloud services, which now form part of many organizations’ extended IT landscape.
Over 90% of organizations use Active Directory, which means many use ADFS as well.
What are the risks and disadvantages?
ADFS does have its drawbacks, which make it far from an ideal authentication solution. These disadvantages include the hidden infrastructure and maintenance costs, as well as security risks.
Even though ADFS is a free feature on Windows Server, commissioning ADFS requires a Windows Server license and a server to host the ADFS service, which comes at a cost to the organization. Notably, the cost of a server license has increased since the release of Windows Server 2016, with licensing now on a per-core basis.
Hidden maintenance costs
Over and above the direct costs of commissioning ADFS, organizations also need to consider the ongoing operational costs of managing and maintaining an ADFS service. Trusts between AD domains need to be maintained by employees with deep technical skills and ADFS servers need to be patched, updated and backed up on a regular basis. In addition, since ADFS is a critical service, high availability is key. Depending on how it is configured, ADFS can cost more than anticipated: both directly as more infrastructure is required, and indirectly as complexity increases.
Commissioning, configuring, and maintaining an ADFS solution is not a simple undertaking. Furthermore, each time an application is added to an ADFS service the process is time-consuming and technically intricate, which hinders IT agility.
An out-of-the-box, standard install of ADFS is not as secure as it can be. In order to properly secure it, there are multiple steps that IT needs to perform. In addition, as ADFS runs on a Windows Server, that too needs to be hardened and secured to ensure the solution is not at risk.
ADFS vs. Cloud identity
There is no doubt ADFS does have some advantages that make it a popular choice for organizations looking for a federated identity solution. However, ADFS does have distinct disadvantages that cannot be ignored.
Third-party cloud-based identity services can possess features that match, and in some instances surpass, those of ADFS. Cloud identity solutions are more cost-effective due to the lower operational overhead needed to run them; beyond that, they have built-in high availability and seamless integration with hundreds of applications. Okta provides secure cloud-based identity solutions for its users—solutions that will not only solve authentication challenges, but that will also keep security consistently front-of-mind.