What Is ADFS?

Identity and access management (IAM) tools have become more necessary than ever in today’s modern IT environment, especially with the number of people working remotely and the prevalence of digital threats looming around every corner. As the IAM market has evolved, many providers have struggled to keep up with the changing needs of organizations. Today, organizations rely on various combinations of legacy and cloud-based solutions to support critical processes while providing flexibility to their employees. 

On this basis, Microsoft unveiled Active Directory Federation Services (ADFS) as an add-on feature for the Windows Server operating system when these trends first started to appear in 2003. ADFS allows organizations to extend users’ single sign-on (SSO) access to resources outside of the enterprise’s firewall and across organizational boundaries. It provides organizations with the flexibility required to streamline the end-user experience while improving IT admins’ control over user accounts across owned and third-party applications. 

In this article, we’ll go over what ADFS is, how ADFS works, its use cases, and why the industry is moving away from add-on, siloed solutions like ADFS to more comprehensive cloud IAM solutions.

What Is ADFS?

ADFS is Microsoft’s on-prem SSO solution that authenticates users into applications that are incompatible with Active Directory (AD) and Integrated Windows Authentication (IWA). Microsoft released ADFS as an opportunity for many organizations that were taking advantage of the software-as-a-service (SaaS) boom of the 2000s. 

At the time, Microsoft was dominating the IT industry, and nearly all applications that organizations used were on-premise and Windows-based. This created authentication challenges for applications that were outside the Windows ecosystem and the organization’s perimeter. However, ADFS allows identity information to be securely shared outside of a company’s network, in order to access web-facing resources like web apps that were hosted by organizations they had established relationships with. 

In essence, it allows organizations to create a “trust relationship” between one another across the internet, complementing AD by extending identities in on-prem setups to cloud-based environments. It operates much like any web application-based SSO service that uses the Secure Assertion Markup Language (SAML) protocol. ADFS can also use cookies and other token standards such as JSON web tokens (JWT) to provide authentication services; however, it’s leveraged in on-prem setups rather than in the cloud. 

What Are the Different Parts of ADFS? 

ADFS is comprised of four primary components:

• Active Directory. This is where ADFS’s identity information gets stored. ADFS extends AD’s information beyond the enterprise’s network. This allows users to access Windows-based and third-party applications while outside of corporate networks.
• Federation server. It manages federated trusts between business partners by issuing security tokens. The federation server processes authentication requests from external users and issues out security tokens for claims based on credentials stored in AD. 
• Federation server proxy. This is deployed on the organization’s extranet and links external users and the federation server. This way, the federation server does not get exposed directly to the internet in order to prevent security risks. 
• ADFS web server. It hosts the ADFS Web Agent, a service that either allows or denies a user access to web applications based on authentication cookies and security tokens sent to it. 

How Does ADFS Work?

ADFS uses a claim-based authentication, which verifies a user from a set of “claims” about their identity from a trusted token. ADFS then gives users a single prompt for SSO, allowing them to access multiple applications and systems even if they reside on different networks. 

In ADFS, two organizations establish identity federation by confirming trust between two security realms. A federation server in one organization authenticates a user through the standard Active Directory Domain Services (AD DS). The AD DS then issues a token consisting of a series of claims about the user, including their identity in the organization. 

On the other side of the organization (resources side), another federation server confirms the tokens and provides another token to allow local servers to accept the claimed identity. This enables the system to provide controlled access to its resources without requiring a user to authenticate directly to the application. 

The diagram below summarizes the workflow for ADFS-based systems:

Why Do Organizations Use ADFS?

Before 2003, organizations had been largely using AD and IWA to manage end-user access to corporate resources. As remote access and cloud-based services became more popular, it was apparent that AD and IWA could not cope with modern authentications. This was because users in such environments often want to access applications that are not company-owned such as SaaS and web applications.

ADFS resolved and simplified third-party authentication challenges, allowing organizations to better manage access to resources in an evolving workplace. With ADFS, users got authenticated to all the approved third-party systems and applications once they logged in with their Windows credentials. 

Because of the SSO feature, users didn’t have to remember unfamiliar and disparate account credentials when accessing SaaS and web applications. Besides users, ADFS also provides benefits to IT administrators and developers alike. For example, IT administrators could largely maintain their existing AD setup, especially if other aspects of their environment were still largely on-prem and Windows-based. 

This allowed them to have complete visibility over their digital identities. ADFS also provided developers with a simple approach to authenticate users via identities in the organization’s directory, allowing them to focus on more productive tasks. 

What are the Limitations of ADFS?

Although ADFS became popular when AD was the primary directory service being used and IT environments were all Windows-based, it comes with some problems and limitations that can’t be ignored.

Although ADFS is a free feature on Windows Server operating systems, commissioning it requires a license and a server to host the federation services. This can be costly to an organization. Not only do you need to consider the costs of end user Client Access Licenses (CALs), but you also need to remember that ever since Microsoft launched Windows Server 2016, the server licensing cost has increased, which is now based on a per-core basis. On top of cost issues, ADFS doesn’t provide the required flexibility for organizations that have a mixed IT environment (i.e., anything more than Windows-based resources). 

To remain competitive in today’s environment, IAM and SSO tools need to connect users to as many of their IT resources as possible, regardless of their platform, provider, location, or protocol. No one wants to employ, pay for, or manage multiple disparate solutions that still don’t fully handle identity and access management, and the industry is moving away from web app SSO point solutions like ADFS to those that are fully integrated into more comprehensive IAM platforms.

By sticking with ADFS, organizations essentially lock themselves into a Windows-based ecosystem plus a few SaaS solutions. Because Microsoft is no longer the only player in the IT industry, organizations can unify their identity management only when they venture outside of the Microsoft ecosystem.

Modernize Your Infrastructure with JumpCloud

Leveraging a tool such as the JumpCloud Directory Platform can help organizations streamline identity management in heterogeneous environments. Migration from ADFS to JumpCloud is also a straightforward process. JumpCloud can be used as a complete cloud extension for AD and an identity bridge to non-Windows resources such as Linux and macOS or as a fully functional, modern replacement for AD.

JumpCloud offers a complete cloud IAM platform with True SSO^TM capabilities that allow users to securely and efficiently connect to virtually any IT resource via SSO — think Mac, Windows, and Linux devices, Wi-Fi networks, VPNs, cloud and legacy apps, physical and virtual file servers, and more.

Try JumpCloud’s Solution Free

Test out JumpCloud’s modern, simplified IAM solution with True SSO, and see if it’s right for your organization! Start a trial of JumpCloud to access the entirety of the platform for free.