In the section titled “Configuring a
Claims Web Application,” I briefly touched on federated authentication
within SharePoint via Trusted Identity Providers. In this section, we
shall explore federated authentication using Active Directory Federation
Services (ADFS).
Active Directory Federation Services
Active Directory Federation Services (ADFS) is a
Microsoft service that provides federated claims-based
authentication. ADFS issues security tokens over the WS-Federation
protocol (it also supports WS-Trust and the SAML 2.0 protocol), and the
tokens it returns are assertions in Security Assertion Markup Language
(SAML) format. Administrators may download ADFS from the
following link, install it, and configure it via a Microsoft Management
Console (MMC) snap-in: www.microsoft.com/en-us/download/details.aspx?id=10909 .
Why would you be interested in federated
authentication, and why ADFS? SharePoint does not strictly federate
authentication: the platform still authenticates users itself, although
it abstracts that authentication behind its own Security Token
Service. ADFS brings true federated authentication because it is a
separate service that any application can rely on, as long as the
application supports WS-Federation and SAML. The following is a list of
some of the benefits that ADFS brings to your organization:
- Single Sign-On (SSO): If ADFS is the
central hub for authentication of every application in the organization,
those applications can offer SSO. A user authenticates through one
application and ADFS issues a SAML token for that user. When the same
user later reaches a different application that also uses ADFS, ADFS
issues a token for that application without prompting the user for
credentials again, because it still holds a sign-in session for the user
(a session cookie on the ADFS site, or Integrated Windows Authentication
for a domain-joined client) from the first successful authentication.
Note that each relying application receives its own token, scoped to
that application; it is the ADFS sign-in session, not the token, that is
shared.
- WS-* Interoperability: ADFS
interoperates with any system that supports WS-Federation, and it
supports the related WS-* standards used by other security services.
Without ADFS, applications on the Microsoft Windows Server platform must
implement claims authentication themselves, using Windows Identity
Foundation, to support federation. ADFS provides federation for
applications that do not implement WS-Federation on their own.
- Avoids Credential Management:
Using ADFS, you can allow users to authenticate with other claims-aware
identity providers (such as Windows Azure) and grant those users access
to your applications without having to manage their account
credentials. Users maintain their own credentials with these
independent account providers, ADFS brokers the authentication
process, and your applications only have to keep a record of a unique
user identity (derived from claims in the SAML token) to recognize an
authenticated user.
- Claims Mapping: ADFS understands claims
provided by federated providers and can map them into different claim
types in use in your organization.
- Extensible Architecture: ADFS supports
custom claims augmentation (associating claims with a user’s identity),
via custom extensions implemented by developers and third parties.
ADFS System Requirements
ADFS will install on all of the following Windows Server platforms:
- Windows Server 2008 Datacenter
- Windows Server 2008 Enterprise
- Windows Server 2008 R2
- Windows Server 2008 R2 Datacenter
- Windows Server 2008 R2 Enterprise
- Windows Server 2008 R2 Foundation
- Windows Server 2008 R2 Standard
- Windows Server 2008 Service Pack 2
- Windows Server 2008 Standard
- Windows Small Business Server 2008 Premium
- Windows Small Business Server 2008 Standard
ADFS requires the following software components to operate correctly:
- Internet Information Services (IIS) 7 or above
- .NET Framework 3.5 with Service Pack 1
- SQL Server 2005 (Express, Standard, or Enterprise) or SQL Server 2008 (Express, Standard, or Enterprise) for the ADFS configuration database. A stand-alone federation server or a small farm can instead use the Windows Internal Database that the ADFS configuration wizard sets up by default; a full SQL Server instance is needed only for a SQL-backed federation server farm.
Install Certificate Authority
ADFS requires certificates to sign (and optionally encrypt)
SAML tokens and to secure its endpoints with SSL. In a production
deployment, you would install purchased certificates, signed by a
trusted public root certification authority such as VeriSign. However,
for development and demonstration purposes, we shall install Active
Directory Certificate Services and create our own Certification
Authority for issuing ADFS certificates.
- Open the Windows control panel.
- Double-click the Programs and Features icon.
- Click the link to turn Windows features on or off (this opens Server Manager).
- Click Roles in the left navigation.
- If Active Directory Certificate Services is not installed, click the link to add a new role.
- Select the Active Directory Certificate Services role from the list (Figure 1), then click the Next button.
- Select the Certification Authority and Certification Authority Web Enrollment role services (Figure 2).
- Specify the CA type as Enterprise, then click Next.
- Select Root CA and click Next.
- Create a new private key for the CA.
- Select the cryptography for the CA. An RSA key of 2048 bits is a good choice; for the hash algorithm, prefer SHA256 over the SHA1 default, since SHA1 is no longer considered adequate for certificate signatures and the resulting CA certificate is what every ADFS certificate will chain to.
- Give the CA a distinguished name. I chose the default name
provided, which the wizard determined by using the name of my domain
and server name, then click Next.
- On the confirmation dialog, click the Install button.
- Assuming no errors occurred, you should see an installation status dialog (Figure 3).
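The same Certification Authority build can be scripted, which is useful when you rebuild a lab environment repeatedly. The following PowerShell script is an added example and is not part of the original text; it assumes the ADCS deployment cmdlets (Install-AdcsCertificationAuthority, Install-AdcsWebEnrollment), which ship with Windows Server 2012 and later, so on the Windows Server 2008 R2 platforms listed above only the Add-WindowsFeature step applies and the CA itself is still configured through the wizard. The CA name CONTOSO-ADFSLAB-CA is a hypothetical placeholder for the default the wizard would pick from your domain and server name.

```powershell
# Added example: unattended equivalent of the Enterprise Root CA steps above,
# followed by a health check of the new CA. Not from the original text.
# ASSUMPTIONS: Windows Server 2012 or later (ADCSDeployment module present);
# run in an elevated PowerShell session as an Enterprise Admin.
param(
    # Hypothetical CA name; the wizard's default is "<domain>-<server>-CA".
    [string]$CACommonName  = "CONTOSO-ADFSLAB-CA",
    [int]   $KeyLength     = 2048,
    # SHA256 rather than the SHA1 the wizard defaults to.
    [string]$HashAlgorithm = "SHA256"
)

$ErrorActionPreference = "Stop"

# Refuse to continue unless elevated; ADCS role installation requires it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

# Role services that correspond to "Certification Authority" and
# "Certification Authority Web Enrollment" in the wizard.
Import-Module ServerManager
Add-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools | Out-Null

# Enterprise Root CA with a newly generated private key, matching the
# CA type, root CA, new key, and cryptography steps of the wizard.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType              EnterpriseRootCA `
    -CACommonName        $CACommonName `
    -CryptoProviderName  "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength           $KeyLength `
    -HashAlgorithmName   $HashAlgorithm `
    -ValidityPeriod      Years `
    -ValidityPeriodUnits 5 `
    -Force | Out-Null

# Web Enrollment role service (the /certsrv pages used to request certificates).
Install-AdcsWebEnrollment -Force | Out-Null

# Health check: the CA service is running, the CA answers requests, and the
# root certificate landed in the machine Root store with the expected algorithm.
function Test-LabCA {
    param([string]$Name)

    $svc = Get-Service -Name CertSvc
    if ($svc.Status -ne "Running") { throw "CertSvc is not running ($($svc.Status))" }

    & certutil.exe -ping | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -ping failed with exit code $LASTEXITCODE" }

    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$Name*" } |
        Select-Object -First 1
    if (-not $root) { throw "CA certificate for $Name not found in LocalMachine\Root" }

    # Summary the operator can eyeball: anything still reporting sha1RSA here
    # means the hash algorithm parameter did not take effect.
    [pscustomobject]@{
        Subject            = $root.Subject
        SignatureAlgorithm = $root.SignatureAlgorithm.FriendlyName
        KeyBits            = $root.PublicKey.Key.KeySize
        NotAfter           = $root.NotAfter
        Thumbprint         = $root.Thumbprint
    }
}

Test-LabCA -Name $CACommonName
```

Because the CA is an Enterprise CA, its root certificate is published to Active Directory and domain-joined servers (including the ADFS and SharePoint machines) pick it up through Group Policy; a non-domain client that needs to trust ADFS's SSL certificate must import that root manually, which is exactly the step a public CA such as VeriSign saves you in production.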