ADFS (Active Directory Federation Services) is an SSO solution created by Microsoft to authenticate users logging into applications which are incompatible with Integrated Windows Authentication (IWA) and Active Directory (AD).
ADFS provides organizations with the flexibility needed to simplify the user experience while improving the control that admins have over user accounts across owned as well as third-party applications. Since ADFS implements SSO, your employees are required to remember only one set of credentials for all the applications.
How it works
With ADFS, authentication is managed using a proxy server which is hosted between the AD and the target application. It operates based on federated trust – users can access an application through SSO without being required to authenticate their identity on the target application.
- The ADFS service provides the user with a URL
- The user is then authenticated via your organization’s AD service
- Once authenticated, the user is provided with an authentication claim
- The authentication claim is forwarded to the target application, which grants or denies access on the strength of the federated trust that has been established with the ADFS service
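The four steps above describe a claims-based flow: the federation service checks the password against the directory, then hands the user a signed claim, and the target application (the relying party) admits the user by verifying that claim against the trust it established beforehand, without ever seeing the password. The following is an added example written for this page; it is not ADFS code or Akku code. Real ADFS issues SAML or JWT tokens signed with a token-signing certificate; here the trust anchor is simplified to a shared HMAC key and the token to `base64url(JSON).signature`. The issuer URL, audience URL, key, and directory entries are constructed values.

```python
"""
Claims-based federation flow in miniature (added teaching example, not
ADFS or Akku code): the federation service authenticates the user against
the directory and issues a signed claim; the relying party validates the
claim against its configured trust and grants or denies access.

Simplification: ADFS signs SAML/JWT tokens with a token-signing
certificate. Here trust is a shared HMAC key and the token format is
base64url(JSON).signature. All names, keys and users are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration: the relying party was set up to accept
# tokens from this issuer, addressed to this audience, signed with this key.
ISSUER = "https://adfs.example.test/adfs/services/trust"  # hypothetical
AUDIENCE = "https://app.example.test/"                      # hypothetical
TRUST_KEY = b"constructed-shared-signing-key"
TOKEN_LIFETIME = 300  # seconds

# Constructed directory: the only component that ever checks a password.
DIRECTORY = {"alice": "correct horse battery staple"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_claims(claims: dict, key: bytes = TRUST_KEY) -> str:
    """Serialize the claim set and sign it; the signature is the trust link."""
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def federation_service_issue(username, password, key=TRUST_KEY, now=None):
    """Steps 2-3: authenticate against the directory, then issue a claim."""
    if DIRECTORY.get(username) != password:
        return None  # authentication failed: no claim is issued
    now = int(time.time() if now is None else now)
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": username,
        "upn": f"{username}@example.test",
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
    }
    return sign_claims(claims, key)


def relying_party_validate(token, key=TRUST_KEY, now=None):
    """Step 4: the target application checks the claim and decides access.

    Returns the claim set on success, None on any failure. Signature,
    issuer, audience and validity window are all checked; a token that is
    genuine but minted for a different application is rejected too.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison of the signature against the trust key.
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
        if not isinstance(claims, dict):
            return None
        if claims.get("iss") != ISSUER:    # not our federation service
            return None
        if claims.get("aud") != AUDIENCE:  # issued for another application
            return None
        if not (claims["iat"] <= now < claims["exp"]):  # outside lifetime
            return None
    except (ValueError, KeyError, TypeError):
        return None
    return claims


if __name__ == "__main__":
    tok = federation_service_issue("alice", "correct horse battery staple")
    print("issued claim:", tok)
    print("relying party accepts:", relying_party_validate(tok))
```

The relying party never consults the directory; it only knows the issuer, the audience it expects to be named, and the signing trust. That is what lets the same federation service vouch for the user to many applications, and it is also why the token-signing material and the issuer configuration deserve the hardening the rest of this page asks for.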
Why ADFS is important
ADFS was created to overcome the limitations of the authentication methods used by AD when users need to connect to third-party integrations. For modern workplaces which require seamless connectivity with applications which are not owned or managed by the organization, ADFS delivers a distinct advantage. Companies simply have to establish a federated trust link with each third-party application, and ADFS can then act as a unified authenticator for owned as well as third-party applications.
Problems with ADFS
While ADFS comes as an efficient solution for authenticating users for integrated applications, it does have its fair share of drawbacks.
ADFS comes as a free feature with Windows Server, but the commissioning of ADFS requires a server license which is charged per core.
In addition to this direct cost, the management of ADFS servers can also increase the operational costs incurred by your organization. The federation trust links between the applications have to be maintained with utmost care by employees with a high level of technical skill. Also, since ADFS is a critical service, high availability is key. In addition, the infrastructure required to maintain and patch ADFS servers can be expensive.
The time-consuming and complex nature of configuring the ADFS service with the addition of every application can hinder operational flow and IT agility in your organization. The process is also technically intricate and requires experienced professionals to carry it out.
Using ADFS right off the shelf can come with its own security risks. Both ADFS itself and the Windows Server that the service runs on require further hardening beyond the default configuration.
As much as ADFS has significantly enhanced authentication across organizations' networks and third-party applications, it would be advisable to take into account the drawbacks discussed above. If you are interested in using ADFS or in enhancing your existing authentication services, Akku – the Identity and Access Management Solution – can help you get there. To know more, get in touch with us now.