AD

Please take a moment and help support this site by visiting our AD. Thank you for your support.

Wednesday, June 08, 2011

Using ActiveDirectory Federation Services for single sign-on

Web-based log-in and SharePoint-based sites create a need for a new system of trust, and ADFS could be the solution

You have developed a Web site that requires a log-in. However, rather than promoting your site to individuals who sign up and create their personal log-in, you promote the site to entire companies. A company with thousands of employees signs up to use your site and you are suddenly faced with the need to re-create thousands of accounts on your server. Users, when accessing the site, must perform the most frustrating task: logging in with a different account. You sit back and think, "There must be a better way."
Well, that is only one of many scenarios where people in one company need to access items in another company or have a single sign-on for another site, be it a SharePoint site or some other type that requires a log-in. Here is where it may be worth looking into ADFS (Active Directory Federation Services).


How ADFS works

Essentially, with ADFS, each company manages its own identities. But within a federated environment, each company can accept and provide permissions and/or access to identities from within another company. It all comes down to trust. The ability to trust accounts from one company without requiring a local account on your servers. This trust is called federated identity management and is the core behind ADFS. The biggest concern, logically, is security. All communication from one company's Active Directory to the other's ADFS is encrypted, and client access to through their browser is also encrypted using SSL.
It's important to mention that ADFS is only for Web-based applications (like SharePoint). It's really a solution only for allowing external business partners or clients to access your Web application, while still allowing the partner or client to manage their identities.
There are a few scenarios where you might use ADFS. One is the single sign-on where a person does have to log in one time through forms-based authentication, which will provide the users with a cookie that they can then use to access the rest of the site without having to provide repeat credentials. Another option is the identity federation option where they use their token from Active Directory to access the Web application without having to reauthenticate at all.

No comments:

Post a Comment