Active Directory Federation Services (ADFS) provides an identity federation solution for enterprises looking to share identity information with their partners securely. Using the trust policy for an AD Federation Service, you can manage your trust relationship with partners, and map partner claims to claims understood by your organization’s web applications.
By relying on partner claims to initiate web application sessions, responsibility for partner account management stays with the partner. The partner knows exactly when its employees are hired, terminated, or moved into new roles. ADFS also lets federation partnerships be managed centrally, reducing the effort of adding and removing partnerships.
ADFS also helps organizations share identity information with partners using the same trust policy. When establishing a partnership to use another organization's web applications, ADFS provides a central place to manage and audit the employee identity information that is shared with that partner.
Identity federation with ADFS addresses a number of common identity management problems. The 5 must-know benefits of ADFS are:
1. Secure Account Provisioning
Let’s look at an example. A partner organization has just hired a new employee and would like that employee to access web applications offered by your organization under the existing partnership agreement. Instead of requiring a new account managed by your organization, ADFS enables your organization to accept digitally signed claims from the partner organization. These claims from the partner organization can confirm that the requestor is indeed an employee of the partner.
2. Hassle-free Account Credential Management
With a new local account for the partner employee, you would normally need some method of managing the credential they use to authenticate. With ADFS, your organization no longer needs to revoke, change, or reset that credential, since the credential is managed by the partner organization.
3. Easy Account Management
Consider a scenario where an employee in a partner organization has a new role that requires access to a different set of your web apps. With ADFS, your partner always sends claims that reflect the employee’s current roles and permissions. Since ADFS allows you to use the partner’s claims to control access to your applications, the employee’s access is updated immediately.
4. Simplified Account Deactivation
What if an employee with access to partner resources is terminated? With ADFS, the employer can remove that employee's access across all partner organizations at once. Without this functionality, the employer would have to contact each partner organization separately, and the ex-employee would retain access until every partner had acted. A significant security exposure is avoided.
5. Effective Change Management
Imagine that a partner organization has started working with your top competitor. Your organization decides to end the partnership to avoid any further information disclosure. With ADFS, the partnership is terminated with a single trust policy change. Without centralized partner management, individual accounts for each partner employee would need to be deactivated, a much lengthier and more cumbersome process.

ADFS-enabled identity federation allows enterprises to share identities in an interoperable, standardized way while reducing the headaches involved in business-to-business partnering. In addition, the claims-based identity model supported by ADFS and the WS-* specifications is an integral part of the Microsoft identity platform. The online documentation makes it easy to experiment with the technology and see how it can help alleviate your identity management challenges.
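The trust-policy mechanics behind these benefits, shown as an added example in the ADFS PowerShell module (this is not code from the article): it assumes a relying party trust named "Partner Portal (example)" already exists on the ADFS farm, and the partner name, metadata URL and claim values are hypothetical placeholders.

```powershell
# Added example (not from the article). Names, URLs and claim values are
# hypothetical placeholders. Run in an elevated session on an ADFS server.
Import-Module ADFS

# 1. Establish the partnership. The partner's federation metadata carries its
#    token-signing certificate, so only tokens signed by the partner are
#    accepted. Acceptance transform rules map the partner's role claim to a
#    role your applications understand; claims with no matching rule are
#    dropped, so arbitrary partner claims never reach your applications.
$acceptRules = @'
@RuleName = "Map partner role to local role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
   Value == "PartnerEngineering"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
          Value = "PartnerPortal-Engineer",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Pass through partner UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name "Contoso Partner (example)" `
    -MetadataUrl "https://sts.partner.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $acceptRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# 2. Control access with the partner's claims. The application's issuance
#    authorization rule permits only users whose current partner role maps to
#    the expected local role, so a role change at the partner takes effect on
#    the employee's next sign-in without touching any account on your side.
$authzRules = @'
@RuleName = "Permit partner engineers only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
   Value == "PartnerPortal-Engineer"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Partner Portal (example)" `
    -IssuanceAuthorizationRules $authzRules

# 3. End the partnership with a single trust-policy change: every partner
#    employee loses access at once, with no per-account deactivation.
Disable-AdfsClaimsProviderTrust -TargetName "Contoso Partner (example)"
```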
Questions? Call us now at 510.668.0700 or email [email protected] for more information.
ADFS Consulting Services
- Set up ADFS on-premises.
- Federated SSO access to Office 365, SharePoint and Exchange.
- Federated SSO access to any web applications.
- Integration with Multi-factor Authentication.