What is Single Sign-On (SSO)?
SSO is an authentication method in which a user authenticates once with a single user ID and password and is then granted access to multiple web applications, systems or partner websites.
Why do we need SSO?
Prior to SSO, a user needed a separate user ID and password to authenticate to each application. That was time consuming for users and costly for organizations, which had to maintain an authentication server and environment for every application. Hence an SSO solution became essential.
SSO is especially useful for enterprise organizations that run multiple applications.
Identity Federation
To set up an SSO environment, we need an identity federation server that generates an authentication ticket or token for the user; the user then presents that token to all of the trusted IT systems or organizations.
By using identity federation, we can reduce the server and environment cost of proprietary solutions.
It can increase security and lower risk: the user is identified and authenticated once, and that identity is then used across multiple systems, including those of external partner websites. It protects the user's privacy by sharing only limited information, and it improves the user experience by eliminating new account registration through cross-domain single sign-on. Nowadays, several federation technologies have been developed to exchange identity information.
Active Directory Federation Services (ADFS) is an example of these federation technologies.
Active Directory Federation Services
Active Directory Federation Services is a software component developed by Microsoft. It first appeared with Windows Server 2003 R2 as ADFS 1.0. Previously it was called the Geneva Framework.
Active Directory Federation Services provides a scalable, secure, reliable and extensible identity federation solution. It supports both Windows Identity Foundation (WIF) based claims-aware applications and claims-based services and SAML tokens, and it supports various client authentication methods such as Kerberos, X.509 certificates and user name/password. It also supports different identity stores such as Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS) and SQL Server.
Using WIF, ADFS can bring ASP.NET and SharePoint applications into the SSO environment. Through SAML tokens, ADFS can integrate with other federation services such as Microsoft Office 365, IBM Tivoli Federated Identity Manager, Windows Azure applications, Ping Identity PingFederate, Shibboleth, Oracle Identity Federation and CA SiteMinder Federation.
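The token flow described in the Identity Federation section and the SAML-token integration above, as an added example that is not ADFS or Microsoft code: a federation server (identity provider) mints a signed token scoped to one relying party, and each trusted application checks issuer, signature, audience and validity window before trusting the claims inside. HMAC-SHA256 with a shared secret and a JSON body stand in for the XML signature and SAML assertion ADFS actually uses; the issuer URL, audience URNs and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: one federation server (IdP) trusted by several relying parties (RPs).
IDP_ISSUER = "https://fs.example.test/adfs/services/trust"   # hypothetical issuer identifier
TRUSTED_KEYS = {IDP_ISSUER: b"demo-shared-secret"}           # constructed secret, demo only

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, audience: str, claims: dict, ttl: int = 300, now=None) -> str:
    """Federation server side: mint a signed token scoped to one relying party."""
    now = int(time.time()) if now is None else now
    body = {"iss": IDP_ISSUER, "sub": user, "aud": audience,
            "nbf": now, "exp": now + ttl, "claims": claims}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(TRUSTED_KEYS[IDP_ISSUER], payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def validate_token(token: str, expected_audience: str, now=None):
    """Relying party side: accept a token only if it is well formed, from a trusted
    issuer, untampered, addressed to this application and inside its validity window."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        body = json.loads(_unb64(payload))
        sig_bytes = _unb64(sig)
    except ValueError:                       # covers unpack, base64 and JSON errors
        return None, "malformed"
    if not isinstance(body, dict):
        return None, "malformed"
    key = TRUSTED_KEYS.get(body.get("iss"))
    if key is None:
        return None, "untrusted issuer"      # only the federation server may mint tokens
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):   # constant-time comparison
        return None, "bad signature"
    if body.get("aud") != expected_audience:
        return None, "wrong audience"        # a token for one RP must not be accepted by another
    if not (body.get("nbf", 0) <= now < body.get("exp", 0)):
        return None, "expired or not yet valid"
    return body, "ok"
```

The same token is accepted by exactly one relying party, which is what lets a single login be reused across trusted systems without letting one application's token be replayed against another.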
New features of ADFS
ADFS provides the following new features with Windows Server 2012 R2:
- Cloud computing
- Setting Up Windows Intune/ConfigMgr 2012 R2 with ADFS On-Prem and Azure
- Enrolling the Different Device Types in Intune (Windows Phone, Android, iOS)
- Custom Attribute Store