Active Directory Federation Services (AD FS)

Active Directory Federation Services (AD FS) provides single sign-on (SSO) for employees across security and domain boundaries, letting them reach systems and applications through identity federation: an authentication process in which an organization shares claims about verified users with external partners.

How MSPs Can Help Clients Implement AD FS

Federating authentication through AD FS means fewer help desk password-reset calls and quicker deactivation of accounts when an employee departs. It also improves organizational efficiency by streamlining the employee experience.

Single sign-on

AD FS allows employees to securely access applications and systems hosted on external servers using the same username and password they use for on-premises applications. This reduces the time spent entering credentials repeatedly and, because credentials are typed into fewer places, lowers security risk. Implementation is complex and requires technical expertise, so managed service providers (MSPs) have an opportunity to help their clients deploy and operate this technology effectively.

An essential property of single sign-on with AD FS is that the user's login credentials stay within the organization's own environment: they are presented only to the federation server and never to the external application, so a compromised application does not expose them. To accomplish this, federation trusts are established to validate identities between the two parties. The federation server acts as an intermediary: the client authenticates directly to it, the server verifies the user's identity, and only then does it issue an authentication token that is passed on to the target application or system.

SSO with AD FS makes adding new web applications and platforms to your company's infrastructure easy, while increasing employee productivity by eliminating the need to log in to and out of each app separately. In addition, SSO assists companies transitioning to the cloud by synchronizing hashed passwords from on-premises systems with Azure Active Directory.

To enable SSO for your application, install the Microsoft Azure Federation Services plugin on your server. Once installed, the plugin creates a trust between Azure AD and on-premises Active Directory and encrypts messages between the servers for added protection.

Once the plugin is installed, you can use the Azure portal to set up and test SSO. Navigate to the app you wish to connect with AD FS, click its ellipsis button, select “Set up a new connection,” and follow the prompts to complete the process.

With the plugin in place, AD FS SSO configuration for an Atlassian organization can begin. Claims must be passed between the two systems in a defined order, so two claim rules need to be added to the relying party trust in the AD FS Management console: one that maps users' email and given-name attributes to their Atlassian accounts, and another that maps the name identifier used by the HubSpot instance back to the user's UPN in your company directory.
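The two claim rules described above, expressed in the AD FS claim rule language and applied with the AD FS PowerShell module. This is an added example, not configuration from the article or from Atlassian or HubSpot; the trust display name "Atlassian" is an assumption and should be replaced with your own relying party trust name.

```powershell
# Added example: issuance rules for a relying party trust.
# Rule 1 pulls mail, givenName and UPN from Active Directory for the authenticated
# Windows account; rule 2 turns the UPN claim into the SAML NameID the partner expects.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send email, given name and UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";mail,givenName,userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Map UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Without an issuance authorization rule AD FS denies every request; this is the
# default "permit all authenticated users" rule. Tighten it to a group claim if needed.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$trustName = 'Atlassian'   # assumption: display name of the existing relying party trust
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read the rules back to confirm what the trust will now issue
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

The rules run in order, so the UPN claim issued by the first rule is available to the second; keep that ordering if you edit the rule set in the console instead.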

Security

ADFS makes user authentication simpler by allowing users to access multiple applications, systems and assets with a single credential. Its technology does, however, carry its own set of security risks. Companies should mitigate these by working with a cybersecurity partner who can ensure that ADFS is properly secured and that related issues are addressed within the overall cybersecurity strategy.

The first step to securing ADFS is ensuring its software is correctly configured: place all federation server computer objects in a dedicated top-level organizational unit (OU), restrict their on-network access with host firewalls, and make sure the GPOs applied to them are applied to no other servers on the network. This prevents privilege escalation that could allow an attacker to steal the token-signing certificates. To reduce the risk of theft further, consider storing these certificates in hardware security modules, and renew them before their expiration dates arrive.
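A defender's check for the points above, as an added example that is not from the article: it reports where the federation server's computer object sits in the directory, whether automatic certificate rollover is on, and how close each token-signing and token-decrypting certificate is to expiry. It assumes the AD FS and ActiveDirectory PowerShell modules are available on the federation server.

```powershell
# Added example: audit certificate lifetime and the computer object's OU placement.
Import-Module ActiveDirectory

# 1. Where does this federation server's computer object live? It should be in the
#    dedicated AD FS OU, not the default Computers container.
$dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
"Computer object: $dn"
if ($dn -like '*CN=Computers,*') { Write-Warning 'Server is still in the default Computers container' }

# 2. Is AD FS renewing its own certificates, and how far ahead?
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)  Duration (days): $($props.CertificateDuration)"

# 3. Expiry status of every token-signing and token-decrypting certificate.
$warnDays = 30   # assumption: alert threshold in days
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($entry in Get-AdfsCertificate -CertificateType $type) {
        $cert     = $entry.Certificate            # System.Security.Cryptography.X509Certificates.X509Certificate2
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Type       = $type
            Primary    = $entry.IsPrimary
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            ActNow     = ($daysLeft -lt $warnDays)
        }
    }
}
```

Run it from each farm node; a certificate whose DaysLeft is below the threshold with rollover disabled is the case the paragraph warns about.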

During authentication, the WCF services compare the presented identity against the identity policy stored in the IdentityServerPolicy.ServiceStateSummary table in the AD FS database. If the identity matches, the WCF service returns a message with the requested information over an HTTP channel on port 80, which is handled by the AD FS servers and the proxies that manage traffic.

To lessen this exposure, it is prudent to restrict inbound communication on this port by altering the Windows Firewall rule that AD FS creates at installation, limiting the channel to the specific endpoints that need it.
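One way to apply that restriction with the built-in NetSecurity cmdlets, as an added example that is not from the article: disable the existing broad inbound TCP/80 rules and replace them with one scoped to the other farm members and the proxy hosts. The rule name and the peer addresses are assumptions; substitute your own farm nodes and Web Application Proxy servers.

```powershell
# Added example: scope inbound TCP/80 on a federation server to known farm peers.
# Constructed sample addresses: other farm nodes and proxies that legitimately use port 80.
$allowedPeers = @('10.0.1.11', '10.0.1.12', '10.0.2.21')

# 1. Find every enabled inbound rule that opens TCP/80 and disable it (including the
#    one AD FS created at installation), rather than deleting it, so it can be restored.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '80' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        "Disabling inbound TCP/80 rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }

# 2. Add a single replacement rule limited to the peer addresses on the domain profile.
New-NetFirewallRule -DisplayName 'AD FS TCP/80 (farm peers only)' `
    -Direction Inbound -Protocol TCP -LocalPort 80 `
    -RemoteAddress $allowedPeers -Action Allow -Profile Domain | Out-Null

# 3. Show the resulting scope so the change can be recorded.
Get-NetFirewallRule -DisplayName 'AD FS TCP/80 (farm peers only)' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

HTTPS on 443 is a separate rule and is left untouched; test sign-in from a proxy after applying this, since a missing peer address breaks farm communication rather than user traffic.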

AD FS can also be protected by using security tokens to authenticate users with both identity providers and service providers. This method avoids disclosing login credentials to the applications themselves and reduces the risk of attackers gaining access through employees working remotely. Businesses looking to implement this should consult a managed services provider that offers IT security consulting to select suitable identity and access management solutions.

Scalability

ADFS's scalability is an invaluable feature for organizations that need to authenticate users against other systems, enabling access to cloud-based applications or resources across networks and organizations. To accomplish this, ADFS uses the WS-Federation and Security Assertion Markup Language (SAML) token-based authentication protocols, and it supports Kerberos for authenticating users against the internal domain.

ADFS uses SAML as the foundation of its authentication service to support third-party applications not created by Microsoft. Relying Party Trusts (RPTs) between the ADFS server and external apps establish the communication channel; each RPT carries the technical specifications for encryption methods, URLs, identifiers and claim rules, ensuring that only authenticated users can reach the web application, which increases security and improves the user experience.

When a user from the account organization attempts to access applications or resources in another network, they are routed back to their own AD FS server for primary authentication. Once the user is authenticated, this server verifies the identity data and issues a token carrying the user's claims to the target application or network, allowing a seamless transition between internal and external applications without re-entering credentials each time.

ADFS scalability is bounded by the capacity planning process, which involves estimating peak sign-in request volume and establishing how many federation servers are necessary. This requires close cooperation between IT and business teams.

AD FS is an effective SSO tool, but it comes with licensing and infrastructure costs for deployment and for maintaining multiple federation servers. Furthermore, its scalability may not satisfy some enterprises.

Because of these drawbacks, many businesses opt for third-party SSO and federation solutions instead of ADFS. Such solutions offer similar scalability at more reasonable cost while providing robust integration across hundreds of apps.

Deployment

AD FS allows organizations to authenticate users accessing applications hosted outside the organization, offering benefits such as increased scalability, multifactor authentication methods, fewer password reset requests, and freeing IT staff to focus on higher-value tasks. AD FS implementation and maintenance is not without challenges, however: operational and maintenance costs, infrastructure investments, and secure sockets layer (SSL) certificate costs all apply.

To use AD FS, you must install a Windows Server with the Federation Server role and join it to a domain that forms part of the Active Directory forest. The server needs its own certificate, and the account performing the installation must be a member of the Administrators group. You also need a service account to run the role: on the Specify Service Account page of the configuration wizard, choose either Create a Group Managed Service Account (gMSA) or Use an existing Group Managed Service Account. Finally, specify which database on this server will store the AD FS configuration database.

Once the initial installation is complete, additional features can be configured through the Add Roles and Features wizard: select Role-based or feature-based installation, choose the server from the server pool, click Next, select the features required, and, if applicable, check the Restart the destination server automatically if required box as the final step.

Once your AD FS deployment is complete, you can configure federated authentication between Egnyte and AD FS through the AD FS Management console. Navigate to Tools > AD FS Management and enter your Federation Server's URL in the Federation Service Identifier field; relying parties use this URL to validate that your server exists, either through its metadata file or by entering it manually. Provide your Token-Signing Certificate's public key as well, then click Finish to complete the process.
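The deployment steps above, from role installation through adding the relying party trust, as one PowerShell sequence. This is an added example, not the article's or Egnyte's procedure; the domain, service name, gMSA name, certificate subject and the relying party's metadata URL are all assumptions, and the Windows Internal Database is used because no SQL connection string is supplied.

```powershell
# Added example: first AD FS farm node plus a relying party trust, end to end.
# Assumptions: domain CONTOSO / contoso.example, service name fs.contoso.example,
# a service-communication certificate for that name already in LocalMachine\My,
# and a placeholder metadata URL for the relying party.

# 1. Install the Federation Server role.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Create the gMSA the service will run as (the KDS root key is created once per
#    forest; in production it becomes usable about 10 hours after creation).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }
New-ADServiceAccount -Name 'adfs-gmsa' -DNSHostName 'fs.contoso.example' `
    -ServicePrincipalNames 'host/fs.contoso.example' `
    -PrincipalsAllowedToRetrieveManagedPassword "$env:COMPUTERNAME$"

# 3. Configure the farm with the server's certificate; omitting -SQLConnectionString
#    selects the Windows Internal Database for the configuration database.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like '*fs.contoso.example*' } |
          Select-Object -First 1).Thumbprint
Install-AdfsFarm -CertificateThumbprint $thumb `
    -FederationServiceName 'fs.contoso.example' `
    -FederationServiceDisplayName 'Contoso Sign-In' `
    -GroupServiceAccountIdentifier 'CONTOSO\adfs-gmsa$'

# 4. Add the relying party trust from the partner's metadata (placeholder URL).
Add-AdfsRelyingPartyTrust -Name 'Egnyte' -MetadataUrl 'https://RELYING-PARTY-PLACEHOLDER/metadata.xml'
Get-AdfsRelyingPartyTrust -Name 'Egnyte' | Select-Object Name, Identifier, Enabled

# 5. Export the public half of the primary token-signing certificate for the partner,
#    and print the metadata URL they can use to validate this federation service.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$cerPath = Join-Path $env:TEMP 'adfs-token-signing.cer'
[IO.File]::WriteAllBytes($cerPath, $signing.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
"Token-signing public key written to $cerPath"
"Federation metadata: https://fs.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml"
```

The exported .cer contains only the public key, which is what the relying party needs to verify token signatures; the private key stays in the AD FS certificate store.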

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.