Microsoft Architecture for Identity and Access Management (IAM) - Part 2 - Federation
Federation has become one of many standards applied to Single Sign-On (SSO) by organizations; this would include locally hosted claims-aware applications and third-party cloud claims-aware applications. Microsoft supports Federation through Active Directory Federation Services 2.0 (ADFS 2.0), which is included with the purchase of Windows Server 2008 R2.
ADFS 2.0 provides the Security Token Service (STS) that can provide different claims formats, including SAML 2.0 and WS Federation. ADFS 2.0 by itself allows for Federation against a single domain or single Active Directory forest without trusts built to multiple domains or forests.
The architecture illustrated above represents the more common scenario I see with clients today, where a single domain or forest is not the true representation of the client’s needs. Quite often, forest trusts are not permitted nor created to support the security requirements internal to the organization. Optimal IdM’s Virtual Identity Server (VIS) allows for authentication across multiple domains and forests, meaning authentication is not limited to Active Directory environments. VIS provides the capability to reach out to other LDAP or database systems for authentication.
Configuring ADFS 2.0 to support/trust the STS provided by VIS Federation completes this cycle for authentication.
There are two types of claims augmentation:
- Simple Claims – basic attribute mapping; for example, mapping the display name field from source A to application B
- Complex Claims – aggregation of attributes into a single claim for the target application
ADFS 2.0 can provide claims augmentation, simple claims and complex claims. Simple claims augmentation can be accomplished through mapping to Active Directory attributes. Complex claims augmentation must be done through scripting and a SQL Server backend to support the complex claims.
Through the use of Optimal IdM’s Virtual Identity Server, complex claims augmentation can be provided by the aggregation attributes into a single attribute with VIS’s attribute mapping capabilities to provide a complex claim by then doing a simple claim-mapping of attributes in VIS to the claim necessary for Federation within ADFS 2.0.
The advantage of this solution is that it easily configures ADFS 2.0 and claims augmentation to single attributes within VIS, which then allows for attribute-mapping from any supported data source for those attributes. This could include Active Directory, LDAP, Oracle, SQL or any other authoritative source of user identity data.
The use of ADFS 2.0 and VIS in the Microsoft architecture illustrated gives flexibility and scalability to the solution when Federation is a necessary component. The client gets the flexibility to support multiple providers to identity data in the claims augmentation process. In addition, the client achieves the scalability to support authentication across multiple systems and not be limited to a single Active Directory domain or forest due to potential security risks defined by the organization.