Skip to main content

Microsoft Architecture for Identity & Access Management (IAM) - Part 2 - Federation

October 22, 2012

Federation has become one of many standards applied to Single Sign-On (SSO) by organizations; this would include locally hosted claims-aware applications and third-party cloud claims-aware applications. Microsoft supports Federation through Active Directory Federation Services 2.0 (ADFS 2.0), which is included with the purchase of Windows Server 2008 R2.

IAM Architecture


ADFS 2.0 provides the Security Token Service (STS) that can provide different claims formats, including SAML 2.0 and WS Federation. ADFS 2.0 by itself allows for Federation against a single domain or single Active Directory forest without trusts built to multiple domains or forests.

The architecture illustrated above represents the more common scenario I see with clients today, where a single domain or forest is not the true representation of the client’s needs. Quite often, forest trusts are not permitted nor created to support the security requirements internal to the organization. Optimal IdM’s Virtual Identity Server (VIS) allows for authentication across multiple domains and forests, meaning authentication is not limited to Active Directory environments.  VIS provides the capability to reach out to other LDAP or database systems for authentication.

Configuring ADFS 2.0 to support/trust the STS provided by VIS Federation completes this cycle for authentication.

Claims Augmentation

There are two types of claims augmentation:

  • Simple Claims – basic attribute mapping; for example, mapping the display name field from source A to application B
  • Complex Claims – aggregation of attributes into a single claim for the target application

ADFS 2.0 can provide claims augmentation, simple claims and complex claims. Simple claims augmentation can be accomplished through mapping to Active Directory attributes. Complex claims augmentation must be done through scripting and a SQL Server backend to support the complex claims.

Through the use of Optimal IdM’s Virtual Identity Server, complex claims augmentation can be provided by the aggregation attributes into a single attribute with VIS’s attribute mapping capabilities to provide a complex claim by then doing a simple claim-mapping of attributes in VIS to the claim necessary for Federation within ADFS 2.0.

The advantage of this solution is that it easily configures ADFS 2.0 and claims augmentation to single attributes within VIS, which then allows for attribute-mapping from any supported data source for those attributes. This could include Active Directory, LDAP, Oracle, SQL or any other authoritative source of user identity data.


The use of ADFS 2.0 and VIS in the Microsoft architecture illustrated gives flexibility and scalability to the solution when Federation is a necessary component. The client gets the flexibility to support multiple providers to identity data in the claims augmentation process. In addition, the client achieves the scalability to support authentication across multiple systems and not be limited to a single Active Directory domain or forest due to potential security risks defined by the organization.

Back to Part 1

Related Blogs

September 05, 2012

Microsoft Architecture for Identity & Access Management (IAM) - Part 1 - Overview

For the past year and a half, Microsoft has created and gone to market with a suite of products that allow for Identity and Access Management (IAM) ar...

See Details

January 13, 2016

I Want the Cloud, But Where Do I Start?

… It is a question many admins and technology professionals are starting to ask. Well, to be fair, as long as ‘The Cloud’ has been a buzzword, people...

See Details

December 23, 2013

Are You On Cloud Nine Yet?

CIOs and CTOs looking to reduce costs, drive innovation and maintain a strategic advantage over their competitors can’t afford to overlook the cloud. ...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

January 26, 2018

Identity and Access Management Solutions

We help you minimize risk and maximize efficiency with our IAM solutions.

See Details

February 04, 2016

Third-Party Risk Assessment | Optiv

Reduce your information risk through better vendor management.

See Details

July 21, 2015

Network Security Solutions

Learn how we help protect your environment while maintaining connectivity.

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.