
Active Directory Federation Services 2.0: Is it right for you?

August 16, 2011


ADFS can be useful in federating directories between your organization and another organization to reduce Identity and Access Management headaches.

Prior to ADFS (or its previous incarnations), many organizations deployed a ‘separate’ Active Directory implementation, perhaps in their DMZ for less-trusted systems or to provide extranet authentication and authorization for third parties coming in to consume services. The big challenge here is that you become the accounts administrator for extranet users (which may start as a “small 100 user pilot” that rapidly expands, as we’ve all experienced): when they need a password reset or have a new employee to add, they have to call you to get it done. The other big concern is de-provisioning of users: do all of your extranet partners call you when they terminate an employee? You could potentially have a nasty security incident on your hands if a disgruntled employee still has access via the extranet.

Active Directory Federation Services does what it sounds like: it federates Directory A with Directory B so that mutually agreed-upon authorization, authentication and access control decisions can be made. It gives the user a more seamless experience; they manage (and remember) one set of credentials for access to multiple systems. It is also a lot easier on the administrator(s), who can control access and set ACLs based on one set of credentials without getting lost in the overly complex task of managing users and groups, mapping which users should belong to which groups, and tracking which account (there may be several per person in different directory instances) a person is authenticating with.
