Balancing user experience and strong security policies can be difficult, particularly in today’s hyperconnected world. Making it easy for employees and users to access your system is the goal, but it shouldn’t come at the cost of best-in-class security.
This is where Active Directory Federation Services (ADFS) can strike the right balance. It’s an add-on feature from Microsoft for the Windows Server operating system and works as a single sign-on (SSO) solution.
Simplicity, improved user experience, and operational efficiencies are some of the drawcards of ADFS. But there are significant infrastructure and maintenance costs to budget for along with technical limitations that can hold your business back.
Active Directory Federation Services (a.k.a. ADFS) is a single sign-on (SSO) solution created by Microsoft. It runs on Windows Server operating systems to provide users with authenticated access to applications that cannot use the organization’s other authentication protocols directly.
ADFS offers flexibility for organizations by giving them the ability to control employees’ level of access while also making the user experience easier. With ADFS, you’ll only need to remember one set of credentials to access many applications and information through single sign-on.
ADFS is built on four key elements that all play an important role in providing a secure federation solution:
- Active Directory: This is where the identity information gets stored, allowing users to access Windows-based and third-party applications while outside a corporate network.
- Federation server: Responsible for authenticating users and issuing security tokens, this specific type of server processes authentication requests from external users and issues security tokens for claims based on credentials stored in Active Directory.
- Federation Server Proxy: Acts as a gateway between the internal network and the internet. The federation server will never be directly exposed to the internet to prevent security breaches, so this element acts as an extra layer of security.
- ADFS Web Server: This hosts the ADFS web agent, which manages security tokens as well as authentication cookies it sends to enable authentication.
ADFS manages authentication through a proxy service hosted between AD (Active Directory) and the target application. Using a federated trust that links ADFS to the target application, it acts as the middleman between the application and the directory and grants access to users.
You’ll be able to log on to the federated application through SSO without needing to authenticate directly with the application or platform itself.
ADFS looks a bit different for each platform but generally follows these key steps:
- The user requests to log in
- The website asks for an authentication token, and the user is redirected to the ADFS login page.
- ADFS verifies the supplied credentials against AD and, if they are valid, an authentication claim is issued.
- The claim is then handed to the user together with a redirect to the target application or resource. The claim carries no traditional username or password; instead it holds a piece of personal information such as first name, last name, or email.
- The target application or resource accepts the claim, granting the user access.
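The five steps above, carried through as an added simulation that is not ADFS code and not code from the original article. The federation server checks credentials against a constructed directory, issues an HMAC-signed token whose claims carry the user’s name and email but never the password, and the target application (relying party) accepts the token only if the signature, issuer, audience and expiry all check out. The issuer URL, audience URLs, directory entry, signing key and the simplified token format are all assumptions made for the example; a real federation server issues SAML or WS-Federation tokens signed with an asymmetric key.

```python
"""Claims-based single sign-on, simulated end to end (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample directory standing in for Active Directory.
# Only a SHA-256 of the password is kept, purely for the simulation.
DIRECTORY = {
    "jdoe": {
        "pw_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "given_name": "Jane", "surname": "Doe", "email": "jdoe@example.test",
    }
}
ISSUER = "https://fs.example.test/adfs"      # assumed federation server
APP = "https://app.example.test/"            # assumed relying party
OTHER_APP = "https://other.example.test/"    # assumed second application


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class FederationServer:
    """Authenticates users against the directory and issues signed claims."""

    def __init__(self, issuer, signing_key, lifetime_s=300):
        self.issuer, self.key, self.lifetime = issuer, signing_key, lifetime_s
        self.relying_parties = set()  # trust policy: who may receive tokens

    def add_relying_party_trust(self, audience):
        self.relying_parties.add(audience)

    def remove_relying_party_trust(self, audience):
        self.relying_parties.discard(audience)

    def issue_token(self, username, password, audience, now=None):
        """Return a signed token, or None if trust or authentication fails."""
        if audience not in self.relying_parties:
            return None
        user = DIRECTORY.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        if user is None or not hmac.compare_digest(user["pw_sha256"], given):
            return None
        now = int(time.time()) if now is None else now
        claims = {  # identity attributes only, never the credential itself
            "iss": self.issuer, "aud": audience, "iat": now,
            "exp": now + self.lifetime, "given_name": user["given_name"],
            "surname": user["surname"], "email": user["email"],
        }
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class RelyingParty:
    """Target application: trusts one issuer and checks its own audience."""

    def __init__(self, audience, trusted_issuer, issuer_key):
        self.audience, self.issuer, self.key = audience, trusted_issuer, issuer_key

    def accept(self, token, now=None):
        """Return the claims if the token is valid for this app, else None."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered token
        claims = json.loads(payload)
        now = int(time.time()) if now is None else now
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            return None  # wrong issuer, or token meant for another application
        if now >= claims.get("exp", 0):
            return None  # expired
        return claims


def demo():
    """Run the flow once and return the outcome of each scenario."""
    key = b"constructed-demo-signing-key"
    fs = FederationServer(ISSUER, key)
    fs.add_relying_party_trust(APP)
    app = RelyingParty(APP, ISSUER, key)
    other = RelyingParty(OTHER_APP, ISSUER, key)
    t0 = 1_700_000_000
    token = fs.issue_token("jdoe", "correct horse", APP, now=t0)
    payload_b64, sig_b64 = token.split(".")
    forged = json.loads(_unb64(payload_b64))
    forged["email"] = "someone-else@example.test"
    tampered = _b64(json.dumps(forged, sort_keys=True).encode()) + "." + sig_b64
    results = {
        "valid": app.accept(token, now=t0 + 10),
        "bad_password": fs.issue_token("jdoe", "wrong", APP, now=t0),
        "untrusted_app": fs.issue_token("jdoe", "correct horse", OTHER_APP, now=t0),
        "expired": app.accept(token, now=t0 + 600),
        "tampered": app.accept(tampered, now=t0 + 10),
        "wrong_audience": other.accept(token, now=t0 + 10),
    }
    fs.remove_relying_party_trust(APP)  # one trust-policy change revokes access
    results["trust_removed"] = fs.issue_token("jdoe", "correct horse", APP, now=t0)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:15s} -> {'accepted' if outcome else 'rejected'}")
```

The relying party never sees or stores the password; it only needs the issuer’s key and its own audience string, which is why a single trust-policy change on the federation server (the `remove_relying_party_trust` call) is enough to cut off an application.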
ADFS aims to overcome the authentication challenges created by AD (Active Directory) in the online world. It exists to simplify the third-party authentication process but comes with its own set of benefits and drawbacks.
ADFS solves the problem of users who need to access AD-integrated applications while working remotely, offering a flexible solution where you can authenticate your identity using your standard organizational AD credentials via the web.
It allows users from one organization to access the applications of another organization beyond the realm of their AD domain and provides a centralized place for employee information to be stored, making it easy to share with verified partners.
ADFS provides several benefits for organizations that need to authenticate users and provide them with access to resources from outside an owned, secure network.
Aside from the most obvious benefit (no need to re-enter your credentials again and again), ADFS offers solutions for a number of potential issues, both at an individual and company level.
SSO processes like ADFS allow for:
- Secure account provisioning: ADFS enables the organization to accept digitally signed claims to verify identity, rather than creating an entirely new account. ADFS can verify the user’s identity quickly and will notify the partner organization, which will grant the user access.
- Stress-free account credential management: With ADFS, your organization no longer needs to revoke, change or reset any credentials, since these logins are handled by the partner organization. An added bonus is that there are fewer passwords for users to remember, too.
- Easy account management: With ADFS, your partner always sends claims that reflect the employee’s current roles and permissions. Since ADFS allows you to use the partner’s claims to control access to your applications, the employee’s access is updated immediately.
- Effective change management: With ADFS, effective change management is as easy as a single trust policy change. Want to completely change who has authorization? ADFS will make this process stress-free.
Despite its benefits, ADFS does have its drawbacks and limitations:
- Costly to implement and maintain: While it is technically a free solution, with no additional licensing costs if you’re already paying for Windows Server, you still have to account for setting up on-premises SSO servers built for high availability and for use outside of corporate firewalls, resulting in unforeseen expenses. You also have to factor in ongoing maintenance costs, infrastructure maintenance, and more, which can add up.
- Complex to set up: ADFS requires multiple hardware components and a variety of different applications to meet SSO requirements. Plus, it requires extensive configuration and a high level of maintenance, too.
Three hardware components are necessary for ADFS to work:
- The ADFS server.
- The federation service proxy, the service installed between the ADFS server farm and external resources.
- The ADFS configuration database.
All these components require customized development and a significant commitment to understand, deploy and configure. Additionally, ADFS doesn’t have a user-friendly portal for managing identities and authentication policies, so adding anything to the system is complex and time-consuming.
- The ADFS server can become a target for cybersecurity attacks and data breaches: As more organizations switch to cloud-based solutions, ADFS is becoming a common target for cyber attacks. While it isn’t inherently insecure, the complexity of the setup leaves it vulnerable to security breaches if anything is slightly amiss.
- It doesn’t allow file sharing: As cloud-based solutions and remote work become mainstream, employees will naturally need work drives and print servers to be converted to shared folders online. While ADFS extends identities beyond the corporate wall, it will not allow users to access shared files and print servers.
- ADFS does not support complex IT landscapes: Modern devices and other IT resources provide organizations with a multitude of benefits via an enhanced user experience. What was once an industry dominated by Windows is now a heterogeneous landscape, and unfortunately ADFS isn’t equipped to deploy and control many of these different resources.
Organizations are moving away from on-premise solutions to cloud-based security. This means the way identity and access management are handled is still evolving. Software that has previously been used for SSO access isn’t a good fit for the current IT climate where most of the population now works remotely, using multiple devices.
This is where the biggest limitation of all comes in: you need to have access to the physical server to access ADFS.
If for any reason the server is inaccessible, you won’t be able to use the ADFS system. For optimal security, the best approach would be migrating away and looking at a different system.
For example, Azure AD is a cloud-based identity and access management service that ultimately will become cheaper and easier to maintain over time, as well as offering a higher level of security which will eliminate a high risk of cyber attacks.
There is no doubt that ADFS offers its own advantages, which makes it a popular choice for organizations that are looking for a federated identity solution. However, the disadvantages of this system shouldn’t be glossed over.
Moving towards cloud-based solutions is not only more cost-effective; they also offer higher availability and support in hybrid and remote working environments.