Active Directory Federation Services (AD FS)
AD FS is a Microsoft server role for federated authentication and single sign-on that issues claims-based tokens to transfer identity between Active Directory and external applications.
Classification
- Complexity: High
- Impact area: Technical
- Decision type: Technical
- Organizational maturity: Advanced
Technical context
Principles & goals
Use cases & scenarios
Compromises
Risks
- Misconfigured claims can lead to unintended access
- Failure of AD FS infrastructure impacts authentication
- Insecure certificate handling increases attack surface
Mitigations
- Introduce automated certificate rotation and monitoring
- Apply claims transformations deliberately and document them
- Use highly available farm topologies and perform DR tests regularly
I/O & resources
- Active Directory domain controllers
- Valid certificates for token signing
- Network and DNS configuration
- Claims-based security tokens
- Established trust relationships to partners/apps
- Audit and authentication logs
Description
Active Directory Federation Services (AD FS) is a Microsoft server role offering federated authentication and single sign-on. It securely issues claims-based tokens to transfer identity between Active Directory and external applications. Administrators configure trust relationships, certificates and claim rules to adapt authentication flows to enterprise and hybrid scenarios.
✔ Benefits
- Enables single sign-on and improves user experience
- Supports federation with partners and cloud services
- Fine-grained access control via claims
✖ Limitations
- Strong coupling to Microsoft ecosystem and Active Directory
- Complex certificate and trust management
- Operation and scaling require specialized expertise
Trade-offs
Metrics
- Authentication latency: time from authentication request to successful token issuance.
- Availability rate of the AD FS farm: percentage of uptime within a defined period.
- Number of failed authentications: count of failed authentication attempts, relevant for security and troubleshooting.
Examples & implementations
SSO for internal CRM
AD FS was used to provide employees with seamless access to the CRM system without repeated logins.
Federation with external supplier
A trust relationship enabled suppliers to access required portals using their corporate identity.
Hybrid sign-on for Office apps
On-premises AD and cloud apps were connected via AD FS to continue using existing policies.
Implementation steps
- Plan infrastructure, high availability and trust topology
- Install AD FS role on designated servers
- Configure certificates, claim rules and trust relationships
- Test authentication flows and set up monitoring
⚠️ Technical debt & bottlenecks
Technical debt
- Legacy claim rules without documentation
- Manual certificate management instead of automation
- Insufficient monitoring and alerting rules
Known bottlenecks
Misuse examples
- Using AD FS as sole user store without delegating to AD
- Public exposure of trust endpoints without protection
- Sharing claim attributes with third parties without privacy review
Typical traps
- Underestimating certificate lifecycles
- Lack of tests for external partner federations
- Incomplete logging configuration for audits
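The two recurring problems above, an underestimated certificate lifecycle and an incomplete audit configuration, can both be caught with a scheduled check on the farm. The following PowerShell script is an added example for this entry, not code from the catalogue or from Microsoft; it assumes it runs on an AD FS server with the ADFS PowerShell module installed, and the 30-day warning threshold is an assumed value to be replaced by the organization's own policy.

```powershell
# Added example (not part of the catalogue entry): report AD FS certificate
# lifecycle and audit settings so that expiry and thin logging are noticed
# before they break federation or an audit.
# Assumes: run on an AD FS server with the ADFS module; $WarnDays is an
# assumed threshold, not a value from the page.
param(
    [int]$WarnDays = 30   # assumed warning threshold in days
)

Import-Module ADFS

$props = Get-AdfsProperties
$now   = Get-Date

# Token-signing, token-decrypting and service-communications certificates:
# an expired one breaks every relying party and partner trust at once.
foreach ($cert in Get-AdfsCertificate) {
    $daysLeft = ($cert.Certificate.NotAfter - $now).Days
    $label = "{0} ({1}, primary={2})" -f $cert.CertificateType, $cert.Thumbprint, $cert.IsPrimary
    if ($daysLeft -le $WarnDays) {
        Write-Warning "$label expires in $daysLeft days"
    } else {
        Write-Output "$label OK, $daysLeft days left"
    }
}

# Automatic rollover renews the self-signed signing/decrypting certificates;
# when it is off, renewal (and telling every partner) is a manual task.
if (-not $props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is disabled: signing/decrypting certificate renewal is manual"
} else {
    Write-Output ("AutoCertificateRollover on: new certificate generated {0} days before expiry" -f $props.CertificateGenerationThreshold)
}

# Audit level: 'Basic' is the default; 'Verbose' is required for a complete
# record of claim issuance and failed authentications in the security log.
if ($props.AuditLevel -notcontains 'Verbose') {
    Write-Warning ("AuditLevel is '{0}'; set Verbose for complete authentication logs (Set-AdfsProperties -AuditLevel Verbose)" -f ($props.AuditLevel -join ','))
} else {
    Write-Output "AuditLevel includes Verbose"
}
```

Running the script as a scheduled task that forwards its warnings to the monitoring system turns the two traps into alerts with lead time; the certificate thumbprints it prints are also the values to confirm with partners before a rollover.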
Required skills
Architectural drivers
Constraints
- Dependency on Active Directory structure
- Compliance with certificate and security policies
- Limited native cloud integration without additional components