ADFS
ADFS, or Active Directory Federation Services, is a Microsoft solution that complements Active Directory (AD). Active Directory is a directory that, by default, handles authentication and Single Sign-On (SSO) for connected on-premises systems. ADFS also allows you to use Active Directory to authenticate cloud applications, including Single Sign-On.
What is ADFS?
Active Directory is a directory service used to manage users, groups, devices, and policies. Using that data, the platform performs user authentication with protocols such as Kerberos or NTLM. It does this for on-premises systems within your own network domain, and it also manages access to, for example, file shares and printers.
Most organizations operate in a hybrid model, using both on-premises systems and cloud applications. In most cases, they also want to configure and manage user authentication for those cloud applications themselves. The cloud application in question must therefore delegate authentication to an organization-owned system. This is called federation, and it requires a trust relationship between the cloud application and the organization's authentication platform.
Active Directory is not designed for that by default, which is why a separate federation server was developed. That is ADFS. It is an on-premises platform that provides federation and SSO functionality on top of Active Directory. ADFS SSO uses data from Active Directory and then performs authentication using modern standards such as SAML (Security Assertion Markup Language) and OIDC (OpenID Connect).
How Does ADFS Work?
The following example shows how ADFS authentication works. Suppose you work at a company that uses both on-premises and cloud applications. The following is a common scenario:
You start your workday by turning on your computer and signing in with your Active Directory credentials, usually a username and a password. Active Directory verifies those credentials, and you are signed in to the corporate network.
You now automatically gain access to the internal business applications for which you are authorized. Through IWA (Integrated Windows Authentication), your identity is verified automatically: because you are already signed in to Active Directory, you do not need to re-enter your credentials.
If you want to sign in to a cloud application such as Salesforce, the application recognizes that your organization uses ADFS and routes your access request to the ADFS server. Through IWA, as described above, the server recognizes that you are already signed in, so you are not prompted to sign in again.
ADFS then sends a token containing the user's identity data to the cloud application. The cloud application validates the token and automatically grants access. Thanks to this ADFS authentication, the user experiences seamless Single Sign-On.
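The last step of the scenario, "the cloud application validates the token", is where most of the security of federation lives. The sketch below is an added example, not code from the original page or from any Microsoft or HelloID product: it shows the checks a relying party performs before trusting an identity token (signature, issuer, intended audience, validity window). To keep it runnable without third-party libraries it signs a compact JWT with an HMAC key; in a real ADFS deployment the token is signed with the federation server's RSA token-signing certificate and the relying party verifies it against that certificate. The issuer and audience URLs, the shared key, and the user name are constructed demo values.

```python
"""Relying-party token validation, modelled on the ADFS SSO flow.

Added example: an HMAC-signed JWT stands in for the RSA-signed SAML or
OIDC token that ADFS would issue. All identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://adfs.example.test/adfs/services/trust"   # constructed
AUDIENCE = "https://cloudapp.example.test/"                # constructed
SIGNING_KEY = b"demo-shared-secret"  # stand-in for the ADFS signing cert


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, now=None, lifetime=300, audience=AUDIENCE):
    """Mint a token the way the federation server would (demo HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": audience, "sub": subject,
              "iat": now, "nbf": now, "exp": now + lifetime}
    signing_input = (f"{_b64url(json.dumps(header).encode())}."
                     f"{_b64url(json.dumps(claims).encode())}")
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token, now=None, leeway=60):
    """Return the claims if the token is acceptable, else raise ValueError.

    Order matters: pin the algorithm, verify the signature, and only then
    read and evaluate the claims.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust alg from the token
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER:           # token must come from our ADFS
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("token not intended for this application")
    if now > claims.get("exp", 0) + leeway:
        raise ValueError("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def verdict(token, now=None):
    """Convenience wrapper: ('ok', claims) or ('rejected', reason)."""
    try:
        return ("ok", validate_token(token, now=now))
    except ValueError as exc:
        return ("rejected", str(exc))


def rewrite_subject(token, new_subject):
    """Constructed negative case: change a claim without re-signing."""
    h, c, s = token.split(".")
    claims = json.loads(_b64url_decode(c))
    claims["sub"] = new_subject
    return f"{h}.{_b64url(json.dumps(claims).encode())}.{s}"


if __name__ == "__main__":
    issued_at = 1_700_000_000
    tok = issue_token("alice@example.test", now=issued_at)
    print(verdict(tok, now=issued_at + 100))                  # accepted
    print(verdict(tok, now=issued_at + 400))                  # expired
    print(verdict(rewrite_subject(tok, "mallory"), now=issued_at + 100))
    other = issue_token("alice@example.test", now=issued_at,
                        audience="https://other-app.example.test/")
    print(verdict(other, now=issued_at + 100))                # wrong audience
```

The audience check is the one most often skipped in practice: without it, a token that ADFS legitimately issued for one relying party can be presented to another. The fixed clock values in the demo exist so the expiry and not-before checks are reproducible; a real validator uses the current time.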
Why Should an Organization Use ADFS?
If your organization uses both on-premises and cloud applications, there are roughly two methods to harmonize authentication and SSO for both types of applications:
If you want to manage authentication fully on premises, you combine Active Directory and ADFS. Both systems are linked and remain within your own IT domain. Your local systems sign in through Active Directory, and you use ADFS for authentication to cloud systems.
The alternative is to use Entra ID (formerly Azure AD) alongside the local Active Directory, which is Microsoft's cloud-based identity provider. Active Directory authenticates users on systems within the internal network, and authentication to cloud applications is performed with Entra ID. The authentication data is synchronized between Active Directory and Entra ID for that purpose.
What are the Advantages of ADFS?
Many organizations today choose the combination of Active Directory and Entra ID, but the more traditional approach with an ADFS integration still has advantages. It is often preferred when an organization still runs many on-premises systems and handles IT operations fully in-house. Organizations sometimes choose ADFS when they want the flexibility to customize. Information security can be another consideration: in the collaboration between Active Directory and Entra ID, sign-in data must be synchronized, and, for example, password hashes are stored in the cloud.
What are the Disadvantages of ADFS?
However, ADFS also has disadvantages. ADFS is an on-premises solution that increases complexity, costs, and administrative overhead. You must manage servers, certificates, load balancers, and update management yourself. Agility is lower because you must implement innovations, such as passwordless sign-in, yourself; you cannot benefit from developments in Entra ID, for example. Availability can also be an issue. If ADFS experiences an outage, users cannot sign in to their cloud applications. Because of these disadvantages, organizations increasingly choose a hybrid solution with Active Directory and Entra ID.
ADFS and HelloID
When does an IAM solution such as HelloID interact with ADFS? Broadly, there are two scenarios:
HelloID Access Management
The HelloID Access Management module provides its own built-in identity provider and can also integrate with third-party directories and identity providers. Examples include Active Directory, Entra ID, ADFS, Google Workspace, or Salesforce. In hybrid IT environments with multiple applications and data sharing, an organization often uses multiple identity providers, and HelloID can streamline collaboration across them. This is explained further in this blog.
Specifically in hybrid Microsoft environments, you need, in addition to Active Directory for local systems, a federated connection to cloud applications. ADFS provides that federation, but, as explained, it is a complex and now-dated solution. Entra ID is an obvious alternative, especially if Microsoft 365 and other Microsoft cloud services are used. However, if an organization primarily uses other, non-Microsoft, cloud services, HelloID is often an excellent alternative to ADFS.
HelloID Provisioning, Service Automation, and Governance
At the same time, many organizations handle access management, meaning everything related to authentication, federation, SSO, and MFA, independently outside the IAM environment. They often rely heavily on Microsoft systems and, depending on specific circumstances and requirements, use Active Directory, Entra ID, and sometimes ADFS.
They typically still use an IAM environment, such as HelloID, for overall provisioning and managing all required accounts and permissions. The Microsoft systems then serve as target systems in which HelloID creates and manages accounts and other settings. HelloID offers many standard connectors for target systems, including Active Directory and Entra ID, which can be configured easily. This allows you to automate provisioning and ongoing management of digital identities with HelloID, regardless of the specific federation mechanism, whether via AD to Entra ID or AD to ADFS.