What is Federation Trust in ADFS

In this blog we will learn what federation trust is in ADFS and how it works. Along the way we will cover Claims, Identity Provider, Security Token Service, Claims Provider, Relying Party, and more.

In the previous article we learnt what ADFS (Active Directory Federation Services) is, how ADFS works, what the claims-based identity model is, and what the difference between Active Directory and ADFS is.


Important concepts in ADFS

Let’s understand a few terms that I will be using throughout this ADFS series.

What is Claim in ADFS

A claim is a piece of identity information. It could be the display name, email address, or department attribute of a user account. All these Active Directory attributes are called claims in ADFS.

What is Security Token Service

The Security Token Service (STS) issues tokens. Its job is to issue security tokens to applications. For example, when you log in to portal.office.com, you are redirected to login.microsoftonline.com, which is the Security Token Service for portal.office.com. ADFS is also a Security Token Service, or STS.

What is Claims Provider

A claims provider is a service that issues claims during the sign-in process. An example of a claims provider is Active Directory.

What is Identity Provider

An Identity Provider provides the single sign-on functionality between an organization and the application. An example of an Identity Provider is ADFS.

What is Relying Party

The relying party is the organization that is hosting the application. The relying party consumes the tokens that are issued by the ADFS server.

What is Federation Trust in ADFS

Let’s consider an example to understand federation trust in ADFS.

[Figure: ADFS federation trust]

Let’s say you are going to board a plane. When you enter the main gate of the airport, you need to show your ID proof. An ID proof can be your driving license or a passport. Once you show your ID proof, you go to the ticket counter, where you get the boarding pass. And once you have the boarding pass, you go to the boarding gate and board the flight.

But the question arises: why should the airport authority let you enter the airport on the basis of your ID proof? Why should they trust your driving license or your passport?

Answer: you got the driving license from the Department of Public Safety; you show your driving license to the security guard and you get access to the airport. This works because there is a trust between the Department of Public Safety and the airport. Because of this trust, you can get access to the airport premises by showing your ID proof.

How Federation Trust works in ADFS

[Figure: how federation trust works in ADFS]
  1. In ADFS, when a user tries to access an application that is hosted in another organization, he is asked to prove his identity.
  2. User will go to his identity provider (Active Directory) and Identity provider will issue a token to the user.
  3. User will provide that token to the resource provider.
  4. Resource provider will issue another token to the user.
  5. User will provide that token to the application.
  6. User will get access to the application.

But again the question arises: why should the resource provider trust this user? Why should the resource provider organization trust a token that was issued by the identity provider? Because there is a trust between the two organizations.

One important thing to notice in the above example is that the entire communication among the user, the identity provider, and the resource provider is handled by the user itself.

In ADFS, the entire communication is handled by the client machine. The identity provider does not directly contact the resource provider. The client machine contacts the identity provider for authentication, forwards the token to the resource provider, receives a token from the resource provider, and forwards that token to the application. In this way, we are reducing the load on the server; the entire load is taken by the client machine.
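The six-step exchange above, written out as an added Python simulation that is not part of the original blog: the identity provider (Contoso) issues a token, the resource provider's STS (Fabrikam) accepts it only because Contoso is in its trust list, issues its own token, and the application accepts only Fabrikam's token. The hostnames are constructed, and HMAC keys stand in for the X.509 signing certificates that a real ADFS federation trust exchanges through federation metadata.

```python
import base64
import hashlib
import hmac
import json

# Constructed example keys. In real ADFS each STS signs with its own
# certificate and the partner trusts the matching public key; HMAC is a stand-in.
IDP_KEY = b"contoso-idp-signing-key"       # held by the identity provider (Contoso)
RP_STS_KEY = b"fabrikam-sts-signing-key"   # held by the resource provider's STS (Fabrikam)

def issue_token(issuer, audience, claims, key):
    """STS behaviour: wrap the claims with issuer and audience, then sign."""
    body = {"iss": issuer, "aud": audience, "claims": claims}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token, expected_aud, trusted_issuers):
    """Relying side: accept a token only if its issuer is in the trust list,
    the signature checks out under that issuer's key, and it was meant for us."""
    payload, sig = token.rsplit(".", 1)
    body = json.loads(base64.urlsafe_b64decode(payload))
    key = trusted_issuers.get(body["iss"])
    if key is None:
        raise PermissionError(f"no federation trust with issuer {body['iss']}")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("token signature invalid")
    if body["aud"] != expected_aud:
        raise PermissionError(f"token is for {body['aud']}, not {expected_aud}")
    return body["claims"]

# Trust configuration: Fabrikam's STS trusts Contoso as a claims provider,
# and the application trusts only Fabrikam's STS (its relying party trust).
FABRIKAM_STS_TRUSTS = {"https://adfs.contoso.example": IDP_KEY}
APP_TRUSTS = {"https://adfs.fabrikam.example": RP_STS_KEY}

def federated_sign_in(user_claims):
    """Client-driven flow: every hop below is performed by the user's machine."""
    # Step 2: the identity provider issues a token addressed to Fabrikam's STS.
    t1 = issue_token("https://adfs.contoso.example", "https://adfs.fabrikam.example",
                     user_claims, IDP_KEY)
    # Steps 3-4: the client presents t1 to Fabrikam's STS, which checks the
    # federation trust and issues its own token for the application.
    claims = verify_token(t1, "https://adfs.fabrikam.example", FABRIKAM_STS_TRUSTS)
    t2 = issue_token("https://adfs.fabrikam.example", "https://app.fabrikam.example",
                     claims, RP_STS_KEY)
    # Steps 5-6: the client presents t2 to the application, which admits the user.
    return verify_token(t2, "https://app.fabrikam.example", APP_TRUSTS)
```

Note that the Contoso token alone is useless at the application: its issuer is not in the application's trust list and its audience is Fabrikam's STS, so the second token really is required.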

Conclusion

In this blog we learnt what a claim is in ADFS, what an identity provider is, what a Security Token Service (STS) is, what a relying party is, what federation trust is in ADFS, and how federation trust works in ADFS.


Happy Learning!!