ADFS 2.0 Opens Doors to the Cloud

Microsoft Active Directory Federation Services (ADFS) 2.0, a key add-in to Windows Server 2008, was released in May. It promises to simplify secure authentication to multiple systems, as well as to the cloud-based Microsoft portfolio. In addition, the extended interoperability of ADFS 2.0 is expected to offer the same secure authentication now provided by other cloud providers, such as Inc., Google Inc. and Inc.
ADFS 2.0, formerly known as "Geneva Server," is the long-awaited extension to Microsoft Active Directory that provides claims-based federated identity management. By adding ADFS 2.0 to an existing AD deployment, IT can allow individuals to log in once to a Windows Server, and then use their credentials to sign into any other identity-aware systems or applications.
Because ADFS 2.0 is already built into the Microsoft cloud-services portfolio -- namely Business Productivity Online Suite (BPOS) and Windows Azure -- applications built for Windows Server can be ported to those services while maintaining the same levels of authentication and federated identity management.
"The bottom line is we're streamlining how access should work and how things like single sign-on should work from on-premises to the cloud," says John "J.G." Chirapurath, senior director in the Microsoft Identity and Security Business Group.
Unlike the first release, ADFS 2.0 supports the widely implemented Security Assertion Markup Language (SAML) 2.0 standard. Many third-party cloud services use SAML 2.0-based authentication; it's the key component in providing interoperability with other applications and cloud services.
"We look at federation and claims-based authentication and authorization as really critical components to the success and adoption of cloud-based services," says Kevin von Keyserling, president and CEO of Independence, Ohio-based Certified Security Solutions Inc. (CSS), a systems integrator and Microsoft Gold Certified Partner.
While ADFS 2.0 won't necessarily address all of the security issues that surround the movement of traditional systems and data to the cloud, by all accounts it removes a key barrier -- especially for applications such as SharePoint, and more broadly for the full range of applications. Many enterprises have expressed reluctance to use cloud services, such as Windows Azure, because of security concerns and the lack of control over authentication.

"Security [issues], particularly identity and the management of those identities, are perhaps the single biggest blockers in achieving that nirvana of cloud computing," Chirapurath says. "Just like e-mail led to the explosive use of Active Directory, Active Directory Federation Services will do the same for the cloud."
Because ADFS 2.0 is already built into Windows Azure, organizations can use claims-based digital tokens, or identity selectors, that will work with both Windows Server 2008 and the cloud-based Microsoft services, enabling hybrid cloud networks. The aim is to let a user authenticate seamlessly into Windows Server or Windows Azure and share those credentials with applications that can accept a SAML 2.0-based token.
Windows 7 and Windows Vista have Windows CardSpace built in, which allows users to input their identifying information. Developers can also make their .NET applications identity-aware with Microsoft Windows Identity Foundation (WIF).
WIF provides the underlying framework of the Microsoft claims-based Identity Model. Implemented in the Windows Communication Foundation of the Microsoft .NET Framework, apps developed with WIF present authentication schema, such as identification attributes, roles, groups and policies, along with a means of managing those claims as tokens. Applications built by enterprise developers and ISVs based on WIF will also be able to accept these tokens.
Pass-through authentication in ADFS 2.0 is enabled by accepting tokens based on the Web Services Federation (WSFED), WS-Trust and SAML standards. While Microsoft has long promoted WSFED, it only agreed to support the more widely adopted SAML spec 18 months ago.
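The article describes the relying-party side of claims-based federation only in outline: an identity-aware application accepts a SAML 2.0 token from a trusted issuer and reads roles and attributes out of it. The following is an added example, not code from the article, from Microsoft or from ADFS, showing what that acceptance step actually has to check before any claim is trusted: the issuer is one the application has been configured to trust, the assertion is within its validity window, the audience restriction names this application, and only then are the attribute claims (here the standard ADFS role and e-mail claim types) extracted for an authorization decision. The assertion, the issuer URL and the audience URL are constructed for the example; the XML signature check, which a real deployment performs with an XML-DSig library such as xmlsec before this step, is assumed to have already passed and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 assertion namespace and the claim-type URIs ADFS uses for roles and e-mail.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion (hypothetical issuer and audience URLs, not a real ADFS token).
# The ds:Signature element is omitted: signature verification is assumed to have been done
# already by an XML-DSig library; this code only performs the claim-level checks that follow it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2010-06-01T12:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-06-01T12:00:00Z" NotOnOrAfter="2010-06-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Employees</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class TokenRejected(Exception):
    """Raised when an assertion fails any trust or validity check (fail closed)."""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z, optionally with fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise TokenRejected("unparseable timestamp: %r" % value)


def validate_assertion(xml_text, trusted_issuers, expected_audience, now, clock_skew_seconds=300):
    """Check issuer, validity window and audience, then return the subject and its claims.

    Order matters: nothing is read out of the token until it has been tied to a trusted
    issuer and to this relying party. Untrusted XML from the network should be parsed
    with defusedxml rather than the stdlib parser; the stdlib is used here for portability.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS or root.get("Version") != "2.0":
        raise TokenRejected("not a SAML 2.0 Assertion")

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        raise TokenRejected("issuer not trusted: %r" % issuer)

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise TokenRejected("assertion carries no Conditions element")
    skew = timedelta(seconds=clock_skew_seconds)
    not_before = parse_saml_time(conditions.get("NotBefore", ""))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter", ""))
    if not (not_before - skew <= now < not_on_or_after + skew):
        raise TokenRejected("assertion outside its validity window")

    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise TokenRejected("assertion not addressed to this relying party")

    claims = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attribute.findall("saml:AttributeValue", NS) if v.text]
        claims[attribute.get("Name")] = values
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"subject": subject, "issuer": issuer, "claims": claims}


def rejection_reason(xml_text, trusted_issuers, expected_audience, now):
    """None if the assertion is accepted, otherwise the reason it was rejected."""
    try:
        validate_assertion(xml_text, trusted_issuers, expected_audience, now)
        return None
    except TokenRejected as exc:
        return str(exc)


def is_authorized(identity, required_role):
    """Authorization decision made purely from the role claims the trusted issuer asserted."""
    return required_role in identity["claims"].get(ROLE_CLAIM, [])


if __name__ == "__main__":
    now = datetime(2010, 6, 1, 12, 30, tzinfo=timezone.utc)
    identity = validate_assertion(SAMPLE_ASSERTION, {"http://adfs.example.com/adfs/services/trust"},
                                  "https://app.example.com/", now)
    print(identity["subject"], "Finance" if is_authorized(identity, "Finance") else "no Finance role")
```

The issuer set and the expected audience are the relying party's configuration, the counterpart of the "relying party trust" an administrator sets up in ADFS; a token from any other issuer, or one minted for a different application, is refused before a single claim is read. Replaying the same assertion after its NotOnOrAfter time is refused the same way, which is why the validity window is checked against the relying party's own clock with only a small skew allowance.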
