In-Depth

ADFS 2.0 Opens Doors to the Cloud

The new Microsoft Active Directory Federation Services release promises to up the ante on cloud security.

• By Jeffrey Schwartz
• 06/01/2010

Microsoft Active Directory Federation Services (ADFS) 2.0, a key add-in to Windows Server 2008, was released in May. It promises to simplify secure authentication to multiple systems, as well as to the cloud-based Microsoft portfolio. In addition, the extended interoperability of ADFS 2.0 is expected to offer the same secure authentication now provided by other cloud providers, such as Amazon.com Inc., Google Inc. and Salesforce.com Inc.

ADFS 2.0, formerly known as "Geneva Server," is the long-awaited extension to Microsoft Active Directory that provides claims-based federated identity management. By adding ADFS 2.0 to an existing AD deployment, IT can allow individuals to log in once to a Windows Server, and then use their credentials to sign into any other identity-aware systems or applications.

Because ADFS 2.0 is already built into the Microsoft cloud-services portfolio -- namely Business Productivity Online Suite (BPOS) and Windows Azure -- applications built for Windows Server can be ported to those services while maintaining the same levels of authentication and federated identity management.

"The bottom line is we're streamlining how access should work and how things like single sign-on should work from on-premises to the cloud," says John "J.G." Chirapurath, senior director in the Microsoft Identity and Security Business Group.

Unlike the first release, ADFS 2.0 supports the widely implemented Security Assertion Markup Language (SAML) 2.0 standard. Many third-party cloud services use SAML 2.0-based authentication; it's the key component in providing interoperability with other applications and cloud services.

"We look at federation and claims-based authentication and authorization as really critical components to the success and adoption of cloud-based services," says Kevin von Keyserling, president and CEO of Independence, Ohio-based Certified Security Solutions Inc. (CSS), a systems integrator and Microsoft Gold Certified Partner.

While ADFS 2.0 won't necessarily address all of the security issues that surround the movement of traditional systems and data to the cloud, by all accounts it removes a key barrier -- especially for applications such as SharePoint, and certainly for the gamut of applications. Many enterprises have expressed reluctance to use cloud services, such as Windows Azure, because of security concerns and the lack of control over authentication.

"Security [issues], particularly identity and the management of those identities, are perhaps the single biggest blockers in achieving that nirvana of cloud computing," Chirapurath says. "Just like e-mail led to the explosive use of Active Directory, Active Directory Federation Services will do the same for the cloud."

Because ADFS 2.0 is already built into Windows Azure, organizations can use claims-based digital tokens, or identity selectors, that will work with both Windows Server 2008 and the cloud-based Microsoft services, enabling hybrid cloud networks. The aim is to let a user authenticate seamlessly into Windows Server or Windows Azure and share those credentials with applications that can accept a SAML 2.0-based token.

Windows 7 and Windows Vista have built-in CardSpaces, which allow users to input their identifying information. Developers can also make their .NET applications identity-aware with Microsoft Windows Identity Foundation (WIF).

WIF provides the underlying framework of the Microsoft claims-based Identity Model. Implemented in the Windows Communication Foundation of the Microsoft .NET Framework, apps developed with WIF present authentication schema, such as identification attributes, roles, groups and policies, along with a means of managing those claims as tokens. Applications built by enterprise developers and ISVs based on WIF will also be able to accept these tokens.

Pass-through authentication in ADFS 2.0 is enabled by accepting tokens based on both the Web Services Federation (WSFED), WS-Trust and SAML standards. While Microsoft has long promoted WSFED, it only agreed to support the more widely adopted SAML spec 18 months ago.

Take It to the Bank
Danny Kim, CTO of Boston-based Microsoft Gold Certified Partner FullArmor Corp., who has stress-tested ADFS 2.0, says he already has major clients that want to use it to deploy systems into the cloud.

"ADFS 2.0 does the linking of identities back to our server space and our cloud-based services, and we have one version that works across all of those environments," Kim says.

One major investment bank in New York is among those that want to roll it out right away to allow users to authenticate against applications hosted on the FullArmor Windows Azure-based systems, according to Kim. "This is a security-conscious company that has said, 'Unless security is guaranteed, we're not going to deploy these services in the cloud,'" Kim says. At the same time, Kim adds, the bank wants to ultimately stop buying and running servers as soon as it's safe to move to the cloud. ADFS 2.0 maps the user's token into AD, which is passed through to other ADFS 2.0-enabled systems, Kim explains.

Just as important, Microsoft officials say, is the fact that Microsoft can now also pass those claims through to any SAML-based system. Microsoft went through interoperability testing with other vendors through the Liberty Alliance, the standards organization that oversees identity-management specifications.

"We and a bunch of vendors got together ... and they tested out SAML protocol implementation, and they found it to be conformant across a whole bevy of test cases," said Matt Steele, senior program manager on the ADFS team at Microsoft, speaking on a Microsoft Channel 9 Video after the ADFS release candidate was posted. "That means we can advertise, like we've always wanted to, that ADFS 2.0 implements the SAML protocol and we're interoperable with all these vendors across all these test cases."

Will Implementations Match Tests?
Still, some argue that Microsoft may be over-promising. For example, it remains to be seen how compatible SAML tokens are with those provided by other vendors' platforms, says Patrick Harding, CTO of Ping Identity Corp., which provides its own single sign-on server that works across multiple platforms.

"We've been doing SAML for about four years," says Harding, whose company is both a Microsoft competitor and partner. "We know full well that SAML in the lab and SAML in the real world can be very, very different, especially when you get a lot of SaaS [Software as a Service] vendors who choose to write their own SAML implementations -- and there are always nuances with those."

There are other potential pitfalls. "Not every single piece of information about what someone can or can't do is stored in Active Directory," says Jackson Shaw, senior director of product management at Quest Software Inc., which provides a variety of tools to manage AD. "There may be something about my spending authority in the SAP system, for example. What that means is it forces a customer to synchronize more info into Active Directory."

Harding also wonders how quickly the .NET development community will embrace WIF. "While it's a good idea, WIF does require developers to learn from the ground up a brand-new paradigm and a brand-new development framework for how they need to integrate their apps into ADFS," Harding says.

However, Kim disagrees. "For developers who are familiar with the .NET environment, I don't think there's a significantly high learning curve," he says.

Those issues aside, Harding acknowledges that the release of ADFS 2.0 will likely pave the way for new cloud-computing initiatives. "ADFS 2.0 is a big deal because it validates that federated identity management is important; it's going to become a must-have for cloud computing and SaaS computing," he says. "All boats rise with Microsoft, and this is going to make people comfortable with the fact that federation is real."

Not in the Cards
Just days prior to the release of ADFS 2.0, Microsoft put on hold the next version of its CardSpace (formerly code-named "InfoCard") Information Cards, called CardSpace 2.0, which was to provide a common UI for managing multiple log-ins. CardSpace 2.0, which had been in beta since last year, supports ADFS 2.0 and includes WIF. To address the lack of an updated InfoCard, Microsoft this month is expected to release a community technology preview (CTP) of an add-on to ADFS 2.0 that will enable Windows Server to issue Information Cards.

"There's a lot going on in the Information Card space, especially when you consider cryptographic technologies like U-Prove, which we rolled out at the RSA conference," says Joel Sider, a senior product manager in the Forefront security group at Microsoft. "If you consider new standards like OpenID, there's a lot going on, and we want to address some of the new trends."

That raises the question: Is CardSpace 2.0 going to see the light of day? "There's certainly support for Information Cards; our involvement in Information Cards is alive and well," Sider says. Microsoft is not saying when it will update its CardSpace 2.0 plans, but some are wondering whether the technology has a future.

The uncertain fate of CardSpace 2.0 is "no surprise given its limited adoption," according to Harding. "Unfortunately, it has also really upset all of those people and companies that have bought into the InfoCard model at the urging of Microsoft."

But the shift in plan became somewhat inevitable in early March this year when Scott Charney, Microsoft corporate vice president of Trustworthy Computing, launched the CTP of the company's U-Prove technology at the annual RSA Conference in San Francisco. The U-Prove product centers on the issuance of digital tokens, which allow users to control how much information is shared with the recipient of the tokens.

Used against ADFS 2.0, U-Prove lets users federate identities across trusted domains. Microsoft released U-Prove under its Open Specification Promise (OSP) and also donated two reference toolkits for implementing the algorithms under the FreeBSD License. Moreover, Microsoft released a second specification under its OSP for integrating U-Prove into open-source identity selectors. How that will play out, in terms of whether the .NET and open source communities embrace U-Prove, remains to be seen.

Cloud Transition
Numerous Windows IT pros and security experts seem bullish on ADFS 2.0. Von Keyserling, of CSS, is among those who believe that ADFS 2.0 will play a key role in providing improved cloud security.

"We've been working with very large global enterprises and helping them build federation models that make it an easier transition into the cloud-computing environment," von Keyserling says. "It extends the ability to help manage identity across organizations that are separate identities."

For example, according to von Keyserling, if CSS and a client wanted to collaborate on a system that was hosted either locally, through a shared server pool, or in the cloud, the two organizations could actually federate their services together, making it easier for both to manage their own employees' identities.

"Using your existing identity infrastructure and applying that up into the cloud, hosted by Microsoft or through hosted SharePoint, certainly identity is at the center of security in our view, and it's certainly a very key consideration for cloud security overall," he adds.

Chirapurath says that's a key focus within Microsoft. "When you think about identity, it's really the keys to the store because an identity says who you are and what you can do," he says. "A lot of times, the challenges to cloud computing are in the realm of identity. What ADFS allows you to do is share those on-premises identities with the cloud; it can be Windows Azure or any other cloud that supports SAML or [the WS standards], so you can leverage your existing investments in on-premises Active Directory and make those identities work in your cloud-computing efforts."

ADFS 2.0 Implementation
Microsoft says ADFS 2.0 can be implemented atop AD without any schema extensions being necessary. While it needs to be installed on an instance of AD running on Windows Server 2008, Microsoft points out that organizations don't have to have all of their AD instances up to the current release -- though they do need to be on at least Windows Server 2003.

Microsoft is also hoping that Windows shops will adopt the new, free Forefront Identity Manager (FIM) 2010 platform, released in March. FIM is a repository that manages identities, access rights and credentials, as well as policies associated with them. It also allows IT managers to administer identities through a SharePoint-based admin console.

There are many issues related to cloud security that could be showstoppers for deploying applications in the cloud. Compliance, data integrity and understanding the implications of multi-tenancy are among a few.

When it comes to identity management, however, Microsoft and others have made key strides in bolstering the infrastructure to pass through common identities -- but work still remains on the client side. Nonetheless, with ADFS 2.0, enterprises that are considering using cloud services can benefit from adding the free upgrade to Windows Server.

"The end user can have the same experience in the cloud as if they were inside their own network; that's one of the advantages or drivers for these large enterprises looking at taking up the Federation Services and extending it," von Keyserling says. "It provides cloud services without having to stop and deal with password resets and credential management, and allows [companies] to focus on the execution of their business strategy versus the day-to-day nuances of dealing with security issues."