Will ADFS 2.0 Boost Cloud Security?

The pending release of Microsoft's Active Directory Federation Services (ADFS) 2.0 is expected to play a key role in simplifying how organizations provide access control to systems and applications, including those running in the cloud.
Microsoft is expected to release ADFS 2.0, the free Windows 2008 Server add-in to Active Directory, this week, as reported. ADFS 2.0 provides claims-based authentication to applications developed with Microsoft's recently released Windows Identity Foundation (WIF).
While ADFS 2.0 gives single sign-on to .NET applications built with WIF and to systems running Windows 2008 Server instances, it also extends that authentication to Microsoft's Windows Azure cloud service. Just as important, it provides single sign-on to Windows applications running on other cloud-based services, said Jackson Shaw, Quest Software's senior director of product management.
"ADFS 2.0 is really going to shed the spotlight on federation and cloud services and that's something the industry can use," Shaw said, in a telephone interview from the company's TEC 2010 conference in Los Angeles. "You can put an ADFS 2.0 instance up and use it to connect directly to Google or Salesforce.com. It's fairly straightforward."
Key to ADFS 2.0 is its support for the Security Assertion Markup Language 2.0 (SAML) standard, which is widely supported by cloud providers and ISVs. Allowing Windows and .NET apps to make and exchange SAML-based authentication claims removes a key barrier to federating with those providers.
While Shaw sees ADFS 2.0 as a key step forward toward improving cloud security, he cautioned it's not a panacea. "Not every single piece of information about what someone can or can't do is stored in Active Directory," Shaw said. "There may be something about my spending authority in the SAP system, for example. What that means is it forces a customer to synchronize more info into Active Directory."
The problem, he explained, is that customers may not always want to do that. "That's part of the evolution of cloud services we have to go through, and that's why I am excited about ADFS 2.0, because as more and more customers start to use this, these types of difficulties are going to be surfaced," Shaw said.
Not lost on him, of course, is the opportunity that presents for third parties like Quest, Ping Identity, Symplify, CA, Novell and others to offer tools to remediate some of these issues.
Keynoting at this year's TEC 2010 was Conrad Bayer, Microsoft's general manager for Identity and Access solutions. Shaw, who attended the keynote, shared a few observations:
  - Directory technologies have all been brought together into one group at Microsoft, which Bayer will oversee. That includes ADFS, Forefront Identity Manager and Rights Management Server. "This is definitely a step in the right direction from the perspective of actual integration across the product line and hopefully some proper integration with Active Directory," Shaw said in a blog posting released just after we spoke.
  - When Bayer polled the audience to see how many were using ADFS, very few raised their hands. "I believe this will change once ADFS v2.0 releases later this year - since ADFS is basically free," Shaw noted.
  - CardSpace 2.0 is not ready, Bayer confirmed. "It doesn't go away but it isn't imminent to be released either," noted Shaw. "They want to add OpenID support and they are working on that along with incorporating it into Internet Explorer."
Are you looking to use ADFS 2.0 in your organization or for your clients? Drop me a line at jschwartz@1105media.com.

Posted by Jeffrey Schwartz on April 26, 2010