News

Microsoft Set To Release ADFS 2.0

• By Jeffrey Schwartz
• April 23, 2010

Microsoft is expected to release Active Directory Federation Services 2.0, a key add-in to Windows Server 2008 that promises to simplify single sign-on authentication to multiple systems and the company's cloud-based portfolio.

ADFS 2.0 (formerly code-named "Geneva"), which provides claims-based authentication to applications developed with Microsoft's recently released Windows Identity Foundation (WIF), will be available "in any day," said J.G. Chirapurath, senior director in Microsoft's Identity and Security Business Group, in an interview.

Microsoft's claims-based Identity Model, implemented in the Windows Communication Foundation of the .NET Framework, presents authentication schema such as identification attributes, roles, groups and policies and a means of managing those claims, as tokens. Applications built by enterprise developers and ISVs based on WIF will also be able to accept these tokens.

ADFS 2.0 likely will prove important to Microsoft's overall cloud computing vision. Several Microsoft officials and outside observers believe that as enterprise customers, ISVs and software-as-service providers add ADFS 2.0 to their Windows Server environments, it will remove a key barrier to those reluctant to deploy their apps to the cloud.

Pass-through authentication in ADFS 2.0 is enabled by accepting tokens based on both the Web Services Federation (WSFED) and Security Assertion Markup Language (SAML) standards. While Microsoft has long promoted WSFED, it only agreed to support the more widely adopted SAML spec 18 months ago.

Many enterprises have expressed reluctance to use cloud services, such as Microsoft's Windows Azure, because of security concerns. "Security [issues], particularly identity and the management of those identities, are perhaps the single biggest blockers in achieving that nirvana of cloud computing," Chirapurath said.

Because ADFS 2.0 is built into Windows Azure, organization can now offer claims-based tokens that will work with both Windows Server 2008 and Microsoft's cloud-based services, enabling hybrid cloud scenarios. A user can authenticate to Azure or Windows Server and WIF-enabled applications using InfoCards built into Windows 7.

"Just like e-mail led to the explosive use of Active Directory, Active Directory Federation Services will do the same for the cloud," Chirapurath said.

Danny Kim, CTO of Boston-based Microsoft Certified Gold Partner FullArmor, who has stress-tested ADFS 2.0, said it is ready for production.

"ADFS 2.0 does the linking of identities back to our server space and our cloud-based services and we have one version that works across all of those environments," Kim said. One major financial services firm wants to roll it out right away to allow its users to authenticate applications running on FullArmor's Windows Azure-based applications, Kim added.

"This is a security-conscious company that has said unless security is guaranteed, we are not going to deploy these services in the cloud," Kim said. ADFS maps the user's token into Active Directory, which is passed through to other ADFS-enabled systems, he explained.

Still, some argue that may be easier said than done. For example, it remains to be seen how compatible SAML tokens are with those provided by other vendors' platforms, said Patrick Harding, CTO of Ping Identity, which provides its own single sign-on server that works across multiple platforms.

"We have been doing SAML for about four years," said Harding, whose company is both a Microsoft competitor and partner. "We know full well that SAML in the lab and SAML in the real world can be very, very different, especially when you get a lot of SaaS vendors who choose to write their own SAML implementations and there are always nuances with those."

Harding also questioned how quickly the .NET development community will embrace WIF. "While it's a good idea, WIF does require developers to learn from the ground up a brand new paradigm and a brand new development framework for how they need to integrate their apps into ADFS," Harding said.

However, Kim disagreed. "For developers who are familiar with the .NET environment, I don’t think there is a significantly high learning curve," he said.

Those issues aside, Harding acknowledged the release of ADFS 2.0 will likely pave the way for new cloud computing initiatives. "ADFS 2.0 is a big deal because it validates that federated identity management is important; it's going to become a must-have for cloud computing and SaaS computing," he said. "All boats rise with Microsoft and this is going to make people comfortable with the fact that federation is real."