What is ADFS and Use Case to demonstrate ADFS
Well What is ADFS?
Well, why ADFS? If we are not going to use ADFS for a cloud resource, we have to set up a VPN tunnel to establish trust between our Active Directory domain and the cloud resource; that brings a lot of security implications with it and is a hassle to set up.
The other alternative is to keep exporting users from the AD domain to the cloud resource as CSV and XML files, but that has its own problems: when names change (for example when somebody gets married) or accounts must be deleted because people leave the organization, these bulk exports of users lead to a lot of trouble.
The old-fashioned approach is to not use SSO at all and keep every account completely isolated (your work account is a different account from your Gmail), and then things like password expiration become difficult every time you bring a new service into the organization.
So let us learn ADFS.
When a person tries to log in to the cloud resource, the cloud resource redirects them to ADFS. The user authenticates against ADFS, ADFS checks Active Directory, a claim is generated and handed back to the user together with a redirect to the cloud resource's login URL, and that claim is what logs the user in.
Important things to learn about ADFS are:
ADFS claims-based identity
ADFS federation endpoints
ADFS federation metadata
ADFS relying party trust
With the traditional method, when a user wants to authenticate to an application, the user's credentials are validated in Active Directory and Active Directory generates a Kerberos ticket. A Kerberos ticket does not carry any application-defined attributes and you cannot customize it, so the one Kerberos ticket is used to open many applications.
This is where claims come into the picture.
Remember this point: in ADFS, all the attributes are called claims.
Now, what is ADFS claims-based identity?
A user who wants to open a cloud-based application is eventually sent to ADFS for authentication. ADFS authenticates the user against AD at the back end and returns the required or customized response the application needs; this set of claims coming back from ADFS is, in other words, nothing but a token.
We can easily understand ADFS endpoints with a simple diagram.
ADFS federation metadata
The key point to remember here is that an application does not know by itself which endpoints it needs to connect to, so it asks for the federation metadata, which describes them.
Relying party trust
For example, a user wants to log in to an application, and the user authenticates to ADFS,
and ADFS is the claims provider for the application: the application expects claims, consumes them and carries on with its own tasks. This is only possible when the application knows which endpoints it has to talk to, and that is learned from the federation metadata.
Once the application has been routed to the ADFS server, ADFS does its part, such as sending the claims, and the configuration that describes this for a given application is called the relying party trust.
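To make the two points above concrete (an application discovers endpoints from the federation metadata, and a relying party trust is built on that same information), here is an added PowerShell example that is not part of the original post. It parses a SAML metadata document and reports the entity ID, the sign-on endpoint for each binding, and the signing key the application must trust. The metadata string is a constructed minimal sample, the certificate blob in it is a labelled placeholder rather than a real certificate, and adfs.example.com is a placeholder host name.

```powershell
# Added example (not from the original post). What an application, or an admin
# preparing a relying party trust, learns from an identity provider's federation
# metadata. The XML below is a constructed sample; the X509Certificate value is a
# base64 placeholder, not a real certificate.

$SampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.com/adfs/services/trust"
                  validUntil="2030-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

function Get-FederationMetadataSummary {
    param([Parameter(Mandatory)][xml] $Metadata)

    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    $idp    = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)

    # Endpoints: where the user is sent for sign-on, one entry per supported binding.
    $endpoints = foreach ($svc in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
        [pscustomobject]@{
            Binding  = $svc.GetAttribute('Binding').Split(':')[-1]   # e.g. HTTP-POST
            Location = $svc.GetAttribute('Location')
        }
    }

    # Signing keys: the certificates whose signatures on tokens the application must
    # accept. A certificate thumbprint is the SHA-1 of its DER bytes; with the placeholder
    # blob above this is just the hash of the placeholder, but the procedure is the same.
    $thumbprints = foreach ($kd in $idp.SelectNodes('md:KeyDescriptor[@use="signing"]', $ns)) {
        $b64  = $kd.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText.Trim()
        $der  = [Convert]::FromBase64String($b64)
        $sha1 = [System.Security.Cryptography.SHA1]::Create()
        ([System.BitConverter]::ToString($sha1.ComputeHash($der))).Replace('-', '')
    }

    [pscustomobject]@{
        EntityId        = $entity.GetAttribute('entityID')
        ValidUntil      = $entity.GetAttribute('validUntil')   # metadata should be refreshed before this
        Endpoints       = @($endpoints)
        SigningKeyCount = @($thumbprints).Count
        SigningKeySha1  = @($thumbprints)
    }
}

$summary = Get-FederationMetadataSummary -Metadata ([xml]$SampleMetadata)
$summary | Format-List
$summary.Endpoints | Format-Table -AutoSize

# Against a live ADFS server, replace the sample with the document ADFS publishes
# at its well-known metadata path (host name is a placeholder):
#   $live = Invoke-RestMethod -Uri 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
#   Get-FederationMetadataSummary -Metadata $live
#
# On the ADFS server itself, the ADFS module shows which endpoints are really
# exposed; ones a deployment does not use can be switched off with Disable-AdfsEndpoint:
#   Get-AdfsEndpoint | Where-Object Enabled | Select-Object Protocol, AddressPath, FullUrl
```

The two things an application (or an admin) should take from the metadata are the endpoint locations and the signing certificate; an application that accepts tokens without checking them against the published signing key is trusting whoever can reach its login URL, so the thumbprint from the metadata is the value to pin in the relying side's configuration.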
Use case:
Install the SAML SSO for Confluence plugin in Confluence and configure it.
After this we have to copy the SAML metadata for the IdP configuration.
Now open ADFS, configure a relying party trust, and add the data source using the SAML metadata from the IdP configuration.
Now edit the rules that decide which attributes are passed in the relying party trust.
Here we select the attribute that is used for claims-based authentication; we selected SAM-Account-Name.
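The same use case scripted, as an added PowerShell example that is not part of the original post and not code from the Confluence plugin: it creates the relying party trust from the plugin's SAML metadata file and then sets the claim rules that put SAM-Account-Name into the token. The trust name, the metadata file path and the host names are assumptions; the claim-type URIs and rule templates are the standard ones ADFS uses.

```powershell
# Added example (not from the original post). Scripts the console steps above on the
# ADFS server (requires the ADFS PowerShell module). Trust name and file path are assumed.

$TrustName    = 'Confluence SAML SSO'
$MetadataFile = 'C:\temp\confluence-sp-metadata.xml'   # metadata exported from the plugin (assumed path)

# 1. Create the relying party trust from the service provider's metadata. ADFS reads
#    the entity ID, assertion consumer URL and any SP certificate from the file, which
#    avoids typing those values by hand.
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile

# 2. Issuance transform rules: which attributes become claims. The first rule pulls
#    sAMAccountName out of Active Directory; the second re-labels it as the SAML NameID
#    that the application matches users on.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD sAMAccountName to Name claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name claim to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# 3. Issuance authorization: a trust with no permit rule issues no token at all.
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# 4. Read back what ADFS stored so the trust can be reviewed (and diffed later).
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

On ADFS 2016 and later the permit-all authorization rule can be replaced by an access control policy (for example `-AccessControlPolicyName 'Permit everyone'` on Set-AdfsRelyingPartyTrust), which is also where a group restriction or an MFA requirement for this application would go. Reading the trust back at the end is worth keeping as a habit: the issuance rules are the complete statement of what ADFS will tell the application about a user, and a rule that silently grew an extra attribute is the kind of change you want to notice in a review.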