ADFS help

method115 Member Posts: 85
So I'm trying to understand ADFS and I'm having a little trouble understanding it. So I'm going to use a real example from work and you guys can let me know if I'm right or way off.

So basically when I get to work I log in and then open our support site to view tickets, and then log in to our customer information site.

If I were to configure ADFS correctly we could set it up so that once I log in, the support site and customer site would auto log me in?

Comments

  • kriscamaro68 Member Posts: 1,186
    From what I understand about it at its very basic level, yes, your analogy would be correct. ADFS is supposed to provide single sign-on, which means everything should auth with AD accounts and allow access to what is using the FS service.
  • method115 Member Posts: 85
    Ah ok cool this would actually be very useful for my company. We go through employees pretty quickly and have a handful of sites that we have to create different usernames for. Perhaps once I have a better grasp of ADFS I will see if they will allow me to implement it here. Thanks for the help.
  • ptilsen Member Posts: 2,835
    Hold on a second. You don't need ADFS to implement single-sign on within one forest or domain. While you could use it for that purpose, it would be an excessive solution. ADFS is primarily intended to create trust relationships between different organizations (read: different forests, different network) for web applications.

    This Technet article should give you a good overview:
    Active Directory Federation Services Overview
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • kriscamaro68 Member Posts: 1,186
    Go off what ptilsen said. I have only read briefly over that page and what I took from the brief read was single sign-on.

    Here is a quick snippet from the link he provided: Federation Service: The Federation Service comprises one or more federation servers that share a common trust policy. You use federation servers to route authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet.

    Makes more sense.

    Thanks for the clarification on its underlying purpose, ptilsen.
  • method115 Member Posts: 85
    ptilsen wrote: »
    Hold on a second. You don't need ADFS to implement single-sign on within one forest or domain. While you could use it for that purpose, it would be an excessive solution. ADFS is primarily intended to create trust relationships between different organizations (read: different forests, different network) for web applications.

    This Technet article should give you a good overview:
    Active Directory Federation Services Overview

    So what would you suggest instead of ADFS? We use a lot of web based applications and having something like ADFS would just make it all easier to maintain when it comes to our users.
  • ptilsen Member Posts: 2,835
    method115 wrote: »
    So what would you suggest instead of ADFS? We use a lot of web based applications and having something like ADFS would just make it all easier to maintain when it comes to our users.
    Are all of your users in the same domain? If so, ADFS will not make it easier. If they are, you can typically achieve SSO by enabling Windows Authentication (and disabling other methods of authentication).

    Are your users not members of any domain? If so consider using ADLDS to implement a user database shared between web applications.
  • method115 Member Posts: 85
    Yea we are all in the same domain. These websites that I'm referring to are built by other companies. We didn't make them ourselves. All of them are running under CentOS/Apache as well.
  • ptilsen Member Posts: 2,835
    Depending on the site design, you can probably get the site to integrate with AD DS as it's based on LDAP. But, that's probably not a simple task. AD FS won't help you, nor will anything in Windows, really. As long as those sites are using their own local databases of users, you're going to have more or less the same problem.
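Added example (not from the thread or any poster): one way the LDAP integration mentioned above can look at the Apache layer on CentOS, using mod_authnz_ldap to check passwords against AD DS, with a plaintext bind shown beside an LDAPS one. All host names, DNs, the group, paths and locations are placeholders, and it assumes the vendor application can take the user name Apache sets in REMOTE_USER instead of its own login table. Users still type their AD password, so this gives one account to maintain rather than automatic sign-on.

```apache
# Server-level (outside any VirtualHost): trust the CA that issued the
# domain controller's certificate, and refuse certificates that do not verify.
# The CA file path is a placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/example-ad-ca.pem
LDAPVerifyServerCert On

# Weak form: ldap:// on 389 without TLS. The service account's simple bind
# and every user's password cross the network in clear text, the bind secret
# sits in the config file, and any AD account at all is let in.
<Location "/support-weak">
    AuthType Basic
    AuthName "Support site"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc01.example.internal:389/DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=internal"
    AuthLDAPBindPassword "placeholder-password"
    Require valid-user
</Location>

# Corrected form: browser-to-Apache leg forced onto HTTPS (Basic auth is only
# base64), Apache-to-DC leg on LDAPS with certificate verification, bind secret
# read from a root-only helper, and access limited to one AD group so that
# disabling or removing the AD account removes access to the site.
<Location "/support">
    SSLRequireSSL
    AuthType Basic
    AuthName "Support site"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://dc01.example.internal:636/DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=internal"
    # exec: runs the named program and uses its first output line as the password
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-secret"
    # AD groups list members by DN in the "member" attribute (the module default)
    Require ldap-group CN=Support Staff,OU=Groups,DC=example,DC=internal
</Location>
```

The bind account needs only read access to the user and group objects it searches.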