ADFS link with Webdesk EWP
ADFS (Active Directory Federation Services) is a software product from Microsoft that enables cross-organizational logins to services via single sign-on.
This ADFS link with Webdesk EWP lets users authenticate with the user names and passwords stored in the customer’s Active Directory. As an HR software provider, we do not know the ADFS passwords at any time. The access data can be administered in the Windows domain’s own user management. This is a so-called “claim-based authorization model using token messages”.
The advantages of ADFS at a glance:
- Users only have to authenticate themselves once a day
- Authorizations can be withdrawn at any time – for example, if an employee leaves the company, the user authorization does not have to be withdrawn in every individual application; this can simply be done once via the Windows domain
- Full control over all user accounts
- Password automatically corresponds to the company’s internal password guidelines
- Using the SAML 2.0 (Security Assertion Markup Language) standard, ADFS enables the connection to third-party systems that do not use a Windows-based identity / authentication model – the customer’s Active Directory acts as an IDP (Identity Provider).
Implementation:
For the ADFS implementation the open-source software Shibboleth has to be installed. This enables the binding and thus the exchange of tokens and is connected via a module to the Apache front-end HTTP web server, which is to be installed in addition.
Usually, we need a person-day (PT) for the complete setup.
Note: Azure AD, Microsoft 365’s cloud Active Directory, is also supported.