What is ADFS and how it works?

Active Directory Federation Services, or commonly known as ADFS, is a solution from Microsoft to provide Single Sign On and web based authentication to systems and applications between organizations with unique or multiple domains.

ADFS uses the claims-based access control authorization model in order to ensure the application level security and federation identity, which is implemented between two organizations by establishing a trust between two security zones or scopes.

Two federation servers are required, one for users accounting and authentication (mainly with Active Directory Domain Services) to identify them and another for resources authorization and user access validation. This architecture allows a user that belongs to another security scope or realm to control their access directly without sharing databases or passwords between them.

ADFS is designed to communicate over HTTPS in order to validate the user with a given user name and password, then, if this is valid then the service returns an unique token that can be used by third-parties applications.

When a certain user attempts to access to an application in one site, then it redirects the login petition from the user to the main site ADFS proxy in a form of username and password and then returns a token that will be used by the application to control the user accesses.

The problem of that environment is the single point of failure and the lack of scalability once the organization grows.

ADFS scalable environment

In order to provide high availability, load balancing and automatic disaster recovery of ADFS services, we’re proposing an environment like it’s shown below.

This approach is implementing load balancing and high availability for in-site services, but it can be built as an inter-site architecture which also provides automated disaster recovery for geo-located ADFS services.

ADFS load balancing configuration

Creating a simple load balancing virtual service with LSLB | L4xNAT farm will allow to load balance the HTTPS requests as raw TCP connections.

In the Services tab, select the dispatcher algorithm selected and configure the ADFS proxies in the backends section.

Finally, configure the advanced health checks for ADFSv2:

./check_http --sni -H fs.mydomain.com -IHOST -u /adfs/ls/idpinitiatedsignon.aspx -e 200 -S -s html 

for ADFSv3:

./check_http --sni -H fs.mydomain.com -IHOST -u /adfs/ls/idpinitiatedsignon.htm -e 200 -S -s html 

Note: In the health checks commands, change your ADFS domain.

ADFS in high availability and automated disaster recovery configuration

As Zevenet clustering solution replicates all the connections and sessions in real time, building a cluster the clients can transparently switched from one node to another without disruption. The cluster service provides high availability at application delivery layer but also an automatic disaster recovery abilities that can be configured easily through the section System | Cluster.

ADFS enhanced security

Zevenet Intrusion Prevention and Detection System adds an additional security layer to the ADFS services, so we can ensure that the connection requests from our sites are trusted.

In addition, SSLoffload for ADFS will be available soon so the complete security layer could be delivered by Zevenet by loading the SSL certificate in a LSLB | HTTP farm with HTTPS listener.