Managing user access in businesses today is something like playing traffic cop in an intersection of a thousand roads. From Web-based applications to homegrown programs, from desktop PCs to the latest crop of smartphones, IT has to be able to control access to every sort of resource while allowing users to access them from anywhere and any platform.
A bigger challenge is providing seamless access to applications and systems across corporate or network boundaries. It's no trouble for IT to define and manage user names and passwords on their own network, but it takes more work -- or is nearly impossible -- to extend access to internal systems to numerous external users or to manage local user access to a system outside of their control.
Microsoft has updated Forefront Identity Manager (FIM) 2010 and Active Directory Federation Services (ADFS) to aid IT in applying identity management across domains and business boundaries. Both of these tools are intended to extend user access control across the enterprise; FIM uses a common platform to tie user, certificate, group, and policy management together, while ADFS provides trust accounts between different networks or organizations. Together, they provide a powerful platform for extending user management beyond the company domain or network edge.
Active Directory Federation Services 2.0
Active Directory Federation Services, first available in Windows Server 2003, is now a server role in Windows Server 2008 R2. ADFS is a single-sign-on technology that uses claims-based authentication to validate a user's identity across domains. Normally when the user's account is in one domain and the resource is in another, the resource will prompt the user for local credentials. ADFS eliminates the secondary credential request; the user's identity is validated, and access provided, based on information in the user's home directory.