Does ADFS 2.0 deliver on its single sign-on promise?

Claims, tokens, identity providers -- the next iteration of ADFS is helping to unify a SSO vision

Page 3 of 3

How ADFS 2.0 handles claims authentication
With this background in mind, let's look at ADFS 2.0 specifically.

The STS is handled by ADFS 2.0 by installing it as a role in your Active Directory environment; your organization now becomes the issuer of the token. The application would use Windows Identity Foundation, which is a standard library for creating applications that are claims-aware. You may or may not need an identity selector; if you did, Microsoft is working on CardSpace version 2.0 to take on that role. 

If you want a much more controllable version of claims-based authentication, you can add U-Prove to the mix; it's a cryptographic technology that integrates with WIF, ADFS 2.0, and CardSpace 2.0. Purchased by Microsoft in 2008 from Credentica, U-Prove was released in March 2010 under its "open specification" promise, and there are open source reference toolkits in C# and Java and a Community Technology Preview that includes a ton of information.

Just because I've presented only one view of ADFS 2.0 -- that of a single sign-on with users and external, on-premise applications -- don't pigeonhole this technology. You might use it in your enterprise to provide access to applications developed for use in-house. You might use it for applications used in the enterprise that need to authenticate users coming from the Internet. You might develop an application that accepts tokens from trusted identity providers (a good example is Windows Live ID). You might use the same technology to work between two enterprises so that users in the one enterprise can access to an application residing in another. And certainly, with cloud computing, you can see how claims can be used to provide single sign-on to cloud-based applications running on platforms like Microsoft Azure.

ADFS 2.0, if it lives up to its claim (pun intended), will help bring about the elusive single sign-on that so may users, admins, and developers have hoped for all these years -- without creating the security risks these same users, admins, and developers continue to fear. As I gain more experience with ADFS 2.0, I'll keep you posted on how well it delivers on that hope.

This article, "Does ADFS 2.0 deliver on its single sign-on promise?," was originally published at Read more of J. Peter Bruzzese's Enterprise Windows blog and follow the latest developments in Windows at

| 1 2 3 Page 3