If you've ever tried to develop an online solution that requires a login, you know it isn't difficult to accomplish -- as long as you handle the login information yourself or through a service that retains users' names, passwords, or other data. These have become commonplace. However, they don't help so much with federated IDs such as those used for single sign-on via Active Directory, as I discovered firsthand in setting up my company's learning portal.
It would be so much easier if there were some form of trust or federation with the companies that sign up so that their users log into their Active Directory and can access their online portals as well. The good news is that Active Directory Federation Services (ADFS) 2.0 is making some strides here.
ADFS 2.0 is an add-on role for Windows Server 2008 that was released in May. The idea is simple: Users log in once to the Active Directory environment and can use those credentials through claims-based authentication to access other applications, as long as they are identity-aware.
When I saw ADFS 2.0, my first thought was, "Here we go with yet another identity solution based upon some proprietary set of standards or protocols." But ADFS 2.0 supports Security Assertion Markup Language (SAML) 2.0, which is also used by several major third-party cloud services.
There is a hodgepodge of different elements that allow for authentication between an Active Directory environment and the application in question (on-premises or cloud-based, for example) to provide the pass-through in a secure manner, including Web Services Federation (WS-Federation), WS-Trust, and SAML. These all work together to create tokens carrying claims that the receiving application can verify. In ADFS 2.0, Microsoft uses these industry-standard, interoperable protocols.
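To make the claims-based flow concrete, here is an added example (not code from the article, and not Microsoft's ADFS implementation) that plays both sides of the exchange described above: an identity provider mints a SAML 2.0-style assertion carrying claims, and the relying party (the portal) accepts it only after checking integrity, issuer, validity window and audience. The issuer URL, audience URL, claim names, clock values and shared key are all constructed for the demo; the HMAC is a stand-in for the XML-DSig signature a real ADFS token carries, and the validation order is the point: no claim is acted on until the token has been verified.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed demo values; a real deployment takes these from the federation metadata.
IDP_ISSUER = "https://adfs.example.test/adfs/services/trust"   # hypothetical identity provider
RP_AUDIENCE = "https://portal.example.test/"                   # hypothetical relying party
DEMO_KEY = b"demo-shared-key-not-for-production"               # stand-in for the IdP signing certificate


class TokenRejected(Exception):
    """Raised when an assertion fails any relying-party check."""


def _sign(assertion_xml: bytes) -> str:
    # Stand-in for XML-DSig: a real assertion carries an enveloped signature that the
    # relying party verifies against the IdP certificate published in federation metadata.
    return hmac.new(DEMO_KEY, assertion_xml, hashlib.sha256).hexdigest()


def issue_assertion(subject: str, claims: dict, now: datetime, lifetime=timedelta(minutes=5)):
    """Identity-provider side: mint an assertion with issuer, validity window, audience and claims."""
    a = ET.Element(f"{{{SAML_NS}}}Assertion", {"Version": "2.0", "IssueInstant": now.strftime(TIME_FMT)})
    ET.SubElement(a, f"{{{SAML_NS}}}Issuer").text = IDP_ISSUER
    subj = ET.SubElement(a, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML_NS}}}Conditions",
                         {"NotBefore": now.strftime(TIME_FMT),
                          "NotOnOrAfter": (now + lifetime).strftime(TIME_FMT)})
    ar = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML_NS}}}Audience").text = RP_AUDIENCE
    stmt = ET.SubElement(a, f"{{{SAML_NS}}}AttributeStatement")
    for name, values in claims.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", {"Name": name})
        for v in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v
    xml = ET.tostring(a)
    return xml, _sign(xml)


def _parse_time(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml: bytes, signature: str, now: datetime,
                       trusted_issuers=frozenset({IDP_ISSUER}), audience=RP_AUDIENCE):
    """Relying-party side: return (subject, claims) only if every check passes."""
    # 1. Integrity first: never read claims out of a token whose signature has not been verified.
    if not hmac.compare_digest(_sign(assertion_xml), signature):
        raise TokenRejected("signature mismatch")
    # Production code should parse with defusedxml (or let the platform's federation stack do it).
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise TokenRejected("not a SAML 2.0 assertion")
    # 2. The issuer must be a federation partner this relying party explicitly trusts.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise TokenRejected(f"untrusted issuer {issuer!r}")
    # 3. Validity window and audience: a token minted for another application must not be accepted here.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise TokenRejected("missing Conditions")
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise TokenRejected("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise TokenRejected(f"audience mismatch: {audiences}")
    # 4. Only now extract the subject and the claims the application will act on.
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    claims = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
              for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, claims


def check(assertion_xml: bytes, signature: str, now: datetime, **kw):
    """Return None if the token is accepted, otherwise the rejection reason (useful for audit logs)."""
    try:
        validate_assertion(assertion_xml, signature, now, **kw)
        return None
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = datetime(2010, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
    token, sig = issue_assertion("alice@example.test", {"role": ["Learner"]}, t0)
    print(validate_assertion(token, sig, t0 + timedelta(minutes=1)))
    print(check(token, sig, t0 + timedelta(minutes=10)))   # expired token is refused
```

The relying party never trusts the claims merely because the token parses; the order of checks is what turns a "claim" into a verified claim. In a real ADFS deployment, the same checks are performed by the federation stack against the signing certificate and endpoints published in the partner's metadata, so the application itself only sees claims that have already passed them.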