Hi Everyone,
Part 3 of my Windows Server 2008 series covers Active Directory Federation Services (AD FS).

So what is AD FS?

Active Directory Federation Services (AD FS) is a feature in the Windows Server 2003 R2 and Windows Server 2008 operating systems that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple, related Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries.

Features in AD FS

In Windows Server 2008, AD FS includes new features that were not available in Windows Server 2003 R2.
This new functionality is designed to ease administrative overhead and to further extend support for key applications:

Improved installation: AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.

Improved application support: AD FS is more tightly integrated with Microsoft Office SharePoint Server 2007 and Active Directory Rights Management Services (AD RMS).

A better administrative experience when you establish federated trusts: Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.

The following are some of the key features of AD FS:

Federation and Web SSO

When an organization uses Active Directory Domain Services (AD DS), it experiences the benefit of SSO functionality through Windows Integrated authentication within the organization's security or enterprise boundaries. AD FS extends this functionality to Internet-facing applications. This makes it possible for customers, partners, and suppliers to have a similar, streamlined, Web SSO user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organisations to facilitate business-to-business (B2B) federated transactions between partner organizations.

Web Services (WS)-* interoperability

AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS does this by employing the federation specification of WS-*, called WS-Federation. The WS-Federation specification makes it possible for environments that do not use the Windows identity model to federate with Windows environments.

Extensible architecture

AD FS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) 1.1 token type and Kerberos authentication (in the Federated Web SSO with Forest Trust design). AD FS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organisations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies.

Extending AD DS to the Internet

AD DS serves as a primary identity and authentication service in many organisations. With Windows Server 2003 Active Directory and Windows Server 2008 AD DS, forest trusts can be created between two or more Windows Server 2003 forests or Windows Server 2008 forests to provide access to resources that are located in different business units or organisations.

However, there are designs in which forest trusts are not a viable option. For example, access across organisations may have to be limited to only a small subset of individuals, not every member of a forest.

By employing AD FS, organisations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.

AD FS supports distributed authentication and authorisation over the Internet. AD FS can be integrated into an organisation's or department’s existing access management solution to translate the claims that are used in the organisation into claims that are agreed on as part of a federation. AD FS can create, secure, and verify the claims that move between organisations. It can also audit and monitor the communication activity between organisations and departments to help ensure secure transactions.

OK, installing AD FS...

First up, install the role through Server Manager.

[Screenshot: adfs1]

You will then get the welcome screen. Please ensure the domain controller or member server is a member of the domain, and bear in mind that when you install additional features of AD FS you MUST separate the AD FS proxy server from the other AD FS feature roles. You cannot run both on the one box.

[Screenshot: adfs2]

Note: you will be required to install the additional IIS services as well.

[Screenshot: adfs3]

In this demonstration I will be installing the AD FS service and the Web Agents. Choose Next.

[Screenshot: adfs4]

As I am installing the Web Agents role, it is prompting me for an SSL certificate. I have some existing AD CS certificates which I could use; if your organisation has its own set of SSL certificates for IIS, select them now, or alternatively create a new one. For the purpose of this demo I will create a new certificate.

[Screenshot: adfs5]

[Screenshot: adfs6]

Again, because I am installing the Web Agent feature, one of its sub-requirements is token authentication, so at this point it is asking me for a certificate for that. I will create a self-signed one, but in a production environment you would use a certificate issued by an external CA.

[Screenshot: adfs7]

It is now prompting me for my federation server for Web Agent communications. In a production environment you should have this on a separate federation server, but for this demo I am going to point it to the local DC. Selecting Validate will confirm Web Agent communication with your chosen federation server.

[Screenshot: adfs8]

The next stage involves specifying the trust policy XML location. If your organisation has its own policies for this, please make the appropriate changes, but I will keep everything at the default.

[Screenshot: adfs9]

The next part of the install involves configuring your IIS 7 components. Choose Next at the welcome screen.

[Screenshot: adfs10]

Leave all IIS components selected as default unless you have specific requirements.

[Screenshot: adfs11]

Confirm your installation requirements and choose Install.

[Screenshot: adfs12]

Installation proceeding...

[Screenshot: adfs13]

Installation finishes; choose Close.

[Screenshot: adfs14]

Note: no restart is required. You can access the AD FS snap-in through MMC. In the example below I have created an AD account store. Also note that you split your trust policy between internal clients and external clients (partners).

[Screenshot: adfs15]

I am now going to create a new application definition. To do this, right-click Applications and select New, then Application...

[Screenshot: adfs16]

The wizard starts; choose Next.

[Screenshot: adfs17]

Now you need to specify whether your application will use token-based authentication or is claims-aware (.NET). In this example I am going to use claims-aware.

[Screenshot: adfs18]

Now enter your display name and URL path; in this case I will be using my HP SIM application.

Please note: do NOT use AD FS with SharePoint SSO. Use either one or the other, not both. Although SSO works great, if your organisation has a policy to use AD FS only, ensure you remove the SSO option in your initial SharePoint installation configuration.

[Screenshot: adfs19]

Now you specify your identity claims. As HP SIM uses UPN, that's the option I'll be selecting; however, as you can see from the screenshot, you have a few different options.

[Screenshot: adfs20]

Now you choose whether to enable the application immediately or not. Choose Next.

[Screenshot: adfs21]

The wizard is finished; hit Finish.

[Screenshot: adfs22]

As you can see, my application is initialised and is using UPN for its identity claim (IC).

[Screenshot: adfs23]
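To show what the claims-aware application on the receiving end has to check once AD FS issues it a token, here is an added Python example (not part of this post, nor code from AD FS or the Web Agent) that consumes a constructed SAML 1.1 assertion: it enforces the validity window, requires the audience to match the application URL entered in the wizard, requires the identity claim to be a UPN as selected above, and maps a Group claim onto application roles in the spirit of the claim mapping described earlier. The claim URIs, issuer, URLs and group names are assumed sample values, and XML signature verification against the token-signing certificate is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
UPN_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"  # assumed UPN identity-claim URI, not from this post
GROUP_TO_ROLE = {"HPSIM-Admins": "Administrator", "HPSIM-Users": "Operator"}  # constructed claim mapping

# Constructed SAML 1.1 assertion in the shape a claims-aware application receives; unsigned, sample data only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" Issuer="urn:federation:example" IssueInstant="2009-01-01T10:00:00Z">
  <saml:Conditions NotBefore="2009-01-01T09:55:00Z" NotOnOrAfter="2009-01-01T11:00:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://sim.example.test/</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows"
    AuthenticationInstant="2009-01-01T10:00:00Z">
    <saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">alice@example.test</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>HPSIM-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC 'Z' strings; make them timezone-aware for comparison."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, app_url, now):
    """Validate an assertion for the application registered at app_url and return the mapped identity.
    Assumes the XML signature was already verified against the federation server's token-signing cert."""
    ns = {"saml": SAML1}
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", ns)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # The audience must be the URL from the application definition; otherwise a token issued for
    # some other partner application would be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", ns)]
    if app_url not in audiences:
        raise ValueError("assertion not issued for this application")
    nid = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", ns)
    if nid is None or nid.get("Format") != UPN_FORMAT:
        raise ValueError("identity claim is not a UPN")
    groups = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@AttributeName='Group']/saml:AttributeValue", ns)]
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return {"upn": nid.text, "roles": roles}
```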