Active Directory Federation Services v2.0 - A Good Start

It looks like Microsoft has released their long-awaited Active Directory Federation Services v2.0 ('ADFS v2.0') component for Active Directory.

Simultaneously with this release, Microsoft is pushing the concept of "claims based identity" as the new thought "superstructure" that according to Microsoft, is a seminal event in the history of thought for identity management.

Here is my favorite quote from Microsoft's book "A Guide to Claims-based identity management".

"The claims-based model embraces and subsumes the capabilities
of all the systems that have existed to date, but it also allows
many new things to be accomplished."

I must say this is quite a claim.

Let's step back and take a look at what ADFSv2 is actually doing on the wire, which is where the truth ultimately lies.

The model proposed by Microsoft equivalent to the assertion model of identity. In all cases, whether it is a web service, web site or SaaS application, the user authenticates himself or herself to ADFSv2 for a specific application and then receives a SAML assertion for that specific application which they then take to the target application in a browser or "smart client" (web service).

Microsoft is trying to elevate it's technology to greater philosophical importance by using the word "claim" in place of "attribute" or "role" or "property" of a user. This makes for some good marketing, but the SAML assertion that comes from ADFSv2 will have very specific attributes in it targeted for very specific target application. This is an important point because it means you can't simply take the SAML assertion and "federate it" anywhere as it will have "claims" (e.g. attributes) designed for a specific application, some of which might be quite sensitive.

For instance, a claim for an expense reporting application might have an employee's cost center as an attribute in the SAML assertion. This is great for federating the assertion to the expense reporting application, but not so great when federating the assertion to other applications, such as a partner website.

I looked around for a sample SAML assertion generated by ADFSv2 with some sample claims to dig in to the details, but they are hard to come by. I wonder why...

Notwithstanding my criticism, the model is a good one because moves the authentication and authorization logic further away from applications and into a centralized, trusted assertion. This is a step in the right direction and follows the trend of security decoupling that has proven to be useful for other technologies such as SSL and web services security in the past.

To conclude this post, I am leaving two unanswered thought provoking questions:

#1: What is the difference between a claim and an attribute? (Credit for the seed of this idea goes to Dr. Babak Sadighi of Axiomatics during a conversation we had at the recent Kuppinger show)

#2: Is there a need for "claims filtering/protection" - e.g. on-the-wire gateway functionality that can obfuscate, encrypt or delete sensitive claims in ADFSv2 issued SAML assertions when these assertions leave the Enterprise perimeter?

Posted by Blake Dournaee on 5:04 PM


Kevin Jones said...

Interesting questions there. Let me take a punt on the first. Attributes are always simple facts such as 'my age is 21', where as claims can also cover propositions such as 'my age is less than 30'. Makes intuitive sense to me, but then intuition is not always a good guide in software...

digital signature Adobe Reader said...

Its really interesting to read about your views on Microsoft's claim.Good questions too.I also agree with Kevin that intuition is not good in software some time.


About Me

My photo
I have been working in the XML/SOA and security space for about 10 years. I currently work at Intel Corporation in their software group. I wrote the first book on XML Security and am a co-author of SOA Demystified from Intel Press. My interests are an eclectic mix of computing, security, business, technology and philosophy