Develop Federation-Aware Applications
As business needs for user access have evolved, many Web applications can no longer serve only users inside the firewall. The same applications must also be reachable by vendors, partners, and other trusted organizations.
How do developers give these constituencies access to applications built around the domain-based identity model? At minimum, the requirement means additional user-account management, because every external user must be given a domain-based identity inside the firewall as well. Whether that means hundreds or thousands of additional accounts, it is a further burden on IT and help-desk staff, who must provision and de-provision accounts and reset passwords for people only loosely affiliated with the organization.
Active Directory® Federation Services (AD FS) is the key to providing secure external access to Web applications while keeping the added workload on staff to a minimum. AD FS, used together with Active Directory Lightweight Directory Services (AD LDS) as an identity provider for authentication and Windows Authorization Manager (AzMan) for managing access policy, provides a complete solution for extending Web applications to trusted organizations.
AD FS extends the reach of Web applications across domains while preserving the Windows® Integrated Authentication experience inside the firewall and providing Single Sign-on for users outside it. AD FS makes additional user-account management unnecessary because it provides the infrastructure for establishing federation-trust relationships with partner organizations. Rather than replicating partner accounts locally, your organization accepts signed security tokens issued by the partner's federation service, so accounts from the partner's domain can be trusted to access specific applications in your domain. In a federation-trust model, therefore, each organization continues to manage its own domain-based identities, including their associated access rights, but can also securely project identities to, and accept identities from, partner organizations.
AD LDS serves as an identity provider for business scenarios that require an extranet directory in which to store customer user accounts, where those accounts must be kept separate from the enterprise AD user-account store. AD FS can be configured, within a federation-trust relationship, to authenticate users against AD LDS and to issue digital identities, including claims, to federation-aware Web applications. Another potential use of AD LDS as an identity provider is a hosted, Software as a Service (SaaS) model, where a highly scalable directory service must hold accounts for multiple organizations within a single directory. Such a set of SaaS applications can itself be a party to a federation-trust relationship.
AzMan provides a role-based access control framework for managing authorization policy. Authorization decisions have traditionally been hard-coded into business applications, so the application had to be modified whenever business needs changed. With AzMan, the authorization policy is managed separately from the application's code. Business owners decide which roles may perform which business operations, and developers perform access checks against those operations through a standardized programming model, without knowing which roles currently grant them. As the business evolves and roles must be added or changed, the business owner updates the policy, and the underlying business application does not need to be changed.
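The following is an added example, not code from the original article, showing what the separation described above looks like from the application's side: the code names an operation and asks AzMan whether the caller may perform it, while the role-to-operation mapping lives entirely in the policy store. It assumes the Microsoft.Interop.Security.AzRoles interop assembly, a policy store at C:\Policy\ExpenseApp.xml containing an application named ExpenseApp, and operations with IDs 1 and 2; all of those names and IDs are assumptions. The intranet path builds the client context from the caller's Windows token; the federated path, for a partner user who has no token in your forest, builds an identity-less context and assigns the roles carried in the AD FS claims (the InitializeClientContext2 and AddRoles members exist in the AzMan shipped with Windows Server 2008; mapping claims to AzMan role names is assumed to happen in the federation policy).

```csharp
// Added example (not the article's own code). Assumptions: an AzMan policy store at
// C:\Policy\ExpenseApp.xml, an application "ExpenseApp", operations "SubmitReport"
// (ID 1) and "ApproveReport" (ID 2), and a reference to the
// Microsoft.Interop.Security.AzRoles interop assembly on a Windows host.
using System;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;

public static class ExpenseAuthorization
{
    // The application refers to operations only by their numeric IDs. Which roles
    // may perform them is decided by the business owner in the policy store.
    public const int OpSubmitReport = 1;   // assumed operation ID
    public const int OpApproveReport = 2;  // assumed operation ID

    private static readonly IAzApplication App =
        OpenApplication(@"msxml://C:\Policy\ExpenseApp.xml", "ExpenseApp"); // assumed URL and name

    private static IAzApplication OpenApplication(string storeUrl, string appName)
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);          // 0 = open existing store for runtime checks
        return store.OpenApplication(appName, null);
    }

    // Intranet path: the caller authenticated with Windows Integrated Authentication,
    // so the client context is built directly from the Windows access token.
    public static IAzClientContext ContextFromWindowsIdentity(WindowsIdentity identity)
    {
        ulong token = (ulong)identity.Token.ToInt64();
        return App.InitializeClientContextFromToken(token, null);
    }

    // Federated path: a partner user has no token in this forest. Build a context
    // that carries no Windows identity and assign the AzMan roles that the AD FS
    // claims resolved to (the caller is assumed to have done that mapping).
    public static IAzClientContext2 ContextFromClaims(string userName, string[] roleNames)
    {
        var app2 = (IAzApplication2)App;
        IAzClientContext2 ctx = app2.InitializeClientContext2(userName, null);
        ctx.AddRoles(roleNames, null);                // null scope = application-level roles
        return ctx;
    }

    // One access check: the code asks whether the operation is permitted on the
    // object; the policy decides which roles make that true.
    public static bool IsAllowed(IAzClientContext ctx, string objectName, int operationId)
    {
        object[] scopes = { "" };                     // "" = application scope
        object[] operations = { operationId };
        object[] results = (object[])ctx.AccessCheck(objectName, scopes, operations,
                                                     null, null, null, null, null);
        // Each element is a Win32 error code: 0 = ERROR_SUCCESS, 5 = ERROR_ACCESS_DENIED.
        return (int)results[0] == 0;
    }
}

// Typical use inside an ASP.NET page that received an internal user:
//   var ctx = ExpenseAuthorization.ContextFromWindowsIdentity(
//                 (WindowsIdentity)HttpContext.Current.User.Identity);
//   if (!ExpenseAuthorization.IsAllowed(ctx, "ExpenseReport", ExpenseAuthorization.OpApproveReport))
//       throw new UnauthorizedAccessException();
```

Two practical points follow from this shape. First, the check is deny-by-default: any result other than ERROR_SUCCESS, including an operation ID that does not exist in the store, is treated as denied. Second, when the policy store is an XML file as assumed here, its NTFS permissions are part of the application's trust boundary; a writable store lets anyone who can edit it grant themselves roles without touching the application.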