Many organizations are moving to the cloud and this often requires some level of federation. Federation, put simply, extends authentication from one system (or organization) to another.
One of the key items we covered was protecting Federation Servers, specifically Microsoft Active Directory Federation Servers (ADFS).
Microsoft is currently updating guidance for securing ADFS.
This post describes key ADFS concepts and a short-list of security recommendations on how to properly protect ADFS.
The federation server typically lives on the internal network with a proxy server in the DMZ. There are certificates installed on the Federation server.
ADFS uses the following certificates:
- Service communication
ADFS terminology also includes:
- Relying party trusts: cloud services and applications
- Claim rules: determine what type of access and from where access is allowed.
Key Federation Points:
- Federation: trust between organizations leveraging PKI (certificates matter)
- Cloud SSO often leverages temporary or persistent browser cookies (cookies provide access)
- Several protocols may be supported, though typically SAML. (protocols and versions matter)
- Federation server (or proxy) is on public internet via port 443 (HTTPS).
Conceptual federation authentication flow Continue reading