The Active Directory Federation Server (AD FS Server) - A Closer Look

AD FS uses a claims-based access control authorization model to secure applications and implement federated identity.

Claims-based authentication is the process of authenticating a user based on a set of claims about the user's identity contained in a trusted token.

A federation server in the user's own network authenticates the user by the standard means of Active Directory Domain Services. It then issues a token containing a series of claims about the user, including the user's identity. This token is sent to the federation server on the resource/service side (the external network the user is trying to reach). That federation server verifies that the token is trustworthy and then issues a second token that its own local servers will accept as proof of the claimed identity. In this way a system can give controlled access to its resources or services to a user who belongs to another network, without requiring the user to authenticate directly to that system and without the two networks sharing a database of user identities or passwords.

Figure 1: How the Federation Server operates
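As an added illustration of the two-token flow described above (example code, not from the page or from AD FS itself), the following Python model has the account-side federation server issue a signed claims token and the resource-side server check issuer, signature, audience and validity window before re-issuing a local token for its own application. HMAC-SHA256 over canonical JSON stands in for the SAML/JWT tokens and X.509 signing keys that AD FS really uses; all server names, keys and claims are constructed.

```python
import hashlib, hmac, json

# Constructed names and keys: each federation server signs with its own secret,
# and a relying party trusts only the federation server it was configured with.
ACCOUNT_FS, RESOURCE_FS, APP = "fs.account.example", "fs.resource.example", "app.resource.example"
ACCOUNT_KEY = b"constructed-account-partner-key"
RESOURCE_KEY = b"constructed-resource-partner-key"

def _sign(payload: dict, key: bytes) -> str:
    # Canonical JSON so both sides hash identical bytes; the signature is hex,
    # so the last "." always separates body from signature.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def issue_token(issuer, audience, claims, key, now, lifetime=300):
    """A federation server issues a short-lived token carrying claims about the user."""
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + lifetime, "claims": claims}
    return _sign(payload, key)

def validate_token(token, trusted_issuers, expected_audience, now):
    """Return the claims if the token is trustworthy, otherwise raise ValueError."""
    body, _, sig = token.rpartition(".")
    payload = json.loads(body)
    key = trusted_issuers.get(payload.get("iss"))
    if key is None:                       # issued by a partner we do not federate with
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # claims altered in transit
        raise ValueError("bad signature")
    if payload.get("aud") != expected_audience:  # token meant for another party
        raise ValueError("wrong audience")
    if not payload["iat"] <= now < payload["exp"]:
        raise ValueError("token outside its validity window")
    return payload["claims"]

def why_rejected(token, trusted_issuers, expected_audience, now):
    """Same check, returning the rejection reason (or None) instead of raising."""
    try:
        validate_token(token, trusted_issuers, expected_audience, now)
        return None
    except ValueError as err:
        return str(err)

def resource_side_login(partner_token, now):
    """Resource-side federation server: validate the partner's token, then issue a
    local token for the application, which trusts only this server's key."""
    claims = validate_token(partner_token, {ACCOUNT_FS: ACCOUNT_KEY}, RESOURCE_FS, now)
    return issue_token(RESOURCE_FS, APP, claims, RESOURCE_KEY, now)
```

The application never needs the account partner's key or user database: it accepts only tokens signed by its own federation server, which is the point of the second token.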