
What is federated identity and how it works?


In this blog post, I will be talking about how claims and federated identity can enable many business scenarios and open the door to a lot of integrations, especially for cloud applications.

We talked previously about Claims-Based Authentication, and how its abstraction provides a powerful way to represent identities inside your organization and in the cloud. So let us see how claims help in the federated identity scenario.

Federated identity

Suppose you are building an application, and you want users from a partner organization to authenticate to it using the identities hosted in that partner organization. So you have a client from your partner organization trying to access your claims-based application. Your corporate ADFS and the partner ADFS have a trust relationship with each other.

  • Your ADFS should trust the partner ADFS.
  • A user from the partner company tries to access your web application using his browser.
  • Your claims-based application will redirect the user’s browser to your corporate ADFS.

[Figure: Claims federated identity 1]

  • Your corporate ADFS will perform Home Realm Discovery by presenting a list of the realms it supports. The user will choose his company (the partner company) from the list, and his choice is saved as a cookie on his machine, so that next time he will not be prompted to choose again.

[Figure: Claims federated identity 2]

  • Your ADFS then redirects the client to the partner ADFS, where the user authenticates and receives a signed security token. The client also gets a couple of cookies, so he will not need to authenticate again to the partner ADFS.

[Figure: Claims federated identity 3]

  • The partner’s ADFS will redirect the client back to the corporate ADFS with the signed token.
  • The corporate ADFS will validate the token signed by the partner’s ADFS, and will issue a new security token signed by the corporate ADFS, along with a couple of cookies, so that the client will not need to authenticate again to the corporate ADFS.

[Figure: Claims federated identity 4]

  • The client will be redirected to the application, and presents the signed token it got from the corporate ADFS.
  • The claims-based application will validate the token and allow access to the application. It will send a couple of cookies so that the client will not need to authenticate again to that web application.

[Figure: Claims federated identity 5]

Final Thoughts

As you can see, with federated identity, trust travels in this way: [Partner ADFS > Corporate ADFS > Application]. In the end, the claims-based application only sees and trusts claims issued by the corporate ADFS. The application does not know or care what the corporate ADFS had to do to give the client those claims.
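The following is an added illustration of that trust chain, not code from the post or from ADFS: a partner issuer signs a token, the corporate issuer validates it against its list of trusted partners and re-issues claims under its own key, and the application accepts only tokens signed by the corporate issuer. HMAC over a JSON payload stands in for the XML signatures ADFS actually uses; the issuer names, keys and user name are constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed per-issuer signing keys; each issuer keeps its own secret.
KEYS = {"partner-adfs": b"partner-key", "corp-adfs": b"corp-key"}


def issue(issuer: str, claims: dict) -> dict:
    """Issue a token: the claims plus an HMAC signature under the issuer's key."""
    body = {"iss": issuer, **claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify(token: dict, trusted: set) -> Optional[dict]:
    """Return the claims only if the issuer is trusted and the signature checks."""
    iss = token["body"].get("iss")
    if iss not in trusted:
        return None  # signed by someone this relying party does not trust
    payload = json.dumps(token["body"], sort_keys=True).encode()
    expected = hmac.new(KEYS[iss], payload, hashlib.sha256).hexdigest()
    return token["body"] if hmac.compare_digest(expected, token["sig"]) else None


def corporate_adfs(partner_token: dict) -> Optional[dict]:
    """Corporate ADFS trusts the partner ADFS: validate its token, then
    re-issue the claims signed with the corporate key."""
    claims = verify(partner_token, trusted={"partner-adfs"})
    if claims is None:
        return None
    # Claims transformation: keep the user name, record where it came from.
    return issue("corp-adfs", {"name": claims["name"], "home_realm": claims["iss"]})


def application(token: dict) -> Optional[dict]:
    """The claims-based application trusts only tokens from corporate ADFS."""
    return verify(token, trusted={"corp-adfs"})


def run_flow() -> tuple:
    """Walk the chain: partner token -> corporate token -> application."""
    partner_token = issue("partner-adfs", {"name": "alice@partner.example"})
    corp_token = corporate_adfs(partner_token)
    direct = application(partner_token)  # partner-signed token: rejected
    via_corp = application(corp_token)   # corporate-signed token: accepted
    return direct, via_corp
```

Tampering with a claim after issuance (changing the name in the token body) invalidates the signature, so `application` returns `None` for it as well.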

About The Author

Ammar Hasayen

Ammar Hasayen is a trusted technology adviser and entrepreneur who has been in the software industry for over 10 years, with a special focus on security, Office 365, and cloud solutions. Ammar is an active blogger and an active speaker in many local tech communities, where he talks about Azure and Office 365. Apart from that, Ammar appears at many global tech events and conferences such as Microsoft TechEd and Ignite.
