What is federated identity and how does it work?
In this blog post, I will be talking about how claims and federated identity can empower many business scenarios and open the door to a lot of integrations, especially in cloud applications.
We talked previously about Claims-Based Authentication, and how its powerful abstraction gives you a strong way to represent identities inside your organization and in the cloud. So let us see how claims help in the federated identity scenario.
Suppose you are building an application, and you want users from a partner organization to authenticate to it using identities hosted in that partner organization. So, you have a client from your partner organization trying to access your claims-based application. Your corporate ADFS and the partner ADFS have a trust relationship with each other.
- Your ADFS should trust the partner ADFS.
- A user from the partner company tries to access your web application using his browser.
- Your claims-based application will redirect the user’s browser to your corporate ADFS.
- Your corporate ADFS will try to do Home Realm Discovery, by giving the user the option to choose from a list of realms it supports. The user will choose his company (the partner company) from the list, and his choice is saved as a cookie on his machine, so that next time he will not be prompted to choose one.
- ADFS then redirects the client to the partner ADFS, where the user authenticates and receives a signed security token. The client will also get a couple of cookies, so he will not need to authenticate again to the partner ADFS.
- The partner’s ADFS will redirect the client to the corporate ADFS with the signed token.
- The corporate ADFS will validate the token signed by the partner’s ADFS, and will issue a security token signed by the corporate ADFS, along with a couple of cookies, so that the client will not need to authenticate again to the corporate ADFS.
- The client is redirected to the application and presents the signed token it got from the corporate ADFS.
- The claims-based application will validate the token and allow access to the application. It will send a couple of cookies so that the client will not need to authenticate again to that web application.
As you can see, with federated identity, trust travels along this path: [Partner ADFS > Corporate ADFS > Application]. At the end, the claims-based application only sees and trusts claims issued by the corporate ADFS. The application does not know or care what the corporate ADFS had to do to give the client such claims.
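To make the trust chain concrete, here is an added example (not code from the original post, and not how ADFS is implemented) that models the three parties in Python. Real ADFS issues SAML or WS-Federation tokens signed with X.509 keys; this model signs JSON claim sets with HMAC so it runs offline, and the key values and issuer names are constructed placeholders. The point it demonstrates is the last paragraph: the application accepts only tokens signed by the corporate ADFS, so a token straight from the partner ADFS, or one whose claims were altered in transit, is rejected.

```python
# Added illustration of the trust chain Partner ADFS -> Corporate ADFS -> App.
# Tokens are JSON claim sets signed with HMAC-SHA256 (a stand-in for the
# X.509-signed SAML/WS-Fed tokens real ADFS issues). Keys are constructed.
import hmac, hashlib, json

def _body(claims: dict) -> bytes:
    """Canonical serialisation so signer and verifier hash the same bytes."""
    return json.dumps(claims, sort_keys=True).encode()

def sign(claims: dict, key: bytes) -> dict:
    """Issue a token: the claims plus an HMAC over their serialisation."""
    return {"claims": claims, "sig": hmac.new(key, _body(claims), hashlib.sha256).hexdigest()}

def verify(token: dict, trusted: dict) -> dict:
    """Validate a token against the issuers this party trusts.
    `trusted` maps issuer name -> key for checking that issuer's signature.
    Raises ValueError for an unknown issuer or a bad signature."""
    claims = token["claims"]
    key = trusted.get(claims.get("issuer"))
    if key is None:
        raise ValueError(f"untrusted issuer: {claims.get('issuer')!r}")
    expected = hmac.new(key, _body(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("bad signature")
    return claims

PARTNER_KEY = b"partner-adfs-signing-key"    # constructed placeholder
CORP_KEY = b"corporate-adfs-signing-key"     # constructed placeholder

def partner_adfs_issue(user: str) -> dict:
    """Partner ADFS authenticates its own user and issues a signed token."""
    return sign({"issuer": "partner-adfs", "name": user, "role": "Buyer"}, PARTNER_KEY)

def corporate_adfs_issue(partner_token: dict) -> dict:
    """Corporate ADFS trusts the partner ADFS: it validates the incoming
    token, then issues a new token under its own signature (claims may be
    transformed or filtered here; this model just records their origin)."""
    incoming = verify(partner_token, {"partner-adfs": PARTNER_KEY})
    claims = {"issuer": "corporate-adfs", "name": incoming["name"],
              "role": incoming["role"], "origin": incoming["issuer"]}
    return sign(claims, CORP_KEY)

def application_authorize(token: dict) -> dict:
    """The claims-based application trusts only the corporate ADFS."""
    return verify(token, {"corporate-adfs": CORP_KEY})

def federated_login(user: str) -> dict:
    """Full chain: partner ADFS -> corporate ADFS -> application."""
    return application_authorize(corporate_adfs_issue(partner_adfs_issue(user)))
```

Run `federated_login("alice")` to see the claims the application ends up with; pass `partner_adfs_issue("alice")` directly to `application_authorize` to see the untrusted-issuer rejection.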