Active Directory Federation Services

Welcome to the DOI Active Directory Federation Services (ADFS) education and information center. Get started by learning how ADFS works, what it does and doesn't do, and how to take the next steps to apply it to your business needs. If you believe that ADFS is the right solution for you, this site also offers an ADFS form to submit your application or system authentication request.

What Does an ADFS Customer Look Like

Active Directory Federation Services, a service provided by the DOI Office of the Chief Information Officer (OCIO), allows people in any Department of the Interior organization to authenticate to cloud-based or other third-party hosted services and applications with the same account used to access DOI's network. An example of ADFS in action is BisonConnect, a cloud-based web application that uses ADFS to authenticate users.

An ADFS customer is an entity with a need to authenticate through the Department of Interior's Active Directory in order to access a particular SAML 2.0 compliant web-based application.

The following links provide additional information about ADFS:

What is Active Directory Federation Services (ADFS)?

Active Directory Federation Services (ADFS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with minimal sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and implement a federated identity. 

In ADFS, identity federation is established between two organizations by establishing trust between two security realms. ADFS integrates with Active Directory Domain Services, using it as an identity provider. It also can interact with SAML 2.0 compliant federation services as federation partners.

DOI uses ADFS 3.0 with the Windows Server 2012 R2 operating system to build a federated identity management solution that extends distributed identification, authentication, and authorization services to Web-based applications across organizational and platform boundaries.

SAML 2.0 Compliance Required for ADFS

Security Assertion Markup Language (SAML) provides an open, interoperable, XML-based framework for exchanging user authentication, entitlement, and attribute information between providers of web services (cloud providers) and the holder of credentialing information (DOI).  SAML permits DOI to make assertions regarding the identity, attributes, and entitlements of a user account to an external web service. 
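As an added example (not part of the DOI page), the checks a SAML 2.0 service provider makes on an assertion from an identity provider such as DOI ADFS before trusting its identity and attribute claims: issuer, validity window, and audience. The assertion, entity IDs, user and attribute names are constructed placeholders, not real DOI values.

```python
# Added example (not from the DOI page): the checks a relying party (the
# cloud service) performs on a SAML 2.0 assertion issued by an identity
# provider such as DOI ADFS. The assertion and all entity IDs, names and
# attributes below are constructed placeholders, not real DOI values.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://adfs.example.doi.test/adfs/services/trust"  # placeholder
SP_ENTITY_ID = "https://app.cloud-provider.test/sp"                 # placeholder

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2016-01-15T12:00:00Z">
  <saml:Issuer>https://adfs.example.doi.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.doi.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-01-15T11:59:00Z" NotOnOrAfter="2016-01-15T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.cloud-provider.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>bison-user</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    """Parse the UTC ISO 8601 timestamps SAML uses ("...Z")."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, trusted_issuer=TRUSTED_ISSUER, sp_entity_id=SP_ENTITY_ID):
    """Return (ok, reason, claims). The XML signature over the assertion must
    already have been verified against the IdP's published signing certificate
    (an XML-DSig library's job, not shown); these are the checks that follow."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser on untrusted input
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window", {}
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "not addressed to this service provider", {}
    claims = {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return True, "ok", claims
```

An assertion that passes these checks yields the subject and attribute claims the application then uses for its own authorization decisions.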

Adoption of the SAML standard for the exchange of authentication information is central to the agency's successful implementation of the Federal Identity, Credential, and Access Management (FICAM) strategy and the corresponding two-factor PIV authentication requirements for cloud-based web applications and services.

A DOI memo dated December 1, 2015 titled "Mandatory Use of Security Assertion Markup Language (SAML) 2.0 Standard for Cloud-Based, Web Application Authentication Information Exchange" describes the compliance requirement in further detail.