Frequently Asked Questions

This section offers frequently asked questions and answers on ADFS. 

General Questions on ADFS

Security and Privacy

Configuration Questions

Definitions of Terms

ADFS Form Specific Questions

Resources for Learning More


 

Why should I consider ADFS for my solution?

Active Directory Federation Services (ADFS) is an identity access solution from Microsoft that provides web-based clients (internal or external) with one prompt access to one or more Internet-facing applications, when the user accounts exist in different organizations and the web applications are located in an altogether different organization. ADFS lowers the complexity of password management and guest account provisioning. It can also play a significant role for the organizations that use Software as a Service (SaaS) and Web applications.

All internal DOI Requesting Parties should first consider Microsoft Windows Authentication or Kerberos prior to requesting an ADFS RPT, as there are additional benefits for these platforms. An RPT request should be submitted only if these platforms are determined to be less than ideal.

Source: SPAN Blog article - "Active Directory Federation Services: Why should you use it?"


 

What security concerns do I need to consider prior to establishing an RPT with DOI/OCIO via ADFS?

Please refer to the Compliance with NIST Standards and Guidelines. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) and in managing cost-effective programs to protect their information and information systems.

See FISMA Implementation Project Page on NIST.gov

Source: Compliance With NIST Standards and Guidelines


 

Where can I find help configuring ADFS 3.0 to communicate with SAML 2.0?

Please follow this link for detailed instructions:
http://wiki.servicenow.com/index.php?title=Configuring_ADFS_3.0_to_Communicate_with_SAML_2.0

Source:
http://wiki.servicenow.com/index.php?title=Configuring_ADFS_3.0_to_Communicate_with_SAML_2.0


 

Where can I find help configuring ADFS 3.0 to communicate with Esri ArcGIS Online?

Please follow this link for detailed instructions:
https://doc.arcgis.com/en/arcgis-online/reference/configure-adfs.htm

Source:
https://doc.arcgis.com/en/arcgis-online/reference/configure-adfs.htm


 

Where can I find help configuring SAML for WordPress?

Please follow this link for detailed instructions:
onelogin help center

Source:
onelogin help center


 

How are ADFS changes managed and governed?

ADFS changes are managed and governed via the DOI Systems CAB.


 

What is the DOI Acquisition of IT Cloud Services / Mandatory Use of Pre-Approved Contracts?

This policy issued September 27, 2016 states that all DOI Bureaus and offices are required to use the Department's current approved cloud contracts when procuring cloud services or receive a waiver. The policy memo can be found here.


 

Who can submit the ADFS Request Intake Form? Do I need to have a DOI account?

A requesting party is required to hold an Active Directory account.  Therefore, if an external vendor is requesting a Relying Party Trust (RPT) with the Department of the Interior, they are required to have a DOI Sponsor.

 


 

What is Microsoft Windows Authentication?

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

Integrated Windows Authentication works with most modern web browsers, but does not work over some HTTP proxy servers. Therefore, it is best for use in intranets where all the clients are within a single domain. It may work with other web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication. Where a proxy itself requires NTLM authentication, some applications like Java may not work because the protocol is not described in RFC-2069 for proxy authentication.

Source: Wikipedia Entry on Integrated Windows Authentication


 

What types of information will be requested in the ADFS Risk Assessment Template / Questionnaire?

You will be asked for the following types of information in the ADFS Risk Assessment Questionnaire.

Submitter contact information (name, phone number and Bureau/office submitting request on the behalf of), System Name, System Owner, Authorizing Official, Authority to Operate Date, Attributes that are required to be passed from AD, If the system/application is included in a separate system boundary within CSAM, Identification of any risks associated with allowing this ADFS connection, Attribute CNs, LDAP Display Names, An explanation for each Attribute CN/LDAP Display Name, Exposure of Personally Identifiable Information (PII) or DOI/[Bureau/Office] sensitive information, Risk mitigation activities which have been taken or are in place associated with sharing the information attributes, Identify any mitigation steps that have been taken to address the risks, Identify any remaining risk elements, Identify the risks and any mitigation steps that have been employed to lower the risk of occurrence, If a Privacy Impact Assessment (PIA) been conducted, if a PIA has been completed what's the system name and CSAM location UII for the PIA


 

What is Kerberos?

Kerberos /ˈkərbərɒs/ is a computer network authentication protocol that works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard dog of Hades (hellhound). Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication. It uses UDP port 88 by default.

Kerberos is used as a preferred authentication method: In general, joining a client to a Windows domain means enabling Kerberos as default protocol for authentications from that client to services in the Windows domain and all domains with trust relationships to that domain. In contrast, when either client or server or both are not joined to a domain (or not part of the same trusted domain environment), Windows will instead use NTLM for authentication between client and server.

Intranet web applications can enforce Kerberos as an authentication method for domain joined clients by using APIs provided under SSPI.

Many UNIX and UNIX-like operating systems, including FreeBSD, Apple's Mac OS X, Red Hat Enterprise Linux, Oracle's Solaris, IBM's AIX and Z/OS, HP's HP-UX and OpenVMS and others, include software for Kerberos authentication of users or services. Embedded implementation of the Kerberos V authentication protocol for client agents and network services running on embedded platforms is also available from companies.

Source: Wikipedia Entry on Kerberos


 

What is a RPT (Relying Party Trust)?

Relying party trusts are trust objects typically created in: 

  •  Account partner organizations to represent the organization in the trust relationship whose accounts will be accessing resources in the resource partner organization.
  • Resource partner organizations to represent the trust between the Federation Service and a single web-based application.

A relying party trust object consists of a variety of identifiers, names, and rules that identify this partner or web-application to the local Federation Service.

Source: Microsoft - Technet: Understanding Key AD FS Concepts


 

What is SAML?

Security Assertion Markup Language (SAML, pronounced sam-el[1]) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

The single most important requirement that SAML addresses is web browser single sign-on (SSO). Single sign-on is common at the intranet level (using cookies, for example) but extending it beyond the intranet has been problematic and has led to the proliferation of non-interoperable proprietary technologies.

Source: Wikipedia Entry on SAML


 

What is the SAML 2.0 requirement?

A DOI memo dated December 1, 2015 titled "Mandatory Use of Security Assertion Markup Language (SAML) 2.0 Standard for Cloud-Based, Web Application Authentication Infomration Exchange" describes this requirement.


 

What is a claim?

Claims are statements (for example, name, identity, key, group, privilege, or capability) made about users—and understood by both partners in an Active Directory Federation Service (AD FS) federation—that are used for authorization purposes in an application. For more detailed information regarding claims, see this article on understanding claims on Microsoft TechNet.  
 


 

What is a Secure Hash Algorithm (SHA 256)?

The SHA (Secure Hash Algorithm) is one of a number of cryptographic hash functions. A cryptographic hash is like a signature for a text or a data file. SHA-256 algorithm generates an almost-unique, fixed size 256-bit (32-byte) hash. Hash is a one way function – it cannot be decrypted back. This makes it suitable for password validation, challenge hash authentication, anti-tamper, digital signatures.

Source: Xorbin article on SHA-256 Hash Calculator


What is the difference between a "requesting party" and a "federated partner"?

"Requesting party" refers to the customer organization appealing to the DOI for a relying party trust. Once the requesting party's application has been approved and a trust has been created, it becomes a "federated partner." A federated partner is trusted by the Federation Service to provide security tokens to its end users (that is, users in the account partner organization) so that they can access Web-based applications in the resource partner.


 

Account Partner

A federation partner that is trusted by the Federation Service to provide security tokens to its end users (that is, users in the account partner organization) so that they can access Web-based applications in the resource partner.


 

ADFS

Active Directory Federation Services


 

AD

Active Directory


 

Attribute

A claim of a named quality or characteristic inherent in or ascribed to someone or something.


 

Assertion

A statement from a verifier to a Relying Party (RP) that contains identity information about a subscriber. Assertions may also contain verified attributes.


 

Authentication

A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has possession and control of one or more valid authenticators to establish his/her identity. Secure authentication protocols also demonstrate to the claimant that he or she is communicating with the intended verifier.


 

Authentication Protocol

A defined sequence of messages between a claimant and a verifier that demonstrates that the claimant has possession and control of one or more valid authenticators to establish his/her identity. Secure authentication protocols also demonstrate to the claimant that he or she is communicating with the intended verifier.


 

Claim

A statement that a server makes (for example, name, identity, key, group, privilege, or capability) about a client.


 

What is a custom claim rule?

A claim rule that you author using the claim rule language to express a series of complex logic conditions. You can build custom rules by typing the claim rule language syntax in the Send Claims Using a Custom Rule template.

Source:
https://technet.microsoft.com/en-us/library/adfs2-help-terminology(v=ws.10).aspx


 

Claim Type

The type of statement in the claim that is made. Example claim types include FirstName and Role. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI).


 

Claim Value

The value of the statement in the claim that is made. For example, if the claim type is Role, a value might be Contributor.


 

If I have a conditional ATO, how should I proceed?

You will select "yes," when asked if you have an ATO. If further information is required that is not available in the conditional ATO, the security team will reach out with additional requirements


 

CSP

Credential Service Provider


 

End User

A user, whose account resides in an account partner organization, who can access federated applications that reside in a resource partner organization.


 

Federation

A process that allows for the conveyance of identity and authentication information across a set of networked systems. These systems are often run and controlled by disparate parties in different network and security domains.


 

Federated Partner

Trusted business partner that is allowed securing sharing of identity information with DOI OCIO via ADFS


 

Identity Provider (IdP)

The party (DOI) that manages the subscriber's primary authentication credentials and issues assertions derived from those credentials. This is commonly the credential service provider (CSP) as discussed within this document suite.


 

How should I make clear what LDAP attributes I require for outgoing claims?

The Screen for mapping LDAP Attributes to Outgoing Claims should like the following image:

Table of attribute mappings

In order to show the LDAP attribute you want mapped please type:
(LDAP Attribute) ------> (Outgoing Claim)
Ex: User-Principal-Name -------> Name ID
Given-Name ---------> Given Name
E-Mail-Addresses ------------> E-Mail Addresses

 


 

Relying Party (RP)

The party that receives and processes the assertion identifying the subscriber.


 

Requesting Party

Client seeking a federated trust partnership with the DOI OCIO.


 

Metadata

Metadata is defined as the data providing information about one or more aspects of the data; it is used to summarize basic information about data which can make tracking and working with specific data easier. Your application's metadata can be obtained from the vendor.


 

What does RPid refer to?

The RPid is located in the Metadata: It is how the application identifies itself to ADFS. It is often a the URL used to access the application.

The RPid can be provided by whomever configured the application to SAML (this is often, but not always the vendor).


 

RPT

Relying Party Trust


 

Subscriber

Federated Partner


 

Who should I provide as the Technical Point of Contact (POC) when submitting my request?

The Technical POC is the person that will be most capable of answering technical questions regarding the application. This may be the person submitting the form, or it may be someone else that is aware of the application/service requirements and can provide details to the ADFS development team as needed to complete request.


 

What is an ATO?

An ATO (Authorization to Operate) refers to the permission for a product to be used in an existing system.  The ATO includes the following approved documents:  PIA, SORN, Privacy Plan, and SSP for A&A.


 

What is the difference between a "new" RPT request and an "existing" RPT request?

A new Relying Party Trust refers to a request that has never been deployed into a production environment with the Department of the Interior by the Requesting Party organization.  An existing RPT refers to a current Relying Party Trust that requires some modification (for example additional claims, a change in authentication rules, etc.).


 

What is a DOI Sponsor for ADFS requests?

A DOI Sponsor is an internal DOI federal point of contact representing the Requesting Party.  The DOI Sponsor should be filled in with the name of the individual who is either the application/system owner or the individual who is responsible for the application/system. This role is specifically used if an external requesting party needs access to the DOI ADFS environment, but does not have a DOI Active Directory account.


 

What am I responsible for providing for the ADFS test and production implementation?

See Roles and Responsibilities for an ADFS Relying Party Trust Request.


 

What additional items will be requested of me prior to the test implementation?

A Federated Application Onboarding Template Test will be requested. 

Source: https://drive.google.com/drive/folders/0Byhj1X94CEu6d1RmWDA4VlNoSEU


 

What additional items will be requested of me prior to the production implementation?

A Federated Application Onboarding Template Prod will be requested. 

Source:  https://drive.google.com/drive/folders/0Byhj1X94CEu6d1RmWDA4VlNoSEU


 

Where can I get a more technical understanding of remote authentication?

See NIST Digital Authentication Guideline.


 

Where can I find additional information regarding DOI Foundation Cloud Hosting Services?

Visit the DOI Cloud Customer Portal


 

Is there a confirmation number associated with my ADFS Request Form submission?

Yes. In the subject line of the email you received from the ADFS Support Team immediately after submitting your ADFS Intake form is a "submission request number" that is recognizable by ADFS followed by a numerical value representing your request. Ex: ADFS17


 

What is an ATO?

An ATO (Authorization to Operate) refers to permission for a product to be used in an existing system. The ATO includes the following approved documents: PIA, SORN, Privacy Plan, and SSP for A&A. This information can typically be obtained from the requesting party's bureau/office.


 

Why does the form ask for my DOI Bureau/Office?

The bureau/office that you indicate should represent the bureau/office that this request is being submitted on behalf of.


 

Where can I learn more about "DOI Cloud Contract: Foundational Cloud Hosting Services (FCHS) Documents"?

Visit the DOI Foundation Cloud Hosting Services Reading Room.


 

What is the difference between a Test Environment and a Production Environment?

The Test Environment is where all requirements are tested prior to going live to ensure that all requirements are met, there are no bugs in the code, etc. One all testing is complete the application can go live, by being placed in a Production Environment.


Where can I learn more about privacy considerations that need to be integrated into the system development process?

Information resources management activities of all agencies require that information security and privacy be fully integrated into the system development process.   For more information please follow the links below:


Where can I find information about what will be required in the ADFS RPT Request Form and how to complete it?

All information that is required to fill out the ADFS Request form can be found in the ADFS User Manual.


 

For additional helpful terms not provided in this list please see:

https://technet.microsoft.com/en-us/library/adfs2-help-terminology(v=ws.10).aspx