Ping Identity > Blogs > PingTalk 

PingTalk Blog

ADFS 2.0 Half-empty? Half-full?

(updated with RTW date)

On May 5, Microsoft will RTW (release to Web) Active Directory Federation Services 2.0, a piece the software giant needs to extend Active Directory to create single sign-on between local network resources and cloud services.

Back in October 2008, I was the first reporter to write about the impending arrival of ADFS 2.0, then code-named Geneva, and Microsoft’s plan to storm the identity federation market with its claims-based model. I followed Geneva and wrote about its evolution, including the last nail in the project – support for the SAML 2.0 protocol to go along with Microsoft’s similar protocol WS-Federation.
 
But what will arrive next week is more of a glass half-full, glass half-empty story, one end-users should closely evaluate.
 
Half-full. Microsoft validates a market when they move into it with the sort of gusto that is behind ADFS 2.0, a Security Token Service, even though smaller companies such as Ping have been providing federation technology since 2002. That validation should help IT, HR and others more easily push their federation projects. And more than a few companies should join those, such as Reardon, already enjoying identity federation and Cloud SSO.
 
ADFS 2.0 is “free” for Active Directory users, which is a word that resonates with CIOs. And Microsoft has been running ADFS 2.0 on its internal network since May 2009, giving it nearly a year to vet bugs and other issues.
But potential users should look deeper.
 
Half-empty. ADFS 2.0 was slated to ship a year ago, what were the issues that caused it to slip and have they been corrected?
 
Microsoft’s support for the full SAML spec is first generation. Late last year was the first time Microsoft participated in and passed an independent SAML 2.0 interoperability test, an eight-day affair put on by Liberty Alliance and Kantara.  Ping, which had participated previously, also passed and was part of the testing group with Microsoft.
 
Microsoft's testing during the event focused on SAML's Service Provider Lite, Identity Provider Lite and eGovernment profiles. The ‘”lite” versions of those are a significant sub-set of the full profiles. Microsoft says it plans to support other SAML profiles based on demand. After the testing, Burton Group analysts said Microsoft had “covered the core bases” for SAML 2.0 support. For some deploying SAML that will be enough, for others it could fall short.
 
And Microsoft’s SAML implementation will have to interop with third-party service providers, many of which roll their own SAML implementations and won’t have ADFS 2.0 running on their side. There is no shortage of details to address with such one-off integrations.
 
In addition, ADFS 2.0 is part of a larger identity platform that includes the Windows Identity Foundation (WIF) and Windows Cardspace.
 
But with this release, Cardspace 2.0 will not roll out with ADFS 2.0, and Microsoft says a Cardspace release “isn’t imminent.” While Cardspace is not widely adopted, it remains an integral part of the user-centric identity package Microsoft has been pushing. When Microsoft rolled out Geneva internally, one of its IT architects told a session at the company’s TechEd conference "Geneva is a lot more than ADFS 2.0.” The client story here is fractured.
 
The other piece, WIF, is an extension to the .Net Framework 3.5 that helps developers build applications that incorporate a claims-based identity model. While Microsoft has an army of devoted developers, a critical mass of claims-aware applications does not yet exist.
 
So the bottom line is that ADFS 2.0, despite RTW, and its companion components are still a work in progress. And while the technology will bring awareness to an already active federation market, ADFS 2.0/Geneva still has a ways to go if it wants to be a defining technology.
 
Follow John on Twitter and check out our Identity-Conversation Tweet list
Register for the Cloud Identity Summit, July 20-22, 2010 at Colorado's Keystone Resort.
 

Comments

Travis Spencer, April 29, 2010 1:49pm

You missed the biggest thing that makes the glass half empty -- ADFS can only authenticate users that are stored in Active Directory.

Reply

John Fontana, April 29, 2010 2:02pm

Travis, true indeed. OK, I'd add that one, but AD has cut a pretty wide swath across the enterprise.

Reply

Spike Robinson, December 3, 2010 9:40am

You can add an LDAP account store as well as AD, so that's pretty open-ended, you're not limited to authenticating against AD. Though as John says, AD's pretty widespread and authenticating against it is pretty useful in a lot of places.

For me the biggest gap is what John noted above, the difficulty in integrating with other 3rd party SAML 2.0 implementations. The main problem is the total lack of documentation on the semantics of the various configuration fields. Microsoft has changed the names and the semantics in non-obvious ways. So an integration with a 3rd party SAML 2.0 implementation is a very frustrating process of trial and error.

Having said that, the ability to export and even directly import federation metadata speeds up integration, whenever that capability is supported.

Reply

Travis Spencer, December 10, 2010 11:06am

Spike, you may find the following to be interesting:

http://www.windowsitpro.com/article/active-directory/Q-Does-Active-Directory-Federation-Services-ADFS-2-support-Active-Directory-Lightweight-Directory-Services-AD-LDS-for-authentication-.aspx

http://stackoverflow.com/questions/2827298/does-adfs2-0-provide-custom-authentication-stores

http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/a16f0d86-2fc5-4ae0-9554-7d3cd3a59976/

http://social.msdn.microsoft.com/Forums/en/Geneva/thread/a782e4b3-8d8b-43c2-b06f-06a0d10dc67d

HTH!

Reply

??????, April 4, 2011 8:44am

Cool! Author the best! Thank you!

Reply

Sa, April 13, 2011 3:14pm

What you mention about Cardspace and WIF makes no sense - ADFS 2.0 could be part of a much larger effort. But it needs to be rated upon its own capabilities and not whether some extended components are becoming available or not. Your article makes no sense.

Reply

Travis Spencer, April 15, 2011 4:47am

Sa, which part doesn't make sense? ADFS can't even be installed w/out WIF. In your app (the RP), if you don't use WIF, you're going to have some fun processing WS-Federation messages and handling X.509 certificates. So, ADFS certainly needs to be evaluated hand in hand w/ WIF. What about CardSpace though? It's not really needed (which is your point IIUC). But, if you weren't paying a lot of attention to this stuff in the Geneva days, you might not have seen how Geneva Server (ADFS), Geneva Framework (WIF) and CardSpace Geneva (CardSpace v. 2) were bundled in a marketing and a development sense. With that backdrop in mind, John's point that prospective users should be aware that not all the original parts were shipping is a valid one. This was a big deal for those that built PoCs and developed architectures w/ CardSpace Geneva as a major component. Given that CardSpace wasn't shipping, it was certainly a glass half empty to some.

If this still doesn't make sense, feel free to reply here or contact me directly (http://travisspencer.com/contact-me.html).

Reply

Add your comment