Are Active Directory Federation Services a disaster For Security?
AD FS, or Active Directory Federation Services, first appeared on the scene at the turn of the millennium as a way of enabling IT teams to provide users with a single sign-on (SSO) service, reducing password fatigue and improving organisational security. But times have moved on since then, and frankly, AD FS hasn’t. So, what are the problems and what should we be looking for in a new solution instead?
AD FS is what we call a legacy solution. On its inception, it was the only solution on the market with SSO capabilities, so it’s easy to see why it became so popular with IT teams across the globe. However, given the explosion in digital transformation efforts, particularly in the last 9-12 months as businesses scramble to implement hybrid working solutions, we can start to understand why a “legacy” service might be an issue. Let’s look at some of the problems.
What’s Wrong?
Firstly, AD FS is an on-premises service, meaning it comes with hardware. Hardware means maintenance. Maintenance means money. To ensure high availability and a reasonable level of security, we need to run at least four servers to allow for failover. Even if we host the service in a virtual environment, as most organisations using it do, the money we save on power and cooling can easily be spent on storage in Azure or AWS.
The next issue we have is that supporting the service can be a real pain in the GUIDs. Typically, it can be quicker to entirely rebuild the server farm than to diagnose and remediate the problem. With AD FS becoming increasingly “old school”, it can be increasingly difficult, and expensive, to find experts in the technology with the required experience to effectively support the solution.
Even when we host the service in the cloud, AD FS continues to have the internet as a single point of failure. Requiring a site-to-site VPN and a slightly complex stretched farm to even discover internal devices as ‘internal’ for the purposes of SSO, organisations hoping their hybrid approach to authentication would work quickly and easily in the cloud often find that their internet connection lets them down or they experience a lag in the service.
Finally, users are unable to reset their own passwords when using AD FS. They can perform a password change once they have authenticated but there is no capability for self-service password reset, which can heavily reduce the workload of the IT support desk and enable better remote working practices, as users can reset passwords in their own time if they choose to work out of usual hours.
What’s Really Wrong?
On to security… AD FS is a claims-based service, meaning it looks at a piece of information (a claim) passed to it as a user attempts to sign in and it matches that data with what it knows should happen. If the information matches up, then the service authenticates the user and provides a token to grant the user access. Sounds like conditional access in Azure Active Directory, right? Well yeah… kind of!
The issue here is that AD FS has very limited location-awareness. So, it can understand if you are inside or outside of your corporate network but beyond that it requires a complex set of claims rules to authenticate based on user location. Not particularly helpful when the majority of the country is taking a work from anywhere approach, right? And for implementing any other semi-complex claims rules, to essentially create a ‘conditional access’ policy within the service, the process requires someone with in-depth expertise.
Finally, the Azure MFA Server is now deprecated technology. If you want to protect your corporate identities with multi-factor authentication (it’s highly recommended!) then you’d need to enrol them into Azure Cloud MFA anyway, allowing users to authenticate via text message, phone call or the Authenticator application to protect themselves against 99.9% of credential-based attacks.
What’s Not Wrong?
So, AD FS isn’t all bad. It does have some practical uses in the real world. For example, if your organisation uses SMART cards and isn’t yet ready to make the jump to FIDO2 or passwordless technology, then AD FS would still be the recommended solution for you to authenticate credentials.
There are also some third-party SaaS applications which require users to authenticate or federate from a specific IP address. In this instance, Azure Active Directory would not be suitable as it uses a common IP address, so AD FS would be your go-to solution! This type of application is still quite common, particularly in the public sector, so it’s worth auditing your apps before making a switch to cloud-based authentication!
What Does The Future Look Like?
Well, if you’re looking to switch out your AD FS service for a more modern authentication solution, then there are two main contenders: Azure Active Directory or Okta. Personally, I prefer Azure AD because of the simple pricing structure, integration with the Microsoft security stack and the exciting development roadmap, but both solutions have their own merits.
The most important things to look for are high availability, ensuring your users can remain productive, and strong authentication to keep your data secure. Strong authentication comes with conditional access, which is available in both AAD and Okta. Conditional access allows organisations to set specific conditions for their users before authenticating to a particular application or resource. For example, you may want your finance team to be within a specific IP range before accessing the app used to make payments.
Whichever service you choose, you should try and opt for using risk-based conditional access to assess the risk of each individual sign-in session based on user credentials, location, device in use, and the particular application being accessed. Once this data has been collated by the solution, it should choose an appropriate next action, whether that be granting the user access, requiring additional verification with multi-factor authentication, forcing a password reset or contacting the IT team.
Cloud-based services come with higher availability, meaning that your users are less likely to be impacted by an outage. With less reliance on the internet (i.e. the internet isn’t the single point of failure for your authentication service), your users can continue to be more productive, particularly when working in disparate locations. This is more important now than ever and as more businesses adopt a work-anywhere approach, AD FS will become increasingly irrelevant.
If you’re interested in talking about secure authentication and understanding the security of your current environment, get in touch with us at sales@cognisys.co.uk. Our Microsoft 365 Review packages provide businesses with a set of tailored recommendations, including identity recommendations, for improving organisational security and getting you moving in the right direction!