IT Connect
Your connection to information technology at the UW

Active Directory Federation Service

UW ADFS is in containment, with retirement planned for 2022: no new relying parties are being added. UW-IT will work with customers whose applications require WS-* protocols to determine whether Azure Active Directory can meet their needs.

ADFS provides Single Sign On (SSO) authentication services to web applications that support the WS-Federation and WS-Trust protocols¹. ADFS lets an application authenticate users with UW NetIDs.

We recommend that developers of new web applications use the UW Identity Provider; see the Authentication entry in the service catalog.


Background

A web application that uses ADFS is known as a Relying Party (RP)⁴. For an RP to work with ADFS, each side must hold information about the other. This information is referred to as metadata.

During installation the RP retrieves the ADFS metadata from https://sts.netid.washington.edu/FederationMetadata/2007-06/FederationMetadata.xml. The RP operator provides the RP's metadata to ADFS through the procedure described below.
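As an added illustration (not UW-IT code or documentation), the Python below parses a federation metadata document of the shape ADFS publishes at the URL above, pulls out what an RP must trust (the STS entityID, the token-signing certificate, the passive sign-in endpoint and the claim types offered) and builds the WS-Federation sign-in redirect (wa=wsignin1.0, wtrealm, wctx, optional wreply). The metadata document, the STS entityID http://sts.example.edu/adfs/services/trust, the certificate bytes and the RP realm https://rp.example.edu/ are constructed placeholders, not UW values.

```python
"""Parse ADFS federation metadata and build a WS-Federation sign-in request.

Added example, not UW-IT code. SAMPLE_METADATA is a constructed, abbreviated
document in the shape ADFS publishes at /FederationMetadata/2007-06/FederationMetadata.xml;
its entityID, endpoint, claim list and certificate bytes are placeholders, not UW values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlencode

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}

# Constructed sample. The X509Certificate value is base64 of the string
# "not-a-real-certificate", standing in for a DER-encoded token-signing certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts.example.edu/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>bm90LWEtcmVhbC1jZXJ0aWZpY2F0ZQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesOffered xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <auth:DisplayName>Name</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://sts.example.edu/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def parse_sts_metadata(xml_text: str) -> dict:
    """Return what an RP must trust from the Security Token Service role.

    Fetch the real document over HTTPS only. ADFS also signs it (ds:Signature);
    verify that signature before relying on the values extracted here.
    """
    root = ET.fromstring(xml_text)
    sts = None
    for role in root.findall("md:RoleDescriptor", NS):
        # The STS role is the one advertising the WS-Federation protocol URI.
        if NS["fed"] in (role.get("protocolSupportEnumeration") or "").split():
            sts = role
            break
    if sts is None:
        raise ValueError("no WS-Federation SecurityTokenService role in metadata")
    certs = [
        "".join(c.text.split())  # strip any line wrapping inside the base64
        for c in sts.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    address = sts.find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if not certs or address is None:
        raise ValueError("metadata lacks a signing certificate or a passive endpoint")
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "passive_endpoint": address.text.strip(),
        "claim_types": [c.get("Uri")
                        for c in sts.findall("fed:ClaimTypesOffered/auth:ClaimType", NS)],
    }


def cert_fingerprint_sha256(b64_der: str) -> str:
    """SHA-256 of the DER bytes; pin it so a swapped signing key is noticed."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()


def build_signin_url(passive_endpoint: str, wtrealm: str, wctx: str,
                     wreply: Optional[str] = None) -> str:
    """WS-Federation passive sign-in request: wa=wsignin1.0 plus the RP's realm.

    wctx should be an unguessable per-login value kept in the RP session and
    compared on return, so unsolicited or replayed responses are rejected.
    """
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wctx": wctx}
    if wreply:
        params["wreply"] = wreply  # must be a URL registered for this RP in ADFS
    return passive_endpoint + ("&" if "?" in passive_endpoint else "?") + urlencode(params)
```

Typical use: `meta = parse_sts_metadata(SAMPLE_METADATA)`, record `cert_fingerprint_sha256(meta["signing_certs"][0])` in the RP's configuration, and redirect the browser to `build_signin_url(meta["passive_endpoint"], "https://rp.example.edu/", wctx)`. Because ADFS rolls its token-signing certificate, an RP that pins the fingerprint also needs a procedure for re-reading the metadata when the certificate changes; the alternative of trusting whatever key the metadata URL serves at sign-in time makes the TLS connection to the metadata endpoint the only thing standing between the RP and forged tokens.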

In addition to providing user authentication and single sign-on (SSO) for web applications, ADFS provides the capability to release additional user information to an RP at authentication time. This user information is presented as name-value pairs known as claims. In the UW environment, ADFS login requests are routed to the UW Identity Provider (IdP) for validation. Claims data can be sourced both from the IdP and from the NETID Active Directory. In SAML terminology claims are sometimes referred to as “attributes.”

Claims are useful for access control decisions and personalization within the RP application. By default, the three claims listed below are issued by ADFS. If you require other claims, specify them and provide a business justification explaining why your application needs that data⁵. For group claims, specify the particular group(s) or stem(s) your RP requires, using the UW Groups Service to determine the group IDs. We do not release “all groups” to any RP.

Default claims:

  • Name – normally the user-friendly display name, not the UW NetID
  • Authentication time
  • Authentication method
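The Python below, added here as an illustration and not taken from UW-IT or Microsoft, shows where the three default claims sit in the SAML 1.1 token ADFS issues over WS-Federation and the checks a Relying Party should make before acting on any of them: trusted issuer, audience equal to the RP's own realm, validity window, presence of the defaults, and then an access-control decision on a released group claim. The claim type URIs for the three default claims are the standard ADFS ones; the assertion itself, its issuer http://sts.example.edu/adfs/services/trust, the realm https://rp.example.edu/, the user and the group IDs are constructed placeholders, and releasing group membership under the "Group" claim type is an assumption about how a requested group claim would arrive. Verifying the token's XML signature against the ADFS token-signing certificate is a precondition the example does not carry out.

```python
"""Claims from the SAML 1.1 token ADFS issues over WS-Federation, and the checks a
Relying Party owes the token before acting on any claim.

Added example, not UW-IT code. SAMPLE_ASSERTION is constructed (issuer, audience,
subject, name and group values are placeholders) and unsigned, so the XML-Signature
check against the ADFS token-signing certificate, which must pass first, is not shown.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
# Claim type URIs ADFS uses for the three default claims.
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CLAIM_AUTH_INSTANT = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"
CLAIM_AUTH_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
# Assumption: a requested group claim arrives under the ADFS "Group" claim type.
CLAIM_GROUP = "http://schemas.xmlsoap.org/claims/Group"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_a1b2c3"
    Issuer="http://sts.example.edu/adfs/services/trust" IssueInstant="2021-06-11T17:00:00Z">
  <saml:Conditions NotBefore="2021-06-11T17:00:00Z" NotOnOrAfter="2021-06-11T18:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://rp.example.edu/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="name"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>u_exampleapp_admins</saml:AttributeValue>
      <saml:AttributeValue>u_exampleapp_users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2021-06-11T17:00:00.412Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Fixed clocks so the example is reproducible: inside the window, and at its end.
SAMPLE_NOW = datetime(2021, 6, 11, 17, 30, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2021, 6, 11, 18, 0, tzinfo=timezone.utc)


def _utc(ts: str) -> datetime:
    """xs:dateTime as ADFS writes it: UTC 'Z', sometimes with fractional seconds."""
    ts = re.sub(r"\.\d+Z$", "Z", ts)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(root: ET.Element) -> dict:
    """Claim type URI -> values. In SAML 1.1 the type is AttributeNamespace + "/" +
    AttributeName; authentication instant and method sit on the AuthenticationStatement."""
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML1):
        uri = attr.get("AttributeNamespace").rstrip("/") + "/" + attr.get("AttributeName")
        claims.setdefault(uri, []).extend(v.text for v in attr.findall("saml:AttributeValue", SAML1))
    auth = root.find("saml:AuthenticationStatement", SAML1)
    if auth is not None:
        claims[CLAIM_AUTH_INSTANT] = [auth.get("AuthenticationInstant")]
        claims[CLAIM_AUTH_METHOD] = [auth.get("AuthenticationMethod")]
    return claims


def validate_assertion(xml_text: str, issuer: str, audience: str, now: datetime) -> dict:
    """Accept only a token from our STS, addressed to us, current, and carrying the
    default claims; return its claims, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") != issuer:
        raise ValueError("issuer is not the trusted STS")
    cond = root.find("saml:Conditions", SAML1)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("missing Conditions or token outside its validity window")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", SAML1)]
    if audience not in audiences:
        raise ValueError("token was issued to a different relying party")
    claims = extract_claims(root)
    missing = [c for c in (CLAIM_NAME, CLAIM_AUTH_INSTANT, CLAIM_AUTH_METHOD) if c not in claims]
    if missing:
        raise ValueError("default claims missing: " + ", ".join(missing))
    return claims


def accepts(xml_text: str, issuer: str, audience: str, now: datetime) -> bool:
    try:
        validate_assertion(xml_text, issuer, audience, now)
        return True
    except ValueError:
        return False


def is_member(claims: dict, group_id: str) -> bool:
    """Authorization on a released group claim: only the groups the RP asked for."""
    return group_id in claims.get(CLAIM_GROUP, [])
```

`validate_assertion(SAMPLE_ASSERTION, "http://sts.example.edu/adfs/services/trust", "https://rp.example.edu/", SAMPLE_NOW)` returns the claims, while the same token evaluated at `SAMPLE_LATER`, or against another audience or issuer, is rejected. Two things the example leaves to the RP framework: the signature check already mentioned, and remembering AssertionID values for the token's lifetime so a captured token cannot be presented twice. The audience check is what keeps a token ADFS issued to one RP from being replayed against another, which is why the RP realm in the request and the audience expected here must be the same value.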


Notes

¹ Microsoft uses the phrase “claims-based authentication” to describe the use of these protocols. They are similar to the well-known SAML protocol used by the UW Weblogon service. Microsoft documentation often conflates the SAML protocol with the SAML authentication token format. UW ADFS does not support RPs (Service Providers in SAML terminology) that use the SAML protocol; those should use the UW Identity Provider. The WS-Federation specification authors borrowed many SAML constructs, including the token format and the metadata format, but the protocol and metadata are not interoperable.

² A high-level Microsoft document that defines the components and describes their relationships.

³ Official Microsoft documentation.

⁴ RPs are typically .NET applications built on Windows Identity Foundation (WIF) or the Active Directory Authentication Library (ADAL).

⁵ Some claims data is considered sensitive or confidential and is subject to approval processes that must be completed before the requested claims can be released to your Relying Party. If we need more information to obtain those approvals, we will let you know.

Last reviewed June 11, 2021