In this article we take a look at the Active Directory Federation Services (ADFS) Authentication Workflow that occurs when a client attempts to access a third-party federated web service.
The following diagram depicts the authentication workflow for ADFS when accessing third-party federated web services (applications).
Walking through the above diagram step-by-step:
- The user (client) accesses the web URL for the Fabrikam Web Server using their client web browser. The client doesn’t have an authentication token and must be federated to access this application.
- The website issues a HTTP redirect to the user’s web browser, directing them to visit the Fabrikam federation services URL.
- The user’s browser accesses the Fabrikam Federation Service.
- The Fabrikam federation service attempts to resolve the URL for Contoso Identity Provider (IDP) and issues an HTTP redirect to the user’s browser.
- The user’s browser accesses the Contoso ADFS server.
- The user initialises authentication with the Contoso ADFS server and is issued with a token signed by the ADFS server’s Token Signing Certificate. The ADFS service issues a HTTP redirect to the user’s browser, directing them back to the Fabrikam ADFS service.
- The user’s browser presents the token to the Fabrikam Federation service.
- The Fabrikam Federation service validates the token and issues the user with a new token which is valid for Fabrikam web service. The ADFS service issues a HTTP redirect to the Fabrikam web server.
- The user accesses the Fabrikam Web Server and presents the token which was issued by the Fabrikam ADFS service. The web server validates the token and authorises the user to access the application.
In this article we looked at the workflow process that occurs each time a user attempts to access an ADFS federated web service.