ADFS Certificate Requirements

Federation Trust and PKI

The federation trust is the key component that makes secure communication in AD FS possible. It is not the only PKI requirement for AD FS, but it is a fundamental one, without which much of the functionality of AD FS would not work. There is nothing unique to AD FS about the federation trust except the name: it is a regular PKI implementation that may already be in place and in use by other server components for other purposes, in which case it can ALSO be used by AD FS.

Certificate Trust Models

It is possible to install and configure Microsoft Certificate Services to provide not only the federation trust but also all the other PKI certificate requirements. In many cases, however, it is advisable to purchase the appropriate certificates from a mutually trusted root CA (an Internet root CA), so that client computers from different organisations will be able to trust the various certificates involved in the AD FS deployment.

Although this can increase the cost of deploying AD FS, it eases the process of establishing the PKI trust across organisational boundaries.

The main reasons to consider using an internal, corporate PKI rather than an externally trusted CA include:

  • Cost – Building a Windows PKI is free with the OS. (The catch-22 is that you will need on-site staff who can administer, maintain and secure the software and hardware associated with an internal PKI.)
  • Control – Organisations have greater control over how the PKI is built and over how, when, and where certificates are issued.
  • Existing Infrastructure – An existing PKI can be easily adapted to support AD FS.
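Whichever trust model is chosen, the practical check is whether each certificate the farm presents chains to a root that the relying clients trust. The following PowerShell is an added example, not code from the original article; it assumes it runs on an AD FS server with the ADFS module installed, and "Trusted" here means trusted on that host only. A partner organisation's clients will report the same chain as untrusted unless they also hold the issuing root, which is exactly the cross-organisation problem described above.

```powershell
# Added example: inventory AD FS certificates and test whether each one
# chains to a root trusted in this machine's certificate store.
Import-Module ADFS

function Test-AdfsCertificateTrust {
    foreach ($entry in Get-AdfsCertificate) {
        $cert  = $entry.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'   # also surfaces CRL/OCSP reachability problems
        $trusted = $chain.Build($cert)

        # Last element of the built chain is the root (or the highest cert found if the chain is broken).
        $root = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        } else { '<no chain built>' }

        [pscustomobject]@{
            Type       = $entry.CertificateType     # Service-Communications, Token-Signing, Token-Decrypting
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Root       = $root
            Trusted    = $trusted
            Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            NotAfter   = $cert.NotAfter
        }
        $chain.Dispose()
    }
}

# Untrusted or self-signed Service-Communications certificates are the ones external clients will reject;
# AD FS-generated self-signed token-signing certificates are normal, since partners obtain them from federation metadata.
Test-AdfsCertificateTrust | Format-Table -AutoSize
```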
