ADFS Certificate Requirements


Federation Trust and PKI

The federation trust is the key component that makes secure communication in AD FS possible. It is not the only PKI requirement for AD FS, but it is a fundamental one: without it, much of the functionality of AD FS would not work. There is nothing unique to AD FS about the federation trust except the name. It is a regular PKI implementation that may already be in place and in use by other server components for other purposes, in which case it can also be used by AD FS.

Certificate Trust Models

It is possible to install and configure Microsoft Certificate Services to provide not only the federation trust but also all the other PKI certificate requirements. It is advisable in many cases, however, to purchase the appropriate certificates from a mutually trusted root CA (Internet root CA), so client computers from different organisations will be able to trust the various certificates involved in the AD FS deployment.

Although this can increase the cost of deploying AD FS, it eases the process of establishing the PKI trust across organisational boundaries, because the client computers on each side already trust the issuing root CA.
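The point above is that a client in another organisation must already trust the root CA that issued the federation service's certificate. The following PowerShell, an added example and not code from the original post, fetches the certificate presented by the federation service endpoint from a client machine and reports whether it chains to a root that client trusts; the hostname is a placeholder.

```powershell
# Added example: from a client, check that the federation service certificate
# chains to a root CA this client already trusts. Hostname is a placeholder.
function Test-FederationServiceTrust {
    param(
        [string]$HostName = 'adfs.example.com',   # placeholder, not from the post
        [int]$Port = 443
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents here; the trust decision is made
        # explicitly below with X509Chain so the result can be reported.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain against the local machine's trusted roots and check revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($leaf)
    $rootElement = $chain.ChainElements[$chain.ChainElements.Count - 1]

    [pscustomobject]@{
        Subject = $leaf.Subject
        Issuer  = $leaf.Issuer
        Root    = $rootElement.Certificate.Subject
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-FederationServiceTrust -HostName 'adfs.example.com'
```

A result with Trusted set to False and a Status such as UntrustedRoot means the client does not hold the issuing root CA, which is the situation the post describes when an internal PKI is used across organisational boundaries.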

The main reasons to consider using an internal, corporate PKI rather than an externally trusted CA include:

  • Cost – Building a Windows PKI is free with the OS. (The catch-22 is that you will need on-site staff who can administer, maintain and secure the software and hardware associated with an internal PKI.)
  • Control – Organisations have greater control over how the PKI is built and over how, when, and where certificates are issued.
  • Existing Infrastructure – An existing internal PKI can often be adapted to support AD FS with little additional work.

About Stephen Pothecary
IT Professional and Cloud Evangelist! IT Manager at Comms Group UK Ltd - Managed Services | Solutions | Procurement | Support Services | Cloud | Fujitsu!