ADFS (Active Directory Federation Services) is a solution from Microsoft for single sign-on (SSO) functionality. It is used by organizations that have their users on Windows Servers to provide authentication and authorization to web-based applications or services outside the organization. ADFS implements federated identity and claim-based access control to authenticate and authorize users, thus maintaining security. Claims-based authentication is way to provide access to users based on set of claims which contain the information about the identity contained in tokens.
The inner workings of ADFS can be understood by a simple example. Assume a company ‘A’ which hosts ADFS on their servers, has access to a user’s credentials. It is configured to provide trust to other applications ‘B’ and ‘C’ that require access tokens from the ADFS for authentication. When a user tries to access application ‘B’ from the browser, it redirects user to a proxy server of application ‘A’ where the user is asked to log in. After the user enters their valid username/password, the access token is generated for that user and redirected to the application ‘B’ along with the token. The same process occurs when the user wants to access application ‘C.’
Why Azure ADFS?
Active Directory (AD) creates authentication hardships when users want to access external applications. In this era of the online world, users often find a need to access external applications which are not owned by their organization. It’s here that ADFS comes into the picture and bridges the gap of providing access to these external applications. ADFS allows the users within an organization to access third-party applications integrated with their organization with same credentials of their organizations AD. ADFS can be used for following:
- Single Sign-On. ADFS can be used to provide users access to the third-party applications or services by logging them with same credentials of their organization’s AD.
- Identity and Access Management (IAM). It helps with a base platform to provide access control to applications based on centralized policies and rules. The user’s identity is centralized which makes identity management easier.
Issues faced by Applications using Azure ADFS
ADFS lags behind from being the best identity or authentication solution because of some major drawbacks. Major drawbacks of ADFS are its hidden infrastructure and maintenance costs, complexity, and security risks. There is a huge operational cost for managing and maintaining ADFS. Even if the ADFS service does not incur cost and is free, using it requires a Microsoft Server License and a server to host the service. As ADFS is a very important and critical service, it must never be down and should be highly available to provide an authentication mechanism. In order to fulfill this the architecture of ADFS, it needs to be configured respectively, which may increase the cost more than anticipated, in terms of complexity of architecture and increase in infrastructure.
Why Monitor Applications that use ADFS?
ADFS provide authentication and authorization services. It also provides SSO and IAM. This helps to provide access control to the applications based on centralized policies and rules. In simple terms, IAM takes care of the user details, authentication, and access information for an organization. Now, here the applications don’t have to worry about managing and authenticating their users, even if the count of users increases or decrease gradually. The responsibility of SSO and IAM creates a great dependency on ADFS. Now, organizations cannot afford losses if their users are not able to access external application due to an ADFS failure.
How Can we Monitor Applications that use Azure ADFS?
ADFS consists mainly of infrastructure, networking, and ADFS running on the server. So, if ADFS has to be monitored specifically, you can see the logs recorded in the server logs where the ADFS is hosted. You can make sure that the network it is hosted on is not too slow and is operating at the optimal performance. Also, it should be verified that the server ADFS is hosted on has the sufficient CPU and memory required for running the ADFS service, so it does not affect the service uptime.
This is only restricted to ADFS, so what about the applications that actually consume the ADFS services for IAM purposes? Here is where synthetic monitoring comes into the picture.
Synthetic Monitoring
Synthetic monitoring is the approach by which applications can be monitored by simulating users. This provides information like uptime, availability, and performance metrics and can monitor critical transactions made within the application. Synthetic monitoring has been around since the web was created, but now that there are significantly more web applications that organizations, big and small, rely on to generate revenue, its critical to continuously monitor these web applications for availability, uptime, and performance. And not only that, customers today can be located anywhere in the world, so it’s also imperative to monitor performance from different geographical locations.
When we use IAM Systems within applications, the application uses APIs to connect with the identity providers and communicates with them through browsers. All the interaction between application and IAM can be recorded and analyzed using synthetic monitoring. The monitoring solution can comprise of custom scripts and server calls, which run together at regular intervals, from a single allocated browser, or multiple browsers, from different geographical locations to get a better understanding for performance and availability at a global level.
Synthetic Monitoring from Dotcom-Monitor
Dotcom-Monitor provides various solutions and features to help user monitor their most critical websites and applications. Features like the EveryStep Web Recorder, configurable alerts, real-time reports, and third-party integrations, and more, gives users the tools and information they need to ensure their applications are working smoothly.
- Quick Solutions for Performance Problems: By using the EveryStep Web Recorder, web application performance issues can be detected quickly. For applications that use ADFS, this tool can record scripts for user steps when a user tries to log in using SSO, or the screen where OAuth token is sent by ADFS, and use it to monitor the web applications. Once the recorded scripts are ready and uploaded into the platform, you can set different thresholds for which to receive alerts. Detailed report on the problem can be created with screenshots and videos of the error, like if the user authentication service is failing etc., which can help the organization act quickly on repairing the issue before other users face the same issue.
- Alerts: You can create and configure custom notification groups with different types of alert mechanisms. Details can be checked and verified. If something goes wrong, it can identify the error and send alerts to the necessary people or teams to notify them of the problem. Alerts can be sent if the application goes down or if users fail to authenticate repeatedly. By proactively monitoring your applications, you ensure that the impact to users is minimal.
- Reporting: Gaining visibility and knowledge on user actions. Various types of reports can be generated by the platform, giving a wealth of performance data, such as downtime/uptime percentages, response time standard deviation, average response times, successes/failures, and more.
- Validating SLAs: Along with performance dashboards and alerts, the platform can also provide reporting to validate SLAs by IAM systems. For example, different IAMs claim their SLAs to be outstanding, but how can the organizations just simply trust that without verifying? The simple answer is that Dotcom-Monitor can do that for the organizations by creating detailed SLA reports to show the exact availability percentage of IAM systems. Dotcom-Monitor is set up to monitor and report on the commitments service providers make to customers in their SLAs.
In Conclusion: Monitoring Applications that use Azure ADFS
Azure ADFS provides an effective solution of SSO and IAM, thus making it simple for users of an organization to access external useful applications with ease in terms of authentication mechanism. So it is definitely necessary to monitor applications that use ADFS for authentication purpose in order to make sure that the application remains highly available and organization does not have to suffer any losses due to a failure of this service.
Try the full Dotcom-Monitor platform for free.
