Symantec VIP Integration Guide for Microsoft Active Directory Federation Services (AD FS) 3.0

Article ID: 150259

Products

VIP Service

Issue/Introduction

 Symantec VIP Integration Guide for Microsoft Active Directory Federation Services (AD FS) 3.0

Resolution

VIP Integration Guide for Microsoft Active Directory Federation Services (AD FS) 3.0 and 4.0: Describes how to integrate Microsoft Active Directory Federation Services (AD FS) 3.0 with VIP (see the attached PDF). See VIP Integrations for a complete list of integration guides.

More About Active Directory Federation Services (AD FS):
Enterprise workplaces are embracing web-based applications like never before, and demand for a single sign-on experience across applications is increasing. Most web-based applications adhere to the single sign-on standards. After end users log in to one enterprise application with their credentials, they are signed in to other enterprise applications seamlessly: they can move between services securely without re-entering their credentials.

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. For example, consider a Service Provider (SP) that has a web application, and ACME Corporation, which uses Active Directory Federation Services (AD FS) as its Identity Provider (IdP). ACME Corporation has a database of people who need to access the SP’s web application. If John Smith from ACME Corporation wants to connect to the SP’s web application, the SP has to trust that John Smith comes from ACME Corporation, so trust has to be established between AD FS and the SP. The web application checks whether the user is already authenticated. If John Smith is authenticated, he is allowed to access the web application. If John Smith is not authenticated, the browser is redirected to ACME’s IdP, which authenticates John Smith against ACME’s database of users. The browser then returns to the SP’s web application and presents the signed assertion from ACME’s IdP, which the SP can trust.

SAML enables web-based authentication and authorization scenarios including cross-domain Single Sign-On (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user. The user can use this signed assertion for other applications that use the SAML request.

To achieve this, the enterprise must:

  • Integrate third-party web applications (as the Service Provider) through AD FS (as the Identity Provider).
  • Configure AD FS.
  • Configure the third party to use VIP as multi-factor authentication, including JavaScript integration for VIP Access Push, Intelligent Authentication, Device Fingerprint, Registered Computer, Voice, and SMS.