Microsoft ADFS (Active Directory Federation Services) offers a Single Sign-On (SSO) solution that gives users access to applications, services and resources inside the organization (such as web apps and other disparate apps and resources) as well as SSO to the company's subscription-based web services outside its own organization (such as seamless access to Salesforce, Office 365 and Google Apps). In short: "seamless access" to "everything" through one single user authentication.
ADFS makes this possible via what is commonly called a "claims-based" integration with connected services and resources, working much like a SAML-based SSO service. After one user authentication, the user has access to all ADFS-federated (supported) services.
In addition to providing internal users seamless access to internal and outside web services, ADFS can also allow external users and partners – those not belonging to the organization – to have access to specific (claims configured) shared “company internal” resources and services without risking opening up the full network/domain.
While ADFS offers ease of use and flexibility by requiring only a single authentication for internal users to access everything, and by enabling external partners and external users to reach sometimes sensitive internal resources, this also creates a significant risk and a new threat: if someone were to steal or hijack a user's password, they would have that user's full access to everything.
Consequently, organizations implementing ADFS want to strengthen the initial user authentication by adding multi-factor authentication, thereby minimizing the risk from password theft, misuse and sharing.
From MS Server 2012 onward, additional authentication methods (MFA) are supported; they are enabled in the form of an ADFS Multi-Factor Authentication Plugin, such as the one Green Rocket Security now offers and fully supports.
The GRS ADFS Plugin is a modern, flexible module that is easy to add to ADFS for straightforward MFA provisioning and enforcement of multi-factor authentication, ensuring that only authorized users have access.
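The following is an added example of how an ADFS administrator enables an MFA plugin and then enforces it; it is not code from the page or from Green Rocket Security. It uses only the standard ADFS PowerShell cmdlets that ship with the server role (Register-AdfsAuthenticationProvider, Set-AdfsGlobalAuthenticationPolicy, Set-AdfsAdditionalAuthenticationRule and Set-AdfsRelyingPartyTrust). The provider type name, the DLL/config paths, the provider display name and the relying party name are placeholders that must be replaced with the values from the plugin's own documentation and your environment.

```powershell
# Run in an elevated PowerShell session on the primary ADFS server.
# All names below are PLACEHOLDERS, not the vendor's real identifiers.
Import-Module ADFS

$providerName   = 'ExampleMfaPlugin'                                      # placeholder display name
$providerType   = 'Example.Mfa.Adapter.Provider, Example.Mfa.Adapter'     # placeholder "TypeName, Assembly"
$providerConfig = 'C:\ADFS\ExampleMfaPlugin\config.xml'                   # placeholder config path

# 1. Register the plugin (the assembly must already be installed in the GAC
#    on every ADFS server; this only registers it with ADFS).
Register-AdfsAuthenticationProvider -TypeName $providerType `
                                    -Name $providerName `
                                    -ConfigurationFilePath $providerConfig

# ADFS loads authentication providers at service start.
Restart-Service adfssrv

# 2. Enable the plugin as an additional (second-factor) method globally.
#    This makes it selectable; it does not yet force anyone to use it.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providerName

# 3. Require MFA for every logon that does not come from the corporate
#    network. The insidecorporatenetwork claim is set by ADFS itself;
#    "false" means the request arrived through the Web Application Proxy
#    (external users and partners, as described above).
$extranetRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetRule

# 4. For a sensitive relying party, require MFA for everyone, internal or
#    external, regardless of where the request originates.
$alwaysMfaRule = @'
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName 'Example Sensitive App' `   # placeholder relying party name
                          -AdditionalAuthenticationRules $alwaysMfaRule

# 5. Verify what is registered and enforced.
Get-AdfsAuthenticationProvider | Select-Object Name, AdminName
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name 'Example Sensitive App').AdditionalAuthenticationRules
```

Step 2 alone only makes the second factor available; the rules in steps 3 and 4 are what actually enforce it, so a deployment that stops after step 2 still allows password-only logons. After enabling, confirm enforcement by checking the ADFS admin and security event logs for an MFA step on an external logon and on a logon to the sensitive relying party.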