Fortinet black logo

Administration Guide

ADFS Proxy

ADFS Proxy

FortiWeb as an ADFS proxy

Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft. It provides users with authenticated access to applications located across organizational boundaries. Developed to provide flexibility, ADFS gives organizations the ability to simplify the user experience: users only need to remember a single set of credentials to access multiple applications through SSO.

Usually, the ADFS server is deployed inside your organization’s internal network. If you have an application (or web service) that is Internet facing, this can cause an issue, becasue when a user on the Internet contacts the application (or web service), then the application redirects the user to the ADFS server for identity authentication, the user will not be able to connect to the internal ADFS server.

To solve this issue, FortiWeb can be deployed as an ADFS proxy in your organization’s perimeter network (DMZ or extranet). The external clients connect to FortiWeb when requesting the security token, FortiWeb then forwards the requests to the ADFS server in the internal network. As far as the user is concerned, they do not know they are talking to an ADFS proxy, because the federation services are accessed by the same URLs.

Except from playing the role of ADFS proxy, FortiWeb also acts as a web applicaiton firewall for your ADFS servers. You can leverage the powerful threats protection features on FortiWeb to keep your ADFS servers safe from vulnerability exploits, bots, malware uploads, DoS attacks, advanced persistent threats (APTs), and zero day attacks.

The workflow of the ADFS authentication process

The following figure illustrates a typical ADFS authentication process, and the FortiWeb's role in it.

Initiation 1 The user sends access requests to a web applicaiton which requires identity authentication.
2 The web application responds with a URL that redirects the user to the ADFS server for identity authentication.
Certificate authentication process 3A The user sends a certificate authentication request to the service port 49443 of FortiWeb.
4A FortiWeb uses the locally installed CA to verify if the certificate is valid. If yes, FortiWeb forwards the certificate authentication request to the ADFS server.
User credential authentication process 3B The user sends a user name and password authentication request to the service port 443 of FortiWeb.
4B FortiWeb forwards the user name and password to the ADFS server.
Authentication result feedback 5 Upon authenticating, the ADFS server provides the user with an authentication claim.
Connection to web application 6 The user’s browser then forwards this claim to the target application.

FortiWeb supports the following ADFS versions:

  • ADFS 3.0 on Windows Server 2012 R2
  • ADFS 4.0 on Windows Server 2016
  • ADFS 5.0 on Windows Server 2019

From 6.3.0, FortiWeb has added support for Microsoft Server API version 2. In versions earlier than 6.3.0, FortiWeb only supports Microsoft Server API version 1.

ADFS Proxy

FortiWeb as an ADFS proxy

Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft. It provides users with authenticated access to applications located across organizational boundaries. Developed to provide flexibility, ADFS gives organizations the ability to simplify the user experience: users only need to remember a single set of credentials to access multiple applications through SSO.

Usually, the ADFS server is deployed inside your organization’s internal network. If you have an application (or web service) that is Internet facing, this can cause an issue, becasue when a user on the Internet contacts the application (or web service), then the application redirects the user to the ADFS server for identity authentication, the user will not be able to connect to the internal ADFS server.

To solve this issue, FortiWeb can be deployed as an ADFS proxy in your organization’s perimeter network (DMZ or extranet). The external clients connect to FortiWeb when requesting the security token, FortiWeb then forwards the requests to the ADFS server in the internal network. As far as the user is concerned, they do not know they are talking to an ADFS proxy, because the federation services are accessed by the same URLs.

Except from playing the role of ADFS proxy, FortiWeb also acts as a web applicaiton firewall for your ADFS servers. You can leverage the powerful threats protection features on FortiWeb to keep your ADFS servers safe from vulnerability exploits, bots, malware uploads, DoS attacks, advanced persistent threats (APTs), and zero day attacks.

The workflow of the ADFS authentication process

The following figure illustrates a typical ADFS authentication process, and the FortiWeb's role in it.

Initiation 1 The user sends access requests to a web applicaiton which requires identity authentication.
2 The web application responds with a URL that redirects the user to the ADFS server for identity authentication.
Certificate authentication process 3A The user sends a certificate authentication request to the service port 49443 of FortiWeb.
4A FortiWeb uses the locally installed CA to verify if the certificate is valid. If yes, FortiWeb forwards the certificate authentication request to the ADFS server.
User credential authentication process 3B The user sends a user name and password authentication request to the service port 443 of FortiWeb.
4B FortiWeb forwards the user name and password to the ADFS server.
Authentication result feedback 5 Upon authenticating, the ADFS server provides the user with an authentication claim.
Connection to web application 6 The user’s browser then forwards this claim to the target application.

FortiWeb supports the following ADFS versions:

  • ADFS 3.0 on Windows Server 2012 R2
  • ADFS 4.0 on Windows Server 2016
  • ADFS 5.0 on Windows Server 2019

From 6.3.0, FortiWeb has added support for Microsoft Server API version 2. In versions earlier than 6.3.0, FortiWeb only supports Microsoft Server API version 1.