Administration Guide

AD FS Proxy

FortiWeb as an AD FS proxy

Active Directory Federation Services (AD FS) is a Single Sign-On (SSO) solution created by Microsoft. It provides users with authenticated access to applications located across organizational boundaries. Developed to provide flexibility, AD FS gives organizations the ability to simplify the user experience: users only need to remember a single set of credentials to access multiple applications through SSO.

Usually, the AD FS server is deployed inside your organization’s internal network. This causes a problem for an Internet-facing application (or web service): when a user on the Internet contacts the application, the application redirects the user to the AD FS server for identity authentication, but the user cannot connect to the internal AD FS server.

To solve this issue, FortiWeb can be deployed as an AD FS proxy in your organization’s perimeter network (DMZ or extranet). External clients connect to FortiWeb when requesting the security token, and FortiWeb forwards the requests to the AD FS server in the internal network. Users do not know that they are talking to an AD FS proxy, because the federation services are accessed by the same URLs.

In addition to acting as an AD FS proxy, FortiWeb also acts as a web application firewall for your AD FS servers. You can leverage the powerful threat protection features on FortiWeb to keep your AD FS servers safe from vulnerability exploits, bots, malware uploads, DoS attacks, advanced persistent threats (APTs), and zero-day attacks.

The workflow of the AD FS authentication process

The following figure illustrates a typical AD FS authentication process and FortiWeb's role in it.

Initiation
  1. The user sends access requests to a web application which requires identity authentication.
  2. The web application responds with a URL that redirects the user to the AD FS server for identity authentication.

Certificate authentication process
  3A. The user sends a certificate authentication request to the service port 49443 of FortiWeb.
  4A. FortiWeb uses the locally installed CA to verify if the certificate is valid. If yes, FortiWeb forwards the certificate authentication request to the AD FS server.

User credential authentication process
  3B. The user sends a user name and password authentication request to the service port 443 of FortiWeb.
  4B. FortiWeb forwards the user name and password to the AD FS server.

Authentication result feedback
  5. Upon authenticating, the AD FS server provides the user with an authentication claim.

Connection to web application
  6. The user’s browser then forwards this claim to the target application.
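
The check in step 4A can be reproduced offline with the openssl command line. The script below is an added example, not Fortinet code and not a description of how FortiWeb implements the check internally. It assumes the openssl CLI is installed, and every name, subject and file in it is constructed for the demonstration. It shows that a client certificate is forwarded only when it chains to the installed CA, even when another CA and certificate carry identical names.

```shell
#!/bin/sh
# Added example modelling step 4A: forward only if the client certificate
# chains to the locally installed CA. All names and files are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX CN: create a throwaway self-signed CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client PREFIX CN CA_PREFIX: issue a client certificate from a CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# proxy_decision CLIENT_PREFIX TRUSTED_CA_PREFIX: print "forward" or "reject".
proxy_decision() {
    if openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
    then echo forward
    else echo reject
    fi
}

# Two CAs with the same name; only "trusted" is installed on the proxy.
make_ca trusted "Example Client CA"
make_ca rogue "Example Client CA"
# Two client certificates with the same subject, from different issuers.
issue_client alice "alice@example.test" trusted
issue_client lookalike "alice@example.test" rogue

echo "alice (issued by installed CA):   $(proxy_decision alice trusted)"
echo "lookalike (issued by other CA):   $(proxy_decision lookalike trusted)"
```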

FortiWeb supports the following AD FS versions:

  • AD FS 3.0 on Windows Server 2012 R2
  • AD FS 4.0 on Windows Server 2016
  • AD FS 5.0 on Windows Server 2019

Starting with version 6.3.0, FortiWeb supports Microsoft Server API version 2. Versions earlier than 6.3.0 support only Microsoft Server API version 1.
