ADFS - Introduction & How it Works
Last modified on 11 July 2016 03:48 PM

Active Directory Federation Services -- an authentication method for users of web applications, in which the web application talks, via ADFS, to Active Directory on a server.

ADFS is installed on your Active Directory server (it is essentially an add-on to AD). As a school you may also need to turn on one or more server roles to get this working, but turning them on could impact other areas of your server. The settings you use also vary between school networks.


What does ADFS allow with Frog?

A user (staff or student) logs in to their local machine at school with their personal account. When they visit Frog in their chosen internet browser they enter only their username and should then be logged into the platform automatically.


Key Concepts of ADFS

  • The user's browser sends an authentication request to the ADFS server, which checks that the user exists in Active Directory.
  • The ADFS server then issues a security token to Frog to authenticate the user.
  • Frog trusts the security token from the issuer (ADFS server) due to the relationship that has been established.

The security token contains lots of information about the user. In Frog's case we only check the username.

If an error is produced when attempting to log in, make a note of any error codes, as the Frog Support Desk may be able to investigate further.

ADFS – How does it work?

  • User logs into local machine at school
  • User uses internet browser to navigate to Frog Platform

A user could visit the standard login page or visit www.URL.com/app/ADFS: if they are on the local school network they will already have an ADFS token and so will be logged in. The method below explains logging users in automatically once they enter their username.

  • The user types their username into the username field
  • Frog sends an authentication request to the ADFS server. Provided ADFS has been set up correctly, the ADFS server should trust the Frog server.
  • The ADFS server then checks whether the user is present on the AD server and queries their attributes.
  • Provided the user is present, the ADFS server sends a security token straight back to the user's internet browser. This token contains the username (and more) of the user trying to log in.
  • The browser then sends this security token to the Frog server, which checks whether the user exists within Frog.

Provided the user also exists within Frog, the Frog server returns a cookie to the browser and the user should then be logged in. A cookie is a small text file stored on the computer containing basic information that keeps you logged in for this session on that local computer.

Problems – What to Check?

Common things to check when ADFS is not working or you get an unhandled exception error:

  1. Server Times -- Check that the time on the Frog server and the time on the ADFS server match.

(In Frog 3 this can be checked in the Toolkit; in FrogLearn it must be checked by the Frog Systems Team.)

ADFS may not work if the times differ on the two servers. The Frog server should be set to UK time, but you may use a local NTP server to obtain the time, which could differ from UK time. Within Frog 3, schools can change the NTP server (IP address) field in order to sync the server time. Within FrogLearn our Systems Team must currently make this change.

  2. Certificates -- Check the ADFS certificate, as it may have expired. You can click Load Metadata in the System Preferences area of FrogLearn if you think the certificate has expired. Issues may occur for schools because the metadata certificate expires each year (it is always issued by the server for one year). This certificate is created (self-signed) by the ADFS server itself specifically for use between a server (Frog in this case) and ADFS. The ADFS server automatically creates a new metadata certificate annually (so there would then be two, for example), but Frog will still be pointing at the older certificate, so a school must update this manually.
  3. Usernames Match -- Ensure the username in Frog is the same as the username on your AD server.
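The following is an added Python model (not Frog's or Microsoft's code) of the Frog-side token validation described under "ADFS – How does it work?", written so that each failure maps to one of the three checks above. An HMAC key stands in for the signing certificate published in the ADFS metadata and "kid" for its thumbprint; the issuer URL, the user list and the 300-second skew allowance are constructed values.

```python
import base64, hashlib, hmac, json

# Constructed stand-ins (not Frog's or ADFS's real values): an HMAC key plays
# the part of the metadata signing certificate and "kid" plays its thumbprint.
ADFS_ISSUER = "http://adfs.school.example/adfs/services/trust"  # assumed URL
FROG_USERS = {"jsmith", "ahughes"}                                # constructed
ALLOWED_SKEW = 300  # seconds of clock drift tolerated between the two servers

def sign_token(claims, key, kid):
    """ADFS-side stand-in: serialise the claims and sign them with key `kid`."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"kid": kid, "body": body.decode(), "sig": sig}

def validate_token(token, trusted_keys, now, users=FROG_USERS):
    """Frog-side checks. Returns (ok, detail) so each failure names its cause,
    in the same order as the troubleshooting checks above."""
    key = trusted_keys.get(token["kid"])
    if key is None:  # ADFS rolled over to a new cert; Frog still holds the old one
        return False, "unknown signing certificate (reload the ADFS metadata)"
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(token["body"]))
    if claims.get("iss") != ADFS_ISSUER:  # only the established issuer is trusted
        return False, "untrusted issuer"
    # Validity window, with tolerance for drift between the Frog and ADFS clocks
    if now + ALLOWED_SKEW < claims["nbf"] or now - ALLOWED_SKEW >= claims["exp"]:
        return False, "token outside its validity window (check server times)"
    if claims.get("username") not in users:  # Frog only checks the username
        return False, "username not found in Frog (check usernames match)"
    return True, claims["username"]

if __name__ == "__main__":
    key_2016, issued = b"constructed-key-2016", 1_468_000_000
    claims = {"iss": ADFS_ISSUER, "username": "jsmith",
              "nbf": issued, "exp": issued + 3600}
    token = sign_token(claims, key_2016, "thumb-2016")
    print(validate_token(token, {"thumb-2016": key_2016}, issued + 10))
    print(validate_token(token, {"thumb-2016": key_2016}, issued - 3600))  # clock an hour out
```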

N.B. If all of the above have been checked, please call the Frog Support Desk and provide the error reference number, and we will assist you further where we can.
