Menu
I don't work with Microsoft but I'm struggling understanding conceptually how AD, ADFS and LDAP work together.
Let's say I have an application that needs an Identity Provider. How does AD and LDAP come into play?
My googling hasn't come up with a clear summary of these concepts for me, but if there is a resource that exists, please do point me towards it.
598
Whereas ADFS is focused on Windows environments, LDAP is more flexible. It can accommodate other types of computing including Linux/Unix. LDAP is ideal for situations where you need to access data frequently but only add or modify it now and then.
LDAP is a directory services protocol. Active Directory is a directory server that uses the LDAP protocol.
ADFS provides the capability to manage one set of credentials for multiple applications and systems. ADFS does not allow other authentication protocols, such as LDAP. ADFS provides authentication services to trusted partners with SAML 2.0 compliant applications.
ADFS requires inbound 443 access to a server in the corporate DMZ. AD Connect only requires outbound traffic. Also, connections to Office 365 can be restricted to only corporate devices using Conditional Access.
AD and LDAP contain user attributes e.g. first name, last name, phone number.
They also contain a user login and password and roles (groups) so can be used for authentication and authorisation.
This authentication mainly uses Kerberos.
In the Microsoft world, AD is the main player but if you want a "simple" AD, you can use ADAM / LDS that is essentially an LDAP.
ADFS (an IDP) sits on top of these and provides a federation layer.
Federation is a concept whereby users from company A can authenticate to an application on company B but using their company A credentials.
It uses one of three federation protocols to do this:
The result is a SAML token or a JWT (OpenID Connect) that contains a set of attributes from an AD for that user. These list of attributes to provide are configured in ADFS via claims rules and the attributes in the token are referred to as claims.
106
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
