AD vs ADFS vs LDAP: Explain it like I'm 5

I don't work with Microsoft but I'm struggling understanding conceptually how AD, ADFS and LDAP work together.

Let's say I have an application that needs an Identity Provider. How does AD and LDAP come into play?

My googling hasn't come up with a clear summary of these concepts for me, but if there is a resource that exists, please do point me towards it.

brezotom asked Jun 24 '18 04:06




1 Answer

AD and LDAP contain user attributes e.g. first name, last name, phone number.

They also contain a user login and password and roles (groups), and so can be used for authentication and authorisation.

This authentication mainly uses Kerberos.

In the Microsoft world, AD is the main player but if you want a "simple" AD, you can use ADAM / LDS that is essentially an LDAP.

ADFS (an IDP) sits on top of these and provides a federation layer.

Federation is a concept whereby users from company A can authenticate to an application on company B but using their company A credentials.

It uses one of three federation protocols to do this:

  • SAML 2.0
  • WS-Federation
  • OpenID Connect

The result is a SAML token or a JWT (OpenID Connect) that contains a set of attributes from an AD for that user. This list of attributes to provide is configured in ADFS via claims rules, and the attributes in the token are referred to as claims.

rbrayb answered Sep 28 '22 07:09
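The answer above describes the federation step in words: the directory holds user attributes, claims rules pick which of them are released, and the IdP hands the application a signed token carrying those attributes as claims. The following script is an added illustration of that flow, not code from the answer or from Microsoft. It simulates the three parties in one process: a constructed dictionary stands in for the AD/LDAP directory, a `CLAIM_RULES` mapping stands in for ADFS claims rules, and the token is a JWT signed with an HMAC shared secret (an assumption made to keep the example self-contained; real ADFS signs with the private key of its token-signing certificate, and the application verifies with the matching public key). The `verify_token` function shows the checks a relying party must do before trusting any claim: signature, algorithm, issuer, audience and expiry.

```python
"""Added example: directory attributes -> claims rules -> signed token -> verified claims.
Constructed data and an HMAC signing secret are used throughout; none of it is real ADFS configuration.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for what AD/LDAP returns for a user object.
DIRECTORY = {
    "alice": {
        "givenName": "Alice",
        "sn": "Smith",
        "mail": "alice@example.test",
        "telephoneNumber": "+1-555-0100",          # present in the directory, never released
        "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=test",
                     "CN=AppUsers,OU=Groups,DC=example,DC=test"],
    }
}

# Constructed claims rules: LDAP attribute -> claim type released to the application.
CLAIM_RULES = {
    "givenName": "given_name",
    "sn": "family_name",
    "mail": "email",
    "memberOf": "groups",
}

SHARED_SECRET = b"demo-secret-do-not-use"   # assumption: HMAC stand-in for the IdP signing certificate
ISSUER = "https://idp.example.test/adfs"    # constructed IdP identifier
AUDIENCE = "https://app.partner.test"       # constructed relying party identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_claims(username: str, now: int, lifetime: int = 3600) -> dict:
    """Apply the claims rules to the directory entry and add the standard token metadata."""
    entry = DIRECTORY[username]
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": username, "iat": now, "exp": now + lifetime}
    for attr, claim_type in CLAIM_RULES.items():
        if attr in entry:
            claims[claim_type] = entry[attr]
    return claims


def issue_token(username: str, now=None) -> str:
    """IdP side: serialise header and claims, then sign them (HS256 here for self-containment)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(build_claims(username, now), separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Relying-party side: reject the token unless signature, alg, issuer, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never let the token choose it
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not meant for this application")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    tok = issue_token("alice")
    print(json.dumps(verify_token(tok), indent=2))
```

Note that `telephoneNumber` is in the directory but absent from the token: the claims rules, not the directory, decide what an application learns about the user, which is why they deserve review like any other access-control configuration.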