Federated Identity Management: ADFS vs OpenID
I'm new to Federated Identity Management. I'm trying to understand the differences between the authentication protocols and concepts.

I understood the difference/relationship between OpenID and OAuth. However, I'm still confused about the differences between ADFS, OpenID, IDaaS and Claim-based authentication concept.

I'm looking for a high-level explanation.

Any help is highly appreciated.

Predominance asked 16/6, 2017 at 23:58
Well, let me try to explain this:

  • OAuth 2 - Protocol for delegated authorization.
  • OpenID Connect (OIDC) - Protocol built on top of OAuth 2 that allows delegated authentication; instead of my app implementing the authentication, the authentication is performed by a third party.
  • Active Directory Federation Services (ADFS) is not a protocol or framework. Instead, it is software developed by Microsoft that enables single sign-on and federation for Windows networks.
  • Claims-based authentication is the foundation of SAML and OIDC JWT tokens. These tokens carry assertions about the subject (the authenticated entity) and are usually signed.

Summarizing:

  • OIDC and OAuth 2.0 are protocols. They don't dictate which or how your federation will work. OAuth 2 takes place at the authorization stage and OpenID Connect at the authentication and federation phases. With the public key exposed by the OpenID Connect Provider, any company can validate the ID Token and, therefore, be part of the federation.
  • ADFS is a product that allows federation based on the SAML protocol (secure but heavier than OIDC).
  • Claims are used in both the OIDC and SAML protocols. The tokens carry information that the issuer claims to be correct about some entity. If you rely on a token issued by a third party, you become a relying party.

Cardcarrying answered 17/6, 2017 at 0:21
Thanks for your answer. So, SAML and OIDC do the same job, so, at least theoretically, it should be possible to have ADFS (which is just a product) and make it use OIDC instead of SAML? – Predominance
In addition to the question above, how is SSO related to this? And is SSO supported only by Microsoft, or is it a general concept? – Predominance
SSO is a concept. Once authenticated in one domain, this authentication remains valid in other domains. You can use an LDAP as the user registry and have its authentication generate an OIDC token. ADFS extends the LDAP for federation, but targeting Windows networks, not applications. Behind ADFS there is an LDAP, which can be thought of as a database optimized for read operations. I'm not sure if you can use ADFS as a simple LDAP. I will do some research and respond back. – Cardcarrying
ADFS is a federation server that issues SAML assertions. There is an OAuth 2 profile to translate a SAML assertion into an Access Token. Consequently, you can use ADFS to do the authentication of the resource owner before the recording of the OIDC or OAuth permission. See tools.ietf.org/html/rfc7522 and keep in touch. – Cardcarrying
Thanks for your help. Now I have a better understanding of the topic. Please feel free to add any comments in the future if you come up with something new. – Predominance
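The answer above says a relying party can trust a third party's claims because the ID Token is signed and the OpenID Connect Provider publishes the public key. The following Go program is an added example illustrating that point; it is not code from the answer, from ADFS or from any OIDC library. It plays both roles with only the standard library: the provider mints an ES256-signed JWT carrying claims, and the relying party verifies the signature with the provider's public key and then checks the issuer, audience and expiry claims before trusting anything in the token. The issuer `https://idp.example`, the client id `my-app`, the subject `alice` and the locally generated key are all constructed for the example; a real relying party would fetch the key from the provider's published JWKS and would also accept an array-valued `aud` claim.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims holds the registered OIDC ID Token claims a relying party must check.
// Assumption: a single string audience (the spec also allows an array).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// NewProviderKey stands in for the OpenID Connect Provider's signing key
// (constructed locally here; normally published via the provider's JWKS).
func NewProviderKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// MintIDToken is the provider side: sign header.payload with ES256.
func MintIDToken(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S (32 bytes each), not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the relying-party side: the only thing it trusts is the
// provider's public key. Signature first, then iss, aud and exp; now is unix seconds.
func VerifyIDToken(pub *ecdsa.PublicKey, token, wantIss, wantAud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected header: alg is pinned, never taken from the token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid: token was not issued by the trusted provider")
	}
	pb, err := b64.DecodeString(parts[1]) // claims are only read after the signature passed
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not the trusted provider", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token was issued for %q, not for this relying party", c.Aud)
	case now >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	priv := NewProviderKey()
	now := time.Now().Unix()
	tok, _ := MintIDToken(priv, Claims{Iss: "https://idp.example", Sub: "alice", Aud: "my-app", Iat: now, Exp: now + 300})
	c, err := VerifyIDToken(&priv.PublicKey, tok, "https://idp.example", "my-app", now)
	fmt.Printf("accepted: %+v (err=%v)\n", c, err)
	_, err = VerifyIDToken(&priv.PublicKey, tok, "https://idp.example", "other-app", now)
	fmt.Println("wrong audience rejected:", err)
}
```

The order matters: the signature is checked before any claim is parsed, the algorithm is pinned by the verifier rather than read from the token, and a token signed by a different key, issued by a different issuer, addressed to a different audience, or past its expiry is rejected even though its claims look plausible. That is what makes the federation work in practice: the relying party never sees the user's password, only signed claims it can verify.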
Just to expand.

When you said OpenID, did you mean that, or did you mean OpenID Connect? They are two different protocols, and OpenID is very rarely used these days.

ADFS 4.0 (Server 2016) is the only ADFS that has full OpenID Connect / OAuth support (i.e. all four profiles).

Only ADFS 4.0 can use LDAP v3.0 and above for authentication. On earlier versions you have to use AD.

Also, SAML and WS-Fed normally use SAML tokens, not JWT ones.

Just to point out, ADFS also supports WS-Federation.

Chockablock answered 18/6, 2017 at 19:41
Thanks for pointing out the ADFS 4.0 OpenID Connect support: learn.microsoft.com/en-us/windows-server/identity/ad-fs/… – Footling
