Difference between ADFS and Azure AD

Differences between ADFS and Azure AD

  1. I understand that ADFS is an STS (Security Token Service) in the sense that it issues tokens to applications that help applications establish user identity. At an organization level, our org uses ADFS with the WS-Federation protocol to authenticate users across all internal applications of the organization and also to implement SSO.

  2. Also, in our organization we have an Azure AD account, and I have used Azure AD to register our custom apps; whenever an unauthenticated user enters our app, the person will be redirected to the Azure AD login page and will have to authenticate himself. After successful authentication, Azure AD also issues tokens (ID token, access token, refresh token).

My question is: can I consider Azure AD also a type of STS (Security Token Service), just like ADFS, because it issues tokens to establish client identity?

Ankh answered 2/4, 2019 at 12:35

ADFS only handles authentication and authorisation. It does not handle user provisioning.

In that sense ADFS is not an identity provider; it's just an STS.

You need separate instances of ADFS (auth.) and AD (users). AAD combines both.

As its name implies, ADFS is a federation layer that sits on top of AD.

Also, ADFS is an R-STS in that it can be in the middle of a federation chain. It can handle upstream and downstream requests. AAD can't; it is always the endpoint.

ADFS has the power of claims rules, AAD has no such concept.

Corell answered 2/4, 2019 at 17:56

Both work as a secure token service.

These are two different services of course, and usually you are responsible for the ADFS infrastructure, while you are not responsible for AAD infrastructure.

Azure AD can also federate authentication to ADFS if you have user sync enabled with Azure AD Connect. In that scenario Azure AD redirects the user to ADFS to authenticate, and trusts the answer ADFS provides. From the point of view of apps it makes no difference how a user authenticates against AAD.

Boxberry answered 2/4, 2019 at 12:50

Comments:

Thanks, well explained. Does that mean if we are using Azure AD to issue tokens for authentication, we can also use ADFS as a replacement to achieve the same? – Diametrically

Well, it depends. When you use AAD for authentication, you can also call e.g. MS Graph API on behalf of the user. You can't do that with ADFS. – Boxberry

I think we can also call Graph API to query the AAD; is my understanding correct? – Diametrically

How come ADFS is an identity provider? It's not. – Wilinski

I could be wrong on that part, I only know ADFS at a high level :) – Boxberry
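As an added illustration (not code from any of the posts above, nor from ADFS or Azure AD), the following Python script models the three ideas discussed in this thread: an STS that issues signed tokens, a relying party that validates them (signature, issuer, audience, expiry), and an R-STS in the middle of a federation chain that validates an upstream token, applies claims rules, and issues its own token downstream. Everything here is constructed: the issuer URLs, the keys, the claims rules and the user. For self-containment it signs with HS256 (a shared HMAC key) using only the standard library; real ADFS and Azure AD sign with asymmetric keys published through federation metadata, so the validation step would fetch a public key rather than hold a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers and keys; stand-ins for an on-premises ADFS
# (upstream) and a federating STS (downstream). Not real endpoints.
UPSTREAM_ISSUER = "https://sts.contoso.example/adfs"
RELAY_ISSUER = "https://login.example/sts"
AD_KEY = b"constructed-upstream-signing-key"
RELAY_KEY = b"constructed-federation-signing-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


class TokenService:
    """Minimal STS: issues HS256-signed JWTs under its own issuer name."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key

    def issue(self, subject, audience, claims, lifetime=300, now=None):
        now = int(time.time()) if now is None else now
        payload = {"iss": self.issuer, "sub": subject, "aud": audience,
                   "iat": now, "exp": now + lifetime, **claims}
        signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(payload)
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)


def validate(token, trusted_issuers, expected_audience, now=None):
    """Relying-party check: signature from a trusted issuer, then aud and exp."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(b64url_decode(payload_b64))
    key = trusted_issuers.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if payload.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


def validation_error(token, trusted_issuers, expected_audience, now=None):
    """Same check, but returns the rejection reason (or None) instead of raising."""
    try:
        validate(token, trusted_issuers, expected_audience, now=now)
    except ValueError as e:
        return str(e)
    return None


class RelayingTokenService(TokenService):
    """R-STS: trusts upstream issuers, applies claims rules, issues its own token downstream."""

    def __init__(self, issuer, key, upstream_issuers, claims_rules):
        super().__init__(issuer, key)
        self.upstream_issuers, self.claims_rules = upstream_issuers, claims_rules

    def federate(self, upstream_token, downstream_audience, now=None):
        # The upstream token must have been issued *to this STS* (aud == our issuer).
        incoming = validate(upstream_token, self.upstream_issuers, self.issuer, now=now)
        outgoing = {}
        for rule in self.claims_rules:      # only what a rule emits is forwarded
            outgoing.update(rule(incoming))
        return self.issue(incoming["sub"], downstream_audience, outgoing, now=now)


# Constructed claims rules, in the spirit of ADFS claims rules.
def group_to_role_rule(claims):
    return {"role": "admin" if "Domain Admins" in claims.get("groups", []) else "user"}


def passthrough_upn_rule(claims):
    return {"upn": claims["upn"]} if "upn" in claims else {}


def build_chain():
    upstream = TokenService(UPSTREAM_ISSUER, AD_KEY)
    relay = RelayingTokenService(RELAY_ISSUER, RELAY_KEY, {UPSTREAM_ISSUER: AD_KEY},
                                 [group_to_role_rule, passthrough_upn_rule])
    return upstream, relay


def demo(now=1_700_000_000):
    """Happy path: AD-side token -> R-STS -> app. Returns the claims the app sees."""
    upstream, relay = build_chain()
    t1 = upstream.issue("alice", RELAY_ISSUER,
                        {"upn": "alice@contoso.example", "groups": ["Domain Admins"]}, now=now)
    t2 = relay.federate(t1, "api://payroll", now=now)
    return validate(t2, {RELAY_ISSUER: RELAY_KEY}, "api://payroll", now=now)


def demo_rejections(now=1_700_000_000):
    """Tokens an app must refuse, keyed by scenario, with the reason reported."""
    upstream, relay = build_chain()
    app_trust = {RELAY_ISSUER: RELAY_KEY}
    t1 = upstream.issue("alice", RELAY_ISSUER, {"groups": []}, now=now)
    t2 = relay.federate(t1, "api://payroll", now=now)
    h, p, s = t2.split(".")
    edited = json.loads(b64url_decode(p))
    edited["role"] = "admin"                      # payload changed, signature kept
    tampered = f"{h}.{_compact(edited)}.{s}"
    return {
        "upstream_token_at_app": validation_error(t1, app_trust, "api://payroll", now=now),
        "expired": validation_error(t2, app_trust, "api://payroll", now=now + 600),
        "tampered": validation_error(tampered, app_trust, "api://payroll", now=now),
        "wrong_audience": validation_error(t2, app_trust, "api://hr", now=now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo_rejections(), indent=2))
```

Two points the output makes concrete: the application only ever trusts the issuer it is configured for, so a token from the upstream STS presented directly to it is rejected even though it is perfectly valid for the R-STS; and the downstream token contains only what the claims rules emitted (the `groups` claim is consumed by the rule and never reaches the app).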
