Federated Identity Management: ADFS vs OpenID


Solution 1

Well, let me try to explain this:

  • OAuth 2 - Protocol for delegated authorization;
  • OpenID Connect (OIDC) - Protocol built over OAuth2 that allows delegated authentication; instead of my app implementing the authentication, the authentication is performed by a third party.
  • Active Directory Federation Services (ADFS) - Is neither a protocol nor a framework. It is software developed by Microsoft that allows single sign-on and federation for Windows networks.
  • Claims-based is the basis of SAML and OIDC JWT tokens. These kinds of tokens have assertions about the subject (the authenticated entity) and are usually signed.

Summarizing:

  • OIDC and OAuth 2.0 are protocols. They don't dictate which or how your federation will work. OAuth2 takes place at the authorization stage and OpenID Connect at the authentication and federation phases. Any company can, with the public key exposed by the OpenID Provider, validate the ID Token and, therefore, be part of the federation.
  • ADFS is a product that allows federation based on the SAML protocol (secure but heavier than OIDC).
  • Claims-based is used in both the OIDC and SAML protocols. The tokens have information that the issuer claims to be correct about some entity. If you rely on a token issued by a third party, you become a relying party.

Solution 2

Just to expand.

When you said, OpenID did you mean that or did you mean OpenID Connect? They are two different protocols and OpenID is very rarely used these days.

ADFS 4.0 (Server 2016) is the only ADFS that has full OpenID Connect / OAuth support (i.e. all four profiles).

Only ADFS 4.0 can use LDAP v3.0 and above for authentication. On earlier versions you have to use AD.

Also, SAML and WS-Fed normally use SAML tokens, not JWT ones.

Just to point out, ADFS also supports WS-Federation.

Author: user2931442

Updated on June 23, 2022

Comments

  • user2931442
    user2931442 almost 2 years

    I'm new to Federated Identity Management. I'm trying to understand the differences between the authentication protocols and concepts.

    I understood the difference/relationship between OpenID and OAuth. However, I'm still confused about the differences between ADFS, OpenID, IDaaS and Claim-based authentication concept.

    I'm looking for high level explanation.

    Any help is highly appreciated.

  • user2931442
    user2931442 almost 7 years
    Thanks for your answer. So, SAML and OIDC do the same job, so, at least theoretically, it should be possible to have ADFS (which is just a product) and make it use OIDC instead of SAML?
  • user2931442
    user2931442 almost 7 years
    In addition to the question above, how SSO is related to this? And is SSO supported only by Microsoft or it is a general concept?
  • Anderson Marques
    Anderson Marques almost 7 years
    SSO is a concept. Once authenticated in one domain, this authentication remains valid in other domains. You can use an LDAP as user registry and have its authentication generate an OIDC token. ADFS extends the LDAP for federation, but targeting Windows networks, not applications. Behind ADFS there is an LDAP, which can be thought of as a database optimized for read operations. I'm not sure if you can use ADFS as a simple LDAP. I will do some research and respond back.
  • Anderson Marques
    Anderson Marques almost 7 years
    ADFS is a federation server that issues SAML assertions. There is an OAuth 2 profile to translate a SAML assertion into an access token. Consequently, you can use ADFS to do the authentication of the resource owner before the recording of the OIDC or OAuth permission. See tools.ietf.org/html/rfc7522 and keep in touch.
  • user2931442
    user2931442 almost 7 years
    Thanks for your help. Now I have a better understanding of the topic. Please feel free to add any comments in the future if you come up with something new.
  • Miha Pirnat
    Miha Pirnat over 5 years
    Thanks for pointing out ADFS 4.0 OpenID Connect support: docs.microsoft.com/en-us/windows-server/identity/ad-fs/…