AD vs ADFS vs LDAP: Explain it like I'm 5

brezotom picture brezotom · Jun 24, 2018 · Viewed 20.5k times · Source

I don't work with Microsoft but I'm struggling understanding conceptually how AD, ADFS and LDAP work together.

Let's say I have an application that needs an Identity Provider. How does AD and LDAP come into play?

My googling hasn't come up with a clear summary of these concepts for me, but if there is a resource that exists, please do point me towards it.

Answer

rbrayb picture rbrayb · Jun 26, 2018

AD and LDAP contain user attributes e.g. first name, last name, phone number.

They also contain a user login and password and roles (groups) so can be used for authentication and authorisation.

This authentication mainly uses Kerberos.

In the Microsoft world, AD is the main player but if you want a "simple" AD, you can use ADAM / LDS that is essentially an LDAP.

ADFS (an IDP) sits on top of these and provides a federation layer.

Federation is a concept whereby users from company A can authenticate to an application on company B but using their company A credentials.

It uses one of three federation protocols to do this:

  • SAML 2.0
  • WS-Federation
  • OpenID Connect

The result is a SAML token or a JWT (OpenID Connect) that contains a set of attributes from an AD for that user. These list of attributes to provide are configured in ADFS via claims rules and the attributes in the token are referred to as claims.