Federated Identity Management: ADFS vs OpenID

user2931442 · Jun 17, 2017 · Viewed 9.1k times

I'm new to Federated Identity Management. I'm trying to understand the differences between the authentication protocols and concepts.

I understood the difference/relationship between OpenID and OAuth. However, I'm still confused about the differences between ADFS, OpenID, IDaaS and the claims-based authentication concept.

I'm looking for a high-level explanation.

Any help is highly appreciated.

Answer

Anderson Marques · Jun 17, 2017

Well, let me try to explain this:

  • OAuth 2 - Protocol for delegated authorization;
  • OpenID Connect (OIDC) - Protocol built on top of OAuth2 that allows delegated authentication; instead of my app implementing the authentication, the authentication is performed by a third party.
  • Active Directory Federation Services (ADFS) - Is neither a protocol nor a framework. It is software developed by Microsoft that allows single sign-on and federation for Windows networks.
  • Claims-based is the basis of SAML and OIDC JWT tokens. These kinds of tokens carry assertions about the subject (the authenticated entity) and are usually signed.

Summarizing:

  • OIDC and OAuth 2.0 are protocols. They don't dictate which or how your federation will work. OAuth2 takes place at the authorization stage and OpenID Connect at the authentication and federation phases. Any company can, with the public key exposed by the OpenID Provider, validate the ID Token and therefore be part of the federation.
  • ADFS is a product that allows federation based on the SAML protocol (secure but heavier than OIDC).
  • Claims-based is used in both the OIDC and SAML protocols. The tokens have information that the issuer claims to be correct about some entity. If you rely on a token issued by a third party, you become a relying party.
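A worked example of the claims-based flow the answer describes, added here as illustration and not part of the original answer or of any vendor's code: a simulated OpenID Provider signs an ID Token (a JWT, ES256), and a relying party validates it with nothing but the provider's public key, then checks `iss`, `aud` and `exp` before trusting any claim in it. The provider URL `https://op.example`, the client id `rp-client-id`, the sample claims and the single-string `aud` are assumptions made for the demo; in production the public key is fetched from the provider's published JWKS endpoint and a maintained JWT library should be used rather than hand-rolled parsing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of OIDC ID Token claims checked here. "aud" is modelled as a
// single string (an assumption for this demo; the spec also allows an array).
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
	Email string `json:"email,omitempty"`
}

var enc = base64.RawURLEncoding // JWS uses unpadded base64url

// NewProviderKey generates the OpenID Provider's signing key. Only the public half is
// ever handed to relying parties (a real OP publishes it at its jwks_uri).
func NewProviderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueIDToken plays the OpenID Provider: it signs the claims set as a compact JWS (ES256).
func IssueIDToken(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 encodes the signature as r||s, each left-padded to 32 bytes (not ASN.1 DER).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyIDToken plays the Relying Party. Nothing in the token is trusted until the signature
// checks out against the provider's public key; then issuer, audience and expiry are enforced.
func VerifyIDToken(pub *ecdsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	headerBytes, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerBytes, &header); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm: the verifier decides what is acceptable, never the token itself
	// (otherwise "alg":"none" or an HMAC downgrade could slip through).
	if header.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify under the provider's public key")
	}
	payloadBytes, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payloadBytes, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q is not the provider we federate with", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("token was issued for %q, not for this relying party", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token has expired")
	}
	return &c, nil
}

func main() {
	opKey, _ := NewProviderKey()
	now := time.Now()
	// Constructed sample claims for the demo.
	tok, _ := IssueIDToken(opKey, Claims{Iss: "https://op.example", Sub: "248289761001",
		Aud: "rp-client-id", Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), Email: "alice@example.com"})
	claims, err := VerifyIDToken(&opKey.PublicKey, tok, "https://op.example", "rp-client-id", now)
	fmt.Println("provider's key:", claims, err)
	rogue, _ := NewProviderKey()
	_, err = VerifyIDToken(&rogue.PublicKey, tok, "https://op.example", "rp-client-id", now)
	fmt.Println("someone else's key:", err)
}
```

The point the answer makes is visible in `VerifyIDToken`: the relying party never talks to the provider during validation and holds no secret of its own; possession of the provider's public key plus agreement on `iss` and `aud` is what makes it a member of the federation. The same token is rejected under another party's key, for another audience, or after expiry.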