0 votes

I have a few very specific questions to come to an understanding of Active Directory usage:

  1. ADFS is the service/software that enables SSO login to applications, using a single URL, for users stored in Active Directory. Right?
  2. LDAP is a protocol that exposes other functionality, such as fetching users, deleting a user, authenticating a user via the bind method, etc., for users stored in Active Directory. Right?
  3. Then can't LDAP and ADFS both work on the same Active Directory? This link ("LDAP support in ADFS") got me confused, in that it refers to LDAP and AD as separate entities.

Can't I apply both mechanisms on the same AD? I only have knowledge of LDAP and am trying to learn ADFS.


2 Answers

1 vote

ADFS provides SSO capabilities for SaaS services and modern LOB applications. Traditionally, it uses identities stored in Active Directory Domain Services to validate a user's credentials. In 2016, we also added support for identities stored in any third-party LDAP directory.

Irrespective of where the identity is stored, ADFS offers SSO across the applications that trust it.

Hope this clarifies.

Thanks //Sam (Twitter: @MrADFS)

0 votes

AD stores users, groups and credentials.

To access an attribute in AD, you use the LDAP protocol via e.g. the C# Directory Services API.

ADFS handles authentication against AD and also adds a federation layer on top of AD.

The correct way to access AD attributes via ADFS is to use claims-based authentication whereby you configure ADFS to provision the attributes (as claims) into the token and then extract them on the client side.