Difference between adfs and azure AD

3
votes

Differences between ADFS and Azure AD

  1. I understand that ADFS is a STS (Secure Token Service) in the sense that it issues tokens to applications that helps applications establish user identity. At an organization level, our org uses ADFS with WS-Federation protocol to authenticate users across all internal application of organization and also implement SSO.

  2. Also in our organization we have Azure AD account, and I have used Azure AD to register our custom apps, and whenever an unauthenticated user enters our app, the person will redirected to azure ad login page and will have to authenticate himself. After successful authentication Azure AD also issues token(ID Token, access token, Refresh Token)

My question is that can I consider Azure AD also a type of STS (Secure Token Service) just like ADFS because it issues tokens to establish client identity?

2
azureazure-active-directoryadfsws-federation

2 Answers

4
votes

ADFS only handles authentication and authorisation. It does not handle user provisioning.

In that sense ADFS is not an Identity provider, It's just a STS.

You need separate instances of ADFS (auth.) and AD (user). AAD combines both.

As its name implies ADFS is a federation layer that sits on top of AD.

Also, ADFS is an R-STS in that it can be in the middle of a federation chain. It can handle upstream and downstream requests . AAD can't - it is always the endpoint.

ADFS has the power of claims rules, AAD has no such concept.

2
votes

Both work as a secure token service.

These are two different services of course, and usually you are responsible for the ADFS infrastructure, while you are not responsible for AAD infrastructure.

Azure AD can also federate authentication to ADFS if you have user sync enabled with Azure AD Connect. In that scenario Azure AD redirects the user to ADFS to authenticate, and trusts the answer ADFS provides. From the point of view of apps it makes no difference how a user authenticates against AAD.