Differences between ADFS and Azure AD
I understand that ADFS is a STS (Secure Token Service) in the sense that it issues tokens to applications that helps applications establish user identity. At an organization level, our org uses ADFS with WS-Federation protocol to authenticate users across all internal application of organization and also implement SSO.
Also in our organization we have Azure AD account, and I have used Azure AD to register our custom apps, and whenever an unauthenticated user enters our app, the person will redirected to azure ad login page and will have to authenticate himself. After successful authentication Azure AD also issues token(ID Token, access token, Refresh Token)
My question is that can I consider Azure AD also a type of STS (Secure Token Service) just like ADFS because it issues tokens to establish client identity?
ADFS only handles authentication and authorisation. It does not handle user provisioning.
In that sense ADFS is not an Identity provider, It's just a STS.
You need separate instances of ADFS (auth.) and AD (user). AAD combines both.
As its name implies ADFS is a federation layer that sits on top of AD.
Also, ADFS is an R-STS in that it can be in the middle of a federation chain. It can handle upstream and downstream requests . AAD can't - it is always the endpoint.
ADFS has the power of claims rules, AAD has no such concept.
Both work as a secure token service.
These are two different services of course, and usually you are responsible for the ADFS infrastructure, while you are not responsible for AAD infrastructure.
Azure AD can also federate authentication to ADFS if you have user sync enabled with Azure AD Connect.
In that scenario Azure AD redirects the user to ADFS to authenticate, and trusts the answer ADFS provides.
From the point of view of apps it makes no difference how a user authenticates against AAD.
Related
Newbie to Microsoft SSO Authentication.
Have metadata, pubic cert and login url and Azure AD identifier and entityid.
When I was going through this SAML2.0 i see diff types of auth strategies like Federation Services, ADFS, Active Directory, Azure Directory... Getting confused and trying to visualize the type of authentication these details support.
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-nodejs-webapp-msal
Can somebody point me what type of authentication that we can provide with below details ?
metadata, pubic cert and login url and Azure AD identifier and entityid.
Regards,
likki.
We install adfs on Windows Server operating systems. It extends on-prem identities managed within AD to cloud applications through both SAML and OAuth. AD FS is meant for on-prem environments and does not authenticate through Azure infrastructure; it only authenticates against Active Directory.
AAD mainly serves as a cloud-based user management, as well as offers SSO capabilities for web applications. In fact, it authenticates users to their applications in much the same way as AD FS. The difference is that AAD authenticates via the cloud and AD FS authenticates on-prem.
Federation - When you set up SSO to work between multiple identity providers, it's called federation. An SSO implementation based on federation protocols improves security, reliability, end-user experiences, and implementation.
With federated single sign-on, Azure AD authenticates the user to the application by using their Azure AD account. This method is supported for SAML 2.0, WS-Federation, or OpenID Connect applications. Federated SSO is the richest mode of SSO. Use federated SSO with Azure AD when an application supports it, instead of password-based SSO and Active Directory Federation Services (AD FS).
So, if you want authenticate with cloud users you can go with azure ad or else if you want to use your on-premise user identities authenticate users for the application you can go with ADFS.
You can find more information here What is single sign-on? - Azure AD | Microsoft Docs
AD FS is configured with custom policies as a claims provider on Azure AD B2C using WS-Federation and SAML. The relying party on Azure AD B2C is using OpenID Connect.
Is it possible to do front-channel single logout initiated through OpenID Connect?
OpenID Connect Front-Channel Logout 1.0 - draft 02: http://openid.net/specs/openid-connect-frontchannel-1_0-ID1.html
Single logout is initiated from the relying party using OpenID Connect and continued through Azure AD B2C using WS-Federation and reaching the AD FS. Thereby terminating the session in both the relying party, Azure AD B2C and AD FS.
If so, how is that configured in Azure AD B2C with custom policies?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
That practice is highly discouraged as it's quite invasive on the end user and risks discouraging the user from doing SSO, rather opting for local accounts.
For example, if the user signed in using Facebook and then signs out of your application, they'll probably be very annoyed by the fact that they've also been signed out of Facebook and after enough times of this happening, might give up on SSO using Facebook and just create a local account that doesn't messes up their experiences elsewhere. A similar case could be made for business customers that, by signing out of your app, also get signed out of all of their other business apps.
All that said, you can still request support for this via the Azure AD B2C feedback forum.
"I have an application where I have users authenticated with multiple directories all federated using a ADFS. There is a central ADFS that does the federated and routing to the correct IDP. Most IDP are ADFS that add claims to the SAML token by using the normal ADFS rules. We now have some customers that want to use Azure AD as IDP, but this seems not to allow to add claims like ADFS.
What would be the way to add custom claims to a saml token using Azure AD?"
You can do this by adding your application in Azure AD Directory Portal via the Application Gallery. This gives you the opportunity to add claims to the outgoing SAML Token.
If you have Azure AD Premium you can add your own application (that accept SAML 2.0) and configure the extra claims via the "Attributes tab"
If you or your customers do not have Azure AD Premium you will have to have you app added to the Azure AD Application Gallery. The process for this is described in https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/
I'm trying to federate on premise ADFS 3.0 instance with Azure Active Direcotry instance. The idea is to allow AAD (azure) users to authenticate to an application which trusts the ADFS instance.
I added azure AD to claims provider trusts in ADFS (using it's federation metadata document path)
then I create an application in AAD which has identifier of the ADFS (e.g. https://fs.somedomain.com/adfs/services/trust
ADFS instance then correctly displays AZURE as special realm.
The only thing I can't figure out is what should be the reply url in azure application settings, so the ADFS instance redirects authenticated request to correct application.
It's the normal adfs/ls.
You just need to configure the URL and URI.
Refer: Azure AD as IdP with AD FS as RP.
We are developing a multi-tenant application and would like to be listed on Azure and support Azure AD as an IdP for our customers. However, a few customers that already have ADFS 2.0 setup didn't like the idea of sync'ing all accounts and passwords to Azure AD. So, is there anyway that when Azure AD receives a login request, somehow, have it redirect to ADFS and let ADFS do all the magic and return a token back to Azure AD which then returns JWT (using OpenID Connect) to our application?
I know that ACS supports such scenario but we are worried that Microsoft would soon drop support for it.
Thanks!
This document details how your customers can federate their ADFS instance with Azure AD:
https://technet.microsoft.com/library/dn550987.aspx