59

I don't work with Microsoft but I'm struggling understanding conceptually how AD, ADFS and LDAP work together.

Let's say I have an application that needs an Identity Provider. How does AD and LDAP come into play?

My googling hasn't come up with a clear summary of these concepts for me, but if there is a resource that exists, please do point me towards it.

brezotom
  • 715
  • 1
  • 8
  • 12

1 Answers1

86

AD and LDAP contain user attributes e.g. first name, last name, phone number.

They also contain a user login and password and roles (groups) so can be used for authentication and authorisation.

This authentication mainly uses Kerberos.

In the Microsoft world, AD is the main player but if you want a "simple" AD, you can use ADAM / LDS that is essentially an LDAP.

ADFS (an IDP) sits on top of these and provides a federation layer.

Federation is a concept whereby users from company A can authenticate to an application on company B but using their company A credentials.

It uses one of three federation protocols to do this:

  • SAML 2.0
  • WS-Federation
  • OpenID Connect

The result is a SAML token or a JWT (OpenID Connect) that contains a set of attributes from an AD for that user. These list of attributes to provide are configured in ADFS via claims rules and the attributes in the token are referred to as claims.

rbrayb
  • 46,440
  • 34
  • 114
  • 174
  • 8
    The first sentence of this answer isn't completely correct. LDAP as such is a protocol used by Directory servers including AD(and other directory services like OpenLDAP). If the statement had instead said "LDAP server", I would agree that any directory services server that is LDAP compliant - is a specialized database. I felt it was important to differentiate (unless I am wrong) since the question asked to explain like a 5 yr old. – Vivek H Feb 16 '21 at 18:54