What is the difference between ADFS, WIF, WS Federation, SAML and STS?

There are numerous technologies and keywords used for single sign-on to Microsoft services.

Can anyone explain ADFS, WIF, WS-Federation, SAML and STS (Security Token Service), including where and when each is used?

+44
wif adfs single-sign-on saml ws-federation
Nov 02 '11 at 11:02
3 answers

In terms of the big picture:

Suppose an ASP.NET browser-based application requires authentication and authorization.

An application can roll its own or can outsource it.

WIF is a .NET library that allows ASP.NET to implement this outsourcing.

It talks to an STS (ADFS is an instance of an STS), which authenticates against an identity repository and provides authorization information in the form of claims. The STS has a set of signed, trusted applications.

The protocol used between WIF and ADFS is WS-Federation.

If the STS is Java-based (for example, Ping Identity or OpenAM), then WIF will use the SAML protocol to communicate. ADFS also supports SAML to enable federation.

(Federation, for example, allows a user in a Java-oriented company A to access an ASP.NET application in a .NET-oriented company B by authenticating against an identity repository. Company A and company B trust each other in the federation sense.)

+53
Nov 02 '11 at 18:07
  • ADFS (Active Directory Federation Services) is an off-the-shelf security token service (STS), created by Microsoft and built on top of the Windows Identity Foundation (WIF). It uses AD for authentication. It can be used in active (SOAP services) or passive (websites) scenarios and supports SAML tokens, WS-Federation, WS-Trust and SAML-Protocol. It can be used as an identity provider (against AD) or as a federation provider.

    http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx

  • WIF (Windows Identity Foundation) is a .NET library used for claims-based authentication in .NET applications (relying parties). It can also be used as a WS-Trust client and for building a custom STS.

    http://msdn.microsoft.com/en-us/security/aa570351

  • WS-Federation is a protocol used by relying parties and STSs to negotiate a security token. An application requests a security token from the STS using WS-Federation, and the STS returns (most of the time) a SAML security token back to the application, again using the WS-Federation protocol. This usually happens over HTTP (GET, POST and redirects). Contrast this with WS-Trust, which is entirely web-service based.

    http://msdn.microsoft.com/en-us/library/bb498017.aspx

  • SAML tokens (Security Assertion Markup Language) are simply the XML format used for security tokens, which usually carry user information (claims) and other relevant security-related data (signatures, issuer, etc.). The token is used by the application to authenticate users and to drive application behaviour (for example, authorization). SAML security tokens are signed for integrity and are possibly encrypted, so only the RP and the STS can see their contents. On ASP.NET websites using WIF, the token is encrypted by default and placed in cookies, but this can be changed.

    http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

  • STS (Security Token Service). As described above, an STS is a broker that sits between the consuming application and the user. The STS is the issuer of security tokens; "issuer" is often used as a synonym for STS. STSs are configured in two roles: as identity providers (IdPs), when they authenticate users, or as federation providers (FPs), when they sit in the middle of the trust chain and act as "relying parties" for other IdPs. IdPs need a way to authenticate users. Some (such as ADFS) use Active Directory; others use dedicated databases such as SQL Server membership (not ADFS). If the user authenticates properly, the STS will issue a security token.

    http://msdn.microsoft.com/en-us/library/ff650503.aspx

    http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/os/ws-trust-1.4-spec-os.html#_Toc212615442

Hope this helps. There are many concepts and moving parts to understand in claims-based authentication. For a complete understanding, you should check the Claims-Based Identity and Access Control Guide.

+96
Nov 02 '11 at 13:10
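The relying-party checks WIF performs on the SAML token it receives in a WS-Federation response (signature present and verified, trusted issuer, validity window, audience restriction) before any claim is honoured, as an added example that is not part of the original answer or of WIF itself. The token, issuer and audience values are constructed placeholders; XMLDSig verification is assumed to be done by a crypto library and passed in as a boolean.

```python
"""Relying-party-side validation of a SAML 1.1 assertion (constructed example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, shaped like the SAML 1.1 assertion an STS such as ADFS
# places in the WS-Federation wresult. Issuer, audience and times are placeholders.
SAMPLE_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  Issuer="http://sts.example.test/adfs/services/trust" IssueInstant="2011-11-02T13:00:00Z">
  <saml:Conditions NotBefore="2011-11-02T13:00:00Z" NotOnOrAfter="2011-11-02T14:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.example.test/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
</saml:Assertion>"""


def parse_time(s):
    """SAML timestamps are UTC; parse the 'Z' form used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_token(xml_text, trusted_issuers, audience, now_iso, signature_ok):
    """Return (accepted, reason, claims). signature_ok is the outcome of XMLDSig
    verification against the issuer's certificate, performed outside this
    snippet; a token without a Signature element, or whose signature failed,
    is rejected before anything else is read."""
    root = ET.fromstring(xml_text)
    if root.find("ds:Signature", NS) is None or not signature_ok:
        return False, "unsigned or bad signature", {}
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing validity conditions", {}
    now = parse_time(now_iso)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return False, "token expired or not yet valid", {}
    # Audience restriction: a token minted for another relying party must not be accepted here.
    if audience not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        return False, "audience mismatch", {}
    claims = {}
    for attr in root.findall(".//saml:Attribute", NS):
        key = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, "ok", claims
```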

This post is intended to clarify that SAML tokens are supported in ADFS 2.0, while the SAML protocol was not supported before ADFS 3.0, the ADFS version in Windows Server 2012 R2.

1) The SAML protocol is not supported until ADFS 3.0.

2) .NET 4.5-based WIF applications require WS-Fed and currently do not support SAML.

3) SAML tokens are XML-based. SAML tokens are supported in ADFS 2.0 and earlier. ADFS 1.0, 1.1 and 2.0 only support SAML tokens, not the protocol.

4) If you use WIF, WS-Fed (the protocol) is required, so you can do the following:

SAML protocol <---> ADFS <----> WS-FED <----> WIF (.net 4.5)

From the Wiki:

• ADFS 1.0 - Windows Server 2003 R2 (optional)

• ADFS 1.1 - Windows Server 2008 and Windows Server 2008 R2.

• ADFS 2.0 - Windows Server 2008 and Windows Server 2008 R2 (download from Microsoft.com)

• ADFS 2.1 - Windows Server 2012.

• ADFS 3.0 - Windows Server 2012 R2.

+2
May 17 '16 at 10:28 pm