ADFS vs SAML – What's the Difference? (Explained). Identity and access management (IAM) tools are in growing demand because of today's distributed IT environments and the growing number of people working remotely. Microsoft introduced Active Directory Federation Services (ADFS) as an add-on role for Windows Server that lets users reach resources outside the enterprise's firewall and physical location.
Active Directory Federation Services (ADFS) is a Single Sign On (SSO) service rather than a protocol: it issues security tokens to applications that trust it and uses claims based access control. The user authenticates once against ADFS (the browser session is then tracked with cookies), and ADFS issues a signed token, most commonly a Security Assertion Markup Language (SAML) assertion, which the application accepts in place of a password. In other words, ADFS is a Security Token Service (STS). It can be configured with trust relationships to other identity providers, and from Windows Server 2016 onwards it also speaks OAuth 2.0 and OpenID Connect alongside SAML and WS-Federation.
A directory is the other half of this. If the user's identity data is not stored in a secure and organised way, the authenticating service cannot compare what the user submits against what it holds, cannot verify the user's identity, and cannot grant access. Effective SSO always needs a robust directory service behind it.
Let us understand how ADFS and SAML function in detail.
How Does Active Directory Federation Services (ADFS) Work?
Active Directory Federation Services is a web service and a role of the Windows Server operating system that lets you share identity information outside a company's network. It authenticates users with their usernames and passwords (and, where configured, stronger methods such as certificates or multi factor authentication) and then issues tokens, so users can reach applications without being prompted for their credentials repeatedly.
The applications can be in the cloud, on premises, or hosted by other companies; it does not matter who owns them or where they run. The administrator maintains the user accounts in a single place: Active Directory.
Why Do You Need Active Directory Federation Services (ADFS)?
Active Directory Federation Services provides a platform for managing online identities and for single sign on. This matters now because organisations are moving from applications that run on premises to applications that run in the cloud.
The traditional domain logon model, however, does not extend to cloud based applications.
For example, when you log on to your computer in the morning with your AD credentials, your identity is established once those credentials are verified, and that same logon is then used for local resources throughout the organization.
Now suppose you want to use a cloud application such as Apple TV. It will not recognise you automatically: although you are logged on with your domain user ID and password, there is no trust between that application and your domain. Apple TV keeps its own user accounts, so you would have to supply credentials specific to that site.
It is these types of challenges that have made ADFS so important and so widely adopted. Managing credentials across multiple applications can be a nightmare for the users as well as the support staff. ADFS makes it easy.
What Can You Do With ADFS?
For this part of the ADFS vs SAML comparison we need the notion of 'trust' between companies or partners, known as Federated Identity Management (FIM); an ADFS server is built on this core concept. In Windows, FIM is integrated through Active Directory: since AD stores every user's identity (user names, password hashes, group memberships), it acts as the base identity store. ADFS takes that identity information from Active Directory and makes it available outside your network, as claims carried in signed tokens, where other organizations and applications can consume it.
- Identity Federation (Identity Management): Identity management is the process of managing information about users' identities and controlling their access to resources. The purpose of identity federation is a centralized or linked identity that increases productivity and security while remaining cost effective.
- Single Sign On (SSO): It allows users on your network, internal and external, to access internet facing applications and services with a single sign on, even when those accounts and applications live in completely different networks or organizations.
Due to the rising number of applications and services, a centralized login system has become a necessity. It is not only convenient for the users but equally simple to manage.
What Are The Components Of ADFS?
There are four major components of ADFS:
- Active Directory: This is where all the identity information is stored to be used by ADFS.
- Federation Server: Hosts the Federation Service role. It receives requests from internal users and those relayed from the proxy, authenticates the user against AD, applies the claim rules, and issues the signed tokens.
- Federation Proxy Server: Hosts the Federation Service Proxy role of ADFS (from Windows Server 2012 R2 onwards this function is provided by the Web Application Proxy). The federation server is not exposed directly to the internet, because it is domain joined and depends heavily on AD, so the proxy sits in the perimeter network and forwards requests from the outside world to the federation server.
- ADFS Web Server: The web agent installed on the application's web server, which handles the security tokens and authentication cookies used to authenticate external users to that application.
Limitations Of ADFS
Despite everything that is discussed, there are certain downsides to ADFS from an infrastructure standpoint:
- It does not provide access to file shares or print servers
- It does not provide access to other Active Directory resources; it is a web token service, not a replacement for Kerberos inside the domain
- It does not authenticate 'older' web applications that are not claims aware
- It does not provide Remote Desktop connections to servers
- ADFS, although straightforward in concept, can be complex for novices; ADFS skills have to be acquired.
- In the present BYOD (bring your own device) culture, ADFS still needs AD domain accounts, and seamless Windows integrated sign on only works from domain joined devices; other devices fall back to forms based sign in.
What Is Security Assertion Markup Language (SAML)?
The second technology in this ADFS vs SAML comparison, Security Assertion Markup Language (SAML), is an open standard that lets an Identity Provider (IdP) pass authentication and authorization data about a user to a Service Provider (SP). In practice it means one set of credentials can be used to log into many different websites. It is always easier to manage one login per user than separate credentials for email, CRM, Active Directory and so on.
SAML transactions use Extensible Markup Language (XML) for standardized messages between the identity provider and service providers. SAML is the bridge between authenticating a user's identity and authorizing them to use a service, and it is what makes Single Sign On (SSO) possible: one authentication at the identity provider is reused across service providers.
What Can You Do With SAML?
SAML improves the security picture in two ways at once: the user's credentials (password, second factor) are never transmitted to or stored by the third party service, because only the identity provider ever sees them, and users still get SSO regardless of which service they use.
SAML simplifies federated authentication and authorization for users, service providers, and identity providers. It lets the service provider and the identity provider exist separately, centralizing user management while still providing access to SaaS solutions.
SAML defines a secure method of passing authentication and authorization statements between service providers and identity providers. When a user logs into a SAML enabled application, the service provider redirects the user to the appropriate identity provider with an authentication request. The identity provider verifies the user's credentials (password, two factor authentication, etc.) and returns a signed assertion about the user to the service provider, which checks it and lets the user in.
The authentication part of the assertion establishes who the user is and how they were authenticated; the attributes it carries (group memberships, roles and similar) are what the service provider uses to decide what access to grant the authenticated user.
As mentioned earlier, there are two primary types of SAML providers:
- Service provider
- Identity provider
A service provider relies on the identity provider's authentication before it grants the user authorization. The identity provider verifies that the end user is who they claim to be and sends the result to the service provider, together with attributes describing the user's access rights for the service.
Microsoft Entra ID (formerly Azure AD) and ADFS are common identity providers; on premises Active Directory itself is not a SAML identity provider but the directory behind ADFS. Salesforce and other CRM solutions are generally service providers, in that they depend on an identity provider for user authentication.
What Is a SAML Assertion?
A SAML Assertion is the XML document that the identity provider sends to the service provider containing signed statements about the user.
There are three types of SAML Assertion:
- Authentication – These statements prove that the user was authenticated and record when the user logged in and what method of authentication was used.
- Attribute – These statements pass SAML attributes to the service provider. SAML attributes are specific pieces of data about the user, such as an email address or group memberships.
- Authorization decision – These statements say whether the subject is permitted to perform an action on a resource. They are rarely used in practice (SAML 2.0 freezes them in favour of XACML), and a failed password does not produce one: when authentication fails, the identity provider simply issues no assertion.
How Does SAML Work?
Security Assertion Markup Language (SAML) works by passing information about users, their attributes and their logins between the identity provider and service providers. Each user logs in once, with the identity provider. From then on the identity provider can issue assertions carrying SAML attributes to a service provider whenever the user tries to access that service.
The service provider asks the identity provider to authenticate the user; because both systems speak the same protocol, the user logs in just once. Each identity provider and service provider pair must agree on the SAML configuration, usually by exchanging metadata: entity IDs, endpoint URLs, bindings, and the certificates used to sign (and optionally encrypt) messages. If either side's settings do not match the other's, SAML authentication fails.
ADFS vs SAML – Whats the Difference ? Conclusion
SAML Single Sign On works by transferring the user's identity from one place (the identity provider) to another (the service provider) through an exchange of digitally signed XML documents. The user opens the remote application from an intranet link, a bookmark, or similar, and the application loads.
SAML and ADFS are therefore not the same kind of thing: SAML is an open standard, while ADFS is a product that implements it. A SAML 2.0 Identity Provider (IdP) can take many forms, one of which is a self hosted Active Directory Federation Services (ADFS) server. ADFS is Microsoft's federation role for Windows Server and provides web sign in with existing Active Directory credentials; the cloud application on the other side of the trust is the service provider.
With Active Directory Federation Services configured as the SAML identity provider for an enterprise cloud application, users sign into that application with their managed Active Directory account through Single Sign On (SSO).