
Federated Identity Management: ADFS vs OpenID


I'm new to Federated Identity Management. I'm trying to understand the differences between the authentication protocols and concepts.

I understood the difference/relationship between OpenID and OAuth. However, I'm still confused about the differences between ADFS, OpenID, IDaaS and the Claim-based authentication concept.

I'm looking for a high-level explanation.

Any help is highly appreciated.


Solution

Well, let me try to explain this:

  • OAuth 2 - Protocol for delegated authorization;
  • OpenID Connect (OIDC) - Protocol built over OAuth2 that allows delegated authentication; instead of my app implementing the authentication, the authentication is realized by a third party.
  • Active Directory Federation Services (ADFS) is not a protocol or framework. Instead, it is software developed by Microsoft that enables single sign-on and federation for Windows networks.
  • Claim-based is the foundation of SAML and OIDC JWT tokens. These tokens have assertions about the subject (the entity authenticated) and are usually signed.

Summarizing:

  • OIDC and OAuth 2.0 are protocols. They don't dictate which or how your Federation will work. OAuth2 takes place at the authorization stage and OpenID Connect at the authentication and federation phases. With the public key exposed by the OpenID Connect Provider, any company can validate the ID Token and, therefore, be part of the Federation.
  • ADFS is a product that allows Federation based on the SAML protocol (secure but heavier than OIDC).
  • Claim-based is used in both the OIDC and SAML protocols. The tokens have information that the issuers claim to be correct about some entity. If you rely on a token issued by a third party, you become a relying party.