AD FS is an SSO service which is provided trough the AD-suite. While the AD manages access to services and resources with the AD domain, AD FS is able to provide access to services which are outside the domain. In this regard, AD FS enables access to services within the corporate network (intranet) as well as access to external services, provided by other companies. The latter is enabled trough federated identities.

As AD FS need to communicate with and send data to AD DS, is not compatible with RODC.

AD FS supports several authentication protocols such as

• OpenID Connect (OIDC)

• OAuth 2.0

• SAML 2.0

Note that AD FS does not provide Kerberos authentication as this is handled by the KDC. Instead, AD FS accepts Kerberos as a method of authentication for example when issuing security tokens.

Todo

• Describe federation. 2-way, 1-way etc.

• SSO vs federation: https://www.pingidentity.com/en/resources/blog/post/sso-vs-federated-identity-management.html