AD vs ADFS vs LDAP: Explain it like I'm 5


Question

I don't work with Microsoft but I'm struggling understanding conceptually how AD, ADFS and LDAP work together.

Let's say I have an application that needs an Identity Provider. How do AD and LDAP come into play?

My googling hasn't come up with a clear summary of these concepts for me, but if there is a resource that exists, please do point me towards it.

Answer

AD and LDAP contain user attributes e.g. first name, last name, phone number.

They also contain a user login and password and roles (groups) so can be used for authentication and authorisation.

This authentication mainly uses Kerberos.

In the Microsoft world, AD is the main player but if you want a "simple" AD, you can use ADAM / LDS that is essentially an LDAP.

ADFS (an IDP) sits on top of these and provides a federation layer.

Federation is a concept whereby users from company A can authenticate to an application on company B but using their company A credentials.

It uses one of three federation protocols to do this:

  • SAML 2.0
  • WS-Federation
  • OpenID Connect

The result is a SAML token or a JWT (OpenID Connect) that contains a set of attributes from an AD for that user. This list of attributes to provide is configured in ADFS via claims rules, and the attributes in the token are referred to as claims.
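The last step of that flow, as an added example that is not part of the question or the answer above: an application at "company B" receives a JWT whose claims were copied out of company A's AD by the IdP, and must verify the token before it trusts any claim in it. The example below is stand-alone Python (standard library only) and makes several simplifying assumptions: the token is signed with HS256 and a shared secret standing in for the RSA signature a real ADFS issues, the claim names (`given_name`, `family_name`, `upn`, `groups`) and the audience `urn:example:app-b` are constructed for illustration, and the whole "IdP" is a single function so the exchange can run offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret shared by the toy IdP and the relying party (assumption:
# a real ADFS token is RSA-signed and verified with the IdP's public key;
# the "verify before you trust a claim" step is the same).
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Constructed audience identifier for the application at "company B".
APP_AUDIENCE = "urn:example:app-b"

# Constructed claims: what a claims rule would copy out of AD for this user.
SAMPLE_CLAIMS = {
    "iss": "urn:example:company-a-idp",
    "aud": APP_AUDIENCE,
    "upn": "alice@company-a.example",
    "given_name": "Alice",
    "family_name": "Example",
    "groups": ["AppB-Users"],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP: emit a signed HS256 JWT carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_and_extract_claims(token: str, secret: bytes = SHARED_SECRET,
                              expected_audience: str = APP_AUDIENCE) -> dict:
    """Relying-party side: check signature and audience, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # A token issued for some other application must not be accepted here.
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")
    return claims


def is_authorised(claims: dict, required_group: str) -> bool:
    """Authorisation decision based on the group claim the IdP took from AD."""
    return required_group in claims.get("groups", [])


def demo() -> dict:
    """Run the exchange: issue, verify, authorise, and reject a tampered token."""
    token = issue_token(SAMPLE_CLAIMS)
    claims = verify_and_extract_claims(token)

    # Tampered token: same header and signature, but the payload now claims an
    # extra group. The signature no longer matches, so verification must fail.
    header_b64, _, sig_b64 = token.split(".")
    altered = dict(SAMPLE_CLAIMS, groups=SAMPLE_CLAIMS["groups"] + ["AppB-Admins"])
    tampered = header_b64 + "." + _b64url_encode(json.dumps(altered).encode()) + "." + sig_b64
    try:
        verify_and_extract_claims(tampered)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    return {
        "user": claims["given_name"] + " " + claims["family_name"],
        "upn": claims["upn"],
        "can_use_app": is_authorised(claims, "AppB-Users"),
        "is_admin": is_authorised(claims, "AppB-Admins"),
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))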

这篇关于AD vs ADFS vs LDAP:像我 5 岁那样解释的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆