AD vs ADFS vs LDAP: Explain it like I'm 5

Question

I don't work with Microsoft but I'm struggling to understand conceptually how AD, ADFS and LDAP work together.

Let's say I have an application that needs an Identity Provider. How do AD and LDAP come into play?

My googling hasn't come up with a clear summary of these concepts for me, but if there is a resource that exists, please do point me towards it.

Recommended answer

AD and LDAP contain user attributes e.g. first name, last name, phone number.

They also contain a user login and password and roles (groups) so can be used for authentication and authorisation.

This authentication mainly uses Kerberos.

In the Microsoft world, AD is the main player but if you want a "simple" AD, you can use ADAM / LDS that is essentially an LDAP.

ADFS (an IDP) sits on top of these and provides a federation layer.

Federation is a concept whereby users from company A can authenticate to an application on company B but using their company A credentials.

It uses one of three federation protocols to do this:

  • SAML 2.0
  • WS-Federation
  • OpenID Connect

The result is a SAML token or a JWT (OpenID Connect) that contains a set of attributes from an AD for that user. The list of attributes to provide is configured in ADFS via claims rules and the attributes in the token are referred to as claims.
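
The flow this answer describes, as an added example that is not part of the original answer: an IdP turns directory attributes into claims via rules and signs them, and the application validates the token without ever touching the directory. All names, URLs and the key are constructed, and HMAC (HS256) stands in for the RSA signature ADFS makes with its token-signing certificate, so that the code runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed sample data: one directory entry as AD/LDAP would hold it.
DIRECTORY = {"alice": {"givenName": "Alice", "mail": "alice@companya.example",
                       "memberOf": ["CN=Finance,OU=Groups,DC=companya,DC=example"]}}
# Hypothetical claims rules: directory attribute -> claim name in the token.
CLAIM_RULES = {"mail": "email", "givenName": "given_name", "memberOf": "groups"}
ISSUER = "https://idp.companya.example"    # constructed IdP identifier
AUDIENCE = "https://app.companyb.example"  # constructed application identifier
KEY = b"demo-key-known-to-idp-and-app"     # assumption: stand-in for the signing key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head: str, body: str) -> bytes:
    return hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(user: str, now: float, ttl: int = 300) -> str:
    """IdP side: look the user up, apply the claims rules, sign the result."""
    entry = DIRECTORY[user]
    claims = {claim: entry[attr] for attr, claim in CLAIM_RULES.items()}
    claims.update(iss=ISSUER, aud=AUDIENCE, sub=user, exp=int(now) + ttl)
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head, body))}"

def validate_token(token: str, now: float) -> dict:
    """Application side: no directory access, only checks on the token."""
    head, body, sig = token.split(".")
    if json.loads(unb64url(head)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sign(head, body), unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def in_group(claims: dict, name: str) -> bool:
    """Authorisation from the groups claim, not from a directory lookup."""
    return any(dn.startswith(f"CN={name},") for dn in claims.get("groups", []))
```

The application only needs the IdP's verification key and its own expected issuer and audience values; the user's password and the directory stay on company A's side.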
