ADFS uses terminology from several different technologies, including certificate services, Internet Information Services (IIS), Active Directory, ADAM, and Web Services (WS-*). The following table describes these terms.

| Term | Description |
|---|---|
| account partner | A federation partner that is trusted by the Federation Service to provide security tokens. The account partner issues these tokens to its users (that is, users in the account partner realm) so that they can access Web-based applications in the resource partner. |
| Active Directory Federation Services (ADFS) | A Windows Server 2012 R2 / 2016 component that provides Web SSO technologies to authenticate a user to multiple Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries. ADFS in Windows Server 2012 R2 / 2016 supports the WS-F PRP. |
| claim | A statement that an issuer makes (for example, name, identity, key, group, privilege, or capability) about a client. |
| claim mapping | The act of mapping, removing or filtering, or passing claims between various claim sets. |
| claims-aware application | An ASP.NET application that performs authorization based on the claims that are present in an ADFS security token, such as SharePoint 2010. |
| client account partner discovery Web page | The Web page that is used to interact with the user to determine which account partner the user belongs to when ADFS cannot automatically determine which of the account partners should authenticate the user. |
| federation | A pair of realms or domains that have established a federation trust. |
| Federation Service | A security token service that is built into Windows Server 2012 R2 / 2016. The Federation Service provides tokens in response to requests for security tokens. |
| Federation Service Proxy | A proxy to the Federation Service in the perimeter network (also known as a DMZ or a screened subnet). The Federation Service Proxy uses WS-F PRP protocols to collect user credential information from browser clients and Web applications and send the information to the Federation Service on their behalf. |
| passive client | A Hypertext Transfer Protocol (HTTP) browser, capable of broadly supported HTTP, that can make use of cookies. ADFS in Windows Server 2012 R2 / 2016 supports only passive clients, and it adheres to the WS-F PRP specification. |
| resource partner | A federation partner that trusts the Federation Service to issue claims-based security tokens. The resource partner contains published Web-based applications that users in the account partner can access. |
| security token | A cryptographically signed data unit that expresses one or more claims. |
| security token service (STS) | A Web service that issues security tokens. An STS makes assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature, to prove knowledge of a security token or set of security tokens. A service itself can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement. This forms the basis of trust brokering. In ADFS, the Federation Service is an STS. |
| server farm | In ADFS, a collection of load-balanced federation servers, federation server proxies, or Web servers hosting the ADFS Web Agent. |
| single sign-on (SSO) | An optimization of the authentication sequence to remove the burden of repeated logon actions by an end user. |
| token-signing certificate | An X.509 certificate whose associated public/private key pair is used to provide integrity for security tokens. |
| Uniform Resource Identifier (URI) | A compact string of characters that identifies an abstract resource or physical resource. In ADFS, URIs are used to uniquely identify partners and account stores. |
| Web Services (WS-*) | The specifications for a Web Services Architecture that is based on industry standards such as Simple Object Access Protocol (SOAP); XML; Web Service Description Language (WSDL); and Universal Description, Discovery, and Integration (UDDI). WS-* provides a foundation for delivering complete, interoperable business solutions for the extended enterprise, including the ability to manage federated identity and security. The Web services model is based on the idea that enterprise systems are written in different languages, with different programming models, and run on and are accessed from many different types of devices. Web services are a means of building distributed systems that can connect and interact with one another easily and efficiently across the Internet, regardless of what language they are written in or what platform they run on. |
| Web Services Security (WS-Security) | A series of specifications that describes how to attach signature and encryption headers to SOAP messages. In addition, WS-Security describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages. In ADFS, WS-Security is used when Kerberos signs security tokens. |
| WS-Federation | A specification that defines a model and set of messages for brokering trust and the federation of identity and authentication information across different trust realms. The WS-Federation specification identifies two sources of identity and authentication requests across trust realms: active requestors, such as SOAP-enabled applications, and passive requestors, which are defined as HTTP browsers capable of supporting broadly supported HTTP, for example, HTTP 1.1. |
| WS-Federation Passive Requestor Profile (WS-F PRP) | An implementation of the WS-Federation specification that proposes a standard protocol for how passive clients (such as Web browsers) apply the federation framework. Within this protocol, Web service requestors are expected to understand the new security mechanisms and be capable of interacting with Web service providers. |
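The glossary entries for security token, token-signing certificate, claim mapping and claims-aware application describe one flow on the resource partner side: check the token's integrity, confirm the issuer is a trusted account partner (identified by URI), then map, filter or pass the claims before the application authorizes on them. The following is an added illustration written for this page, not ADFS code or its token format: the partner URIs, key and claim names are constructed, the token encoding is a toy, and an HMAC stands in for the X.509 key-pair signature the glossary describes (the order of checks is the point, not the primitive).

```python
import base64
import hashlib
import hmac
import json

# Constructed: account partners (keyed by URI) whose token signatures the
# resource partner trusts. A real deployment would hold each partner's
# token-signing certificate here; an HMAC key is a stand-in for that.
TRUSTED_ACCOUNT_PARTNERS = {
    "urn:federation:contoso": b"contoso-token-signing-key-CONSTRUCTED",
}

# Claim mapping rules: pass a claim through, map it to a new claim type,
# or drop it. Claim types with no rule are dropped (deny by default).
CLAIM_RULES = {
    "upn": ("pass", "upn"),
    "group": ("map", "role"),
    "employeeid": ("drop", None),
}


def issue_token(issuer, claims, key):
    """Account-partner STS side: sign a claim set (toy encoding: body.sig)."""
    payload = json.dumps({"iss": issuer, "claims": claims}, sort_keys=True)
    body = base64.urlsafe_b64encode(payload.encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token):
    """Resource-partner side: the payload is untrusted until the signature
    verifies under the key of a known account partner."""
    body, _, sig = token.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    key = TRUSTED_ACCOUNT_PARTNERS.get(payload.get("iss"))
    if key is None:
        raise ValueError("issuer is not a trusted account partner")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("security token signature is invalid")
    return payload["claims"]


def map_claims(claims):
    """Claim mapping: apply pass/map/drop rules to the incoming claim set."""
    mapped = {}
    for claim_type, value in claims.items():
        action, target = CLAIM_RULES.get(claim_type, ("drop", None))
        if action != "drop":
            mapped[target] = value
    return mapped


def authorize(token, required_role):
    """Claims-aware application: decide only on verified, mapped claims."""
    return map_claims(verify_token(token)).get("role") == required_role
```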