Active Directory usage by ADFS, LDAP - active-directory

I have few very specific questions to come to a understanding on Active Directory usage:
ADFS are the services/software to enable SSO login to applications using a single url for users stored in Active Directory. Right?
LDAP is a protocol that exposes other functionalities like fetching users, deleting user, authentication user via bind method etc. stored in Active Directory. Right?
Then can't LDAP and ADFS both work on the same Active directory? This link:
LDAP support in ADFS got me confused in where it is referring to LD and AD as separate entities.
Can't I apply both the mechanisms on same AD? I only have knowledge of LDAP. Trying to learn ADFS.

ADFS provides SSO capabilities for SaaS services and Modern LOB applications. Traditionally, it uses identities stored in Active Directory Domain Services to validate the credentials for a user. In 2016, we also added support to include identities stored in any 3rd party LDAP directory.
Irrespective of where the identity is stored ADFS offers SSO across the applications that trust it.
Hope this clarifies.
Thanks //Sam (Twitter: #MrADFS)

AD stores users, groups and credentials.
To access an attribute in AD, you use the LDAP protocol via e.g. the C# Directory Services API.
ADFS handles authentication against AD and also adds a federation layer on top of AD.
The correct way to access AD attributes via ADFS is to use claims-based authentication whereby you configure ADFS to provision the attributes (as claims) into the token and then extract them on the client side.

Related

CAS Central Authentication Service can access google, office365

I want to build an Central Authentication Service on my website help users can access all my organization's service: Email and Drive using Google Suite for Education, Office 365, LMS and LCMS system... Student sign in one-time can access all service (eg. Email from Google).
Is it possible?
What you need to do is configure one identity provider (say Azure Active Directory) as the master and then configure the other (Google) as the subordinate. I don't know if Google supports that or not, but Azure AD does. Information on that is here: Tutorial: Azure Active Directory single sign-on (SSO) integration with Google Cloud (G Suite) Connector.
Okta is another product that solves this type of problem, but that adds more complexity.

Active Directory - Application security purpose

I am fairly new to Active directory and trying to understand it especially from application roles perspective.
I understand the use of Active Directory for authenticating internal corporate users and to implementing SSO across different applications.
What I am trying to gather are scenarios where Active directory can be used for application security ? Is it limited to creating domain users for application to use when interacting with other applications or are there other scenarios where it can be used ?
Example, in below diagram AD DS server has been added to the application landscape for 'computer objects for the failover cluster and its associated clustered roles are created in Active Directory Domain Services (AD DS)'. What does it really mean ?
Azure Active Directory (Azure AD) provides secure and seamless access to cloud and on-premises applications. Users can sign in once to access Office 365 and other business applications from Microsoft, thousands of software as a service (SaaS) applications, on-premises applications, and line of business (LOB) apps. Besides, enabling single sign-on (SSO) across applications and Office 365 provides a superior sign in experience for existing users by reducing or eliminating sign in prompts. For the details, you could read here.
And Azure AD Domain Services provides managed domain services. You can consume these domain services without the need for you to deploy, manage, and patch domain controllers in the cloud. Azure AD Domain Services integrates with your existing Azure AD tenant, thus making it possible for users to log in using their corporate credentials.
For the details about Azure AD Domain Services, please read this doc.

How does ADFS communicate with AD?

How does Active Directory Federation Service (ADFS) connects to a classic on-premise Active Directory Domain Service or simply known as (AD)?
Is it via the protocol HTTP?
AD FS connects to AD as a "standard" active directory supplicant for Username/Password or Certificate Authentication, and as a Kerberos relying party for Kerberos authentication. This means that it uses a variety of protocols to authenticate clients and retrieve user information. Most primarily, Kerberos is used for authentication and LDAP is used for user attribute retrieval.
The full list of ports used for AD Directory Services is quite long, and can be found at Service overview and network port requirements for Windows - Active Directory.
Generally, the AD and AD FS servers are considered to be on the same security level. ADFS Proxies (which are essentially layer-7 firewalls in their own right) are used in the DMZ to provide insulation between active directory and a potential attacker.

Azure AD graph API using on-premise domain

I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.
Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.
When trying to access
https://login.microsoftonline.com/{mydomain}.net/oauth2/token
using the following (yes, I know that grant_type is not recommended, but that's not the point)
grant_type: password
username: {user}#{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}
I get:
AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password
If I use an administrator like admin#{mydomain}.onmicrosoft.com it works fine.
In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.
It says in the management portal:
"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."
Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?
In the azure portal I have tried changing the primary domain from
{mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a
difference.
I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.
Does that apply when using the graph api as well? Do I have to setup
federation on my local network or is there another way around?
Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.
You can also see more details about Azure AD Connect user sign-in options in this official document.
Hope it helps!

Difference between an AD server and a CAS server

This is perhaps a dumb question, but I am entirely new in this area and I apologize in advance if it is.
I understand the relationship between Active Directory and LDAP (i.e. LDAP is a protocol that a database based system like Active Directory may use to perform authentication tasks).
However, what does a Central Authentication Service (CAS) Server need to have in addition to an AD to support SSO? Essentially, I'm trying to find out what's the difference between an LDAP server that runs AD and a CAS server.
Essentially Active Directory is a directory server by Microsoft that is accessible over LDAP. LDAP is an open standard protocol for accessing directory servers.
CAS is a server for authenticating users and providing single sign on across disparate clients. CAS can use Active Directory as a source for authentications. CAS can also use LDAP to authenticate users against LDAP capable directory servers.
Have you seen this page? It will hopefully illustrate the overall architecture for you.
https://apereo.github.io/cas/4.2.x/planning/Architecture.html

Resources