Question

I got a bit confused. If there is WS-Federation, which allows my web service's users to authenticate via LDAP, what is the difference then between using WS-Federation and using the System.DirectoryServices namespace in my service code?

Thank you


Solution

There is no comparison between them.

WS-Federation is a protocol for supporting single sign-on scenarios. It basically supports two profiles: one for authenticating clients that consume web services, called the active profile, and another, called the passive profile, for authenticating clients in web applications (it uses HTTP).

Active Directory for federated services is an extension built on top of Active Directory to authenticate users with WS-Federation.

DirectoryServices is the API you use to communicate with Active Directory directly from a .NET application. It has nothing to do with authentication.

Regards, Pablo.

OTHER TIPS

The main thing is that WS-Federation delegates the authentication to a token issuer. This allows you to put your directory services authentication code in the token issuer, and design services that 'don't care' about the authentication implementation. You can have your clients authenticate via multiple endpoints at the token issuer with different implementations too. So for example, you can expose endpoints that authenticate via Windows auth, or username/password, or other mechanisms, but your other services configured to trust the token issuer via federation will not need to care about how you extend your token issuance authentication mechanisms.

You can even 'chain' the federation so that the token issuer is configured to use federation itself, on certain endpoints, delegating token issuance to a completely different token issuer. So, this way you could implement authentication using 3rd-party trusted token issuers like 'sign in using Facebook', Yahoo, etc. The way that would work is that federation is set up on your services to trust your token issuer, and your token issuer is set up using federation to trust Facebook tokens. This also allows architectures where you have one token issuer in a DMZ, another in your domain, and services in the domain in the backend, and you can have web servers able to authenticate with backend services without any network information or other security-related information about your domain available to potential hackers outside the DMZ.
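As an added example (not part of either answer), here is a minimal Python model of the trust relationships the second answer describes: a domain token issuer that authenticates against a directory on one endpoint and accepts a third-party issuer's token on another, and a backend service that trusts only the domain issuer. The HMAC signatures, the issuer names, the sample directory entry and the key values are all constructed stand-ins; real WS-Federation tokens are signed SAML tokens backed by X.509 keys.

```python
import hashlib, hmac, json

# Keys are stand-ins for the issuers' X.509 signing keys; the "directory" is a constructed
# stand-in for the LDAP/AD lookup the token issuer would do with System.DirectoryServices.
DOMAIN_ISSUER_KEY = b"domain-issuer-secret"          # held only by the domain token issuer
EXTERNAL_ISSUER_KEY = b"external-issuer-secret"      # held only by the 3rd-party issuer
DIRECTORY = {"alice": "correct horse"}               # constructed sample directory entry

def issue_token(issuer, key, subject, audience, now, ttl=300):
    """Token issuer side: a signed claim that `subject` was authenticated, for `audience`."""
    body = json.dumps({"iss": issuer, "sub": subject, "aud": audience, "exp": now + ttl},
                      sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def validate_token(token, trusted_issuers, audience, now):
    """Relying-party side: accept only tokens signed by a configured trusted issuer,
    addressed to this service and not expired. Returns the claims or raises ValueError."""
    body, _, sig = token.rpartition(".")
    claims = json.loads(body)
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(sig, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("bad signature")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this service")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

# Domain issuer endpoint 1: username/password checked against the directory.
def domain_issuer_password_login(username, password, now):
    if DIRECTORY.get(username) != password:
        raise ValueError("directory authentication failed")
    return issue_token("domain-issuer", DOMAIN_ISSUER_KEY, username, "backend-service", now)

# Domain issuer endpoint 2: chained federation; it trusts the external issuer's token
# and re-issues a domain token, so the backend never has to trust the external party.
def domain_issuer_federated_login(external_token, now):
    claims = validate_token(external_token, {"external-issuer": EXTERNAL_ISSUER_KEY},
                            "domain-issuer", now)
    return issue_token("domain-issuer", DOMAIN_ISSUER_KEY, claims["sub"], "backend-service", now)

# Backend service: trusts only the domain issuer; it has no directory or password code.
def backend_service(token, now):
    return validate_token(token, {"domain-issuer": DOMAIN_ISSUER_KEY}, "backend-service", now)
```

Note that the backend rejects the external issuer's token if it is presented directly, because only the domain issuer is in its trust list; the audience and expiry checks are what stop a token meant for one service from being replayed against another.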

Licensed under: CC-BY-SA with attribution