AD FS Overview
AD FS uses claims-based authorization to implement identity federation. By default, VMware Identity Manager uses Security Assertion Markup Language (SAML), which is an assertion-based form of authorization. Conceptually, there are many parallels between SAML and AD FS. Use these similarities, outlined in the above table, as a foundation for understanding the integration between VMware Identity Manager and AD FS.
1. AD FS Claims
A claim is a statement about a user, made up of values such as the user principal name (UPN), email address, role, group, or Windows account name, and carried in a trusted token. Trusted parties, called relying parties, use the values in the claim to decide how to authorize the request.
Claims providers, such as your Active Directory, source and sign these claims. The Federation Service brokers trust between claims providers and relying parties by processing and exchanging claims between them, so that authorization decisions can be made based on the statements in the claim.
- The client requests a trusted token for access to a relying party, such as a web-hosted application.
- The client authenticates against AD FS, which validates the credentials against the trusted attribute store.
- Upon successful authentication, a trusted token is returned to the client, which presents it to the relying party.
- The relying party validates the trusted token and allows access.
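The four steps above, reduced to working code as an added example (it is not code from VMware or Microsoft documentation). It assumes an Ed25519 key pair as a stand-in for the X.509 signing certificate an AD FS claims provider actually uses, a JSON payload in place of a SAML or WS-Federation token, and constructed issuer, relying-party and user names. The point it shows is what "validates the trusted token" has to mean before any claim is acted on: the signature is checked against the trusted claims provider's key, then the issuer, the audience the token was minted for, and its lifetime, and only then does the relying party read the claims to make its authorization decision.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Reasons a relying party refuses a token, checked in this order.
var (
	ErrBadSignature  = errors.New("signature does not verify against the trusted claims provider key")
	ErrWrongIssuer   = errors.New("token issued by an untrusted claims provider")
	ErrWrongAudience = errors.New("token issued for a different relying party")
	ErrExpired       = errors.New("token lifetime has passed")
	ErrForbidden     = errors.New("claims do not satisfy the relying party's access rule")
)

// Token is the trusted token: claims about the user plus the metadata the
// relying party checks first. Field names are this example's shorthand, not AD FS claim types.
type Token struct {
	Issuer   string            `json:"iss"`
	Audience string            `json:"aud"` // relying party the token was minted for
	NotAfter int64             `json:"exp"` // Unix seconds
	Claims   map[string]string `json:"claims"`
}

// SignedToken is the serialized token with the claims provider's signature over it.
type SignedToken struct {
	Payload   []byte
	Signature []byte
}

// ClaimsProvider stands in for AD FS: it holds the private signing key, so it is
// the only party that can mint tokens the relying party will accept.
type ClaimsProvider struct {
	Name string
	priv ed25519.PrivateKey
}

// NewClaimsProvider generates the signing key pair; the public half is what the
// relying party is configured with when the federation trust is set up.
func NewClaimsProvider(name string) (*ClaimsProvider, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &ClaimsProvider{Name: name, priv: priv}, pub, nil
}

// Issue is steps 2 and 3: the client has authenticated, the attribute store has
// supplied the user's attributes (passed in as claims), and the provider binds
// them to one relying party and one lifetime, then signs the result.
func (cp *ClaimsProvider) Issue(audience string, claims map[string]string, now time.Time, ttl time.Duration) (SignedToken, error) {
	payload, err := json.Marshal(Token{Issuer: cp.Name, Audience: audience, NotAfter: now.Add(ttl).Unix(), Claims: claims})
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Payload: payload, Signature: ed25519.Sign(cp.priv, payload)}, nil
}

// RelyingParty trusts one claims provider's key and applies a single access
// rule: the token's "group" claim must name AllowedGroup.
type RelyingParty struct {
	Name          string
	TrustedIssuer string
	IssuerKey     ed25519.PublicKey
	AllowedGroup  string
}

// Authorize is step 4. The signature is verified before the payload is even
// parsed, so no unsigned or altered byte influences the decision.
func (rp *RelyingParty) Authorize(st SignedToken, now time.Time) (map[string]string, error) {
	if !ed25519.Verify(rp.IssuerKey, st.Payload, st.Signature) {
		return nil, ErrBadSignature
	}
	var tok Token
	if err := json.Unmarshal(st.Payload, &tok); err != nil {
		return nil, err
	}
	switch {
	case tok.Issuer != rp.TrustedIssuer:
		return nil, ErrWrongIssuer
	case tok.Audience != rp.Name:
		return nil, ErrWrongAudience
	case now.Unix() >= tok.NotAfter:
		return nil, ErrExpired
	case tok.Claims["group"] != rp.AllowedGroup:
		return nil, ErrForbidden
	}
	return tok.Claims, nil
}

func main() {
	now := time.Unix(1700000000, 0)
	adfs, pub, err := NewClaimsProvider("adfs.corp.example") // constructed name
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{Name: "app.example", TrustedIssuer: adfs.Name, IssuerKey: pub, AllowedGroup: "App-Users"}
	// Constructed attribute-store result for the authenticated user.
	claims := map[string]string{"upn": "alice@corp.example", "email": "alice@corp.example", "group": "App-Users"}
	st, _ := adfs.Issue(rp.Name, claims, now, 10*time.Minute)
	granted, err := rp.Authorize(st, now)
	fmt.Println("valid token:", granted, err)
	tampered := SignedToken{Payload: append(append([]byte{}, st.Payload...), ' '), Signature: st.Signature}
	_, err = rp.Authorize(tampered, now) // any change after signing fails verification
	fmt.Println("tampered:", err)
	other, _ := adfs.Issue("other.example", claims, now, 10*time.Minute)
	_, err = rp.Authorize(other, now) // genuine signature, wrong relying party
	fmt.Println("wrong audience:", err)
	_, err = rp.Authorize(st, now.Add(time.Hour)) // presented after its lifetime
	fmt.Println("expired:", err)
}
```

The audience and lifetime checks are the ones most often skipped in home-grown relying parties, and they are what stop a token minted for one application from being replayed against another, or long after the user's session should have ended.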