Microsoft Active Directory Federation Services (AD FS) enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries. Both AD FS and VMware Workspace ONE Access use a claims-based authentication model to maintain application security and implement federated identity.
Claims-based authentication is the process of authenticating users based on a set of claims about their identity contained in a security token.
A claim typically consists of an Active Directory user attribute, such as the user principal name (UPN) or email address. A security token bundles the set of claims about a particular user in the form of a Security Assertion Markup Language (SAML) assertion.
A claims-based workflow follows this sequence:
- User requests access to an application or resource.
- The application or resource service provider (also called the relying party) redirects the authentication request to the federated identity provider (also called the claims provider).
- If needed, the user is prompted to enter authentication credentials into the claims provider's sign-in portal.
- After authenticating the user's identity, the claims provider issues the security token and sends it back to the federated relying party.
- Upon accepting the token as validation of the user's identity, the relying party grants the user access to the application or resource.
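The last step is where the relying party's security rests: it must check the token before treating it as proof of identity. The block below is an added example, not code from the VMware or Microsoft documentation; it models the checks a SAML service provider performs on a claims provider's assertion (issuer, validity window, audience) and then extracts the claims, using a constructed assertion and placeholder URLs, and assumes the XML signature has already been verified by the SAML library.

```python
# Added example, not code from the VMware or Microsoft documentation: the checks a
# relying party (service provider) performs on the security token issued by the
# claims provider (AD FS) before granting access. XML signature verification is
# assumed to have been done by the SAML library first and is not shown here.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "http://adfs.example.com/adfs/services/trust"  # placeholder claims provider
MY_AUDIENCE = "https://access.example.com/sp"                   # placeholder relying party

# Constructed sample security token, shaped like an AD FS SAML 2.0 assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://access.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/UPN">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(stamp):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def validate_assertion(xml_text, now, issuer=TRUSTED_ISSUER, audience=MY_AUDIENCE):
    """Return the claims as a dict if the token is acceptable, otherwise raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("token not issued by the trusted claims provider")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("token carries no Conditions element")
    # Reject expired or not-yet-valid tokens: NotBefore <= now < NotOnOrAfter.
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("token is outside its validity window")
    # A token minted for a different relying party must not be accepted here.
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("token was not issued for this relying party")
    claims = {"NameID": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims
```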
The following table shows the parallels between the terminology used by AD FS and VMware Workspace ONE Access.
| AD FS Term | VMware Workspace ONE Access Term | Description |
|---|---|---|
| Security Token | Assertion | Collection of SAML-formatted security information describing users, which is created and consumed during a federated access request. |
| Claims Provider or Issuer | Identity Provider (IdP) | Partner in a federation that creates security tokens for users. |
| Relying Party | Service Provider (SP) | Partner in a federation that consumes security tokens for providing access to applications. |
| Claims | Assertion Attributes | Data about users that is sent inside security tokens. |