What ADFS Does Versus Does Not Do

The table below provides additional information on what ADFS can do versus what it cannot do with a requesting party's application.


What ADFS Does What ADFS Does Not Do
ADFS allows trusted federated partners to authenticate using DOI Active directory. ADFS does not provide authentication services to trusted partners without SAML 2.0 compliant applications.
ADFS provides  Web SSO to federated partners, which enables Requesting Parties’ users to have an SSO experience to access their web-based applications/systems.  ADFS does not extend the schema for Active Directory to create additional custom attributes in AD for the sole purpose of using them as claims.
ADFS defines Claims in terms that each partner understands and appropriately maps in the ADFS trust policy for exchange between federation partners, such as LDAP attributes. ADFS does not authorize users.  The DOI uses ADFS to  authenticate users. Requesting Parties are responsible for authorizing users for their systems and applications. 
ADFS provides an extensible architecture for claim augmentation. For example, it adds or modifies claims using custom business logic during claims processing. ADFS does not allow any Non-Secure Hash Algorithm (SHA256) to utilize ADFS authentication service for their applications and systems.
ADFS provides  the capability to manage one set of credentials for multiple applications and systems.  ADFS does not allow other authentication protocols, such as LDAP. 
ADFS provides authentication services to trusted partners with SAML 2.0 compliant applications. ADFS does not allow IDP initiated SSO
ADFS allows SP initiated SSO Provide access to accounts in or authentication to any AD forest other than net
Provide access to all doi user accounts for authentication. Provide access to authenticate using elevated or privileged accounts
Provide access to authenticate using any doi standard user account  

Was this page helpful?