Microsoft Active Directory Federation Services (AD FS)
Active Directory Federation Services (AD FS) is Microsoft's on-premises federation and web single sign-on (SSO) server role for Windows Server. It issues and validates security tokens so that users authenticated against Active Directory can sign in to internal and external applications. It supports SAML 2.0, WS-Federation and WS-Trust, and, beginning with Windows Server 2016, OpenID Connect and OAuth 2.0 for modern application federation.
Key Capabilities
- Standards-based federation: acts as a SAML 2.0 identity provider (claims provider) for relying parties and as a SAML 2.0 service provider (relying party) toward other claims providers; WS-Federation covers browser-based passive sign-in and WS-Trust covers SOAP-based active clients. OpenID Connect and OAuth 2.0 are available on Windows Server 2016 and later.
- Web publishing via WAP: the Web Application Proxy role is a reverse proxy and AD FS proxy in the DMZ. It can pre-authenticate external users against AD FS before a request reaches an on-premises web application, and it relays the federation service endpoints to the internet so the farm itself is not exposed.
- MFA integration: built-in certificate (smart card) authentication as an additional method, plus pluggable MFA adapters such as Microsoft Entra MFA (built in from Server 2016), Duo, PingID, CyberArk and SecureAuth. Step-up is expressed as additional authentication rules or access control policies, farm-wide or per relying party, including policies that apply only to extranet requests arriving through WAP.
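The three capabilities above, configured from PowerShell. This is an added example, not code from the page or from Microsoft's documentation; the hostnames, trust and application names, identifiers, the thumbprint placeholder and the claim rules are assumed values for a fictional contoso.example environment. The AD FS cmdlets run on a farm node, the WAP cmdlet on the proxy server.

```powershell
# Added example: register a SAML relying party, an OIDC application group,
# an extranet-only MFA rule and a WAP publishing rule. All names, URLs and
# the thumbprint are assumed placeholders for a fictional environment.
Import-Module ADFS

# --- 1. SAML 2.0 relying party (AD FS acting as identity provider) -----------
# Claim rule language: take the Windows account name AD FS already holds and
# look up userPrincipalName in Active Directory to issue a UPN claim.
$hrTransform = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step-up rule: demand MFA only when the request did not originate inside the
# corporate network. AD FS sets insidecorporatenetwork=false on requests that
# arrive through the Web Application Proxy.
$extranetMfa = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Importing the partner's metadata pulls in its signing certificate and
# AssertionConsumerService endpoints instead of hand-typing them.
Add-AdfsRelyingPartyTrust -Name 'Contoso HR (SAML)' `
    -MetadataUrl 'https://hr.contoso.example/saml/metadata' `
    -IssuanceTransformRules $hrTransform `
    -IssuanceAuthorizationRules $permitAll `
    -AdditionalAuthenticationRules $extranetMfa

# --- 2. OIDC / OAuth 2.0 application group (Server 2016 and later) ----------
Add-AdfsApplicationGroup -Name 'Contoso Portal' -ApplicationGroupIdentifier 'ContosoPortal'

# Confidential client (server-side web app). -GenerateClientSecret yields the
# secret once in the returned object; it is not retrievable afterwards.
$client = Add-AdfsServerApplication -Name 'Contoso Portal - Web' `
    -ApplicationGroupIdentifier 'ContosoPortal' `
    -Identifier 'contoso-portal-web' `
    -RedirectUri 'https://portal.contoso.example/signin-oidc' `
    -GenerateClientSecret
$clientSecret = $client.ClientSecret   # hand this to the app's secret store, nowhere else

# Resource (Web API) the client will request access tokens for.
Add-AdfsWebApiApplication -Name 'Contoso Portal - API' `
    -ApplicationGroupIdentifier 'ContosoPortal' `
    -Identifier 'https://api.contoso.example' `
    -IssuanceTransformRules $hrTransform `
    -AccessControlPolicyName 'Permit everyone'

# Without an explicit permission grant the client cannot obtain tokens for the API.
Grant-AdfsApplicationPermission -ClientRoleIdentifier 'contoso-portal-web' `
    -ServerRoleIdentifier 'https://api.contoso.example' `
    -ScopeNames 'openid', 'profile'

# --- 3. Publish the HR app through Web Application Proxy ---------------------
# Run on the WAP server (already joined to the farm with Install-WebApplicationProxy).
# ADFS pre-authentication means an unauthenticated internet client never
# reaches the backend; it is redirected to AD FS (through the proxy) first.
Add-WebApplicationProxyApplication -Name 'Contoso HR' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Contoso HR (SAML)' `
    -ExternalUrl 'https://hr.contoso.example/' `
    -BackendServerUrl 'https://hr.corp.contoso.example/' `
    -ExternalCertificateThumbprint '<thumbprint of the hr.contoso.example TLS certificate>'
```

The additional authentication rule is the version-independent way to express step-up (it also works on 2012 R2); on Server 2016 and later the same effect is available through the built-in access control policy templates, but a relying party can use either rules or an access control policy, not both at once.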
Limitations
- Modernization path: Microsoft's stated direction is to migrate AD FS-integrated applications to Microsoft Entra ID; it ships assessment tooling and phased migration guidance with decommissioning of the farm as the end state.
- OIDC scope and claims variance: the OIDC implementation, particularly on Server 2016, does not emit all standard OIDC claims by default; administrators have to map the missing attributes themselves with issuance transform rules on the application.
- Advanced OAuth profiles: Microsoft's documentation covers the core OIDC/OAuth 2.0 flows but does not document support for pushed authorization requests (PAR), DPoP, or mTLS certificate-bound access tokens, so treat them as unavailable unless the farm's discovery metadata says otherwise.
- Operational overhead: being self-hosted, AD FS leaves patching, the TLS and token-signing certificate lifecycle, high availability and load balancing, and the WAP DMZ tier to the operator.
- Version dependency: available features and the administrative UI vary across Windows Server 2012 R2, 2016, 2019 and 2022, and an in-place upgraded farm keeps the older behaviour until its farm behavior level (FBL) is raised. Verify the FBL before relying on newer OIDC and OAuth capabilities.
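The checks a practitioner would run against a farm for the limitations above: farm behavior level, certificate expiry, what the OIDC discovery document actually advertises, and mapping the missing OIDC claims onto a Web API. This is an added example, not code from the page or from Microsoft; adfs.contoso.example, the API and client identifiers, the 30-day threshold and the claim rule are assumed values.

```powershell
# Added example: operational checks and an OIDC claim-mapping fix for an
# existing farm. Hostnames, identifiers and the threshold are assumed values.
Import-Module ADFS

# --- Version dependency: farm behavior level ---------------------------------
# FBL 1 = Server 2012 R2 behaviour, 3 = 2016, 4 = 2019. An in-place upgraded
# farm stays at the old level until Invoke-AdfsFarmBehaviorLevelRaise is run.
$farm = Get-AdfsFarmInformation
"Current farm behavior level: $($farm.CurrentFarmBehavior)"
$farm.FarmNodes | Format-Table -AutoSize
if ($farm.CurrentFarmBehavior -lt 3) {
    Write-Warning 'FBL below 3: OIDC application groups are not available on this farm.'
}

# --- Operational overhead: certificate lifecycle ------------------------------
# Token-signing/decrypting certificates roll over automatically only while
# AutoCertificateRollover is on; the TLS (service communications) cert never does.
$threshold = (Get-Date).AddDays(30)
Get-AdfsCertificate |
    Where-Object { $_.Certificate.NotAfter -lt $threshold } |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } }
"AutoCertificateRollover: $((Get-AdfsProperties).AutoCertificateRollover)"
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash

# --- OIDC claims and advanced profiles: read the discovery document ----------
$disc = Invoke-RestMethod -Uri 'https://adfs.contoso.example/adfs/.well-known/openid-configuration'
"Claims advertised: $($disc.claims_supported -join ', ')"
"Scopes advertised: $($disc.scopes_supported -join ', ')"
# PAR (RFC 9126), DPoP (RFC 9449) and mTLS-bound tokens (RFC 8705) announce
# themselves through these metadata keys; a missing key means not advertised.
foreach ($key in 'pushed_authorization_request_endpoint',
                 'dpop_signing_alg_values_supported',
                 'tls_client_certificate_bound_access_tokens') {
    $value = if ($disc.PSObject.Properties[$key]) { $disc.$key } else { 'not advertised' }
    "{0}: {1}" -f $key, $value
}

# --- OIDC claims variance: map the missing profile claims yourself -----------
# AD FS emits these claim URIs in JWTs under the short names email, given_name
# and family_name. The rule is attached to the Web API (resource) application.
$profileClaims = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Standard OIDC profile claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@
Set-AdfsWebApiApplication -TargetIdentifier 'https://api.contoso.example' `
    -IssuanceTransformRules $profileClaims
# The id_token only carries these extra claims when the client also holds the
# AD FS-specific allatclaims scope on top of openid.
Set-AdfsApplicationPermission -TargetClientRoleIdentifier 'contoso-portal-web' `
    -TargetServerRoleIdentifier 'https://api.contoso.example' `
    -AddScope 'allatclaims'
```

The discovery check is the quickest way to settle the advanced-profile question for a given farm: the keys for PAR, DPoP and certificate-bound tokens are the standard ones each RFC defines for authorization server metadata, so their absence is a direct answer rather than an inference from version tables.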