AD vs ADFS vs LDAP: Explain it like I'm 5

AD and LDAP contain user attributes e.g. first name, last name, phone number.

They also contain a user login and password and roles (groups) so can be used for authentication and authorisation.

This authentication mainly uses Kerberos.

In the Microsoft world, AD is the main player but if you want a "simple" AD, you can use ADAM / LDS that is essentially an LDAP.

ADFS (an IDP) sits on top of these and provides a federation layer.

Federation is a concept whereby users from company A can authenticate to an application on company B but using their company A credentials.

It uses one of three federation protocols to do this:

  • SAML 2.0
  • WS-Federation
  • OpenID Connect

The result is a SAML token or a JWT (OpenID Connect) that contains a set of attributes from an AD for that user. These list of attributes to provide are configured in ADFS via claims rules and the attributes in the token are referred to as claims.

The first sentence of the above answer isn't fully true - isn't it? LDAP as such is a protocol used by Directory servers including AD(and other directory services like OpenLDAP). If the statement had instead said "LDAP server", I would agree that any directory services server that is LDAP compliant - is a specialized database.

I felt it was important to differentiate (unless I am wrong) since the question asked to explain like a 5 yr old.