Endpoints
Applies To: Active Directory Federation Services (AD FS) 2.0
Endpoints provide access to the federation server functionality of Active Directory Federation Services (AD FS) 2.0, such as token issuance, and the publishing of federation metadata. Depending on the type of endpoint, you can enable or disable the endpoint or control whether the endpoint is published to federation server proxies.
Warning
As a security best practice, you should enable only the endpoints that are necessary to provide clients with access to your federated applications. New endpoints are normally necessary only for custom-developed client applications. Consult with the developer of the client application to determine which endpoints must be enabled before you deploy the client application to your organization.
Built-in endpoints for AD FS 2.0
The following tables contain descriptions of property fields that distinguish the various built-in endpoints that AD FS 2.0 exposes. These tables include the types of endpoints, their methods of client authentication, and the security modes that they use.
Note
Only endpoints that are of the WS-Trust 1.3 or WS-Trust 2005 type can be reconfigured (that is, enabled or disabled) for server or proxy use.
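The following script is an added example, not part of this documentation, that applies the Warning and the Note above with the AD FS 2.0 Windows PowerShell snap-in: it lists every built-in endpoint with the property fields described in the tables below, then brings the reconfigurable WS-Trust endpoints into line with an allowlist of endpoints that must stay enabled and published to the proxy. It assumes the Get-ADFSEndpoint, Enable-ADFSEndpoint, Disable-ADFSEndpoint and Set-ADFSEndpoint cmdlets and the Protocol, ClientCredentialType, SecurityMode, Enabled, Proxy and AddressPath properties of the endpoint objects; the two allowlists and the string values matched against Protocol and ClientCredentialType are hypothetical and should be checked against the output of Get-ADFSEndpoint on your own federation server.

```powershell
# Added example (not from the AD FS 2.0 documentation): audit the built-in
# endpoints and reduce the enabled set to an allowlist, as the Warning above
# recommends. Assumes the AD FS 2.0 snap-in and its Get-/Enable-/Disable-/
# Set-ADFSEndpoint cmdlets. Without -Apply the script only reports.
param(
    [switch]$Apply
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Hypothetical allowlist: AddressPath values of WS-Trust endpoints that must
# stay enabled. Every other WS-Trust endpoint is disabled.
$keepEnabled = @(
    '/adfs/services/trust/13/windowsmixed',
    '/adfs/services/trust/13/usernamemixed'
)
# Hypothetical allowlist: WS-Trust endpoints that may be published to the proxy.
$keepOnProxy = @(
    '/adfs/services/trust/13/usernamemixed'
)

$endpoints = Get-ADFSEndpoint

# 1. Report every endpoint with the fields the tables on this page describe.
$endpoints |
    Sort-Object Protocol, AddressPath |
    Format-Table Protocol, ClientCredentialType, SecurityMode, Enabled, Proxy, AddressPath -AutoSize

# 2. Only WS-Trust 1.3 / WS-Trust 2005 endpoints can be reconfigured (see the
#    Note above). The 'WS-Trust*' pattern is an assumption about the Protocol
#    property's display string.
$reconfigurable = $endpoints | Where-Object { $_.Protocol -like 'WS-Trust*' }

foreach ($ep in $reconfigurable) {
    $path          = $ep.AddressPath
    $wanted        = $keepEnabled -contains $path
    $wantedOnProxy = $keepOnProxy -contains $path

    if ($ep.Enabled -and -not $wanted) {
        Write-Host "DISABLE   $path ($($ep.ClientCredentialType), $($ep.SecurityMode))"
        if ($Apply) { Disable-ADFSEndpoint -TargetAddressPath $path }
    }
    elseif (-not $ep.Enabled -and $wanted) {
        Write-Host "ENABLE    $path"
        if ($Apply) { Enable-ADFSEndpoint -TargetAddressPath $path }
    }

    # Proxy publication is controlled separately from enable/disable.
    if ($ep.Proxy -ne $wantedOnProxy) {
        $action = if ($wantedOnProxy) { 'PUBLISH  ' } else { 'UNPUBLISH' }
        Write-Host "$action $path on proxy"
        if ($Apply) { Set-ADFSEndpoint -TargetAddressPath $path -Proxy $wantedOnProxy }
    }
}

# 3. Flag enabled endpoints that are published to the proxy and accept a
#    password credential (Clear Password or Digest Password in the table
#    below); matching on '*Password*' is an assumption about the property value.
$endpoints | Where-Object {
    $_.Enabled -and $_.Proxy -and ($_.ClientCredentialType -like '*Password*')
} | ForEach-Object {
    Write-Warning "Password-accepting endpoint published to proxy: $($_.AddressPath) [$($_.SecurityMode)]"
}
```

Run the script once without -Apply, compare the DISABLE and UNPUBLISH lines against the endpoints your client applications actually need (the Warning above recommends confirming this with the application developer), then run it again with -Apply. Because the federation metadata, passive and artifact resolution endpoints are not reconfigurable, step 2 leaves them untouched and only the report in step 1 and the check in step 3 cover them.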
Endpoint type
Name | Description |
---|---|
WS-Trust 1.3 | Indicates an endpoint that is based on a standard Simple Object Access Protocol (SOAP)-based protocol for issuing security tokens. For more information, see the OASIS Web site (https://go.microsoft.com/fwlink/?LinkID=74080). |
WS-Trust 2005 | Indicates an endpoint that is based on an older, prestandard, SOAP-based protocol for issuing security tokens that was published for use in 2005. |
WS-Federation Passive / SAML Web SSO | Indicates an endpoint that is used to support protocols that redirect Web browser clients to issue security tokens. |
Federation Metadata | Indicates an endpoint of a standard format for exchanging metadata about a claims provider or a relying party. For more information, see the OASIS Web site (https://go.microsoft.com/fwlink/?LinkID=74080). |
SAML Artifact Resolution | Indicates an endpoint that is based on the part of the Security Assertion Markup Language (SAML) version 2.0 protocol that describes how a relying party can retrieve a token directly from a claims provider. For more information about this endpoint, see The Role of the AD FS Configuration Database (https://go.microsoft.com/fwlink/?LinkId=181111) in the AD FS 2.0 Design Guide. |
WS-Trust WSDL | Indicates an endpoint that publishes Web Services Definition Language (WSDL). |
Client credential type
Name | Description |
---|---|
Client Certificate | Indicates that the client authenticates with an X.509 certificate. |
Digest Password | Indicates that the client authenticates with a password digest. |
Clear Password | Indicates that the client authenticates with a password. |
Windows | Indicates that the client authenticates with Windows Integrated Authentication. |
Kerberos | Indicates that the client authenticates with Kerberos-based authentication. |
Anonymous | Indicates that the client is not authenticated. |
SAML Token (Symmetric) | Indicates that the client uses a SAML token with a symmetric key. |
SAML Token (Asymmetric) | Indicates that the client uses a SAML token with an asymmetric key. |
Security mode
Name | Description |
---|---|
Transport | The client credentials are included at the transport layer. Confidentiality is preserved at the transport layer (Secure Sockets Layer (SSL)). |
Mixed | The client credentials are included in the header of a SOAP message. Confidentiality is preserved at the transport layer (SSL). |
Message | The client credentials are included in the header of a SOAP message. Confidentiality is preserved by encryption inside the SOAP message. |