For a non-Microsoft person, what is ADFS?
ADFS is Microsoft's solution for Single Sign-On and web-based authentication.
It is used primarily to provide a single set of credentials that can access a variety of sites not necessarily hosted within the same domain.
How does it differ to things like LDAP?
LDAP:
- Communicates using TCP/UDP on port 389 (or port 636 for LDAPS).
- Contains commands for searching/retrieving/adding/deleting/modifying users, profiles and other directory entries.
- Cannot be performed directly by a web browser; however, HTTP authentication can be translated to LDAP using things like Apache's mod_authnz_ldap.
- When used for third-party website authentication, requires that the username & password are provided to the third party, which is not ideal for security.
- Is more of an open standard and has numerous Linux implementations.
ADFS:
- Better designed for the web as it communicates over standard HTTPS.
- Follows a safer process similar (but not identical) to OAuth, where the original username/password are provided directly to the organisation's ADFS server (or a proxy, but not the third party), which, if they are valid, returns a unique token that can be used to access a third-party website.
- Although it does make use of certain open standards (HTTPS, SAML etc.), it is Microsoft-specific and requires Internet Information Services (IIS), which only runs on Windows Servers.
See also this answer on the subject.
How does it work? What kind of information would be included in a typical request to an ADFS server? Is it designed for both authentication and authorization?
It works by having a single site (site A) that hosts the ADFS / ADFS proxy servers, which has access to the credentials (usually by communicating with an Active Directory Domain Controller). It is then given a trust between other sites (sites B & C) that require authenticating through the ADFS.
When a user attempts to access site B in their browser, the site redirects the user to the ADFS-proxy website (site A), which asks for their username & password, authenticates them, returns a set of cookies for remembering them, and redirects them back to site B, along with an access token.
If the user then attempts to visit site C, they will also get redirected to site A for authentication from the ADFS-proxy website. If the right cookies exist, the user will not be required to enter their password again, but will instantly be redirected back to site C with a token.
The ADFS can be configured with specific claims (or permissions) for the user, for authorization purposes. So it can serve both roles. (Note the difference between authentication and authorization.)
Some people prefer not to use it for authorization but instead keep the permissions management in the third-party website. The obvious downside is that both site A & B need to keep track of user accounts, whereas in the scenario where ADFS handles both, only the ADFS needs to be aware of the users.
Are ADFS servers typically accessible from the internet (whereas corporate AD domain controllers would not be)?
Yes, nearly always. ADFS is based on the notion that it will be primarily used for website authentication, and is built around IIS.
The ADFS-proxy site is the one that is usually accessible from the internet. However, the ADFS itself is not. The ADFS is generally a separate server from the ADFS-proxy.
- ADFS: Server that links to the credentials, and has the claims configuration as well as the trusts. Generally not publicly accessible.
- ADFS-proxy: Server that hosts the IIS instance that has the login pages for the websites requiring authentication. Communicates back to the ADFS when requiring authentication. Generally publicly accessible.
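The redirect flow described in the answer (site B redirects to site A, site A checks the password and sets a cookie, the browser comes back with a token, and site C later gets a token without a second password prompt), together with the claims-based authorisation point, as an added Python model that is not part of the original answer or of ADFS itself. The parameter names `wtrealm`/`wresult` and the cookie name `MSISAuth` are borrowed from WS-Federation and ADFS; everything else (the directory contents, the HMAC-signed token format in place of a signed SAML assertion, the shared key, the site URLs) is a constructed stand-in chosen so the exchange can run offline. The relying parties illustrate the checks a defender wants on the token: signature, audience, expiry, and any group claim the site requires.

```python
import hmac, hashlib, json, base64, time, secrets
from urllib.parse import urlencode, parse_qs, urlparse

ADFS_URL = "https://adfs.example/adfs/ls/"          # constructed: site A (the ADFS-proxy login page)
ADFS_SIGNING_KEY = b"demo-signing-key-not-real"     # constructed; real ADFS signs with an X.509 key pair
# Constructed stand-in for the Active Directory the ADFS consults; never exposed to sites B/C.
DIRECTORY = {"alice": {"password": "correct horse", "groups": ["finance"]}}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AdfsServer:
    """Site A: the only party that sees the password; issues signed tokens carrying claims."""
    def __init__(self):
        self.sessions = {}            # MSISAuth cookie value -> username ("remember me" cookies)
        self.trusts = {"https://siteB.example/", "https://siteC.example/"}   # relying-party trusts
        self.password_checks = 0      # counts how often a password was actually prompted for

    def login(self, realm, cookies, username=None, password=None):
        """Handle a sign-in redirect; returns (redirect-back URL with token, cookies to set)."""
        if realm not in self.trusts:
            raise PermissionError("no relying-party trust configured for " + realm)
        user = self.sessions.get(cookies.get("MSISAuth"))
        if user is None:                            # no valid cookie: check the password here
            self.password_checks += 1
            entry = DIRECTORY.get(username)
            if entry is None or not hmac.compare_digest(entry["password"], password or ""):
                raise PermissionError("bad credentials")
            user = username
            cookie = secrets.token_urlsafe(16)
            self.sessions[cookie] = user
            cookies = {"MSISAuth": cookie}
        return realm + "?" + urlencode({"wresult": self.issue_token(user, realm)}), cookies

    def issue_token(self, user, audience):
        """Claims are bound to one relying party (aud) and a short lifetime (exp), then signed."""
        claims = {"sub": user, "aud": audience, "exp": int(time.time()) + 300,
                  "groups": DIRECTORY[user]["groups"]}
        body = b64(json.dumps(claims, sort_keys=True).encode())
        sig = b64(hmac.new(ADFS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        return body + "." + sig

class RelyingParty:
    """Site B or C: never handles the password; validates the token and applies its own policy."""
    def __init__(self, url, required_group=None):
        self.url, self.required_group = url, required_group

    def access(self, request_url):
        """('redirect', login_url) when no token is present, else ('ok', username)."""
        qs = parse_qs(urlparse(request_url).query)
        if "wresult" not in qs:
            return "redirect", ADFS_URL + "?" + urlencode({"wtrealm": self.url})
        return "ok", self.verify(qs["wresult"][0])

    def verify(self, token):
        body, _, sig = token.partition(".")
        expected = b64(hmac.new(ADFS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")
        claims = json.loads(unb64(body))
        if claims["aud"] != self.url:
            raise PermissionError("token was issued for a different site")
        if claims["exp"] < time.time():
            raise PermissionError("token expired")
        if self.required_group and self.required_group not in claims["groups"]:
            raise PermissionError("authenticated, but not authorised for this site")
        return claims["sub"]

def run_demo():
    """Walk the browser through sites B and C and report what each step observed."""
    adfs, out = AdfsServer(), {}
    site_b = RelyingParty("https://siteB.example/")
    site_c = RelyingParty("https://siteC.example/", required_group="finance")   # claim-based authz
    # 1. First visit to site B: no token, so site B redirects to site A.
    status, login_url = site_b.access(site_b.url)
    out["siteB_first"] = status
    realm = parse_qs(urlparse(login_url).query)["wtrealm"][0]
    # 2. Site A checks the password and hands back a cookie plus a redirect carrying the token.
    back_url, cookies = adfs.login(realm, {}, "alice", "correct horse")
    out["siteB_user"] = site_b.access(back_url)[1]
    # 3. Site C also redirects to site A, but the cookie means no second password prompt.
    _, login_url = site_c.access(site_c.url)
    realm = parse_qs(urlparse(login_url).query)["wtrealm"][0]
    back_url, _ = adfs.login(realm, cookies)
    out["siteC_user"] = site_c.access(back_url)[1]
    out["password_prompts"] = adfs.password_checks
    # 4. A token minted for site B must not be accepted by site C (audience check).
    token_for_b = parse_qs(urlparse(adfs.login(site_b.url, cookies)[0]).query)["wresult"][0]
    try:
        site_c.verify(token_for_b)
        out["wrong_audience_rejected"] = False
    except PermissionError:
        out["wrong_audience_rejected"] = True
    return out

if __name__ == "__main__":
    print(run_demo())
```

The split between `AdfsServer` and `RelyingParty` mirrors the answer's point about LDAP: with the token model, sites B and C only ever hold the signing material needed to verify tokens, never the user's password, and revoking or changing a password happens in one place.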