3.1 Overview

The AD FS authentication process involves the following components and steps:

With the AD FS Adapter OAuth installed and configured on AD FS to provide either primary or additional authentication for a Relying Party Trust, a user starts the authentication process by trying to access the Relying Party Trust service and entering their email address at the login screen.

AD FS asks the AD FS Adapter OAuth whether the email address provided is one it recognizes. The AD FS Adapter OAuth currently assumes all email addresses passed to it are acceptable; it does not check the address against a list of known users at this stage, and the user's identity is established by the FIDO authentication that follows. AD FS then starts the authentication process, calling into the AD FS Adapter OAuth and passing in the claim containing the user's email address.

The AD FS Adapter OAuth then starts the authentication process by displaying a web page, which posts to the ADFS Auth web service the information that will be needed later to complete the authentication process with AD FS. The ADFS Auth web service stores this information, whereupon the AD FS Adapter OAuth requests an authorization from the web.oauth2.ext standalone authentication web service.

The standalone authentication web service then takes the user through the authentication process; the user confirms their identity using their registered FIDO authenticator. The authentication web service then redirects to the ADFS Auth web service, passing it the result of the authentication process. The ADFS Auth web service retrieves the information it stored at the start of the process, then passes it back to the AD FS Adapter OAuth along with the result of the authentication process. If the authentication process successfully provided an authorization code, the AD FS Adapter OAuth uses this to obtain an identity token from the standalone authentication web service.

The token is then validated. If validation succeeds, the claims required for a successful AD FS authentication are returned by the AD FS Adapter OAuth to AD FS, and AD FS allows access to the Relying Party Trust.