AD FS, MS Identity Platform, Windows Identity Foundation - what do I need?

Michael Brooks 1 Reputation point
2022-02-18T12:15:57.287+00:00

Microsoft technologies evolve over time and that's fine for those who have followed them from the start and seen the evolution. For those of us coming fresh some time down the path, the relationships are not always clear and we can get confused about what we should be using. This is further complicated in the real world where we have customers running ancient environments who need enhancements but aren't willing or able to upgrade their infrastructure to the latest (yes, many of them are still resisting moving to managed cloud infrastructure).
I have been frantically trying to learn all I can about AD FS and its support for OIDC and OAuth2 for a project for a customer who's still stuck in the dark ages of Windows Server 2012 R2. All was going well enough - tokens, claims, claims engine processing the claim pipeline and either accepting or rejecting claims so as to decide whom to permit access to server resources (Web applications and APIs). Then I came across pages for Windows Identity Foundation talking about making applications and services claims-aware (https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/windows-identity-foundation/wif-overview?redirectedfrom=MSDN).

Up to this point I had been happily labouring under the impression that because Web applications and APIs are resources about which AD FS is aware, AD FS itself can take full responsibility for allowing or blocking access to the Web application or API when a request reaches IIS. But the mention of making applications claims-aware throws this into doubt. Do I need to enhance the Web applications and APIs so that they themselves examine the claims and make the decision as to whether or not to service each request, or is this merely optional capability that I can add in order to support a more nuanced approach than the simple allow/block performed by AD FS?

Also, is WIF server-side only or is it also an alternative to the MS Identity Platform client-side?

Finally, the above-mentioned page also discussed that Federated Identity has three pillars: AD FS, Windows Azure Access Control Services, and WIF. Since my customer is not yet in a position to incorporate any cloud offerings into their ecosystem, I just want to confirm an impression I had already formed, which is that I can employ AD FS and OIDC and OAuth2 without any Azure involvement?

Thanks in advance.
Michael
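The following is an added example, not code from the question or from Microsoft, showing what a "claims-aware" API does with a token that AD FS has issued: it first authenticates the token (signature, algorithm, issuer, audience, lifetime) and only then makes its own authorization decision on the claims inside. The issuer, audience and group names are constructed placeholders, and the HMAC shared key stands in for the RSA token-signing certificate a real AD FS deployment uses, so that the example runs offline with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions), not real AD FS endpoints or keys.
ISSUER = "https://adfs.example.test/adfs"          # hypothetical AD FS issuer
AUDIENCE = "api://orders-api"                      # hypothetical relying-party identifier
SIGNING_KEY = b"demo-shared-secret-not-for-production"  # stands in for the token-signing cert


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact JWT with an HMAC-SHA256 signature (stands in for AD FS's RSA signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes = SIGNING_KEY, issuer: str = ISSUER,
                   audience: str = AUDIENCE, now=None) -> dict:
    """Authenticate the token. Raises ValueError on any failure; returns the claims otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, never the token, picks the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    return claims


def authorize(claims: dict, required_group: str) -> bool:
    """Application-level decision: AD FS said who the caller is; the app decides what they may do."""
    groups = claims.get("groups", [])
    if isinstance(groups, str):  # a single-valued claim is serialized as a bare string
        groups = [groups]
    return required_group in groups


def handle_request(token: str, required_group: str, now=None) -> tuple:
    """Return (HTTP status, reason) the way a claims-aware API would for one request."""
    try:
        claims = validate_token(token, now=now)
    except ValueError as err:
        return 401, str(err)            # not authenticated: bad or foreign token
    if not authorize(claims, required_group):
        return 403, f"{claims.get('upn', '?')} lacks group {required_group}"
    return 200, f"ok for {claims.get('upn')}"


if __name__ == "__main__":
    now = int(time.time())
    token = make_token({"iss": ISSUER, "aud": AUDIENCE, "upn": "alice@example.test",
                        "groups": ["OrdersReaders"], "nbf": now - 60, "exp": now + 600})
    print(handle_request(token, "OrdersReaders"))
    print(handle_request(token, "OrdersAdmins"))
```

The split between `validate_token` and `authorize` is the point: the federation server vouches for identity and the claims it put in the token, but the resource still has to verify that token and apply its own rules (here a group claim), which is what "claims-aware" amounts to in practice.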
