Endpoints

Applies To: Active Directory Federation Services (AD FS) 2.0

Endpoints provide access to the federation server functionality of Active Directory Federation Services (AD FS) 2.0, such as token issuance and the publishing of federation metadata. Depending on the type of endpoint, you can enable or disable the endpoint and control whether it is published to federation server proxies (that is, whether clients on the Internet can reach it through the proxy).

Warning

As a security best practice, enable only the endpoints that are necessary to provide clients with access to your federated applications, and publish to the proxy only the endpoints that external clients actually use. Every enabled endpoint is an additional authentication surface that accepts credentials or tokens; an endpoint published to the proxy is reachable from the Internet. Additional endpoints are normally necessary only for custom-developed client applications. Consult with the developer of the client application to determine which endpoints must be enabled before you deploy the client application to your organization.

Built-in endpoints for AD FS 2.0

The following tables describe the property fields that distinguish the built-in endpoints that AD FS 2.0 exposes: the endpoint type, the method of client authentication (client credential type), and the security mode that each endpoint uses.

Note

Only endpoints that are of the WS-Trust 1.3 or WS-Trust 2005 type can be reconfigured (that is, enabled or disabled) for server or proxy use.

Endpoint type

Name Description

WS-Trust 1.3

Indicates an endpoint that implements the OASIS WS-Trust 1.3 standard, a Simple Object Access Protocol (SOAP)-based protocol for requesting and issuing security tokens. For more information, see the OASIS Web site (https://go.microsoft.com/fwlink/?LinkID=74080).

WS-Trust 2005

Indicates an endpoint that implements the older, prestandard version of the WS-Trust SOAP protocol for issuing security tokens that was published in 2005. It exists for compatibility with clients that predate WS-Trust 1.3.

WS-Federation Passive / SAML Web SSO

Indicates an endpoint that supports the browser-based (passive) protocols, WS-Federation passive requestor profile and SAML 2.0 Web Browser SSO, in which a Web browser client is redirected to the federation server to obtain a security token and then redirected back to the relying party with it.

Federation Metadata

Indicates an endpoint that publishes, in a standard format, the metadata that describes this federation service as a claims provider or a relying party (such as its endpoint addresses and its token-signing and encryption certificates), so that partners can configure trust from it. For more information, see the OASIS Web site (https://go.microsoft.com/fwlink/?LinkID=74080).

SAML Artifact Resolution

Indicates an endpoint that implements the part of the Security Assertion Markup Language (SAML) version 2.0 protocol in which a relying party receives only a short artifact through the browser and then retrieves the corresponding token directly from the claims provider over a back-channel SOAP call. AD FS stores issued artifacts in the AD FS configuration database.

For more information about the configuration database considerations for this endpoint, see The Role of the AD FS Configuration Database (https://go.microsoft.com/fwlink/?LinkId=181111) in the AD FS 2.0 Design Guide.

WS-Trust WSDL

Indicates an endpoint that publishes the Web Services Description Language (WSDL) document describing the WS-Trust endpoints, so that clients can discover their bindings and security requirements (the metadata exchange, or MEX, endpoint).

Client credential type

Name Description

Client Certificate

Indicates that the client authenticates with an X.509 certificate (certificate-based authentication).

Digest Password

Indicates that the client authenticates with a password digest rather than by sending the password itself.

Clear Password

Indicates that the client authenticates with a user name and password sent in clear text inside the message; the password is protected only by the endpoint's security mode (transport or message encryption).

Windows

Indicates that the client authenticates with Windows Integrated Authentication (Kerberos or NTLM, negotiated with the server).

Kerberos

Indicates that the client authenticates with Kerberos-based authentication.

Anonymous

Indicates that the client is not authenticated.

SAML Token (Symmetric)

Indicates that the client presents a SAML token as its credential and proves possession of it with a symmetric key.

SAML Token (Asymmetric)

Indicates that the client presents a SAML token as its credential and proves possession of it with an asymmetric (public/private) key.

Security mode

Name Description

Transport

The client credentials are presented at the transport layer (for example, a client certificate or Windows authentication negotiated over HTTPS). Confidentiality is preserved at the transport layer (Transport Layer Security (TLS), referred to here as Secure Sockets Layer (SSL)).

Mixed

The client credentials are included in the header of the SOAP message (WS-Security). Confidentiality is preserved at the transport layer (SSL), so the transport connection is the only thing protecting a credential such as a password on the wire.

Message

The client credentials are included in the header of the SOAP message. Confidentiality is preserved by encryption inside the SOAP message itself (WS-Security message encryption with the federation server's certificate), independent of the transport.
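The following PowerShell script is an added example, not part of the original AD FS 2.0 documentation, that applies the guidance in the warning above (enable only the endpoints that known clients need, publish even fewer to the proxy) and the note that only WS-Trust 1.3 and WS-Trust 2005 endpoints are reconfigured. It uses the Get-ADFSEndpoint, Enable-ADFSEndpoint, Disable-ADFSEndpoint and Set-ADFSEndpoint cmdlets of the AD FS 2.0 Microsoft.Adfs.PowerShell snap-in. The two allowlists are hypothetical and must be replaced with the endpoints your own client applications require; the endpoint object property names used for filtering (AddressPath, Enabled, Proxy, Protocol, SecurityMode, ClientCredentialType) are assumed from the snap-in's output and should be checked against Get-ADFSEndpoint on your server.

```powershell
# Added example (not from the AD FS 2.0 documentation). Run on a federation
# server as an AD FS administrator with the AD FS 2.0 snap-in installed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Hypothetical allowlist: WS-Trust endpoints that this deployment's clients need.
$requiredWsTrust = @(
    '/adfs/services/trust/13/windowstransport',   # Windows auth, Transport security mode
    '/adfs/services/trust/13/certificatemixed'    # client certificate, Mixed security mode
)

# Hypothetical subset of the above that must also be reachable through the
# federation server proxy (that is, from the Internet).
$proxyPublished = @(
    '/adfs/services/trust/13/certificatemixed'
)

# 1. Inventory every built-in endpoint with the three distinguishing properties
#    described in the tables above, plus its current state and proxy flag.
Get-ADFSEndpoint |
    Sort-Object Protocol, AddressPath |
    Format-Table AddressPath, Protocol, SecurityMode, ClientCredentialType, Enabled, Proxy -AutoSize

# 2. Select only the WS-Trust 1.3 and WS-Trust 2005 endpoints by their address
#    prefix (assumption: /adfs/services/trust/13/* and /adfs/services/trust/2005/*).
#    The WSDL endpoint (/adfs/services/trust/mex) is deliberately not matched.
$wsTrust = Get-ADFSEndpoint | Where-Object {
    $_.AddressPath -like '/adfs/services/trust/13/*' -or
    $_.AddressPath -like '/adfs/services/trust/2005/*'
}

foreach ($ep in $wsTrust) {
    $path = $ep.AddressPath
    if ($requiredWsTrust -contains $path) {
        # Needed by a known client: make sure it is enabled ...
        if (-not $ep.Enabled) {
            Write-Host "Enabling          $path"
            Enable-ADFSEndpoint -TargetAddressPath $path
        }
        # ... and published to the proxy only if an external client uses it.
        $wantProxy = [bool]($proxyPublished -contains $path)
        if ($ep.Proxy -ne $wantProxy) {
            Write-Host "Setting Proxy=$wantProxy $path"
            Set-ADFSEndpoint -TargetAddressPath $path -Proxy $wantProxy
        }
    }
    elseif ($ep.Enabled) {
        # Not on the allowlist: disable it so it no longer accepts requests.
        Write-Host "Disabling         $path"
        Disable-ADFSEndpoint -TargetAddressPath $path
    }
}

# 3. Report anything still enabled and proxy-published that takes a user name
#    and password in the SOAP header (the *username* paths use the Clear
#    Password credential type with the Mixed security mode), because those are
#    the endpoints most exposed to password guessing from the Internet.
Get-ADFSEndpoint |
    Where-Object { $_.Enabled -and $_.Proxy -and $_.AddressPath -like '*username*' } |
    ForEach-Object {
        Write-Warning ("Password endpoint published to proxy: {0} ({1}, {2})" -f `
            $_.AddressPath, $_.SecurityMode, $_.ClientCredentialType)
    }
```

Run the inventory step on its own first and review the output before letting the script change anything; changes made with Set-ADFSEndpoint take effect for the federation service immediately, and a disabled endpoint that a client still depends on will break that client's sign-in. Re-run the inventory afterward to confirm the resulting state matches the allowlists.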