What is VDS (Virtual Directory Server)?

AKA: Windows LDAP Middleware

VDS is a powerful tool to customize your identity infrastructure and to integrate it with your overall architecture. VDS was designed to overcome the limitations of identity data repositories and identity consuming applications by creating a highly versatile layer between them. VDS functions as an LDAP proxy, as well as providing a virtual directory facility. In addition to its extensive support for the LDAP protocol, VDS offers support for a number of other protocols as well, making it a valuable tool for developers and administrators alike.

What can you do with VDS?

VDS is an open platform that allows you to customize and program a wide variety of actions. As a result, the number of things you can do with VDS is virtually endless. The following is not a complete list, but it will give you an idea of how VDS is currently being used:

  • Mapping of attributes, values and suffixes
  • Integrating multiple directories
  • Joining of directory and identity data
  • Access control
  • Validating data before it gets written to the Directory
  • Operation target routing (i.e. route read requests to replicas, route write requests to master servers)
  • Data distribution / Partitioning
  • Creating virtual directories that span multiple data sources
  • Enforcing referential integrity
  • Triggering external actions
  • Integrating directories with web services (XML / SOAP)
  • Integrating or enabling single-sign-on architectures
  • Operation load balancing
  • Failover
  • Extended operation filtering
  • Filter processing
  • Backend monitoring / health checking
  • And many more
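Several of the items above (suffix and attribute mapping, routing reads to replicas and writes to the master, failover, and validating data before it is written) are the core of what an LDAP middleware layer does. The following is an added example, not VDS code, that models those functions in Python over constructed request dictionaries instead of real LDAP traffic; the hostnames, suffixes, attribute names and validation rules are all assumptions made for the example.

```python
# Added example (not VDS code): a toy LDAP-middleware layer showing suffix and
# attribute mapping, read/write routing with failover, and pre-write validation.
# Hostnames, suffixes, attribute names and rules below are constructed.
import re

MASTER = "ldap-master.example.test"                                  # constructed
REPLICAS = ["ldap-replica1.example.test", "ldap-replica2.example.test"]

# Left: the virtual namespace clients see. Right: what the backend actually stores.
SUFFIX_MAP = {"dc=virtual,dc=example": "o=Corp,c=US"}
ATTR_MAP = {"uid": "sAMAccountName", "mail": "userPrincipalName"}

READ_OPS = {"search", "compare"}
WRITE_OPS = {"add", "modify", "delete", "modrdn"}

# Only these client-facing attributes may be written through the proxy, and
# each value must match its shape check before the write is forwarded.
WRITE_RULES = {
    "uid": re.compile(r"^[a-z][a-z0-9._-]{0,31}$"),
    "mail": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "cn": re.compile(r"^[^\x00-\x1f]{1,64}$"),
}


class Middleware:
    def __init__(self):
        # Health state normally comes from backend monitoring; here it is a flag.
        self.healthy = {host: True for host in REPLICAS + [MASTER]}
        self._next_replica = 0

    def map_dn(self, dn):
        """Rewrite the virtual suffix to the backend suffix (case-insensitive)."""
        for virtual, real in SUFFIX_MAP.items():
            if dn.lower().endswith(virtual.lower()):
                return dn[: len(dn) - len(virtual)] + real
        raise ValueError("DN outside the virtual namespace: " + dn)

    def map_attrs(self, attrs):
        """Rename client-facing attribute names to the backend's names."""
        return {ATTR_MAP.get(name, name): value for name, value in attrs.items()}

    def validate(self, attrs):
        """Refuse a write before it reaches the directory if an attribute is not
        writable through the proxy or its value fails the shape check."""
        for name, value in attrs.items():
            rule = WRITE_RULES.get(name)
            if rule is None:
                raise ValueError("attribute not writable through proxy: " + name)
            if not rule.match(value):
                raise ValueError("malformed value for " + name)

    def route(self, op):
        """Writes always go to the master; reads round-robin over healthy
        replicas and fall back to the master when no replica is healthy."""
        if op in WRITE_OPS:
            if not self.healthy[MASTER]:
                raise RuntimeError("master unavailable; refusing write")
            return MASTER
        if op in READ_OPS:
            live = [r for r in REPLICAS if self.healthy[r]]
            if not live:
                return MASTER
            target = live[self._next_replica % len(live)]
            self._next_replica += 1
            return target
        raise ValueError("unsupported operation: " + op)

    def handle(self, request):
        """Turn a client request into the request the backend will receive."""
        op = request["op"]
        attrs = request.get("attrs", {})
        if op in WRITE_OPS:
            self.validate(attrs)  # validation uses the client-facing names
        return {
            "target": self.route(op),
            "op": op,
            "dn": self.map_dn(request["dn"]),
            "attrs": self.map_attrs(attrs),
        }


if __name__ == "__main__":
    mw = Middleware()
    print(mw.handle({"op": "search", "dn": "ou=people,dc=virtual,dc=example"}))
    print(mw.handle({"op": "modify",
                     "dn": "uid=jdoe,ou=people,dc=virtual,dc=example",
                     "attrs": {"mail": "jdoe@example.test"}}))
```

Validation runs against the names the client used, before the attribute rename, so the rules are written once in the virtual schema rather than per backend. Marking a replica unhealthy is enough to take it out of the read rotation, and when every replica is down reads fall through to the master rather than failing.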

What is ADFS (Active Directory Federation Services)?

AD FS is a standards-based service that allows the secure sharing of cloud identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.

What can you do with ADFS?

The following is a brief list of the major benefits of using AD FS:

  • Web single sign-on (SSO)
    AD FS provides Web SSO to federated partners outside your organization, which enables their users to have an SSO experience when they access your organization’s Web-based applications.
  • Web Services (WS)-* interoperability
    AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS follows the WS-Federation specification (for passive clients; that is, browsers), which makes it possible for environments that do not use the Windows identity model to federate with Windows environments.
  • Partner user account management not required
    The federated partner's Identity Provider (IP) sends claims that reflect its users' identity, groups, and attribute data. Therefore, your organization no longer needs to revoke, change, or reset the credentials for the partner's users, since the credentials are managed by the partner organization. Additionally, if a partnership needs to be terminated, it can be performed with a single trust policy change. Without AD FS, individual accounts for each partner user would need to be deactivated.
  • Claim mapping
    Claims are defined in terms that each partner understands and appropriately mapped in the AD FS trust policy for exchange between federation partners.
  • Centralized federated partner management
    All federated partner management is performed using the AD FS Microsoft Management Console (MMC) snap-in.
  • Extensible architecture
    AD FS provides an extensible architecture for claim augmentation, for example, adding or modifying claims using custom business logic during claims processing. Organizations can use this extensibility to modify AD FS to finely support their business policies.
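The trust policy described above does three jobs for the hosting partner: it decides which issuers are trusted at all, it maps the partner's incoming claims into claim types the local application understands, and it lets a partnership be ended with one policy change. The following is an added example, not AD FS code and not its claim-rule language, that models those jobs in Python; the issuer URL, claim type URIs, group names and application paths are constructed for the example.

```python
# Added example (not AD FS code or claim-rule syntax): a model of a hosting
# partner's trust policy applied to incoming federation claims. All issuer,
# claim-type and group names below are constructed.

# Claim types the partner's identity provider asserts (constructed URIs).
PARTNER_NAME = "http://claims.partner.example/name"
PARTNER_GROUP = "http://claims.partner.example/group"
# Claim types the local Web application understands (constructed URIs).
LOCAL_NAME = "http://claims.hosting.example/name"
LOCAL_ROLE = "http://claims.hosting.example/role"

# Trust policy keyed by trusted issuer. Each accepted incoming claim type maps
# to (local claim type, value map); a value map restricts which values pass,
# while None passes the value through unchanged. Anything not listed is dropped.
TRUST_POLICY = {
    "https://fs.partner.example/adfs/services/trust": {
        PARTNER_NAME: (LOCAL_NAME, None),
        PARTNER_GROUP: (LOCAL_ROLE, {"Engineering": "Developers",
                                     "Support": "Helpdesk"}),
    }
}

# Which local roles the application accepts for each path (constructed).
APP_ACCESS = {"/build": {"Developers"}, "/tickets": {"Developers", "Helpdesk"}}


class FederationError(Exception):
    """Raised when a token comes from an issuer the trust policy does not list."""


def map_claims(token, policy=TRUST_POLICY):
    """Apply the trust policy to an incoming token.

    Tokens from untrusted issuers are rejected outright. Incoming claim types
    that the policy does not mention never reach the application, even if the
    partner asserted a local claim type directly; group values outside the value
    map are dropped as well. Surviving claims are renamed into local types.
    """
    rules = policy.get(token["issuer"])
    if rules is None:
        raise FederationError("issuer not in trust policy: " + token["issuer"])
    local = []
    for claim_type, value in token["claims"]:
        rule = rules.get(claim_type)
        if rule is None:
            continue
        out_type, value_map = rule
        if value_map is None:
            local.append((out_type, value))
        elif value in value_map:
            local.append((out_type, value_map[value]))
    return local


def authorize(local_claims, path):
    """The application decides on mapped local claims only, never raw ones."""
    roles = {value for claim_type, value in local_claims if claim_type == LOCAL_ROLE}
    return bool(roles & APP_ACCESS.get(path, set()))


def terminate_partnership(policy, issuer):
    """Ending a federation is one policy change: every token from that issuer
    is refused afterwards, with no per-user account cleanup."""
    return {k: v for k, v in policy.items() if k != issuer}


if __name__ == "__main__":
    token = {  # constructed incoming token from the partner's IP
        "issuer": "https://fs.partner.example/adfs/services/trust",
        "claims": [(PARTNER_NAME, "alice"),
                   (PARTNER_GROUP, "Engineering"),
                   (PARTNER_GROUP, "Domain Admins"),   # not in the value map
                   (LOCAL_ROLE, "Administrators")],    # local type asserted directly
    }
    mapped = map_claims(token)
    print(mapped)
    print("/build:", authorize(mapped, "/build"), "/admin:", authorize(mapped, "/admin"))
```

The point to notice is that the application only ever sees claims the trust policy produced: a partner cannot grant its users a local role by asserting the local claim type itself, because that type is not an input the policy maps, and a partner group with no mapping simply disappears rather than leaking through under its original name.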