ADFS 2.0 - what would be the benefit of using AD LDS

Experts,

A friend of mine works for a company that has ADFS 2.0 implemented and federates with vendors.

They are integrating LDS with their ADFS setup.

Question: What does the LDS do for ADFS? I'm assuming that if they are doing LDS, then they are not doing AD DS with ADFS. What could be some of the reasons why they would do LDS over AD DS?

Please just real explanations from experts and no links.
trojan81Asked:

ChrisCommented:
With ADFS 1.0 they might have been using it for segregated authentication, i.e. a different directory structure to store users, to minimise exposure to their internal AD.

AD LDS is not supported for this function within ADFS 2.0, so I think it can only be used as an attribute store.
0
trojan81Author Commented:
irweazelwallis,
Appreciate your input. Indeed, I think they are using LDS as an attribute store. Is the purpose of LDS to return attributes to the claims requester?

Example: vendor B needs to know the user's email address, postal address, and department. The LDS job is to return those attributes to the claims requester?
0
ChrisCommented:
Yes, that's what it's doing.
I know you asked me not to paste links, but this MSDN one does a much better job of explaining with an example than I can write in here:

http://msdn.microsoft.com/en-us/library/ee895358.aspx
0
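As an added illustration of the attribute-store role discussed above (this is not code from the thread or from the MSDN article), the following ADFS 2.0 PowerShell registers an AD LDS instance as an LDAP attribute store and adds a custom issuance rule that looks up mail and department for the authenticated user and emits them as claims for a relying party. The host name, port, base DN, relying-party name and the sAMAccountName filter are assumptions about the LDS schema; adjust them to the real instance.

```powershell
# ADFS 2.0 ships its cmdlets as a PowerShell snap-in (not a module).
Add-PSSnapin Microsoft.Adfs.PowerShell

# Register the AD LDS instance as an LDAP attribute store.
# Assumed values: host lds01.example.internal, port 50000, users container DN.
Add-ADFSAttributeStore -Name "ADLDS" -StoreType LDAP `
    -Configuration @{ "Connection" = "LDAP://lds01.example.internal:50000/OU=Users,DC=example,DC=internal" }

# Custom issuance rule: take the Windows account name already established
# by the AD DS authentication, query the LDS store (assumed LDAP filter on
# sAMAccountName) and issue the returned attributes as claims.
# If the store is unreachable, this rule fails and token issuance fails,
# which is the behaviour described later in the thread.
$ldsRule = @'
@RuleName = "LDS attributes to claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "ADLDS",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.example.internal/claims/department"),
          query = "(sAMAccountName={0});mail,department",
          param = regexreplace(c.Value, "^.*\\", ""));
'@

# Attach the rule to the vendor's relying-party trust (assumed trust name).
Set-ADFSRelyingPartyTrust -TargetName "Vendor B" -IssuanceTransformRules $ldsRule

# Sanity check after the change: the rule text should be on the trust.
(Get-ADFSRelyingPartyTrust -Name "Vendor B").IssuanceTransformRules
```

Only the attributes named in the rule are released to that relying party, so keep the attribute list to the minimum the vendor needs.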

trojan81Author Commented:
Irweazewallis,

Just one more related question. When ADFS goes down, users can still authenticate to 3rd-party apps as long as the AD LDS is up. Does that sound right?
0
ChrisCommented:
If by 3rd-party apps you mean ones hosted behind ADFS, then that doesn't sound right. If ADFS is down then there is nothing to process the claims and pass the authentication to and from the authentication store.
0
trojan81Author Commented:
By 3rd party, I mean apps hosted on vendor sites like box.com.

For example, Company X's ADFS is down, but their users can still log into box.com with their AD credentials. Now, if LDS goes down, they are hosed, even if ADFS is still up. Your thoughts?
0
ChrisCommented:
If the authentication requires attributes to form part of the authentication token, then they're stuffed.
0
trojan81Author Commented:
irweazelwallis, can you elaborate on that last statement? I think you are on to something.
0
ChrisCommented:
We don't use AD LDS in our implementation, but when one of the attribute stores went down, ADFS stopped working and authenticating properly.

So I think two statements should be true:
The attributes form part of the SAML token and are required for authentication.

ADFS requires all its attribute stores to be available to function correctly.
0
