I'm configuring my relying party (a website) to use either ADFS or Azure ACS 2.0.

ADFS 2.0 has some interesting features such as Token Replay prevention (in the SQL version) and may have other SAML security features as well (which I may not understand).

Can someone distill the differences between ADFS and ACS security risks?

For example:

  • Is token replay handled differently in each?
  • Does the difference in protocol support increase or decrease security?
  • Which is more secure: OpenID, OAuth, SAML1 or SAML2, etc.?
  • Is encryption and hashing done similarly?
  • How are key renewals done? (e.g. ADFS will refresh on an interval)
  • Can the home realm discovery page be disabled or customized so as not to leak IdPs?
  • ...?
makerofthings7

2 Answers

This is a great question. However, there are quite a few differences between ACS v2 and ADFS v2 from a risk perspective.

  1. ACS does not have an IdP, therefore it does not do any authentication, whereas ADFS does.
  2. As far as I understand it, ACS does not attempt to prevent token replays. It leaves that up to the IdP providing the original token, and the RP. I cannot definitively say this is 100% true though, as I can't find any documentation on it, but I'm working on a project to test this... will update with results.
  3. ACS supports 3 token types and protocols (WS-Fed, SAML 1.1/2.0, and SWT), whereas ADFS supports only 2 types (WS-Fed, SAML 1.1/2.0).
  4. ADFS supports custom attribute stores. ACS will only use claims within received tokens.

With all of that being said, I would argue that ACS and ADFS are more complementary than anything. ACS works nicely as an endpoint for Azure/Cloud hosted applications, as it can be modified relatively easily to accept other IdPs. ADFS works well internally, but it's a bit of a pain to add IdP trusts. This gives a security boundary between the application, the environment (cloud et al.), and the organization internally.

EDIT: Follow-up questions:

Steve
  • What would you compare ACS's "service identities" to? They permit a client to authenticate to ACS with a certificate, password, or PSK. Funny you mention token replays... it is this that prompted me to ask this question. – makerofthings7 Apr 11 '11 at 17:28
  • @makerofthings I should have been more specific... Service identities do allow for authn to ACS, but they are not designed for user authentication. – Steve Apr 11 '11 at 17:45
  • ADFSv2 doesn't support the Service Identity feature of redirection for OAuth which is included in ACS [more information...](http://security.stackexchange.com/questions/3038/how-does-the-service-identity-feature-of-azure-acs-compare-and-contrast-to-a/3732#3732) – makerofthings7 May 11 '11 at 15:47
  • ACS supports OpenID whereas ADFS doesn't [more information...](http://msdn.microsoft.com/en-us/library/gg185935.aspx) – makerofthings7 May 11 '11 at 15:49
By default, tokens can be replayed in the ACS unless the developer takes steps to protect against it.

See this Microsoft-published list of security issues that a secure deployment should keep in mind when using ACS.

makerofthings7
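Both answers above leave token replay prevention to the relying party when ACS is the STS. The following is an added example of what that RP-side check looks like; it is not code from either answer, from ACS, or from ADFS. It assumes the token is a SAML 2.0 assertion whose signature has already been verified (the ID and Conditions are only trustworthy after that), and it uses a constructed sample assertion with made-up ID, issuer and timestamps. The replay cache keeps each seen assertion ID until NotOnOrAfter plus clock skew, after which the same token would be rejected as expired anyway, so the cache stays bounded.

```python
"""Replay detection for SAML 2.0 bearer assertions at the relying party.

Added example (not from the original answers). Assumes the XML signature
on the assertion was verified before this code runs.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2_NS}

# Constructed sample assertion: ID, issuer and times are made up for this example.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_example-assertion-1"
    Version="2.0" IssueInstant="2011-04-11T17:00:00Z">
  <saml:Issuer>https://sts.example.test/</saml:Issuer>
  <saml:Conditions NotBefore="2011-04-11T17:00:00Z" NotOnOrAfter="2011-04-11T17:05:00Z"/>
</saml:Assertion>"""


def parse_utc(value):
    """Parse a SAML xs:dateTime in UTC ('...Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Return (assertion ID, NotBefore, NotOnOrAfter) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    return (
        root.attrib["ID"],
        parse_utc(conditions.attrib["NotBefore"]),
        parse_utc(conditions.attrib["NotOnOrAfter"]),
    )


class ReplayCache:
    """In-memory record of assertion IDs already consumed by this RP."""

    def __init__(self):
        # assertion ID -> instant after which the entry can safely be dropped
        self._seen = {}

    def _evict(self, now):
        for token_id in [k for k, drop_after in self._seen.items() if drop_after <= now]:
            del self._seen[token_id]

    def check_and_record(self, token_id, drop_after, now):
        """Return True if token_id is fresh (and record it), False if it was seen before."""
        self._evict(now)
        if token_id in self._seen:
            return False
        self._seen[token_id] = drop_after
        return True

    def __len__(self):
        return len(self._seen)


def accept_token(xml_text, cache, now, skew=timedelta(minutes=5)):
    """Check the validity window and reject replays. Returns (accepted, reason)."""
    token_id, not_before, not_on_or_after = parse_assertion(xml_text)
    if now < not_before - skew:
        return False, "not yet valid"
    if now >= not_on_or_after + skew:
        return False, "expired"
    # Keep the ID until the token could no longer pass the expiry check above.
    if not cache.check_and_record(token_id, not_on_or_after + skew, now):
        return False, "replay"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    now = parse_utc("2011-04-11T17:01:00Z")
    print(accept_token(SAMPLE_ASSERTION, cache, now))  # first use is accepted
    print(accept_token(SAMPLE_ASSERTION, cache, now))  # same token again is a replay
```

Two points a deployment should take from this: the cache must be shared across every node that accepts tokens (a per-process dictionary, as here, protects nothing behind a load balancer, which is why the ADFS feature the question mentions is tied to its SQL configuration store), and `xml.etree.ElementTree` does no entity-expansion hardening, so untrusted tokens should be parsed with a hardened parser such as defusedxml before this check runs.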