WS-Federation (WS-Fed) vs WS-Trust in ADFS
WS-Federation (WS-Fed):
WS-Fed is a browser-based federation protocol used by passive clients such as web browsers. It enables Single Sign-On by redirecting the user's browser to ADFS, which authenticates the user and returns a SAML token. The primary ADFS endpoint is /adfs/ls/. It is commonly used by legacy web applications and federated Microsoft 365 sign-in.
WS-Trust:
WS-Trust is a SOAP-based protocol used by active clients such as Outlook, Office applications, PowerShell, and Windows components. Instead of browser redirects, the client sends SOAP requests directly to ADFS to obtain a security token. Common endpoints include /adfs/services/trust/2005/usernamemixed and /adfs/services/trust/2005/windowstransport.
Role in Device Join (Federated Domains)
Hybrid Entra ID Join for federated domains primarily uses WS-Trust during the silent device registration process. Windows components such as dsregcmd obtain a SAML token from ADFS through WS-Trust and present it to Microsoft Entra ID to register the device. Interactive Azure AD Join scenarios that require a browser-based sign-in can use WS-Federation to authenticate the user through ADFS.
| WS-Federation (WS-Fed) | WS-Trust |
| Browser-based (passive) protocol | SOAP-based (active) protocol |
| Used by web browsers | Used by Outlook, Office, PowerShell, Windows components |
| Uses HTTP redirects and form POST | Uses SOAP messages |
| Main endpoint: /adfs/ls/ | Endpoints: /adfs/services/trust/2005/usernamemixed, /windowstransport |
| Primarily interactive authentication | Primarily non-interactive/programmatic authentication |
| Returns SAML token through browser | Returns security token in SOAP response |
| Can be used during interactive Azure AD Join | Used during silent Hybrid Entra ID Join for federated domains |