WS-Federation (WS-Fed) vs WS-Trust in ADFS

WS-Federation (WS-Fed): WS-Fed is a browser-based federation protocol used by passive clients such as web browsers. It enables Single Sign-On by redirecting the user's browser to ADFS, which authenticates the user and returns a SAML token. The primary ADFS endpoint is /adfs/ls/. It is commonly used by legacy web applications and federated Microsoft 365 sign-in.

WS-Trust: WS-Trust is a SOAP-based protocol used by active clients such as Outlook, Office applications, PowerShell, and Windows components. Instead of browser redirects, the client sends SOAP requests directly to ADFS to obtain a security token. Common endpoints include /adfs/services/trust/2005/usernamemixed and /adfs/services/trust/2005/windowstransport.

Role in Device Join (Federated Domains)

Hybrid Entra ID Join for federated domains primarily uses WS-Trust during the silent device registration process. Windows components such as dsregcmd obtain a SAML token from ADFS through WS-Trust and present it to Microsoft Entra ID to register the device. Interactive Azure AD Join scenarios that require a browser-based sign-in can use WS-Federation to authenticate the user through ADFS.

WS-Federation (WS-Fed) WS-Trust
Browser-based (passive) protocol SOAP-based (active) protocol
Used by web browsers Used by Outlook, Office, PowerShell, Windows components
Uses HTTP redirects and form POST Uses SOAP messages
Main endpoint: /adfs/ls/ Endpoints: /adfs/services/trust/2005/usernamemixed, /windowstransport
Primarily interactive authentication Primarily non-interactive/programmatic authentication
Returns SAML token through browser Returns security token in SOAP response
Can be used during interactive Azure AD Join Used during silent Hybrid Entra ID Join for federated domains