ADFS endpoints explained
In this blog we will learn what endpoints are in ADFS, how ADFS endpoints are configured, which endpoints an ADFS server exposes, and how to manage ADFS endpoints with PowerShell.
What are endpoints in ADFS
An application can be browser based, or it can be a rich-client application (for example the Outlook desktop client). That means a user may access the application through a web browser or through the Outlook client. If the application is integrated with an ADFS server, the ADFS server must be able to receive both kinds of requests: those from web-based applications and those from rich-client applications.
But how does the ADFS server tell whether an incoming request comes from a web-based application or from a rich-client application? The answer is that ADFS distinguishes these requests with the help of endpoints.
When you install ADFS, a number of endpoints are created automatically. You can view the endpoints of your ADFS server either in the AD FS Management console, or by running Get-AdfsEndpoint in Windows PowerShell on the ADFS server, which lists all of them.
Each endpoint is responsible for receiving certain types of requests. An ADFS server has many endpoints, but we will focus on two important ones: ADFS/LS and TRUST/MEX.
The ADFS/LS endpoint receives requests from web-based applications. That means that when a user tries to access a web-based application, the request is processed by the ADFS/LS endpoint.
When a user tries to access a rich-client application, the request is processed by the TRUST/MEX endpoint. Here MEX stands for Metadata Exchange.
Important: When a user accesses a web-based application, this kind of authentication is called passive authentication, and the request is received by the ADFS/LS endpoint. When a user accesses an application such as the Outlook desktop client, this kind of authentication is called active authentication, and the request is processed by the TRUST/MEX endpoint.
Important: Both endpoints are secured with HTTPS, so all communication with them is encrypted in transit. The certificate presented on these endpoints is the Service Communication certificate of your ADFS server.
Look at the endpoint URL below: it uses HTTPS, it contains the Federation Service Name of the ADFS server (adfs.office365concepts.com), and after the Federation Service Name comes the endpoint path (/adfs/ls/) that is responsible for receiving a certain type of request.
https://adfs.office365concepts.com/adfs/ls/
ADFS Endpoints Configuration
ADFS endpoints list
To manage endpoints on the ADFS server, open Server Manager, go to Tools, and click AD FS Management.
In the AD FS Management console, expand Service and click Endpoints. This lists all the endpoints of your ADFS server.
Let's look at the endpoint properties:
Enabled (Yes/No): Yes means the endpoint is active and listening for traffic. No means the endpoint is currently disabled and will not answer any request.
Proxy Enabled (Yes/No): Yes means the endpoint is also published through your ADFS proxy server.
URL Path: the complete URL of the endpoint.
Manage ADFS endpoints with PowerShell
To list all endpoints of the ADFS server, run Get-AdfsEndpoint with no parameters in Windows PowerShell on the ADFS server. To inspect a single endpoint, pass its full URL, as in the command below:
Get-AdfsEndpoint -FullUrl "https://adfs.office365concepts.com/adfs/ls/"
To enable an endpoint, run the command below:
Enable-ADFSEndpoint -TargetFullUrl "https://adfs.office365concepts.com/adfs/ls/"
After running the command above, restart the ADFS service (adfssrv) on the server. If you have multiple ADFS servers in your farm, restart the service on every ADFS server.
To disable an ADFS endpoint, run the command below in Windows PowerShell on the ADFS server.
Disable-ADFSEndpoint -TargetFullUrl "https://adfs.office365concepts.com/adfs/ls/"
As with enabling, restart the ADFS service on the server afterwards, and on every ADFS server if your farm has more than one.
To publish an endpoint on the proxy server, run the command below in Windows PowerShell on the ADFS server.
Set-ADFSEndpoint -TargetFullUrl "https://adfs.office365concepts.com/adfs/ls/" -Proxy $true
Note: This endpoint must be enabled on the ADFS server before you enable it on Proxy Server.
To verify that an ADFS endpoint is working and able to receive requests from applications, copy the endpoint URL, paste it into a browser, and you should get an XML response.
If you get that response, the endpoint is reachable and requests can reach it.
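The commands above manage one endpoint at a time. The script below is an added example (not from the original post) that audits the whole endpoint list in one pass and turns off proxy publishing for any enabled endpoint that is not on an allow list, which keeps internet-facing ADFS surface to what your applications actually need. The allow list and the address paths in it are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on an ADFS server. Without -Apply the script only reports.
param(
    [switch]$Apply
)

Import-Module ADFS

# Assumed allow list: address paths that must stay published on the proxy.
$allowedProxyPaths = @(
    '/adfs/ls/',
    '/adfs/services/trust/mex',
    '/FederationMetadata/2007-06/FederationMetadata.xml'
)

$endpoints = Get-AdfsEndpoint

# Report every endpoint's state, the same columns the AD FS Management console shows.
$endpoints |
    Sort-Object AddressPath |
    Select-Object AddressPath, Enabled, Proxy, Protocol |
    Format-Table -AutoSize

# Enabled endpoints published on the proxy that are not on the allow list.
$unexpected = $endpoints | Where-Object {
    $_.Enabled -and $_.Proxy -and ($allowedProxyPaths -notcontains $_.AddressPath)
}

if (-not $unexpected) {
    Write-Host 'No unexpected proxy-published endpoints.'
    return
}

foreach ($ep in $unexpected) {
    Write-Warning "Proxy-published but not on the allow list: $($ep.AddressPath)"
    if ($Apply) {
        # Keep the endpoint enabled internally; only stop publishing it on the proxy.
        Set-AdfsEndpoint -TargetAddressPath $ep.AddressPath -Proxy $false
    }
}

if ($Apply) {
    # Endpoint changes take effect after the service restarts; repeat on every farm node.
    Restart-Service adfssrv
}
```

Run it once without -Apply, review the warnings, and only then run it with -Apply on each ADFS server in the farm.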
Conclusion
In a nutshell, endpoints are the entry points through which applications reach ADFS; each endpoint receives and processes a certain kind of request.
In this blog we learnt what endpoints are in ADFS, how to manage ADFS endpoints with PowerShell, and how to list ADFS endpoints in the AD FS Management console.