AD FS Design Guide

Applies To: Windows Server 2008

Active Directory® Federation Services (AD FS) in the Windows Server® 2008 operating system helps administrators meet federated identity management challenges. It does this by making it possible for organizations to securely share a user's identity information within an organization and across federated organizations—without creating and maintaining external trusts or forest trusts between those organizations. With AD FS, an administrator in an organization can control the resources that users in that organization can access—both within that organization and at partner organizations. An administrator can also use AD FS to configure the resources that users in other organizations can access. AD FS provides users with a Web-based single-sign-on (SSO) experience when they access extranet Web sites or sites on the Internet that are accessible through federation partnerships.

For more information about how AD FS works and how to set up AD FS in a test lab, see the following resources:

About this guide

This guide provides recommendations to help you plan a new deployment of AD FS, based on the requirements of your organization and the particular design that you want to create. This guide is intended for use by an infrastructure specialist or system architect. It highlights your main decision points as you plan your AD FS deployment. Before you read this guide, you should have a good understanding of how AD FS works on a functional level. You should also have a good understanding of the organizational requirements that will be reflected in your AD FS design.

This guide describes a set of deployment goals that are based on three primary AD FS designs, and it helps you decide on the most appropriate design for your environment. You can use these deployment goals to form one of the following comprehensive AD FS designs or a custom design that meets the needs of your environment:

  • Federated Web SSO to support business-to-business (B2B) scenarios and to support collaboration between business units with independent forests

  • Federated Web SSO with Forest Trust to support business-to-employee (B2E) scenarios

  • Web SSO to support customer access to applications in business-to-consumer (B2C) scenarios

For each design, you will find guidelines for gathering the required data about your environment. You can then use these guidelines to plan and design your AD FS deployment. After you read this guide and finish gathering, documenting, and mapping your organization's requirements, you will have the information necessary to begin deploying AD FS by using the guidance in the AD FS Deployment Guide.

Additional references