When to create an ADFS-enabled Web server

Applies To: Windows Server 2003 R2

Create at least one Active Directory Federation Services (ADFS)–enabled Web server in the resource partner organization when you deploy any of the following ADFS designs:

The quickest way to get your federated applications up and running is to install and configure them on a single ADFS-enabled Web server. This way, you can set up a small-scale installation without performing the additional steps necessary to set up an ADFS-enabled Web server farm.

For more information about deploying federated applications, see Designing a Federated Application Strategy.

Why an ADFS-enabled Web server is required

An ADFS-enabled Web server provides the appropriate Web Agent software (ADFS Web Agents), either claims-aware Web Agents or Windows NT token–based Web Agents, that is necessary for authenticating and authorizing federated access to locally hosted, Web-based applications. ADFS-enabled Web servers use these Web Agents to consume security tokens and authentication cookies and, taking application-specific access control settings into consideration, to either allow or deny a user access to the protected application. Web Agents enforce application-based access control requirements by creating a security context in which the application can make the appropriate authorization decision.

For the ADFS-enabled Web server to know what tokens to accept, it must have a relationship with a federation server. This relationship is necessary so that all security tokens that are presented to the Web Agent (and destined for the application) are signed by that federation server (or any of the federation servers that represent that Federation Service). A signed security token indicates that the federation server has successfully verified the authenticity of the federated user.
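The following added example models the check described above: a Web Agent that accepts a token only if it is signed by a federation server it has a trust relationship with, and then builds a security context from the token's claims for the application's own authorization decision. This is illustration code written for this page, not Microsoft's ADFS Web Agent; it simplifies the real mechanism (SAML 1.1 assertions signed with X.509 certificates) to a JSON payload signed with RSA/SHA-256, and the issuer names, subject, claims and key material are all constructed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token is a simplified stand-in for the security token a federation server
// issues: a set of claims plus a signature over their serialised form.
type Token struct {
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Claims    map[string]string `json:"claims"`
	NotAfter  int64             `json:"not_after"`
	Signature []byte            `json:"-"` // excluded from the signed bytes
}

// signingInput is the canonical byte form the signature covers. encoding/json
// sorts map keys, so the output is deterministic for a given set of claims.
func (t Token) signingInput() ([]byte, error) { return json.Marshal(t) }

// SignToken is the federation server side: sign the claims with the
// Federation Service's token-signing key.
func SignToken(t Token, key *rsa.PrivateKey) (Token, error) {
	in, err := t.signingInput()
	if err != nil {
		return t, err
	}
	h := sha256.Sum256(in)
	t.Signature, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return t, err
}

// WebAgent holds the trust relationship: the token-signing public keys of the
// federation servers that represent the trusted Federation Service.
type WebAgent struct {
	TrustedKeys map[string]*rsa.PublicKey // issuer name -> signing key
}

// SecurityContext is what the agent hands to the application once a token has
// been accepted; the application decides authorization from it, not from raw input.
type SecurityContext struct {
	Subject string
	Claims  map[string]string
}

var (
	ErrUntrustedIssuer = errors.New("token issuer is not a trusted federation server")
	ErrBadSignature    = errors.New("token signature is invalid")
	ErrExpired         = errors.New("token has expired")
)

// Consume verifies that the token was signed by a trusted federation server and
// is still valid, and only then produces a security context for the application.
func (a WebAgent) Consume(t Token, now time.Time) (*SecurityContext, error) {
	pub, ok := a.TrustedKeys[t.Issuer]
	if !ok {
		return nil, ErrUntrustedIssuer
	}
	in, err := t.signingInput()
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(in)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], t.Signature); err != nil {
		return nil, ErrBadSignature
	}
	if now.Unix() > t.NotAfter {
		return nil, ErrExpired
	}
	return &SecurityContext{Subject: t.Subject, Claims: t.Claims}, nil
}

// Authorize is the application's own access-control decision: it trusts the
// claims because the agent has already checked who signed them.
func Authorize(ctx *SecurityContext, requiredGroup string) bool {
	return ctx.Claims["group"] == requiredGroup
}

// Demo runs the flow with a trusted token, a token from an unknown issuer,
// a token whose claims were altered after signing, and an expired token.
func Demo() (trustedOK bool, untrustedErr, alteredErr, expiredErr error, err error) {
	fsKey, err := rsa.GenerateKey(rand.Reader, 2048) // trusted federation server (constructed)
	if err != nil {
		return
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // key with no trust relationship
	if err != nil {
		return
	}
	agent := WebAgent{TrustedKeys: map[string]*rsa.PublicKey{"fs.resource.example": &fsKey.PublicKey}}
	now := time.Now()
	base := Token{Issuer: "fs.resource.example", Subject: "alice@account.example",
		Claims: map[string]string{"group": "Purchasers"}, NotAfter: now.Add(10 * time.Minute).Unix()}

	good, err := SignToken(base, fsKey)
	if err != nil {
		return
	}
	ctx, err := agent.Consume(good, now)
	if err != nil {
		return
	}
	trustedOK = Authorize(ctx, "Purchasers")

	unknown := base
	unknown.Issuer = "unknown.example"
	unknownSigned, err := SignToken(unknown, otherKey)
	if err != nil {
		return
	}
	_, untrustedErr = agent.Consume(unknownSigned, now)

	altered := good // valid signature, but the claims no longer match it
	altered.Claims = map[string]string{"group": "Administrators"}
	_, alteredErr = agent.Consume(altered, now)

	expired := base
	expired.NotAfter = now.Add(-time.Minute).Unix()
	expiredSigned, err := SignToken(expired, fsKey)
	if err != nil {
		return
	}
	_, expiredErr = agent.Consume(expiredSigned, now)
	return
}

func main() {
	ok, untrusted, altered, expired, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("trusted token accepted and authorized:", ok)
	fmt.Println("unknown issuer:", untrusted)
	fmt.Println("altered claims:", altered)
	fmt.Println("expired token:", expired)
}
```

The point to take from the example is the separation of duties in the text: the agent's job is to establish that a trusted federation server vouched for the user (issuer lookup, signature check, validity window), and only the resulting security context reaches the application, which applies its own access control settings to the claims it contains.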

To summarize, ADFS-enabled Web servers are a critical component of the ADFS infrastructure. ADFS Web Agents on these servers confirm that the incoming security tokens are signed by a valid federation server before they send federated access requests to the protected application.