Provide federated access for your hosted applications

Applies To: Windows Server 2003 R2

When you are the resource partner administrator and your deployment goal is to provide federated access to an application that resides in your organization (the resource partner organization), federated users both in your organization and in organizations that have configured a federation trust with your organization can access the Active Directory Federation Services (ADFS)-secured application that your organization hosts. For more information, see Federated Web SSO design and Federated Web SSO with Forest Trust design.

The following components are required for this deployment goal:

  • Active Directory: The resource federation server must be joined to an Active Directory domain. If Windows NT token–based applications are supported, the domain also serves as the store that contains the resource accounts or resource groups. Claims-aware applications do not require local accounts in Active Directory. For more information about resource accounts and resource groups, see Determine your resource account mapping method.

  • Perimeter DNS: This implementation of Domain Name System (DNS) contains a simple host (A) resource record so that clients can locate the resource federation server and the ADFS-enabled Web server. The DNS server may host other DNS records that are also required in the perimeter network. For more information, see Name resolution requirements for federation servers and Name resolution requirements for ADFS-enabled Web servers.

  • Resource federation server: The resource federation server validates ADFS tokens that the account partners send. Account partner discovery is performed through this federation server. For more information, see Review the role of the federation server in the resource partner organization.

  • ADFS-enabled Web server: The ADFS-enabled Web server can host a claims-aware application or a Windows NT token–based application. (The following illustration shows a claims-aware application.) The ADFS Web Agent confirms that it receives valid ADFS tokens from federated users before it allows access to the protected Web site. For more information, see When to create an ADFS-enabled Web server.

The following illustration shows each of the required components for this ADFS deployment goal.

[Illustration: Perimeter Resource Application design element]