Web SSO design

Applies To: Windows Server 2003 R2

In the Web Single-Sign-On (SSO) design in Active Directory Federation Services (ADFS), users must authenticate only once to access multiple ADFS-secured applications. In this design all users are external, and no federation trust exists because there are no partners. Typically, you deploy this design when you want to provide customer access to one or more ADFS-secured applications over the Internet, as shown in the following illustration.

[Illustration: Web SSO (B2C) design]

With the Web SSO design, an organization typically hosts the ADFS-secured application in a perimeter network and maintains a separate store of customer accounts there as well, which makes it easier to keep customer accounts isolated from employee accounts.

You can manage the local accounts for customers in the perimeter network by using either Active Directory or Active Directory Application Mode (ADAM) as the account store.

This design corresponds to the deployment goal of providing SSO access for customers to your hosted applications. For more information, see Provide single-sign-on access for customers to your hosted applications.

To learn more about the flow of ADFS communications in this design, see Web SSO example.

For a list of detailed tasks that you can use to plan and deploy your Web SSO design, see Checklist: Implementing a Web SSO Design.