Deploying Partner Organizations
Updated: December 15, 2006
Applies To: Windows Server 2003 R2
To deploy a new partner organization, complete the tasks in either Checklist: Configuring the resource partner organization or Checklist: Configuring the account partner organization, depending on your Active Directory Federation Services (ADFS) design.
When you use either of these checklists, we strongly recommend that you first read the references to account partner or resource partner planning guidance (in the ADFS Design Guide) before continuing to the procedures for setting up the new partner organization. Following the checklist in this way will help provide a better understanding of the full ADFS design and deployment story for the account partner or resource partner organization.
About account partners
An account partner is the organization in the federation trust relationship that physically stores user accounts in either an Active Directory store or an Active Directory Application Mode (ADAM) store. The account partner is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens. These tokens can then be presented across a federation trust to enable access to Web-based resources that are located in the resource partner organization.
In other words, an account partner represents the organization for whose users the account-side Federation Service issues security tokens. The Federation Service in the account partner organization authenticates local users and creates security tokens that are used by the resource partner in making authorization decisions.
With regard to Active Directory, the account partner in ADFS is conceptually equivalent to a single Active Directory forest whose accounts need access to resources that are physically located in another forest. Accounts in this forest can access resources in the resource forest only when an external trust or forest trust relationship exists between the two forests and the resources to which the users are trying to gain access have been set with the proper authorization permissions.
About resource partners
The resource partner is the organization in an ADFS deployment where ADFS-enabled Web servers are located. The resource partner trusts the account partner to authenticate users. Therefore, to make authorization decisions, the resource partner consumes the claims that are packaged in security tokens coming from users in the account partner.
In other words, a resource partner represents the organization whose Web servers are protected by the resource-side Federation Service. The Federation Service at the resource partner uses the security tokens that are produced by the account partner to make authorization decisions for Web servers in the resource partner.
To function as an ADFS resource, Web servers in the resource partner organization must have the ADFS Web Agent component of ADFS installed. Web servers that function as an ADFS resource can host either claims-aware applications or Windows NT token–based applications. For more information about the two types of applications, see Controlling Access to Web-based Applications (http://go.microsoft.com/fwlink/?LinkId=64040).
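The division of labor between the two roles described above (the account partner authenticates and packages claims; the resource partner trusts the issuer, verifies the token and authorizes from the claims alone) is shown here as an added Python model. It is not code from this page or from ADFS: the organization names, URIs, user records and keys are constructed, and an HMAC shared secret stands in for the SAML token and X.509 token-signing certificate that ADFS actually uses. The walkthrough covers a valid token, a token whose group claims were altered after signing, a token from a Federation Service the resource partner has no trust with, and an expired token.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AccountPartner:
    """Stores accounts, authenticates credentials, builds claims, signs the token (hypothetical model)."""

    def __init__(self, issuer_uri, signing_key, users):
        self.issuer_uri = issuer_uri
        self.signing_key = signing_key  # stand-in for the token-signing certificate
        self.users = users              # username -> constructed account record

    def authenticate(self, username, password):
        record = self.users.get(username)
        if record is None:
            return None
        # Plain SHA-256 is only a placeholder for the directory's credential check.
        digest = hashlib.sha256(password.encode()).hexdigest()
        return record if hmac.compare_digest(digest, record["password_hash"]) else None

    def issue_token(self, username, password, audience, lifetime=300, now=None):
        record = self.authenticate(username, password)
        if record is None:
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        claims = {"iss": self.issuer_uri,              # issuing Federation Service
                  "aud": audience,                     # intended resource partner
                  "upn": username,                     # identity claim
                  "groups": sorted(record["groups"]),  # group claims
                  "exp": int(now + lifetime)}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest())
        return payload + "." + sig

class ResourcePartner:
    """Never sees the password: checks issuer, signature, audience, expiry, then authorizes from claims."""

    def __init__(self, resource_uri, trusted_issuers, app_policy):
        self.resource_uri = resource_uri
        self.trusted_issuers = trusted_issuers  # issuer URI -> verification key
        self.app_policy = app_policy            # application -> required group claim

    def validate_token(self, token, now=None):
        try:
            payload, sig = token.split(".")
            claims = json.loads(_unb64(payload))
        except ValueError:
            return None, "malformed token"
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            return None, "untrusted issuer"
        expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        if claims.get("aud") != self.resource_uri:
            return None, "wrong audience"
        now = time.time() if now is None else now
        if claims.get("exp", 0) <= now:
            return None, "expired"
        return claims, "ok"

    def authorize(self, token, app, now=None):
        claims, reason = self.validate_token(token, now)
        if claims is None:
            return False, reason
        required = self.app_policy.get(app)
        if required is None:
            return False, "unknown application"
        if required not in claims.get("groups", []):
            return False, "missing group claim"
        return True, "ok"

def run_scenarios(t0=1_000_000):
    """Constructed walkthrough: A. Datum is the trusted account partner, Trey Research the
    resource partner, and Fabrikam an organization Trey Research has no federation trust with."""
    key_a = b"constructed-shared-key-adatum"
    user = lambda pw, grp: {"password_hash": hashlib.sha256(pw).hexdigest(), "groups": grp}
    adatum = AccountPartner("urn:example:adatum-fs", key_a,
                            {"alice@adatum.example": user(b"alice-pass", {"Purchasers"})})
    fabrikam = AccountPartner("urn:example:fabrikam-fs", b"constructed-key-fabrikam",
                              {"bob@fabrikam.example": user(b"bob-pass", {"Purchasers"})})
    trey = ResourcePartner("urn:example:trey-app", {"urn:example:adatum-fs": key_a},
                           {"purchasing": "Purchasers"})
    good = adatum.issue_token("alice@adatum.example", "alice-pass", "urn:example:trey-app", now=t0)
    payload, sig = good.split(".")
    claims = json.loads(_unb64(payload))
    claims["groups"].append("Administrators")  # altered after signing, signature not redone
    tampered = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    foreign = fabrikam.issue_token("bob@fabrikam.example", "bob-pass", "urn:example:trey-app", now=t0)
    return {"valid": trey.authorize(good, "purchasing", now=t0 + 60),
            "tampered": trey.authorize(tampered, "purchasing", now=t0 + 60),
            "untrusted_issuer": trey.authorize(foreign, "purchasing", now=t0 + 60),
            "expired": trey.authorize(good, "purchasing", now=t0 + 600)}
```

Running `run_scenarios()` returns a decision and reason per case; only the untouched A. Datum token for an application whose required group claim is present is allowed. The resource partner never handles the user's password, which is the property the federation trust is meant to provide: the account partner vouches for identity and group membership, and the resource partner limits itself to verifying that vouching and applying its own access policy.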