Provide single-sign-on access for customers to your hosted applications
Updated: December 15, 2006
Applies To: Windows Server 2003 R2
When your ADFS deployment goal is to provide single-sign-on (SSO) access for customer accounts to hosted applications that are secured by Active Directory Federation Services (ADFS):
Customers who are logged on to the Active Directory Application Mode (ADAM) account store, which is hosted in your perimeter network, can access multiple ADFS-secured applications, which are also hosted in your perimeter network, by logging on one time from client computers that are located on the Internet.
In other words, when you host customer accounts to enable access to applications in your perimeter network, customers that you host in an account store can access one or more applications in the perimeter network simply by logging on once to the Federation Service. For more information, see Web SSO design.
Information in the ADAM account store can be populated into customers' ADFS tokens.
The following components are required for this ADFS deployment goal:
Active Directory: An Active Directory domain is required only for the resource federation server. It is not used to host customer accounts.
ADAM: ADAM is used to contain the customer accounts that will be used to generate ADFS tokens. For more information about Active Directory or ADAM, see Appendix B: Reviewing Key ADFS Concepts.
Note Active Directory may also be used to contain customer accounts that will be used to generate ADFS tokens.
Account/resource federation server: This federation server serves in both the account role and the resource role. The account/resource federation server is configured so that the Federation Service includes values for both an application and an account store—in this case, ADAM—that contains the customer accounts. For more information, see Review the role of the federation server in the account partner organization and Review the role of the federation server in the resource partner organization.
ADFS-enabled Web server: The ADFS-enabled Web server can host a claims-aware application or a Windows NT token–based application. The ADFS Web Agent confirms that it receives valid ADFS tokens from customer accounts before it allows access to the protected Web site. For more information, see When to create an ADFS-enabled Web server.
Customer: While on the Internet, the customer accesses an ADFS-secured Web application through a supported Web browser. The customer client computer on the Internet communicates directly with the federation server for authentication.
The following illustration shows each of the required components for this ADFS deployment goal. In this case, because Active Directory is used only to support the federation server's requirement to be joined to a domain, it is shaded in this illustration.