
Federated Web SSO with Forest Trust design

Updated: December 15, 2006

Applies To: Windows Server 2003 R2

The Federated Web Single-Sign-On (SSO) with Forest Trust design in Active Directory Federation Services (ADFS) combines two Active Directory forests in a single organization, as shown in the following illustration.

Federated Web SSO with Forest Trust (B2E) design

Typically, you use this design when you want to provide employees on the corporate network and remote employees with federated access to ADFS-secured applications in the perimeter network, while using each employee's standard corporate domain credentials.

The one-way federation trust arrow in the illustration signifies the direction of the trust, which—like the direction of Windows trusts—always points to the account side of the forest. This means that authentication flows from the corporate network to the perimeter network.

Because a forest trust exists between the perimeter network and the corporate network, employee user accounts that are in the corporate network may be used to access the application, which eliminates the need for resource accounts or resource groups. A Windows NT token–based application requires that a user or group exists so that the ADFS token can be mapped into it. However, using Active Directory in the corporate network enables you to deploy the application without user accounts in the perimeter network.

Note
If a trust is not in place between the corporate network and the perimeter network and the application in the perimeter network is a Windows NT token–based application, resource accounts or groups must exist in the perimeter network.

In this design, the single A. Datum Corporation organization combines the following ADFS deployment goals:

To learn more about the flow of ADFS communications in this design, see Federated Web SSO with Forest Trust example.

For a list of detailed tasks that you can use to plan and deploy the Federated Web SSO with Forest Trust design, see Checklist: Implementing a Federated Web SSO with Forest Trust Design.
