AD FS 2.0 Terminology

Applies To: Active Directory Federation Services (AD FS) 2.0

Active Directory Federation Services (AD FS) 2.0 uses terminology from several technologies, including Active Directory Certificate Services (AD CS), Internet Information Services (IIS), Active Directory in Windows Server 2003 or Active Directory Domain Services (AD DS) in Windows Server 2008, Active Directory Application Mode (ADAM) in Windows Server 2003 or Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008, and Web Services (WS-*).

The following table defines these terms. For additional terms that are specific to deploying AD FS 2.0 across organizations, see Understanding Key Concepts Before You Deploy AD FS 2.0 (https://go.microsoft.com/fwlink/?LinkId=182473) in the AD FS 2.0 Design Guide.

AD FS 2.0 term / Definition

acceptance transform rules

The set of claim rules that correspond to a particular claims provider trust. These rules define what claims from the claims provider will be accepted and used later by the issuance transform rules.

AD FS configuration database

A database that stores all the configuration data that represents a single instance of AD FS 2.0 (the Federation Service). This configuration data can be stored either in the Windows Internal Database, which is included with Windows Server 2008 and Windows Server 2008 R2, or in a Microsoft SQL Server database. You can create the AD FS configuration database with the Windows Internal Database by using the AD FS 2.0 Federation Server Configuration Wizard. You can create the AD FS configuration database with SQL Server by using the Fsconfig.exe command-line tool.

attribute store

A database or directory service that contains attributes about clients. These attributes can be used to issue claims about the clients. For example, AD FS 2.0 supports the use of either AD DS or SQL Server as the attribute store for a claims provider.

claim

A statement that one subject makes about itself or another subject. For example, the statement can be about a name, identity, key, group, privilege, or capability. Claims have a provider that issues them, and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.

claim descriptions

The list of claims that AD FS 2.0 maintains for the sake of publishing federation metadata, issuing display tokens, and assisting in the authoring of claim rules.

claim issuer

The claims provider that issued the claim.

claim name

A user-friendly name for the claim type.

claim rule

A rule, created from a claim rule template or written in the AD FS 2.0 claim rule language, that defines how to generate, transform, pass through, or filter claims.

claim rule template

A template that is designed to help administrators easily select and create the most appropriate claim rules for a particular business need. Claim rule templates are used only during the claim rule creation process.

claim rule language

The language that AD FS 2.0 uses to author and process the logic in all claim rules.

claim rule set

A grouping of one or more claim rules for a given federated trust that defines how the claim rule engine processes claims.

claim type

The type of statement in the claim that is made. Example claim types include FirstName and Role. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI).

claim value

The value of the statement in the claim that is made. For example, if the claim type is Role, a value might be Contributor.

claim value type

The type of value in the claim. For example, if the claim value is Contributor, the claim value type is String.

claims-aware application

A relying party software application that uses claims to manage identity and access for users.

claims provider

A Federation Service that issues claims for a particular transaction.

claims provider trust

In the AD FS 2.0 snap-in, a claims provider trust is a trust object that is created to maintain the relationship with another Federation Service that provides claims to this Federation Service.

client

The user—or the software of a user—that acts on claims that it receives from the claims provider.

custom attribute store

A Microsoft .NET Framework assembly component that was developed for extending the functionality of AD FS 2.0 attribute stores.

custom rule

A claim rule that you author using the claim rule language to express a series of complex logic conditions. You can build custom rules by typing the claim rule language syntax in the Send Claims Using a Custom Rule template.

delegation authorization rules

The set of claim transformation rules corresponding to a relying party trust that determines whether the requester is permitted to impersonate a user while still identifying the requester to the relying party.

digital identity

A set of claims that represent a subject.

federation metadata

The data format for communicating configuration information between a claims provider and a relying party to facilitate automated configuration of claims provider trusts and relying party trusts. The data format is defined in Security Assertion Markup Language (SAML) 2.0, and it is extended in WS-Federation.

federation server

A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured using the AD FS 2.0 Federation Server Configuration Wizard to act in the federation server role. A federation server issues tokens and serves as part of a Federation Service.

federation server proxy

A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured with the AD FS 2.0 Federation Server Proxy Configuration Wizard to act as an intermediary proxy service between an Internet client and a Federation Service that is located behind a firewall on a corporate network.

Federation Service

A logical instance of AD FS 2.0. A Federation Service can be deployed as a stand-alone federation server or as a load-balanced federation server farm.

identifier

A Uniform Resource Identifier (URI) that is used to identify an object. The object can be the instance of AD FS 2.0, a claims provider, or a relying party.

identity delegation

A feature in AD FS 2.0 that makes it possible for a user or computer to be authorized to act as another user or computer to a relying party.

impersonation authorization rules

The set of claim rules corresponding to a relying party trust that determines whether the requester is permitted to impersonate a user without identifying the requester to the relying party. These rules can be created only using the Windows PowerShell™ command-line interface.

input claim set

A collection of claims within the context of a given claim rule set that is available as input to subsequent claim rules within that set. Claims in this collection are discarded after the rules are processed. The rules processing engine adds the claims that each rule generates to the input claim set so that subsequent rules within a given rule set can use those claims.

issuance authorization rules

The set of claim rules corresponding to a relying party trust that determines whether the requester is permitted to receive a token.

issuance transform rules

The set of claim rules that correspond to a relying party trust that determine the claims that are issued to the relying party.

output claim set

A collection of claims, within the context of a given claim rule set, that holds the claims emitted by the rules in that set. If temporary claims are needed only for processing, a rule can be authored so that the resulting claims are added to the input claim set only and never reach the output claim set.
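As an added illustration of the input claim set and output claim set semantics described in the entries above (example code, not from this page or from AD FS itself), the following Python model runs a constructed rule set in which a temporary claim is added to the input set only and a Role claim is issued only when that temporary claim is present. The rule representation (plain Python callables rather than the claim rule language), the group claim type and the temporary claim type are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Claim type URIs: NAME and ROLE are the standard claim types used by AD FS;
# GROUP and TEMP are constructed for this example.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUP = "urn:example:group"
TEMP = "urn:example:ingroup"          # temporary claim, never issued

@dataclass(frozen=True)
class Claim:
    claim_type: str   # the statement being made, expressed as a URI
    value: str        # e.g. "Contributor"
    value_type: str = "String"

@dataclass
class Rule:
    matches: Callable[[Claim], bool]   # condition evaluated against each input claim
    make: Callable[[Claim], Claim]     # claim generated for each matching input claim
    issue: bool                        # True: add to input AND output set; False: input set only

def run_rule_set(rules: List[Rule], incoming: List[Claim]) -> List[Claim]:
    """Process a claim rule set in order and return the output claim set."""
    input_set = list(incoming)
    output_set: List[Claim] = []
    for rule in rules:
        generated = [rule.make(c) for c in input_set if rule.matches(c)]
        input_set.extend(generated)        # visible to every subsequent rule
        if rule.issue:
            output_set.extend(generated)   # only "issue" rules reach the token
    return output_set

# Constructed issuance transform rule set (plain Python, not the claim rule language).
RULES = [
    Rule(lambda c: c.claim_type == GROUP and c.value == "Editors",
         lambda c: Claim(TEMP, "editors"), issue=False),
    Rule(lambda c: c.claim_type == TEMP and c.value == "editors",
         lambda c: Claim(ROLE, "Contributor"), issue=True),
    Rule(lambda c: c.claim_type == NAME, lambda c: c, issue=True),
]

def issued_claims(user: str, groups: List[str]) -> Set[Tuple[str, str]]:
    """Claims that would reach the relying party for a user with these groups."""
    incoming = [Claim(NAME, user)] + [Claim(GROUP, g) for g in groups]
    return {(c.claim_type, c.value) for c in run_rule_set(RULES, incoming)}

if __name__ == "__main__":
    print(issued_claims("alice", ["Editors"]))
    print(issued_claims("bob", ["Readers"]))
```

The temporary claim drives the Role decision but is absent from the output claim set, which is the behaviour an auditor checks when reviewing a rule set for unintended claim leakage.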

primary federation server

A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured in the federation server role with the AD FS 2.0 Federation Server Configuration Wizard and that has a read/write copy of the AD FS configuration database. You create the primary federation server when you use the AD FS 2.0 Federation Server Configuration Wizard, select the option to create a new Federation Service, and make that computer the first federation server in a federation server farm. All other federation servers in the farm must replicate changes that are made on the primary federation server to a read-only copy of the AD FS configuration database that they store locally. The term “primary federation server” does not apply when the AD FS configuration database is stored in a SQL Server database, because all federation servers can read and write equally to the SQL Server database.

relying party

A Federation Service or application that consumes claims in a particular transaction.

relying party application

Software that can consume claims to make authentication and authorization decisions. The relying party application receives the claims from a claims provider.

relying party trust

In the AD FS 2.0 snap-in, a relying party trust is a trust object that is created to maintain the relationship with a Federation Service or application that consumes claims from this Federation Service.

rich client

A client that can use the WS-Trust protocol.

Security Assertion Markup Language (SAML) Security Token

The data format for communicating claims between a claims provider and a relying party. AD FS 2.0 uses both SAML 1.1 and SAML 2.0 formats.

Security Assertion Markup Language (SAML)

The WebSSO protocol that is defined in the SAML 2.0 Core specification. The SAML protocol specifies how to use HTTP Web browser redirects to exchange assertion data. SAML is used to authenticate and authorize users across security boundaries.

subject

A person, organization, or thing that is described or dealt with.

trust establishment

A process by which trust relationships are established between claims providers, such as AD FS 2.0, and relying party applications. This process involves the exchange of identifying certificates that make it possible for the relying party to trust the contents of claims that the claims provider issues.

trust monitoring

A feature in AD FS 2.0 that keeps the configuration of a claims provider or relying party up to date by periodically monitoring its Federation Metadata.

Uniform Resource Locator (URL)

The address that is used to locate a Web site. URLs are text strings that must conform to the guidelines in RFC 2396.

Web browser client

A client that can use the SAML WebSSO protocol and the WS-Federation passive protocol. Also referred to as a "passive client."

Web Service Description Language (WSDL)

The data format for specifying how a Simple Object Access Protocol (SOAP) service should be called. AD FS 2.0 uses WSDL 1.1.

Windows Communication Foundation (WCF)

The Microsoft unified programming model for building service-oriented applications. Developers can use WCF to build secure, reliable, transacted solutions that integrate across platforms and interoperate with existing programs.

Windows Identity Foundation (WIF)

A framework for building identity-aware applications. The framework abstracts the WS-Trust and WS-Federation protocols and presents developers with application programming interfaces (APIs) for building security token services (STSs) and claims-aware applications. Applications can use WIF to process tokens that are issued from STSs and make identity-based decisions at the Web application or Web service.

WS-Federation

The OASIS standard specification that defines the WS-Federation Passive protocol and other protocol extensions that are used for federation.

WS-Federation Passive

The protocol for requesting claims from a claims provider by using HTTP Web browser redirects. This protocol is described in section 13 of the WS-Federation 1.2 specification.

WS-SecurityPolicy

An XML-based specification that describes the security requirements of a Web service. These security requirements include descriptions of the claims that the service requires.

WS-Trust

The SOAP protocol, which is defined by the WS-Trust specifications, for requesting claims from a claims provider. AD FS 2.0 uses both the February 2005 and 1.3 versions of the protocol.