
Active Directory Federation Services Overview

Published: February 24, 2012

Updated: August 31, 2012

Applies To: Windows Server 2012

This topic provides an overview of Active Directory Federation Services (AD FS) in Windows Server® 2012.


The AD FS server role provides simplified, secured identity federation and Web single sign-on (SSO) capabilities. AD FS includes a Federation Service role service that enables browser-based Web SSO, a Federation Service Proxy role service to customize the client access experience and protect internal resources, and Web Agent role services used to provide federated users with access to internally hosted applications.

AD FS simplifies end-user access to systems and applications by using a claims-based access authorization mechanism to maintain application security. You can deploy AD FS to:

  • Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet without requiring employees or customers to log on more than once.

  • Retain complete control over your employee or customer identities without using other sign-on providers (Windows Live ID, Liberty Alliance, and others).

  • Provide your employees or customers with a Web-based, SSO experience when they need remote access to internally hosted Web sites or services.

  • Provide your employees or customers with a Web-based, SSO experience when they access cross-organizational Web sites or services from within the firewalls of your network.

For Windows Server 2012, the AD FS server role includes the same functionality and feature set that is available in AD FS 2.0. It also includes the following new functionality that was not available in AD FS 2.0:

  • Integration with Dynamic Access Control scenarios - AD FS can be used with the user and device claims that are issued using Active Directory Domain Services (AD DS) in Windows Server 2012 for various Dynamic Access Control scenarios. This integration enables AD FS to consume AD DS claims that are included in Kerberos tickets as a result of domain authentication. For more information about using claims from Kerberos tickets, see Using AD DS Claims with AD FS.

  • Improved installation experience using Server Manager - With AD FS 2.0, you had to download and install the AD FS 2.0 software to deploy your AD FS server infrastructure. In Windows Server 2012, you install the AD FS server role using Server Manager. Server Manager provides improved AD FS configuration wizard pages that perform server validation checks before you continue with the AD FS server role installation, and it automatically lists and installs all the services that AD FS depends on during the AD FS server role installation. These services include Microsoft ASP.NET and other services that are part of the Web Server (IIS) server role.

  • Additional Windows PowerShell cmdlet tools - In addition to the Windows PowerShell based management capabilities provided in AD FS 2.0, AD FS in Windows Server 2012 includes new cmdlets for installing the AD FS server role and for initial configuration of the federation server and federation server proxy.
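The PowerShell installation path described above, as an added example that is not part of the original page: it installs the Federation Service role service on Windows Server 2012 and then confirms that the IIS and ASP.NET dependencies the text mentions were installed with it. The feature names (ADFS-Federation, Web-Server, Web-Asp-Net45, NET-Framework-45-Core) and the service name adfssrv are assumed to match the Get-WindowsFeature output of your build.

```powershell
# Added example, not from the original page. Assumes Windows Server 2012 and the
# feature/service names listed in the lead-in.
Import-Module ServerManager

# Install the Federation Service role service. On the perimeter host you would use
# ADFS-Proxy instead. -IncludeManagementTools adds the AD FS Management snap-in.
$result = Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools
if (-not $result.Success) {
    throw "AD FS role installation failed (exit code: $($result.ExitCode))"
}

# Verify the role and the IIS/ASP.NET dependencies it should have pulled in
# (feature names are an assumption; compare with Get-WindowsFeature on your server).
$expected = @('ADFS-Federation', 'Web-Server', 'Web-Asp-Net45', 'NET-Framework-45-Core')
$missing = Get-WindowsFeature -Name $expected |
           Where-Object { -not $_.Installed } |
           Select-Object -ExpandProperty Name
if ($missing) {
    Write-Warning ("Not installed: " + ($missing -join ', '))
} else {
    Write-Output "Federation Service and its IIS/ASP.NET dependencies are installed."
}

# The Federation Service runs as the 'adfssrv' Windows service (assumed name). It is
# expected to be stopped until initial configuration of the federation server is done.
Get-Service -Name adfssrv -ErrorAction SilentlyContinue | Select-Object Name, Status
```

Run the script in an elevated Windows PowerShell session on the server that will host the Federation Service; initial configuration of the federation server is a separate step after the role is installed.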

The installation of AD FS role services can be performed using Server Manager. Depending on your organization's business needs, you can install any of the following AD FS role services:

Role service               Description
-------------------------  --------------------------------------------------------------------------------------------------------------------
Federation Service         Provides security tokens to client applications in response to requests for access to resources.
Federation Service Proxy   Collects user credentials from browser clients and Web applications and forwards the credentials to the Federation Service on their behalf.
Claims-aware Agent         Provides federated access control for applications that use claims directly for authentication.
Windows Token-based Agent  Provides federated access control for Windows applications that use traditional Windows token-based authentication.

After you install AD FS, you can use the AD FS Management snap-in to manage both the Federation Service and Federation Service Proxy role services. To manage the AD FS Windows Token-Based Agent role service, you can use the Internet Information Services (IIS) Manager snap-in (under Sites\Default Web Site\adfs).

© 2013 Microsoft. All rights reserved.