Planning Partner Organization Deployments

Applies To: Windows Server 2008

When you plan for cross-organizational (federation-based) collaboration using Active Directory Federation Services (AD FS), you first determine whether your organization will host a Web resource that other organizations access across the Internet, or whether it will provide its own employees with access to a Web resource hosted elsewhere. This determination affects how you deploy AD FS, and it is fundamental in the planning of your AD FS infrastructure.

Note

Make sure that the role that your organization plays in the federation agreement is clearly understood by all parties.

For the federation designs Federated Web SSO Design and Federated Web SSO with Forest Trust Design, AD FS uses terms such as "account partner" and "resource partner" to help differentiate the organization that hosts the accounts (the account partner) from the organization that hosts the Web-based resources (the resource partner).

"Account partner" and "resource partner" terminology is not applicable in the Web SSO Design because one federation server acts in both the account partner role and the resource partner role, and there is no identification of two distinct partners in the Federation Service.

The following sections explain some of the AD FS partner organization concepts. They also contain links to topics in the Active Directory Federation Services Deployment Guide that contain information about setting up and configuring account partners and resource partners based on your AD FS deployment goals.

Planning the account partner deployment

An account partner represents the organization in the federation trust relationship that physically stores user accounts in either an Active Directory Domain Services (AD DS) store or an Active Directory Lightweight Directory Services (AD LDS) store. The Federation Service in the account partner organization authenticates local users and creates security tokens that are used by the resource partner in making authorization decisions.

In scenarios in which you need to provide your users with access to multiple federated applications, each hosted by a different organization, you can configure the account Federation Service with multiple resource partners.

For more information about how to set up and configure an account partner organization, see Checklist: Configuring the Account Partner Organization.

Planning the resource partner deployment

The resource partner organization represents the organization whose AD FS-enabled Web servers are protected by the resource-side Federation Service. The Federation Service at the resource partner uses the security tokens that are produced by the account partner to make authorization decisions for AD FS-enabled Web servers that are located in the resource partner.

In scenarios in which you need to provide many different users with access to federated applications, where some of those users reside in other organizations, you can configure the resource Federation Service with multiple account partners.

For more information about how to set up and configure a resource partner organization, see Checklist: Configuring the Resource Partner Organization.