Web SSO example

Applies To: Windows Server 2003 R2

In this example, the fictitious company Adventure Works is an online retailer. The company sells products directly to customers over the Internet. The perimeter network hosts the Purchasing application and the Customer Service Web application, which are both claims-aware applications. Internet customer accounts and passwords are managed in Active Directory Application Mode (ADAM).

Message flow for customer remote access

The ADFS-enabled Web server that hosts the Purchasing and Customer Service applications is located in the perimeter network forest. Customers perform Active Directory Federation Services (ADFS) authentication for these applications by using the resource federation server for the ADFS-enabled Web server.

Client application request

The following illustration and corresponding steps provide a detailed description of the client application request process in ADFS using Transport Layer Security / Secure Sockets Layer (TLS/SSL).

Art Image

  1. The customer uses her Web browser to open the application on the ADFS-enabled Web server.

  2. The ADFS-enabled Web server refuses the request because there is no ADFS authentication cookie, and the ADFS-enabled Web server redirects the client browser to the logon Web page on the resource federation server.

  3. The client browser requests the logon Web page from the resource federation server.

  4. The resource federation server redirects the client browser to its logon Web page.

Authenticating the user

The following illustration and corresponding steps continue to describe the client application request process in the previous section. Unless it is otherwise noted, all traffic uses TLS/SSL.

Art Image

  1. The Web page of the resource federation server prompts the client for user credentials.

  2. The resource federation server does the following:

    • Validates the client's user credentials and retrieves attributes from ADAM using Lightweight Directory Access Protocol (LDAP).

    • Builds the security token for the ADFS-enabled Web server application.

    • Builds the ADFS authentication cookie.

  3. The resource federation server redirects the Web browser to send the POST request to the ADFS-enabled Web server:

    • POST with security token in body and Java script to activate.

    • The ADFS authentication cookie is written to the Web browser.

  4. The Web browser sends the POST request to the ADFS-enabled Web server.

  5. The ADFS-enabled Web server redirects the Web browser to the Uniform Resource Locator (URL) of the application:

    • The ADFS-enabled Web server validates the security token.

    • Builds the new ADFS authentication cookie.

    • The ADFS authentication cookie is written to the Web browser.

  6. The Web browser requests the original application URL from the ADFS-enabled Web server with the ADFS authentication cookie.

  7. The application authorizes the user’s request, based on attributes from the security token.

The client browser requests additional application URLs from the ADFS-enabled Web server with its ADFS authentication cookie that is created by the Web server.