Checklist: Configuring the account partner organization

Applies To: Windows Server 2003 R2

This checklist includes tasks for deploying Active Directory Federation Services (ADFS) in the account partner organization. It also includes tasks for configuring the components that are required to establish one half of a federation partnership.

If you are deploying a Web SSO design, you do not have to follow this checklist. However, you do have to complete the tasks in this checklist to successfully deploy a Federated Web SSO design or Federated Web SSO with Forest Trust design.

Important

Make sure that the administrator in the resource partner organization follows the guidance in Checklist: Configuring the resource partner organization, so that all of the deployment tasks that are needed to create the second half of the federation partnership are completed.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Configuring the account partner organization

Task 1. Based on your deployment goals, review information about the components that are required to provide users with access to the federated applications that you host in your organization.

References:

  • Conceptual topic: Provide federated access for your employees on the corporate network

  • Conceptual topic: Provide federated access for your remote employees on the Internet

  • Conceptual topic: Provide single-sign-on access for customers to your hosted applications

Task 2. Determine which ADFS design this account partner organization will be associated with.

References:

  • Conceptual topic: Web SSO design

  • Conceptual topic: Federated Web SSO design

  • Conceptual topic: Federated Web SSO with Forest Trust design

Task 3. To effectively plan and implement the physical topology for the account partner deployment, determine whether your ADFS design requires one or more federation servers or federation server proxies.

References:

  • Checklist topic: Checklist: Installing a federation server

  • Checklist topic: Checklist: Installing a federation server proxy

Task 4. After you deploy the first federation server in the account partner organization, configure the trust policy. You can do this manually or through a policy file that is provided to you by the administrator of the resource partner organization.

References:

  • Procedure topic: Add a new resource partner by manually configuring the trust policy

  • Procedure topic: Add a new resource partner by importing an existing policy file

Task 5. Determine whether you want to implement privacy settings on resource partners in the Federation Service. When you enable enhanced identity privacy settings, you remove sensitive data from claims that are sent to the resource partner organization.

References:

  • Conceptual topic: Review how ADFS may affect privacy

  • Procedure topic: Enable enhanced identity privacy

Task 6. If you are deploying the Federated Web SSO with Forest Trust design, configure the Federation Service for Windows trust.

References:

  • Conceptual topic: When to enable Windows trusts

  • Procedure topic: Configure a resource partner to use Windows trust

Task 7. Incoming claims must be associated with organization group claims or custom claims in the Federation Service.

Reference:

  • Procedure topic: Create an organization group or custom claim

Task 8. Create outgoing claim mappings for each resource partner in the Federation Service so that organization claims will be transmitted to resource partners.

Reference:

  • Procedure topic: Create an outgoing group or custom claim mapping

Task 9. Determine the type of account store that you need to add to the Federation Service. Then, create the appropriate group or custom claim extraction to map an organization claim to an Active Directory group or user account.

References:

  • Procedure topic: Add an Active Directory account store

  • Procedure topic: Add an ADAM account store

  • Procedure topic: Map an organization group claim to an Active Directory group (group claim extraction)

  • Procedure topic: Map an organization group claim to an ADAM attribute and value (group claim extraction)

  • Procedure topic: Map an organization custom claim to an Active Directory or ADAM user attribute (custom claim extraction)

Task 10. Prepare client computers for federation by:

  • Adding the Uniform Resource Locator (URL) for the account federation server to the trusted sites list for the client browser.

  • Using Group Policy to push the appropriate Secure Sockets Layer (SSL) certificates to client computers.

References:

  • Conceptual topic: Prepare client computers for federation

  • Procedure topic: Configure client computers to trust the account federation server

  • Procedure topic: Distribute certificates to client computers using Group Policy