Scenario Overview

Applies To: Active Directory Federation Services (AD FS) 2.0

Scenario overview

This section includes background information about the fictional companies in this document. It also identifies their business goals and briefly describes the technologies that are used to achieve these goals.

About the fictional companies

The following fictional companies and their business needs are used in this guide:

  • Contoso Pharmaceuticals: An international pharmaceutical supply company that specializes in manufacturing prescription drugs for its health management organization (HMO) customers inside and outside the United States. In a strategic effort to meet the drug-ordering demands of its customers, the IT department at Contoso has been given the task of developing and deploying a secure, Internet-accessible SharePoint application that must also provide multiple levels of access for various internal users (Contoso employees) and external partner users at Fabrikam. To minimize the costs that are associated with maintaining the SharePoint application, the IT department must also make sure that the application does not require a separate account store of its own in order for internal and external users to access it.

  • Fabrikam: A manufacturer of cost-efficient, wholesale pharmaceutical and chemical manufacturing supplies that is known worldwide for providing low-price supplies to drug manufacturers. Although sales have been accelerating consistently year after year for this company, there is a noticeable increase in inventory errors that has caused returns, reshipments, or adjustments for its key business partners such as Contoso. So that Fabrikam can maintain its strong partnership and achieve its goals for a high level of service with Contoso, Fabrikam decides to partner closely with Contoso for the purpose of completing an upcoming drug trial audit process for a new medication that Contoso currently has under development. To accomplish this goal, some Fabrikam employees need varying levels of access to the SharePoint site at Contoso.

About the lab configuration

To facilitate the partnership between the two companies and to enable managed, claims-based access (CBA) to the SharePoint site, the following federation configuration is used.

About the fictional employees

The fictional employees in the following table are used throughout the scenario in this document. You will log on to the test lab virtual machines to simulate the various federated identity and claims-based access scenarios in this guide and test different levels of access to the SharePoint application.

Employee          Role                          Company
Daniel Weisman    Drug Trial Administrator      Contoso Pharmaceuticals
Frank Miller      Drug Trial Process Auditor    Fabrikam Suppliers

About the scenario

For this scenario, Microsoft Office SharePoint Server 2007 is the application of choice to facilitate the business partnership between the two companies, Contoso Pharmaceuticals and Fabrikam Suppliers. For SharePoint site access, Microsoft Office SharePoint Server 2007 requires roles and/or user names so that it can grant access to its resources. In many enterprise SharePoint deployments today, customers such as Contoso and Fabrikam use Active Directory or Active Directory Domain Services (AD DS) to obtain the role and user information that is necessary to manage and authorize access to the SharePoint Web site. In this scenario, we are going to configure Microsoft Office SharePoint Server 2007 to obtain the role and user information from AD FS 2.0 instead of from Active Directory data for authorization purposes.

Next, we will use AD FS 2.0 in the Contoso domain to control which roles are sent to Microsoft Office SharePoint Server. We will also configure a second AD FS 2.0 instance in the Fabrikam domain to establish a federated trust relationship between the Fabrikam and Contoso domains. After this trust is established across the domains, we will also configure AD FS 2.0 in the Contoso domain to use an alternative external database as the source of the role information that it uses for SharePoint authorization. For this part of the scenario demonstration, the database that we use will be a Microsoft SQL Server® database.

The following tables briefly describe each step in this scenario, identify the user experience at that step in the scenario, and provide a link to the location in this guide for the instructions for completing that step. The entire guide includes eight steps.

Using AD FS 2.0 to provide role and user access to the SharePoint site

In steps 1 through 4, we configure Microsoft Office SharePoint Server 2007 to use AD FS 2.0 instead of Active Directory or AD DS for obtaining role and user information. In addition, we configure AD FS 2.0 in the Contoso domain to issue role and user information to the SharePoint site.

Step 1: Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso federation server

For Contoso Pharmaceuticals, this step demonstrates:

  • The IT pro experience for configuring Microsoft Office SharePoint Server 2007 to use AD FS 2.0 as a centralized authentication provider.

Step 2: Add the Domain Admins group as Administrator for the SharePoint site

For Contoso Pharmaceuticals, this step demonstrates:

  • The IT pro experience of giving access to the SharePoint site based on the role information that AD FS 2.0 provides.

Step 3: Configure the Contoso federation server to issue tokens to the SharePoint site

For Contoso Pharmaceuticals, this step demonstrates:

  • The IT pro experience that is necessary to add a new relying party (the SharePoint site) to an existing AD FS 2.0 deployment and to issue tokens with specific claims in them.

Step 4: Add new roles to the SharePoint site

For Contoso Pharmaceuticals, this step demonstrates:

  • The IT pro experience of giving access to a SharePoint site by using claims that AD FS 2.0 issues.

Establishing a federated trust between two companies by using AD FS 2.0

In steps 5 through 7, we configure AD FS 2.0 to establish a federated trust relationship between the two companies. We also configure AD FS 2.0 to determine which roles are sent to the SharePoint server. After configuring these updates, we will then verify the authorization changes for both administrators and visitors to the site.

Step 5: Configure the Contoso federation server to accept tokens from the Fabrikam federation server

For Contoso Pharmaceuticals, this step demonstrates:

  • The IT pro experience of configuring a federation server at Contoso to establish one side of the federated trust by enabling it to accept tokens from a partner federation server at Fabrikam.

Step 6: Configure Fabrikam to federate and issue tokens to Contoso

For Fabrikam Suppliers, this step demonstrates:

  • The IT pro experience of configuring a federation server at Fabrikam to establish the other side of the federated trust by enabling it to issue tokens to a partner server at Contoso.

Step 7: Access the SharePoint site

This step demonstrates:

  • The client-side experience when a user tries to access a federated resource from a Web browser or a rich client application, such as Microsoft Office Word.

Using a SQL Server database as an alternative to using Active Directory or AD DS as a data store

In the next step, step 8, we reconfigure AD FS 2.0 to use a Microsoft SQL Server database as an alternate data store to the Active Directory data store that we used in the previous configurations.

Step 8: Configure the Contoso federation server to get role values from a Structured Query Language (SQL) data store

For Contoso Pharmaceuticals, this scenario demonstrates:

  • The IT pro experience for providing claims-based identity to users in which the values of the claims come from a SQL Server data store instead of an Active Directory database.

Protecting documents and libraries using Active Directory Rights Management Services

In the next step, step 9, we reconfigure AD FS 2.0 and the SharePoint site to use Active Directory Rights Management Services (AD RMS) for digital rights management of documents. In step 10, we configure a second document library that requires a stronger authentication type for access.

Step 9: Configure AD RMS for digitally protecting documents

For Contoso Pharmaceuticals, this scenario demonstrates:

  • The IT pro experience for configuring AD RMS to use the ADFS Web agent and AD FS 2.0 for federated identity support.

For Fabrikam, this scenario demonstrates:

  • The client computer modifications that enable federated support for AD RMS, and the end user experience of opening and browsing protected documents.

Step 10: Configure a SharePoint document library that requires stronger authentication

For Contoso Pharmaceuticals, this scenario demonstrates:

  • Creation of a new document library.

  • Modification of the web.config file of the site so that it requires a stronger set of credentials to access the library.

Step 11: Configure AD FS 2.0 to permit only specific users

For Contoso Pharmaceuticals, this scenario demonstrates:

  • Creation of rules in AD FS 2.0 so that only users who match a specific rule get a token for the SharePoint server and all others are denied.
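The following PowerShell script is an added example, not part of this guide or of the later step pages, showing how the three AD FS 2.0 configuration pieces summarized above (registering the SharePoint site as a relying party in step 3, sourcing role claims from a SQL Server attribute store in step 8, and restricting token issuance to specific users in step 11) look when done with the AD FS 2.0 PowerShell snap-in and its claim rule language. The relying party name and identifier, the endpoint URL, the attribute store name, the SQL Server connection string, the table and column names, and the role values are all assumptions chosen for illustration.

```powershell
# Added example (not from the guide): AD FS 2.0 snap-in commands that wire up
# the relying party, SQL attribute store and authorization rules for the
# Contoso SharePoint site. Every name and value below is an assumption.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName  = "Contoso SharePoint"                      # assumed display name
$rpId    = "urn:sharepoint:contoso"                  # assumed relying party identifier
$rpWsFed = "https://sharepoint.contoso.com/_trust/"  # assumed WS-Federation endpoint

# Step 3: register the SharePoint site as a relying party trust.
Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpId -WSFedEndpoint $rpWsFed

# Step 8: register a SQL Server attribute store. In the rules below, AD FS
# binds the rule's param values to the {0}, {1}, ... placeholders of the
# query as query parameters rather than splicing claim text into the SQL.
Add-ADFSAttributeStore -Name "ContosoRolesDB" -StoreType SQL `
    -Configuration "Server=sql01.contoso.com;Database=ContosoRoles;Integrated Security=True"

# Issuance transform rules. The first rule looks the user up by Windows
# account name and issues one role claim per row returned; the second passes
# the account name through as the Name claim the SharePoint site consumes.
$transformRules = @'
@RuleName = "Roles from SQL store"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "ContosoRolesDB",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = "SELECT RoleName FROM dbo.UserRoles WHERE AccountName = {0}",
          param = c.Value);

@RuleName = "Pass through account name as Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value);
'@

# Step 11: issuance authorization rules. AD FS 2.0 withholds the token unless
# a permit claim is issued, so listing only the permitted roles is enough;
# the explicit deny rule makes the intent visible in the management console.
$authorizationRules = @'
@RuleName = "Permit drug trial staff"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
   Value =~ "^(Drug Trial Administrator|Drug Trial Process Auditor)$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny everyone else"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
            Value =~ "^(Drug Trial Administrator|Drug Trial Process Auditor)$"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Confirm what was stored on the relying party trust.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Run this on the Contoso federation server as a member of the AD FS administrators group. The transform rules control which role values reach the SharePoint site (the concern of steps 3 and 8), while the authorization rules decide who receives a token at all (step 11); keeping the two rule sets separate makes it straightforward to audit, in the management console or with Get-ADFSRelyingPartyTrust, exactly which roles are forwarded and which users are permitted.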