Deploying Federation Servers

Applies To: Windows Server 2008

To deploy federation servers, complete each of the tasks in Checklist: Installing a Federation Server.

Note

When you use this checklist, we recommend that you first read the references to federation server planning in the AD FS Design Guide before you begin the procedures for configuring the servers. Following the checklist in this way provides a better understanding of the design and deployment process for federation servers.

About federation servers

Federation servers are computers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter that are configured to host the Federation Service role service of Active Directory Federation Services (AD FS). Federation servers authenticate or route requests from user accounts in other organizations and from clients that can be located anywhere on the Internet.

The act of installing the Federation Service on a computer makes that computer a federation server. It also makes the Active Directory Federation Services snap-in available on that computer on the Administrative Tools menu so that you can specify the following:

  • The Federation Service endpoint URL value where partner organizations and applications will send token requests and responses

  • The Federation Service uniform resource identifier (URI) value that partner organizations and applications will use to identify the unique name or location of your organization

  • The location of the trust policy file that all federation servers that participate in the same server farm will use

  • The token-signing certificate that all federation servers in a server farm will use to issue and sign tokens

  • The location of customized ASP.NET Web pages for client logon, logoff, and account partner discovery that will enhance the client experience

Note

The majority of these core user interface (UI) settings are contained in the web.config file on each federation server. The Federation Service endpoint URL and Federation Service URI values are not specified in the web.config file.

Federation servers host a security token service (STS) that issues tokens that are based on the credentials (for example, user name and password) that are presented to it. A security token is a cryptographically signed data unit that expresses one or more claims. A claim is a statement that a server makes (for example, name, identity, key, group, privilege, or capability) about a client. After the credentials are verified on the federation server (through the user logon process), claims for the user are collected through examination of the user attributes that are stored in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

In Federated Web Single-Sign-On (SSO) designs (designs in which two or more organizations are involved), claims can be modified by claim mappings for a specific resource partner. The claims are built into a token that is sent to a federation server in the resource partner organization. After a federation server in the resource partner receives the claims as incoming claims, it maps them into its organization claims. The organization claims are then built into a new token that is sent to the Web server in the resource partner that hosts the AD FS Web Agent.
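The two-hop flow described above (organization claims collected from directory attributes, mapped for a specific resource partner, signed into a token, then re-mapped and re-issued by the resource partner for the web server hosting the Web Agent) is easy to lose in prose. The following is an added example written for this page, not code from Microsoft or from AD FS itself. It models the flow with constructed data: the partner URIs `urn:federation:contoso` and `urn:federation:fabrikam`, the directory entries, the claim names and the mapping tables are all invented for illustration; tokens are JSON rather than the SAML assertions AD FS actually issues, and an HMAC key stands in for the private key of the token-signing certificate so the script runs offline. The point it adds is the ordering a receiving federation server must follow: verify the signature before parsing, then check issuer, audience and expiry, and only then apply incoming claim mappings; it also shows that claims dropped by a mapping never reach the resource partner and that a token altered after signing is rejected.

```python
import hashlib
import hmac
import json
import time

# All sample data below is constructed for this example; none of it is real.

# Stand-in for the user attributes a federation server reads from AD DS after logon.
ACCOUNT_DIRECTORY = {
    "alice@contoso.example": {"displayName": "Alice", "memberOf": ["Purchasing", "Staff"]},
    "bob@contoso.example": {"displayName": "Bob", "memberOf": ["Staff"]},
}

# Stand-in for each Federation Service's token-signing key. A real federation server
# signs with the private key of its X.509 token-signing certificate; a constructed HMAC
# key known to the modelled sender and receiver keeps this example self-contained.
SIGNING_KEYS = {
    "urn:federation:contoso": b"contoso-token-signing-key-constructed",
    "urn:federation:fabrikam": b"fabrikam-token-signing-key-constructed",
}

# Claim mappings (constructed). Left: claim name on the side applying the mapping;
# right: name the receiving side expects. Claims without a rule are not forwarded.
CONTOSO_OUTGOING_TO_FABRIKAM = {"upn": "email", "group:Purchasing": "group:Purchaser"}
FABRIKAM_INCOMING_FROM_CONTOSO = {"email": "email", "group:Purchaser": "role:Buyer"}

ACCOUNT_FS = "urn:federation:contoso"    # account partner Federation Service URI (constructed)
RESOURCE_FS = "urn:federation:fabrikam"  # resource partner Federation Service URI (constructed)
WEB_AGENT_APP = "https://purchasing.fabrikam.example/"  # web server hosting the Web Agent


def collect_organization_claims(upn, directory=ACCOUNT_DIRECTORY):
    """Build organization claims from directory attributes once logon has succeeded."""
    attrs = directory[upn]
    claims = {"upn": upn, "name": attrs["displayName"]}
    for group in attrs["memberOf"]:
        claims[f"group:{group}"] = "true"
    return claims


def map_claims(claims, mapping):
    """Apply a claim mapping; any claim without a mapping rule is dropped."""
    return {mapping[k]: v for k, v in claims.items() if k in mapping}


def issue_token(issuer, audience, claims, lifetime=300, now=None):
    """Serialize the claims deterministically and sign them. Returns (payload, signature)."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return payload, sig


def verify_token(payload, sig, expected_issuer, expected_audience, now=None):
    """Check the signature before parsing anything, then issuer, audience and expiry."""
    now = time.time() if now is None else now
    expected = hmac.new(SIGNING_KEYS[expected_issuer], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("token signature invalid")
    body = json.loads(payload)
    if body["iss"] != expected_issuer or body["aud"] != expected_audience:
        raise ValueError("token issuer or audience mismatch")
    if body["exp"] <= now:
        raise ValueError("token expired")
    return body["claims"]


def federated_sso(upn, now=None):
    """Account partner -> resource partner -> Web Agent. Returns the claims the web
    server hosting the Web Agent ends up trusting for this user."""
    # Account partner federation server: collect, map for this partner, sign.
    org_claims = collect_organization_claims(upn)
    outgoing = map_claims(org_claims, CONTOSO_OUTGOING_TO_FABRIKAM)
    payload, sig = issue_token(ACCOUNT_FS, RESOURCE_FS, outgoing, now=now)
    # Resource partner federation server: verify, map incoming to organization claims, re-issue.
    incoming = verify_token(payload, sig, ACCOUNT_FS, RESOURCE_FS, now=now)
    resource_org_claims = map_claims(incoming, FABRIKAM_INCOMING_FROM_CONTOSO)
    payload2, sig2 = issue_token(RESOURCE_FS, WEB_AGENT_APP, resource_org_claims, now=now)
    # Web Agent: trusts only tokens signed by its own organization's Federation Service.
    return verify_token(payload2, sig2, RESOURCE_FS, WEB_AGENT_APP, now=now)


def rejects_tampered_token(now=1_700_000_000.0):
    """Editing claims after signing must break verification at the resource partner."""
    payload, sig = issue_token(ACCOUNT_FS, RESOURCE_FS, {"email": "bob@contoso.example"}, now=now)
    altered = payload.replace(b'"email"', b'"role:Buyer"')  # claim the token never carried
    try:
        verify_token(altered, sig, ACCOUNT_FS, RESOURCE_FS, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(federated_sso("alice@contoso.example"))  # Alice reaches the app as a Buyer
    print(federated_sso("bob@contoso.example"))    # Bob's Staff group is never forwarded
    print("tampered token rejected:", rejects_tampered_token())
```

Two details carry over to a real deployment even though the token format does not: the resource partner decides which issuer it trusts before it looks inside the token (here by choosing the verification key from its own partner configuration, in AD FS by the account partner's verification certificate in the trust policy), and a claim that has no mapping rule for a given partner simply does not cross the organization boundary, which is what limits what a resource partner learns about your users.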

In the Web SSO design (where only one organization is involved), a single federation server can be used so that employees can log on once and still access multiple applications.