Federated Web SSO design
Updated: December 15, 2006
Applies To: Windows Server 2003 R2
The Federated Web Single-Sign-On (SSO) design in Active Directory Federation Services (ADFS) involves secure communication that spans multiple firewalls, perimeter networks, and name resolution servers—in addition to the entire Internet routing infrastructure.
Typically, this design is used when two organizations agree to create a federation trust relationship to allow users in one organization (the account partner organization) to access Web-based applications, which are secured by ADFS, in the other organization (the resource partner organization).
In other words, a federation trust relationship is the embodiment of a business-level agreement or partnership between two organizations. As shown in the following illustration, you can establish a federation trust relationship between two businesses, which results in an end-to-end federation scenario.
The one-way arrow in the illustration signifies the direction of the federation trust, which—like the direction of Windows trusts—always points to the account side of the forest. This means that authentication flows from the account partner organization to the resource partner organization.
In this Federated Web SSO design, two federation servers (one in A. Datum Corporation and the other in Trey Research) route authentication requests from user accounts in A. Datum Corporation to Web-based applications in Trey Research.
Note: For additional security, you can use federation server proxies to relay requests to federation servers that are not directly accessible from the Internet.
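The one-way direction of the federation trust described above, modelled as an added example (not ADFS code and not from this page): the resource partner's federation server accepts only tokens issued by the account partner it has been configured to trust, so a token issued by Trey Research is rejected by A. Datum even though the reverse direction succeeds. The HMAC key shared between partners here stands in for the account partner's token-signing certificate; the class, field and claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


class FederationServer:
    """Toy model of a federation server holding a one-way trust list (constructed example)."""

    def __init__(self, org, signing_key):
        self.org = org
        self._key = signing_key
        # Account partners whose tokens this server accepts: org name -> verification key.
        # In ADFS this is the partner's token-signing certificate; a shared HMAC key is used here.
        self.trusted_account_partners = {}

    def add_account_partner(self, org, key):
        self.trusted_account_partners[org] = key

    def issue_token(self, user, audience, ttl=300):
        claims = {"iss": self.org, "sub": user, "aud": audience, "exp": time.time() + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.b64encode(body) + b"." + base64.b64encode(sig)

    def accept_token(self, token):
        """Return the authenticated user, or None if the token is not acceptable here."""
        body_b64, sig_b64 = token.split(b".")
        body = base64.b64decode(body_b64)
        claims = json.loads(body)
        key = self.trusted_account_partners.get(claims["iss"])
        if key is None:
            return None  # issuer is not a trusted account partner: trust does not point this way
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(sig_b64)):
            return None  # signature does not verify under the partner's key
        if claims["aud"] != self.org or claims["exp"] < time.time():
            return None  # token was issued for another resource partner, or has expired
        return claims["sub"]


def demo():
    adatum = FederationServer("A. Datum", b"adatum-signing-key")
    trey = FederationServer("Trey Research", b"trey-signing-key")
    # Trust points at the account side: Trey Research trusts A. Datum, not the other way round.
    trey.add_account_partner("A. Datum", b"adatum-signing-key")
    forward = trey.accept_token(adatum.issue_token("alice", "Trey Research"))
    reverse = adatum.accept_token(trey.issue_token("bob", "A. Datum"))
    return forward, reverse  # ("alice", None)
```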
In this example, A. Datum Corporation is the identity or account provider. The A. Datum Corporation portion of the Federated Web SSO design combines the following ADFS deployment goals:
Provide federated access for your employees on the corporate network
Provide federated access for your remote employees on the Internet
Trey Research is the resource provider. The Trey Research portion of the Federated Web SSO design achieves the following ADFS deployment goal:
To learn more about the flow of ADFS communications in this design, see Federated Web SSO example.
For a list of detailed tasks that you can use to plan and deploy the Federated Web SSO design, see Checklist: Implementing a Federated Web SSO Design.