Deploying Partner Organizations
Updated: January 31, 2008
Applies To: Windows Server 2008
To deploy a new partner organization, complete the tasks in either Checklist: Configuring the Resource Partner Organization or Checklist: Configuring the Account Partner Organization, depending on your Active Directory Federation Services (AD FS) design.
|When you use either of these checklists, we strongly recommend that you first read the references to account partner or resource partner planning guidance (in the AD FS Design Guide) before continuing to the procedures for setting up the new partner organization. Following the checklist in this way will help provide a better understanding of the full AD FS design and deployment story for the account partner or resource partner organization.|
An account partner is the organization in the federation trust relationship that physically stores user accounts in either an Active Directory Domain Services (AD DS) store or an Active Directory Lightweight Directory Services (AD LDS) store. The account partner is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens. These tokens can then be presented across a federation trust to enable access to Web-based resources that are located in the resource partner organization.
In other words, an account partner represents the organization for whose users the account-side Federation Service issues security tokens. The Federation Service in the account partner organization authenticates local users and creates security tokens that the resource partner uses in making authorization decisions.
With regard to AD DS, the account partner in AD FS is conceptually equivalent to a single AD DS forest whose accounts need access to resources that are physically located in another forest. Accounts in this forest can access resources in the resource forest only when an external trust or forest trust relationship exists between the two forests and the resources to which the users are trying to gain access have been set with the proper authorization permissions.
The resource partner is the organization in an AD FS deployment where AD FS-enabled Web servers are located. The resource partner trusts the account partner to authenticate users. Therefore, to make authorization decisions, the resource partner consumes the claims that are packaged in security tokens coming from users in the account partner.
In other words, a resource partner represents the organization whose Web servers are protected by the resource-side Federation Service. The Federation Service at the resource partner uses the security tokens that are produced by the account partner to make authorization decisions for Web servers in the resource partner.
To function as an AD FS resource, Web servers in the resource partner organization must have one of the AD FS Web Agent role services installed. Web servers that function as an AD FS resource can host either claims-aware applications or Windows NT token–based applications. For more information about the two types of applications, see Identify the Type of Federated Application to Deploy.