AD FS Deployment Guide
Updated: January 31, 2008
Applies To: Windows Server 2008
You can use Active Directory® Federation Services (AD FS) in the Windows Server® 2008 operating system to build a federated identity management solution that can extend distributed identification, authentication, and authorization services to Web-based applications across organizational and platform boundaries. By deploying AD FS, you can extend your organization’s existing identity management capabilities to the Internet. You can deploy AD FS to:
Provide your employees or customers with a Web-based, single sign-on (SSO) experience when they need remote access to internally hosted Web sites.
Provide your employees or customers with a Web-based, SSO experience when they access cross-organizational Web sites from within the firewalls of your network.
Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet without requiring employees or customers to log on more than once.
Retain complete control over your employee or customer identities without using other sign-on providers (Microsoft® Windows Live ID, Liberty Alliance, and others).
After you deploy AD FS, you can use it as your organization's primary Web SSO solution.
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying an AD FS design that has been preselected by you or an infrastructure specialist or system architect in your organization.
If a design has not yet been selected, we recommend that you wait to follow the instructions in this guide until after you have reviewed the various design options in the AD FS Design Guide and you have selected the most appropriate design for your organization. For more information about using this guide with a design that has already been selected, see Implementing Your AD FS Design Plan.
After you select your design and you use the worksheets in the design guide to gather the required information about claims, token types, account stores, and other items, you can then use this guide to deploy your AD FS design in your production environment. This guide provides steps for deploying any of the following primary AD FS designs:
Federated Web SSO
Federated Web SSO with Forest Trust
Use the checklists in Implementing Your AD FS Design Plan to determine how best to use the instructions in this guide to deploy your particular design. For information about hardware and software requirements for deploying AD FS, see Appendix A: Reviewing AD FS Requirements in the AD FS Design Guide.
This guide does not provide:
Guidance regarding when and where to place federation servers, federation server proxies, or Web servers in your existing network infrastructure. For this information, see Planning Federation Server Placement, Planning Federation Server Proxy Placement, and Planning AD FS-Enabled Web Server Placement in the AD FS Design Guide.
Guidance for using certification authorities (CAs) to set up AD FS.
Guidance for setting up or configuring specific Web-based applications.
Setup instructions that are specific to setting up a test lab environment. For more information about how to configure an AD FS test lab environment, see the Step-by-Step Guide for AD FS in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=108136).
Information about how to customize federated logon screens, web.config files, or trust policy files.
Information about how to modify or remove AD FS settings on specific servers or in the trust policy. For this information, see the AD FS Operations Guide (http://go.microsoft.com/fwlink/?linkid=78683).
AD FS is an identity access solution that provides browser-based clients (internal or external to your network) with seamless SSO access to protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.
When an application is in one network and the user account is in another, the user is typically prompted for secondary credentials when attempting to access the application. These secondary credentials represent the user's identity in the realm where the application resides; the Web server that hosts the application usually requires them so that it can make an appropriate authorization decision.
With AD FS, organizations can eliminate these requests for secondary credentials by establishing trust relationships (federation trusts) that project a user's digital identity and access rights to trusted partners. In a federated environment, each organization continues to manage its own identities, but it can also securely project identities to, and accept identities from, partner organizations.
For more general information about AD FS, see Active Directory Federation Services Overview (http://go.microsoft.com/fwlink/?LinkID=95311).