Provide federated access for your employees on the corporate network
Updated: December 15, 2006
Applies To: Windows Server 2003 R2
When you are the account partner administrator and you have a deployment goal to provide federated access for employees on the corporate network:
Employees who are logged on to an Active Directory forest in the corporate network can use single sign-on (SSO) to access multiple applications, which are secured by Active Directory Federation Services (ADFS), when the applications are in a different organization. For more information, see Federated Web SSO design.
For example, A. Datum Corporation may want corporate network employees to have federated access to applications that are hosted in Trey Research.
Employees who are logged on to an Active Directory forest in the corporate network can use SSO to access multiple applications, which are secured by ADFS, in the perimeter network in your own organization. For more information, see Federated Web SSO with Forest Trust design.
For example, A. Datum Corporation may want corporate network employees to have federated access to applications that are hosted in the A. Datum Corporation perimeter network.
Information in the Active Directory account store can be populated into the employees' ADFS tokens.
The following components are required for this deployment goal:
Active Directory: Active Directory contains the employees' user accounts that are used to generate ADFS tokens. Information, such as groups and attributes, is populated into ADFS tokens as group claims and custom claims. For more information about Active Directory, see Appendix B: Reviewing Key ADFS Concepts.
Note Active Directory Application Mode (ADAM) may also be used to contain the identities are used to generate ADFS tokens. However, ADAM is typically used for this purpose to host customer accounts on the perimeter network.
Corporate DNS: This implementation of Domain Name System (DNS) contains a simple address (A) resource record so that intranet clients can locate the account federation server. It may host other DNS records that are also required in the corporate network. For more information, see Name resolution requirements for federation servers.
Account federation server: The account federation server is joined to a domain in the account partner forest. It authenticates employee user accounts and generates ADFS tokens. The client computer for the employee performs Windows Integrated authentication against the account federation server to generate an ADFS token. For more information, see Review the role of the federation server in the account partner organization.
The following users can be authenticated by the account federation server:
Employees with user accounts in this domain
Employees with user accounts anywhere in this forest
Employees with user accounts anywhere in forests that are trusted by this forest (through a Windows trust)
- Employees with user accounts in this domain
Employee: An employee accesses an ADFS-secured Web application through a supported Web browser while he or she is logged on to the corporate network. The employee's client computer on the corporate network communicates directly with the federation server for authentication.
The following illustration shows each of the required components for this ADFS deployment goal.