Review the role of the federation server proxy in the resource partner organization

Applies To: Windows Server 2003 R2

The role of the federation server proxy in the perimeter network of the resource partner is to perform account partner discovery for Internet clients and to redirect security tokens.

  • Account partner discovery. An Internet client must identify which account partner will authenticate it. The client finds the account partner by using an account partner discovery Web form (discoverclientrealm.aspx), which is stored on the federation server proxy in the resource partner. If more than one account partner is configured in the trust policy in the Active Directory Federation Services snap-in, the account partner discovery Web form displays a drop-down menu that lists all the available account partners that are visible to Internet clients. You can change how the account partner discovery Web form is presented to clients by customizing the discoverclientrealm.aspx file.

  • Redirect security tokens. The federation server proxy in the account partner sends the security tokens to the resource partner. The resource federation server proxy accepts these tokens and passes them on to the federation server in the resource partner. The resource federation server then issues a security token that is bound for a specific resource Web server. The resource federation server proxy returns the token to the client.
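The following Python model, added here as an illustration and not part of ADFS or of this documentation, walks through the two responsibilities above: it builds the list of account partners that the discovery Web form would offer to Internet clients, redirects the client to the partner it selects, and then accepts a token from a configured account partner, passes it to the (internal) resource federation server, and returns a token bound to one resource Web server. The trust policy, realm names, URLs, signing keys, query-string parameters and the HMAC-based token format are all constructed for the example; they stand in for the trust policy configured in the snap-in and for the real security tokens, not reproduce them.

```python
"""Toy model of the resource-partner federation server proxy (added example,
not ADFS code): account partner discovery and security-token redirection.
Partner names, URLs, keys and the token format are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust policy standing in for what an administrator configures in
# the Active Directory Federation Services snap-in. Keys are placeholders.
TRUST_POLICY = {
    "account_partners": {
        "adatum.example": {
            "discovery_url": "https://fs.adatum.example/adfs/ls/",
            "visible_to_internet_clients": True,
            "signing_key": b"placeholder-adatum-key",
        },
        "fabrikam.example": {
            "discovery_url": "https://fs.fabrikam.example/adfs/ls/",
            "visible_to_internet_clients": False,  # intranet-only partner
            "signing_key": b"placeholder-fabrikam-key",
        },
    },
    # Signing key of the resource federation server on the internal network (placeholder).
    "resource_fs_key": b"placeholder-resource-fs-key",
}


def visible_account_partners(policy=TRUST_POLICY):
    """Realms the discovery Web form's drop-down would offer: only partners
    flagged as visible to Internet clients."""
    return sorted(realm for realm, p in policy["account_partners"].items()
                  if p["visible_to_internet_clients"])


def discover_account_partner(chosen_realm, resource_url, policy=TRUST_POLICY):
    """Redirect the client to the account partner it selected; refuse realms
    that are unknown or not exposed to Internet clients. The query string is a
    constructed placeholder, not the real WS-Federation sign-in request."""
    if chosen_realm not in visible_account_partners(policy):
        raise ValueError(f"realm not available to Internet clients: {chosen_realm}")
    partner = policy["account_partners"][chosen_realm]
    return f"{partner['discovery_url']}?resource={resource_url}"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims, key):
    """Toy signed token: base64(JSON claims).base64(HMAC-SHA256). Not SAML."""
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def verify_token(token, key, now=None):
    """Return the claims if the signature is valid and the token is unexpired."""
    body_b64, mac_b64 = token.split(".")
    body = _unb64(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac_b64)):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def resource_federation_server_issue(identity_claims, resource_url,
                                     policy=TRUST_POLICY, now=None):
    """Internal resource federation server: issue a new token bound to one
    resource Web server (audience), signed with the resource FS key."""
    now = time.time() if now is None else now
    return sign_token({
        "iss": "fs.resource.example",  # constructed resource federation server name
        "aud": resource_url,
        "sub": identity_claims["sub"],
        "from_realm": identity_claims["iss"],
        "exp": now + 600,
    }, policy["resource_fs_key"])


def proxy_redirect_token(account_token, resource_url, policy=TRUST_POLICY, now=None):
    """Perimeter-network proxy: accept a token only from a configured account
    partner, hand it to the resource federation server, and return the
    resource-bound token to the client."""
    issuer = json.loads(_unb64(account_token.split(".")[0])).get("iss")
    partner = policy["account_partners"].get(issuer)
    if partner is None:
        raise ValueError(f"token from unconfigured account partner: {issuer}")
    # The issuer name is used only to pick the key from the trust policy;
    # the signature is checked against that key, never one the token supplies.
    claims = verify_token(account_token, partner["signing_key"], now)
    return resource_federation_server_issue(claims, resource_url, policy, now)


if __name__ == "__main__":
    resource = "https://web.resource.example/"
    print(visible_account_partners())
    print(discover_account_partner("adatum.example", resource))
    tok = sign_token({"iss": "adatum.example", "sub": "alice", "exp": time.time() + 300},
                     TRUST_POLICY["account_partners"]["adatum.example"]["signing_key"])
    print(verify_token(proxy_redirect_token(tok, resource), TRUST_POLICY["resource_fs_key"]))
```

The two checks in `proxy_redirect_token` are the ones that matter at the perimeter: the proxy looks up the signing key from its own trust policy rather than trusting anything carried in the token, and a token from a realm that is not a configured account partner is rejected before it ever reaches the internal federation server.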

To reduce the amount of hardware and the number of required certificates, the federation server proxy can be located on the same computer as the ADFS-enabled Web server.

To summarize, a resource federation server proxy facilitates the federated logon process by redirecting clients to a federation server that can authenticate them. A resource federation server proxy also acts as a proxy for client security tokens to resource federation servers.