Deploying Federation Servers
Updated: December 15, 2006
Applies To: Windows Server 2003 R2
To deploy federation servers, complete each of the tasks in Checklist: Installing a federation server.
Note: When you use this checklist, we strongly recommend that you first read the references to federation server planning guidance (in the ADFS Design Guide) before continuing to the procedures for configuring the servers. Following the checklist in this way will help provide a better understanding of the full design and deployment story for federation servers.
About federation servers
Federation servers are computers running Windows Server 2003 R2, Enterprise Edition, or Windows Server 2003 R2, Datacenter Edition, that are configured to host the Federation Service component of Active Directory Federation Services (ADFS). Federation servers authenticate or route requests from user accounts in other organizations and from clients that can be located anywhere on the Internet.
The act of installing the Federation Service on a computer makes that computer a federation server. It also makes the Active Directory Federation Services snap-in available on that computer on the Administrative Tools menu so that you can specify the following:
The Federation Service endpoint Uniform Resource Locator (URL) value where partner organizations and applications will send token requests and responses
The Federation Service Uniform Resource Identifier (URI) value that partner organizations and applications will use to identify the unique name or location of your organization
The location of the trust policy file that all federation servers that participate in the same server farm will use
The token-signing certificate that all federation servers in a server farm will use to issue and sign tokens
The location of customized ASP.NET Web pages for client logon, logoff, and account partner discovery that will enhance the client experience
Note: The majority of these core user interface (UI) settings are contained in the web.config file on each federation server. The Federation Service endpoint URL and Federation Service URI values are not specified in the web.config file.
Federation servers host a security token service that issues tokens that are based on the credentials (for example, user name and password) that are presented to it. A security token is a cryptographically signed data unit that expresses one or more claims. A claim is a statement that a server makes (for example, name, identity, key, group, privilege, or capability) about a client. After the credentials are verified on the federation server (through the user logon process), claims for the user are collected through examination of the user attributes that are stored in Active Directory or Active Directory Application Mode (ADAM).
In Federated Web Single Sign-On (SSO) designs (designs in which two or more organizations are involved), claims can be modified by claim mappings for a specific resource partner. The claims are built into a token that is sent to a federation server in the resource partner organization. After a federation server in the resource partner receives the claims as incoming claims, it maps them into its organization claims. The organization claims are then built into a new token that is sent to the Web server in the resource partner that hosts the ADFS Web Agent.
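The Federated Web SSO token flow described above, modeled as an added example (not code from this page or from ADFS itself): the account partner's federation server issues a signed token, the resource partner verifies the signature against the account partner's token-signing key before applying its claim mappings, and incoming claims without a mapping are not carried into the new token. The signing keys, claim values and mapping table are constructed, and the HMAC is a stand-in for the X.509 token-signing certificate that ADFS actually uses.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for each partner's token-signing certificate. Real ADFS
# signs with the certificate's private key; a shared-secret HMAC is used here
# only to keep the example self-contained (assumption, not ADFS behaviour).
ACCOUNT_PARTNER_KEY = b"constructed-account-partner-signing-key"
RESOURCE_PARTNER_KEY = b"constructed-resource-partner-signing-key"

# Constructed claim mapping that the resource partner configures for this
# account partner: incoming group claim -> organization group claim.
GROUP_CLAIM_MAPPING = {"Purchasing": "Purchasers", "Finance": "Accounting"}


def issue_token(claims, signing_key):
    """Federation server: build a token carrying the claims and sign it."""
    body = json.dumps(claims, sort_keys=True).encode()  # canonical form
    signature = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": signature}


def verify_token(token, partner_key):
    """Check the token against the partner's key; refuse anything unsigned or altered."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(partner_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        raise ValueError("token signature does not match the partner's token-signing key")
    return token["claims"]


def resource_partner_process(token):
    """Resource partner: verify incoming claims, map them, issue a new token for the Web Agent."""
    incoming = verify_token(token, ACCOUNT_PARTNER_KEY)
    organization_claims = {
        # Identity claim is passed through; group claims only survive if mapped.
        "identity": incoming["identity"],
        "groups": sorted(GROUP_CLAIM_MAPPING[g] for g in incoming["groups"]
                         if g in GROUP_CLAIM_MAPPING),
    }
    return issue_token(organization_claims, RESOURCE_PARTNER_KEY)


if __name__ == "__main__":
    # Constructed user from the account partner; "Domain Users" has no mapping.
    user_claims = {"identity": "alice@account.example",
                   "groups": ["Purchasing", "Finance", "Domain Users"]}
    incoming_token = issue_token(user_claims, ACCOUNT_PARTNER_KEY)
    outgoing_token = resource_partner_process(incoming_token)
    print(verify_token(outgoing_token, RESOURCE_PARTNER_KEY))
```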
In the Web SSO design (where only one organization is involved), a single federation server can be used so that employees can log on once and still access multiple applications.