Federated Web SSO with Forest Trust design
Updated: December 15, 2006
Applies To: Windows Server 2003 R2
The Federated Web Single-Sign-On (SSO) with Forest Trust design in Active Directory Federation Services (ADFS) combines two Active Directory forests in a single organization, as shown in the following illustration.
Typically, you use this design when you want to provide employees on the corporate network and remote employees with federated access to ADFS-secured applications in the perimeter network, while using each employee's standard corporate domain credentials.
The one-way federation trust arrow in the illustration signifies the direction of the trust, which—like the direction of Windows trusts—always points to the account side of the forest. This means that authentication flows from the corporate network to the perimeter network.
Because a forest trust exists between the perimeter network and the corporate network, employee user accounts that are in the corporate network may be used to access the application, which eliminates the need for resource accounts or resource groups. A Windows NT token–based application requires that a user or group exists so that the ADFS token can be mapped into it. However, using Active Directory in the corporate network enables you to deploy the application without user accounts in the perimeter network.
Note: If a trust is not in place between the corporate network and the perimeter network and the application in the perimeter network is a Windows NT token–based application, resource accounts or groups must exist in the perimeter network.
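The trust direction described above is easy to get wrong when the forest trust is created by hand, and a trust that is broader than the design (two-way instead of one-way) silently widens what the perimeter forest can reach. The following PowerShell check is an added example, not part of the original page or of the ADFS product: it enumerates the trusts defined in the perimeter (resource) forest and reports whether the trust to the corporate (account) forest is the one-way, forest-wide trust this design calls for. It assumes the ActiveDirectory PowerShell module is available and that it is run from the perimeter forest; the corporate forest name `corp.adatum.example` is a placeholder.

```powershell
# Added example (not from the original page). Assumes it is run from the PERIMETER
# forest with the ActiveDirectory module available. The corporate (account) forest
# name below is a placeholder and must be replaced with the real forest name.
Import-Module ActiveDirectory

$accountForest = 'corp.adatum.example'   # placeholder: the corporate forest that holds employee accounts

# Enumerate every trust defined in the forest we are querying.
$trusts = Get-ADTrust -Filter * -Properties Direction, ForestTransitive, SelectiveAuthentication

foreach ($t in $trusts) {
    # From the perimeter forest's point of view, "Outbound" means this forest trusts
    # the partner, i.e. the partner is the account side and authentication flows from it.
    $isAccountForest = ($t.Name -eq $accountForest)
    $isOneWayForestTrust = ($t.Direction -eq 'Outbound') -and $t.ForestTransitive

    [pscustomobject]@{
        Partner       = $t.Name
        Direction     = $t.Direction               # Outbound, Inbound or BiDirectional
        ForestTrust   = $t.ForestTransitive        # $true for a forest trust, $false for an external trust
        SelectiveAuth = $t.SelectiveAuthentication # $true if selective authentication is enabled on this side
        MatchesDesign = $isAccountForest -and $isOneWayForestTrust
    }
}
```

Read the `Direction` column against the illustration: the trust to the corporate forest should be `Outbound` from the perimeter forest and nothing else. A `BiDirectional` result means the corporate forest also trusts the perimeter forest, which is more than this design requires; an `Inbound` result means the trust is pointing the wrong way and corporate accounts will not be able to authenticate to the perimeter application. `SelectiveAuthentication` is reported only so the current setting is visible; the page itself does not state a requirement for it.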
In this design, the single A. Datum Corporation organization combines the following ADFS deployment goals:
Provide federated access for your employees on the corporate network
Provide federated access for your remote employees on the Internet
Provide federated access for your hosted applications
To learn more about the flow of ADFS communications in this design, see Federated Web SSO with Forest Trust example.
For a list of detailed tasks that you can use to plan and deploy the Federated Web SSO with Forest Trust design, see Checklist: Implementing a Federated Web SSO with Forest Trust Design.