The Role of Attribute Stores

Applies To: Active Directory Federation Services (AD FS) 2.0

Active Directory Federation Services (AD FS) 2.0 uses the term “attribute stores” to refer to directories or databases that an organization uses to store its user accounts and their associated attribute values. After it is configured in an identity provider organization, AD FS 2.0 retrieves these attribute values from the store and creates claims based on that information so that a Web application or service that is hosted in a relying party organization can make the appropriate authorization decisions whenever a federated user (a user whose account is stored in the identity provider organization) attempts to access the application or service.

For more information about how claims are generated, see The Role of Claims.

How attribute stores fit in with your AD FS 2.0 deployment goals

The location of the user attribute store and the location from which users authenticate determine how you design AD FS 2.0 to support the user identities. Depending on where the attribute store is located and where users will access the application (in an intranet or on the Internet), you can use one of the following deployment goals:

Depending on attribute store placement and other requirements of your organization, you can combine several of these deployment goals to complete the design of your AD FS 2.0 deployment.

Attribute stores that are supported by AD FS 2.0

AD FS 2.0 supports a wide range of directory and database stores that you can use for extracting administrator-defined attribute values and populating claims with those values. AD FS 2.0 supports any of the following directories or databases as attribute stores:

  • Active Directory in Windows Server 2003 and Active Directory Domain Services (AD DS) in Windows Server 2008

  • All editions of Microsoft SQL Server 2005 and SQL Server 2008

  • Custom attribute stores
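Registering a SQL Server attribute store and issuing claims from it and from the built-in Active Directory store, as an added PowerShell example that is not part of the original page: the store name CustomerSQL, the server, database and view names, the relying party name and the http://example.org/... claim type are assumptions, as is the "Connection" configuration key, which should be checked against the AD FS 2.0 cmdlet reference.

```powershell
# Added example (not from the original page): register a SQL attribute store
# in AD FS 2.0 and issue claims from the built-in Active Directory store and
# from the new SQL store. CustomerSQL, sqlserver01, CustomerDirectory,
# dbo.UserRoles, "Customer Portal" and the http://example.org/... claim type
# are assumed names used only for illustration.

# AD FS 2.0 exposes its cmdlets through a snap-in rather than a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Register a SQL Server database as an attribute store. The AD FS service
#    account performs the reads, so grant it SELECT on the one view it needs
#    and use integrated security rather than a password in the connection
#    string. The "Connection" configuration key is an assumption.
Add-ADFSAttributeStore -Name "CustomerSQL" -StoreType SQL `
    -Configuration @{ "Connection" = "Server=sqlserver01;Database=CustomerDirectory;Integrated Security=True" }

# 2. Issuance transform rules for a relying party trust.
#    Rule 1 takes the Windows account name that AD FS produced at logon
#    (Issuer == "AD AUTHORITY" restricts the match to that trusted source)
#    and looks up the mail attribute in the built-in "Active Directory" store.
#    Rule 2 passes that e-mail address to the SQL store through the {0}
#    placeholder bound to param, and issues one role claim per row returned.
$rules = @'
@RuleName = "E-mail address from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

@RuleName = "Application role from the CustomerSQL attribute store"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(store = "CustomerSQL",
          types = ("http://example.org/claims/application-role"),
          query = "SELECT RoleName FROM dbo.UserRoles WHERE Email = {0}", param = c.Value);
'@

Set-ADFSRelyingPartyTrust -TargetName "Customer Portal" -IssuanceTransformRules $rules

# 3. Review the registered stores. Any store you did not add yourself
#    deserves investigation, because a store feeds claim values that relying
#    parties use for authorization decisions.
Get-ADFSAttributeStore
```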