Checklist: Configuring the Account Partner Organization

The account partner organization contains the users that will access Web-based applications in the resource partner. Administrators in this organization must use the AD FS Management snap-in to create relying party trusts to represent their trust relationships with resource partner organizations. In turn, the resource partner administrator must create claims provider trusts for each account partner organization that they want to trust.

This checklist includes tasks for deploying Active Directory Federation Services (AD FS) in the account partner organization. It also includes tasks for configuring the components that are required to establish one-half of a federation partnership.

If you are deploying a Web SSO Design, you do not have to follow this checklist. However, you do have to complete the tasks in this checklist to successfully deploy a Federated Web SSO Design.

Important

Make sure that the administrator in the resource partner organization follows the guidance in Checklist: Configuring the Resource Partner Organization to ensure that all necessary deployment tasks will be completed to successfully create the second half of the federation partnership.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Configuring the account partner organization

1. If you have an existing AD FS 1.0 or 1.1 deployment in your production environment today, see the reference for information about how to migrate settings from your current Federation Service to a new AD FS 2.0 Federation Service. If you are deploying AD FS for the first time in your organization, you can skip this step and continue to the next task, which covers how to set up a new account partner organization.
   Reference: Planning a Migration to AD FS 2.0

2. Based on your deployment goals, review information about the components that are required to provide users with access to the federated applications.
   References: Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services; Provide Your Active Directory Users Access to the Applications and Services of Other Organizations; Provide Users in Another Organization Access to Your Claims-Aware Applications and Services

3. Determine which AD FS design this account partner organization will be associated with.
   References: Web SSO Design; Federated Web SSO Design

4. Before you begin deploying your AD FS servers, review the advantages and disadvantages of using either Windows Internal Database (WID) or SQL Server to store the AD FS configuration database, and review the AD FS deployment topology types together with their server placement and network layout recommendations.
   References: Determine Your AD FS Deployment Topology; AD FS Deployment Topology Considerations

5. Review the AD FS capacity planning guidance to determine the proper number of federation servers and federation server proxies for your production environment.
   Reference: Planning for AD FS Server Capacity

6. To plan and implement the physical topology for the account partner deployment, determine whether your AD FS design requires one or more federation servers or federation server proxies, and set them up.
   References: Checklist: Setting Up a Federation Server; Checklist: Setting Up a Federation Server Proxy

7. Determine the type of attribute store that you want to add to AD FS. Then add the attribute store by using the AD FS Management snap-in.
   References: The Role of Attribute Stores; Add an Attribute Store

8. If you need to send claims to or consume claims from a resource partner that uses an AD FS 1.0 or 1.1 Federation Service, see the reference for information about how to configure AD FS to interoperate with previous versions of AD FS. If the resource partner organization also uses AD FS 2.0 to send or consume claims, you can skip this step and continue with the next task.
   Reference: Planning for Interoperability with AD FS 1.x

9. After you deploy the first federation server in the account partner organization, create a relying party trust by using the AD FS Management snap-in. You can create the trust by entering data about the resource partner manually, or by using a federation metadata URL (or a file copy of the metadata) that the administrator of the resource partner organization provides to you; AD FS then retrieves the partner's identifiers, endpoints and certificates from the metadata automatically.
   Note: If the resource partner publishes its federation metadata or can provide a file copy of it, we recommend that you retrieve the data automatically, because it saves time and avoids transcription errors. Because the metadata carries the certificates that AD FS will trust for that partner, obtain it over HTTPS from the partner's published endpoint or directly from the partner administrator, and confirm the certificate thumbprints with the partner out of band before you rely on the trust.
   References: Create a Relying Party Trust Manually; Create a Relying Party Trust Using Federation Metadata
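The relying party trust task above, as an added example in AD FS 2.0 PowerShell (this code is not part of the original checklist and is not Microsoft's own procedure): it downloads the resource partner's federation metadata, lists the certificates it carries so that their thumbprints can be confirmed with the partner administrator out of band, and then creates the relying party trust from that metadata, with a commented manual alternative. The partner name, metadata URL, identifier, endpoint and certificate file path are assumed placeholders.

```powershell
# Added example (not from the original checklist). Run on an AD FS 2.0 federation
# server as an AD FS administrator; all names and URLs below are assumed placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$partnerName = "Fabrikam (resource partner)"                                                     # assumed
$metadataUrl = "https://fs.fabrikam.example/FederationMetadata/2007-06/FederationMetadata.xml"  # assumed

# 1. Fetch the metadata over HTTPS. .NET validates the partner's SSL certificate chain
#    on this request and throws if it does not chain to a trusted root, so a plain-HTTP
#    URL or a broken chain fails here rather than silently becoming a trust anchor.
$client = New-Object System.Net.WebClient
[xml]$md = $client.DownloadString($metadataUrl)

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# 2. List every certificate in the metadata (signing and encryption keys of each role)
#    so the thumbprints can be read back to the partner administrator by phone or
#    another out-of-band channel before the trust is relied on.
"Entity ID: " + $md.DocumentElement.GetAttribute("entityID")
foreach ($kd in $md.SelectNodes("//md:KeyDescriptor", $ns)) {
    $node = $kd.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
    if ($node -eq $null) { continue }
    $bytes = [Convert]::FromBase64String($node.InnerText)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    "{0,-10} {1}  expires {2:yyyy-MM-dd}  {3}" -f $kd.GetAttribute("use"), $cert.Thumbprint, $cert.NotAfter, $cert.Subject
}

# 3. Create the trust from the metadata. MonitoringEnabled lets AD FS poll the URL;
#    AutoUpdateEnabled lets it pick up the partner's certificate rollovers from the same
#    URL, which makes the HTTPS endpoint the standing source of the partner's keys.
Add-ADFSRelyingPartyTrust -Name $partnerName -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Manual alternative for a partner that cannot publish metadata (assumed values).
# The signing certificate file would be received directly from the partner.
# Add-ADFSRelyingPartyTrust -Name $partnerName `
#     -Identifier "https://fs.fabrikam.example/adfs/services/trust" `
#     -WSFedEndpoint "https://fs.fabrikam.example/adfs/ls/" `
#     -RequestSigningCertificate (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "C:\partner\fabrikam-signing.cer")

# 4. Review what AD FS actually recorded for the partner.
Get-ADFSRelyingPartyTrust -Name $partnerName |
    Select-Object Name, Identifier, WSFedEndpoint, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled
```

If the partner hands you a file instead of a URL, pass it with -MetadataFile in place of -MetadataUrl; there is then nothing for AD FS to monitor, so the file has to be re-imported when the partner rolls its certificates.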

10. Depending on the needs of your organization, create one or more claim rule sets for each relying party trust that is listed in the AD FS Management snap-in, so that claims are issued appropriately for that partner.
   Reference: Checklist: Creating Claim Rules for a Relying Party Trust

11. If none of the existing claim descriptions fulfills the needs of your organization, create a new one. AD FS ships with a default set of claim descriptions, which are listed in the AD FS Management snap-in.
   Reference: Add a Claim Description
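The attribute store, claim rule and claim description tasks above, as one added example in AD FS 2.0 PowerShell (not part of the original checklist and not Microsoft's own procedure): it defines a custom claim description, attaches a SQL attribute store, and sets issuance transform and issuance authorization rules on an existing relying party trust. The trust name, claim type URI, group SID, connection string and table layout are assumed placeholders.

```powershell
# Added example (not from the original checklist). Run on an AD FS 2.0 federation
# server; every name, URI, SID and connection string below is an assumed placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName          = "Fabrikam (resource partner)"                       # assumed, an existing trust
$deptClaimType   = "http://schemas.contoso.example/claims/department"  # assumed custom claim type
$partnerGroupSid = "S-1-5-21-0-0-0-1234"                               # assumed SID of the AD group allowed to use the partner app

# Claim description: makes the custom type visible in the snap-in and publishes it in
# this Federation Service's own metadata as an offered (not accepted) claim.
Add-ADFSClaimDescription -Name "Department" -ClaimType $deptClaimType `
    -IsOffered $true -IsAccepted $false -Notes "Department code from the HR database"

# SQL attribute store; the "Connection" key of the hashtable holds the connection string.
Add-ADFSAttributeStore -Name "HRDB" -StoreType SQL `
    -Configuration @{ "Connection" = "Server=sql1.contoso.example;Database=HR;Integrated Security=True" }

# Issuance transform rules in the AD FS claim rule language. A claim produced by
# "issue" is added to both the input and output sets, so later rules can match it.
# {0} in a query is bound to param by AD FS (a parameterized query for SQL stores),
# so the user's account name is never concatenated into the SQL text.
$transformRules = @"
@RuleName = "Send UPN and e-mail from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,mail;{0}", param = c.Value);

@RuleName = "Send department from the HR database"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "HRDB", types = ("$deptClaimType"), query = "SELECT Department FROM Employees WHERE Upn = {0}", param = c.Value);

@RuleName = "Map the partner-app group to a role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$partnerGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "PartnerAppUser");
"@

# Issuance authorization rules. AD FS denies a request unless some rule issues a
# permit claim, and a trust added with Add-ADFSRelyingPartyTrust starts with no
# authorization rules, so the permit below is scoped to the partner-app group rather
# than the "Permit all users" rule the snap-in wizard offers.
$authzRules = @"
@RuleName = "Permit members of the partner-app group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$partnerGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read back what is now configured on the trust.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
"--- authorization rules ---"; $rp.IssuanceAuthorizationRules
"--- transform rules ---";     $rp.IssuanceTransformRules
```

The custom claim type is sent in the token as a string claim; whether the resource partner does anything with it depends on the claims provider trust rules its administrator writes on the other side.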
12. Determine whether your organization needs to use identity delegation to authorize or constrain a specified account to "act as" or impersonate other users. This is often a requirement when front-end Web applications must interact with back-end Web services.
   Reference: When to Use Identity Delegation

13. Prepare client computers for federation by:

   - adding the URL of the account partner federation server to the trusted sites list for the client browser;
   - using Group Policy to push the appropriate Secure Sockets Layer (SSL) certificates to client computers.

   References: Prepare Client Computers in the Account Partner; Configure Client Computers to Trust the Account Federation Server; Distribute Certificates to Client Computers by Using Group Policy
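The client preparation task above, as an added example in PowerShell (not part of the original checklist and not Microsoft's own procedure): it maps the account federation server's HTTPS name to a browser security zone through the ZoneMap registry keys and checks that the root of the server's SSL certificate chain is present in the machine's Trusted Root store. The DNS names, thumbprint and file share are assumed placeholders.

```powershell
# Added example (not from the original checklist). Zone mapping is per user (HKCU);
# the root-store check needs local administrator rights to import. All values below
# are assumed placeholders.
$fsDomain    = "contoso.example"                                  # assumed DNS suffix of the federation server
$fsHost      = "fs"                                               # assumed host label (fs.contoso.example)
$rootThumb   = "0123456789ABCDEF0123456789ABCDEF01234567"         # assumed thumbprint of the issuing root CA
$rootCerFile = "\\contoso.example\netlogon\contoso-root.cer"      # assumed share that hosts the root certificate

# ZoneMap zone numbers: 1 = Local intranet, 2 = Trusted sites. The checklist's step maps
# the server to Trusted sites (2); Integrated Windows authentication without a credential
# prompt additionally requires the Local intranet zone (1), so pick the zone that matches
# the sign-in experience you want.
$zone    = 2
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$fsDomain\$fsHost"
if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
# The value name is the URL scheme and the data is the zone number. Only https is
# mapped, so an http:// URL for the same host does not inherit the zone.
New-ItemProperty -Path $zoneKey -Name "https" -Value $zone -PropertyType DWord -Force | Out-Null
"Mapped https://$($fsHost).$($fsDomain) to zone $zone"

# Root certificate: the checklist distributes it by Group Policy (Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification
# Authorities). This check finds a client the policy missed and imports the file as a fallback.
$present = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootThumb } | Select-Object -First 1
if ($present) {
    "Root CA $rootThumb is present: " + $present.Subject
} elseif (Test-Path $rootCerFile) {
    "Root CA $rootThumb is missing; importing $rootCerFile (requires local administrator)"
    certutil -addstore -f Root $rootCerFile | Out-Null
} else {
    "Root CA $rootThumb is missing and $rootCerFile is not reachable"
}
```

For a domain-wide deployment the zone mapping belongs in Group Policy too (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List, with the value https://fs.contoso.example set to the zone number); when that policy is in force it overrides per-user ZoneMap entries such as the one written above.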