ADFS Design Guide

Applies To: Windows Server 2003 R2

Active Directory Federation Services (ADFS) in the Microsoft® Windows Server® 2003 R2 operating system helps administrators meet federated identity management challenges. It does this by making it possible for organizations to securely share a user's identity information within an organization and across federated organizations—without creating and maintaining external trusts or forest trusts between those organizations. With ADFS, an administrator in an organization can control resources that users in that organization can access—both within that organization and at partner organizations. An administrator can also use ADFS to configure resources that users in other organizations can access. ADFS provides users with a Web-based, single-sign-on (SSO) experience when they access extranet Web sites or sites on the Internet that are accessible through federation partnerships.

For more information about how ADFS works and how to set up ADFS in a test lab, see the following resources:

About this guide

This guide provides recommendations to help you plan a new deployment of ADFS, based on the requirements of your organization and the particular design that you want to create. This guide is intended for use by an infrastructure specialist or system architect. It highlights your main decision points as you plan your ADFS deployment. Before you read this guide, you should have a good understanding of how ADFS works on a functional level. You should also have a good understanding of the organizational requirements that will be reflected in your ADFS design.

This guide describes a set of deployment goals that are based on three primary ADFS designs, and the guide helps you decide the most appropriate design for your environment. You can use these deployment goals to form one of the following comprehensive ADFS designs or a custom design that meets the needs of your environment:

  • Federated Web SSO to support business-to-business (B2B) scenarios and to support collaboration between business units with independent forests

  • Federated Web SSO with Forest Trust to support business-to-employee (B2E) scenarios

  • Web SSO to support customer access to applications in business-to-consumer (B2C) scenarios

For each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your ADFS deployment. After you read this guide and finish gathering, documenting, and mapping your organization's requirements, you will have the information necessary to begin deploying ADFS using the guidance in the ADFS Deployment Guide.

See Also

Concepts

  • Understanding the ADFS Design Process

  • Identifying Your ADFS Deployment Goals

  • Mapping Your Deployment Goals to an ADFS Design

  • Evaluating ADFS Design Examples

  • Planning Partner Organization Deployments

  • Designing a Federated Application Strategy

  • Planning ADFS-Enabled Web Server Placement

  • Planning Federation Server Placement

  • Planning Federation Server Proxy Placement

  • Planning for ADFS Capacity

  • Finding Additional ADFS Resources

  • Appendix A: Reviewing ADFS Requirements

  • Appendix B: Reviewing Key ADFS Concepts

  • Appendix C: Documenting Your ADFS Design