AD FS 2.0 Design Guide
Updated: April 28, 2011
Applies To: Active Directory Federation Services (AD FS) 2.0
You can use AD FS 2.0 in a federation services provider role to seamlessly authenticate your users to any Web-based services or applications that reside in a resource partner organization, without the need for administrators to create or maintain external trusts or forest trusts between the networks of both organizations and without the need for the users to log on a second time. The process of authenticating to one network while accessing resources in another network—without the burden of repeated logon actions by users—is known as single sign-on (SSO).
For more information about how AD FS 2.0 works and how to set up AD FS 2.0 in a test lab, see the following resources:
Note: You can find additional AD FS 2.0 resource links at the AD FS 2.0 Content Map page on the Microsoft TechNet Wiki. This page is managed by members of the AD FS 2.0 Community and is monitored on a regular basis by the AD FS Product Team.
This guide provides recommendations to help you plan a new deployment of AD FS 2.0, based on the requirements of your organization (also referred to in this guide as deployment goals) and the particular design that you want to create. This guide is intended for use by an infrastructure specialist or system architect. It highlights your main decision points as you plan your AD FS 2.0 deployment. Before you read this guide, you should have a good understanding of how AD FS 2.0 works on a functional level. You should also have a good understanding of the organizational requirements that will be reflected in your AD FS 2.0 design.
This guide describes a set of deployment goals that are based on three primary AD FS 2.0 designs, and it helps you decide the most appropriate design for your environment. You can use these deployment goals to form one of the following comprehensive AD FS 2.0 designs or a custom design that meets the needs of your environment:
Federated Web SSO to support business-to-business (B2B) scenarios and to support collaboration between business units with independent forests
Web SSO to support customer access to applications in business-to-consumer (B2C) scenarios
For each design, you will find guidelines for gathering the required data about your environment. You can then use these guidelines to plan and design your AD FS 2.0 deployment. After you read this guide and finish gathering, documenting, and mapping your organization's requirements, you will have the information necessary to begin deploying AD FS 2.0 using the guidance in the AD FS 2.0 Deployment Guide.
Understanding Key Concepts Before You Deploy AD FS 2.0
Identifying Your AD FS 2.0 Deployment Goals
Mapping Your Deployment Goals to an AD FS 2.0 Design
Determine Your AD FS 2.0 Deployment Topology
Planning Your Deployment
Planning Federation Server Placement
Planning Federation Server Proxy Placement
Planning for AD FS 2.0 Server Capacity
Appendix A: Reviewing AD FS 2.0 Requirements
Author: Nick Pierson
Technical Reviewers: Matt Steele, Lu Zhao (Migration/Topologies), Jen Field (Capacity Planning/Topologies), Jan Alexander (Claims Engine/Pipeline/Language), Krish Shenoy (Planning Federation Servers and Federation Server Proxies)
Editor: Jim Becker