2.2.2 STS Deployed on the Edge

For security and privacy reasons, a security token service (STS), which is a core part of AD FS, is often deployed behind a firewall. In this scenario, some type of proxy is placed between the STS and the external network from which the requests for resources, services, or authentication will come. A proxy such as this is configured to interact securely with both the requestor (on the outside) and AD FS (on the inside).

  • ADFSPP (Active Directory Federation Services Proxy Protocol)

    The Active Directory Federation Services (AD FS) Proxy Protocol [MS-ADFSPP] defines a means for AD FS to communicate with an STS proxy that is on the edge of a protected corporate network. Primarily, ADFSPP is used by the STS proxy to communicate the credentials of a user to the STS inside the protected network for the purpose of generating a security token when that user is participating in WS-Federation-style single sign-on (SSO) activity, specifically using the MWBF Protocol.

    ADFSPP also provides a means for the STS proxy to obtain configuration data from the STS inside the protected network. This configuration data is useful for users when selecting an acceptable security realm from which to obtain a security token.

  • SAMLPR (SAML Proxy Request Signing Protocol)

    The Security Assertion Markup Language (SAML) Proxy Request Signing Protocol provides a means for proxy servers to contact an STS server to request SAML signature operations on messages that are being sent, as well as related tasks. This protocol is used when the proxy server needs to perform operations that require knowledge of configured keys and other state information about federated sites known to the STS server; that key material and state remain on the STS rather than on the proxy.

  • ADFSPIP (Active Directory Federation Services and Proxy Integration Protocol)

    Rather than allowing a web client access into the network behind a firewall to discover services and authenticate for their use, a proxy can be placed outside the firewall. This proxy can then be used to publish the services that are available behind the firewall and to forward authentication requests to the AD FS server (the STS), which is also behind the firewall. To be successful, the proxy has to have a trust relationship with AD FS and with the services behind the firewall, and it has to have access to information about which services are available. The Active Directory Federation Services and Proxy Integration Protocol [MS-ADFSPIP] establishes this trust and access.

    The primary participants in this protocol are the Web Application Proxy (WAP) that is outside the firewall and the AD FS server or servers that are behind the firewall.