Active Directory Federation Services Overview


Active Directory Federation Service (AD FS) enables Federated Identity and Access Management by securely sharing digital identity and entitlements rights across security and enterprise boundaries. AD FS extends the ability to use single sign-on functionality that is available within a single security or enterprise boundary to Internet-facing applications to enable customers, partners, and suppliers a streamlined user experience while accessing the web-based applications of an organization.


Active Directory Federation Service provides a secure, reliable, scalable, and extensible identity federation solution. The flexible architecture supports SAML token types, various client authentication methods such as Kerberos, X.509 and user name/password, and different user identity stores, such as Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). This flexibility allows AD FS to co-exist with the existing Windows security and trust infrastructures.

The AD FS API comprises the following namespaces.

Where Applicable

The System.Web.Security.SingleSignOn namespace is used on the Federation Server to create and administer Federation Trusts, including claims, transforms, trust policies, logs, and configuration between the trusting and trusted realms. The System.Web.Security.SingleSignOn.Authorization namespace is used on the Federation Server for claim transformation extensibility.

Developer Audience

The Active Directory Federation Services namespaces System.Web.Security.SingleSignOn and System.Web.Security.SingleSignOn.Authorization are intended for use by web-based application developers, both internally and externally focused and ISVs developing extranet-focused applications. Familiarity with .NET Framework programming using Visual Basic or Visual C# is required. Knowledge of claims supported by the trusted Federation Server realm is required. Knowledge of System.Web and System.Web.Security programming is also helpful.

Run-time Requirements

Active Directory Federation Services supports both Windows 2000 Server and Windows Server 2003 forests. System.Web.Security.SingleSignOn requires IIS 6.0 and Windows Server 2003 R2.

See Also