Terminology used in ADFS

Applies To: Windows Server 2003 R2

Active Directory Federation Services (ADFS) uses terminology from several different technologies, including certificate services, Internet Information Services (IIS), Active Directory, Active Directory Application Mode (ADAM), and Web Services (WS-*). The following table describes these terms.

Term Description

account partner

A federation partner that is trusted by the Federation Service to provide security tokens. The account partner issues these tokens to its users (that is, users in the account partner realm) so that they can access Web-based applications in the resource partner.

Active Directory Federation Services (ADFS)

A Windows Server 2003 R2 component that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries. ADFS in Windows Server 2003 R2 supports the WS-Federation Passive Requestor Profile (WS-F PRP).


A statement that an issuer makes (for example, name, identity, key, group, privilege, or capability) about a client.

claim mapping

The act of mapping, removing or filtering, or passing claims between various claim sets.

claims-aware application

A Microsoft ASP.NET application that performs authorization based on the claims that are present in an ADFS security token.

client account partner discovery Web page

The Web page that is used to interact with the user to determine which account partner the user belongs to when ADFS cannot automatically determine which of the account partners should authenticate the user.

client logoff Web page

When ADFS performs a logoff operation, a Web page that is executed to provide visual feedback to the user that the logoff has occurred.

client logon Web page

When ADFS collects client credentials, a Web page that is executed to perform the user interaction. The client logon Web page may use any necessary business logic to determine the type of credentials to collect.


A pair of realms or domains that have established a federation trust.

Federation Service

A security token service that is built into Windows Server 2003 R2. The Federation Service provides tokens in response to requests for security tokens.

Federation Service Proxy

A proxy to the Federation Service in the perimeter network (also known as a demilitarized zone, extranet, or screened subnet). The Federation Service Proxy uses WS-F PRP protocols to collect user credential information from browser clients and Web applications and send the information to the Federation Service on their behalf.

organization claims

Claims in intermediate or normalized form within an organization's namespace.

passive client

A Hypertext Transfer Protocol (HTTP) browser, capable of broadly supported HTTP, that can make use of cookies. ADFS in Windows Server 2003 R2 supports only passive clients, and it adheres to the WS-F PRP specification.

resource partner

A federation partner that trusts the Federation Service to issue claims-based security tokens. The resource partner contains published Web-based applications that users in the account partner can access.

security token

A cryptographically signed data unit that expresses one or more claims.

security token service (STS)

A Web service that issues security tokens. An STS makes assertions based on evidence that it trusts, to whoever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature to prove knowledge of a security token or set of security tokens. A service itself can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement. This forms the basis of trust brokering. In ADFS, the Federation Service is an STS.

server farm

In ADFS, a collection of load-balanced federation servers, federation server proxies, or Web servers hosting the ADFS Web Agent.

single sign-on (SSO)

An optimization of the authentication sequence to remove the burden of repeated logon actions by an end user.

token-signing certificate

An X509 certificate whose associated public/private key pair is used to provide integrity for security tokens.

Uniform Resource Identifier (URI)

A compact string of characters that identifies an abstract resource or physical resource. URIs are explained in RFC 2396 (https://go.microsoft.com/fwlink/?LinkId=48289). In ADFS, URIs are used to uniquely identify partners and account stores.

Web Services (WS-*)

The specifications for a Web Services Architecture that is based on industry standards such as Simple Object Access Protocol (SOAP); XML; Web Service Description Language (WSDL); and Universal Description, Discovery, and Integration (UDDI). WS-* provides a foundation for delivering complete, interoperable business solutions for the extended enterprise, including the ability to manage federated identity and security.

The Web services model is based on the idea that enterprise systems are written in different languages, with different programming models, which run on and are accessed from many different types of devices. Web services are a means of building distributed systems that can connect and interact with one another easily and efficiently across the Internet, regardless of what language they are written in or what platform they run on.

Web Services Security (WS-Security)

A series of specifications that describes how to attach signature and encryption headers to SOAP messages. In addition, WS-Security describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages. In ADFS, WS-Security is used when Kerberos signs security tokens.

Windows NT token–based application

A Windows application that relies on a Windows NT token to perform authorization of users.


A specification that defines a model and set of messages for brokering trust and the federation of identity and authentication information across different trust realms.

The WS-Federation specification identifies two sources of identity and authentication requests across trust realms: active requestors, such as SOAP-enabled applications, and passive requestors, which are defined as HTTP browsers capable of supporting broadly supported HTTP, for example, HTTP 1.1.

WS-Federation Passive Requestor Profile (WS-F PRP)

An implementation of the WS-Federation specification that proposes a standard protocol for how passive clients (such as Web browsers) apply the federation framework. Within this protocol, Web service requestors are expected to understand the new security mechanisms and be capable of interacting with Web service providers.