ADFS Deployment Guide
Applies To: Windows Server 2003 R2
You can use Active Directory Federation Services (ADFS) in the Microsoft® Windows Server® 2003 R2 operating system to build a federated identity management solution that can extend distributed identification, authentication, and authorization services to Web-based applications across organizational and platform boundaries. By deploying ADFS, you can extend your organization’s existing identity management capabilities to the Internet. You can deploy ADFS to:
Provide your employees or customers with a Web-based, single-sign-on (SSO) experience when they need remote access to internally hosted Web sites.
Provide your employees or customers with a Web-based, SSO experience when they access cross-organizational Web sites from within the firewalls of your network.
Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet without requiring employees or customers to log on more than once.
Retain complete control over your employee or customer identities without using other sign-on providers (Microsoft .NET Passport, Liberty Alliance, and others).
After you deploy ADFS, you can use it as your organization's optimal SSO solution.
About this guide
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying an ADFS design that has been preselected by you or an infrastructure specialist or system architect in your organization.
If a design has not yet been selected, we recommend that you wait to follow the instructions in this guide until after you have reviewed the various design options in the ADFS Design Guide and you have selected the most appropriate design for your organization. For more information about using this guide with a design that has already been selected, see Implementing Your ADFS Design Plan.
After you select your design and you use the worksheets in the design guide to gather the required information about claims, token types, account stores, and other items, you can then use this guide to deploy your ADFS design in your production environment. This guide provides steps for deploying any of the following primary ADFS designs:
Federated Web SSO
Federated Web SSO with Forest Trust
Use the checklists in Implementing Your ADFS Design Plan to determine how best to use the instructions in this guide to deploy your particular design. For information about hardware and software requirements for deploying ADFS, see Appendix A: Reviewing ADFS Requirements in the ADFS Design Guide.
What this guide does not provide
This guide does not provide:
Guidance regarding when and where to place federation servers, federation server proxies, or Web servers in your existing network infrastructure. For this information, see Planning Federation Server Placement, Planning Federation Server Proxy Placement and Planning ADFS-Enabled Web Server Placement in the ADFS Design Guide.
Guidance for using certification authorities (CAs) to set up ADFS.
Guidance for setting up or configuring specific Web-based applications.
Setup instructions that are specific to setting up a test lab environment. For more information about how to configure an ADFS test lab environment, see the Step-by-Step Guide for Active Directory Federation Services (http://go.microsoft.com/fwlink/?linkid=49531).
Information about how to customize federated logon screens, web.config files, or trust policy files.
Information about how to modify or remove ADFS settings on specific servers or in the trust policy. For this information, see the ADFS Operations Guide (http://go.microsoft.com/fwlink/?linkid=78683).
Overview of ADFS
ADFS is an identity access solution that provides browser-based clients (internal or external to your network) with seamless SSO access to protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.
When an application is in one network and a user account is in another network, typically the user is prompted for secondary credentials when he or she attempts to access the application. These secondary credentials represent the user's identity in the realm where the application resides. They are usually required by the Web server that hosts the application so that it can make the most appropriate authorization decision.
With ADFS, organizations can bypass requests for secondary credentials by providing trust relationships (federation trusts) that they can use to project a user's digital identity and access rights to trusted partners. In this federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.
For more general information about ADFS, see Overview of Active Directory Federation Services (ADFS) in Windows Server 2003 R2 (http://go.microsoft.com/fwlink/?linkid=54650).