Active Directory Federation Services snap-in

Applies To: Windows Server 2003 R2

The Active Directory Federation Services (ADFS) Microsoft Management Console (MMC) snap-in is installed when you install the Federation Service component in Add or Remove Programs in Windows Server 2003 R2, Enterprise Edition. You can use the ADFS snap-in to:

• Configure the Federation Service or federation server farm.

• Manage the trust policy that is associated with your Federation Service:

  • Administer Active Directory or Active Directory Application Mode (ADAM) Account stores.

  • Manage account partners and resource partners that will trust your Partner organizations.

  • Manage the applications that are going to be protected by ADFS.

  • Manage Claims, Certificates used by federation servers, and ADFS-protected Web applications.

Settings that you configure in the ADFS snap-in are stored partly in the Web.config file, which is located in the Federation Service virtual directory, and partly in the trust policy file. You can edit the Web.config file directly and push it out to different servers, or you can use the ADFS snap-in to modify the settings.

The trust policy file should not be edited manually. Instead, edit the trust policy file by using the ADFS snap-in, or edit it programmatically by using the ADFS object model.

Note

Scripting support is provided in the ADFS object model.

When you open the ADFS snap-in, the snap-in reads the Web.config file from the Federation Service virtual directory and notes the location of the trust policy file. The snap-in then presents a console tree hierarchy representing the Federation Service and all aspects of the trust policy, including organization claims, partners, account stores, and applications. Each item in this console tree hierarchy has context-menu options that you can use to view, modify, add, and delete trust policy entities.

Federation Service node

The Federation Service node in the console tree of the ADFS snap-in represents the local Federation Service that is assigned to the federation server on which you are viewing the snap-in. You control the local federation server configuration through this node in the ADFS snap-in. The local federation server configuration is different from the trust policy configuration in that the trust policy configuration is shared among all the federation servers in the federation server farm. The local configuration is stored in the Web.config file, and it includes the following items:

• The friendly name for the Federation Service

• The path to the trust policy file

• The local certificate to be used for signing tokens

• The Microsoft ASP.NET Web pages

• The debug logging level