Web SSO Design

Applies To: Windows Server 2008

In the Web Single-Sign-On (SSO) design in Active Directory Federation Services (AD FS), users must authenticate only once to access multiple AD FS-secured applications. In this design all users are external, and no federation trust exists because there are no partners. Typically, you deploy this design when you want to provide customer access to one or more AD FS-secured applications over the Internet, as shown in the following illustration.

With the Web SSO design, an organization that typically hosts an AD FS-secured application in a perimeter network can maintain a separate store of customer accounts in the perimeter network, which makes it easier to isolate customer accounts and employee accounts.

You can manage the local accounts for customers in the perimeter network by using either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) as the account store.

This design coincides with the deployment goal to provide SSO access for customers to your hosted applications. For more information, see Provide SSO Access for Customers to Your Hosted Applications.

To learn more about the flow of AD FS communications in this design, see Web SSO Example.

For a list of detailed tasks that you can use to plan and deploy your Web SSO design, see Checklist: Implementing a Web SSO Design.