When to Create a Federation Server
Applies To: Windows Server 2008
You create federation servers in your organization whenever you want to deploy any of the following Active Directory Federation Services (AD FS) designs:
When you create a federation server, you provide a means by which your organization can engage in Web single-sign-on (SSO)–based communication with another organization (that also has at least one federation server) and, when necessary, with the employees in your own organization (who need access over the Internet).
The role that a federation server plays in your organization depends on whether you place the federation server in the account partner organization or in the resource partner organization. For example, when a federation server is placed in the corporate network of the account partner, its role is to authenticate the user credentials of browser clients and send security tokens to the clients. When a federation server is placed in the corporate network of the resource partner, its role is to authenticate users, based on a security token that is issued by a federation server in the resource partner organization, or its role is to redirect token requests from configured Web applications to the account partner organization that the client belongs to.
For more information about account partner and resource partner organizations, see Planning Partner Organization Deployments.
For the Federated Web SSO and Federated Web SSO with Forest Trust designs, there must be at least one federation server in the account partner and at least one federation server in the resource partner.
If necessary, an organization that deploys a Federated Web SSO or Federated Web SSO with Forest Trust design can configure a single federation server so that it acts in both the account partner role and in the resource partner role. In this case, the federation server may produce Security Assertion Markup Language (SAML) tokens, based on user accounts in its own organization, or reroute token requests to the organization, based on where the users' accounts reside.
In the Web SSO design, where the user account exists in the same organization as the resource, it is not necessary to configure federation servers for either an account partner or a resource partner. The Federation Service, in this case, produces SAML tokens for the user that can be used directly on the resource.
Differences between federation servers and federation server proxies
Federation servers can serve out Web pages for sign-in, policy, authentication, and discovery in the same way that a federation server proxy does. The primary differences between a federation server and a federation server proxy have to do with what operations a federation server can perform that a federation server proxy cannot perform.
The following are the operations that only a federation server can perform:
The federation server performs the cryptographic operations that produce the token. Although federation server proxies cannot produce tokens, they can be used to route or redirect the tokens to clients and, when necessary, back to the federation servers. For more information about using federation server proxies, see When to Create a Federation Server Proxy.
Federation servers support the use of Windows Integrated authentication for clients on the corporate network, where federation server proxies do not. For more information about using Windows Integrated authentication with federation servers, see When to Create a Federation Server Farm.