Provide SSO Access for Customers to Your Hosted Applications

Applies To: Windows Server 2008

When your Active Directory Federation Services (AD FS) deployment goal is to provide single-sign-on (SSO) access for customer accounts to hosted applications that are secured by AD FS:

  • Customers who are logged on to the Active Directory Lightweight Directory Services (AD LDS) account store, which is hosted in your perimeter network, can access multiple AD FS-secured applications, which are also hosted in your perimeter network, by logging on one time from client computers that are located on the Internet.

    In other words, when you host customer accounts to enable access to applications in your perimeter network, customers that you host in an account store can access one or more applications in the perimeter network simply by logging on once to the Federation Service. For more information, see Web SSO Design.

  • Information in the AD LDS account store can be populated into customers' AD FS tokens.

The following components are required for this AD FS deployment goal:

  • Active Directory Domain Services (AD DS): An Active Directory domain is required only for the resource federation server. It is not used to host customer accounts.

  • AD LDS: AD LDS is used to contain the customer accounts that will be used to generate AD FS tokens. For more information about AD DS or AD LDS, see Appendix B: Reviewing Key AD FS Concepts.

    You can also use AD DS to contain customer accounts that will be used to generate AD FS tokens.

  • Account/resource federation server: This federation server serves in both the account role and the resource role. The account/resource federation server is configured so that the Federation Service includes values for both an application and an account store—in this case, AD LDS—that contains the customer accounts. For more information, see Review the Role of the Federation Server in the Account Partner Organization and Review the Role of the Federation Server in the Resource Partner Organization.

  • AD FS-enabled Web server: The AD FS-enabled Web server can host a claims-aware application or a Windows NT token–based application. The AD FS Web Agent confirms that it receives valid AD FS tokens from customer accounts before it allows access to the protected Web site. For more information, see When to Create an AD FS-Enabled Web Server.

  • Customer: While on the Internet, the customer accesses an AD FS-secured Web application through a supported Web browser. The customer client computer on the Internet communicates directly with the federation server for authentication.

The following illustration shows each of the required components for this AD FS deployment goal. In this case, because AD DS is used only to support the federation server's requirement to be joined to a domain, it is shaded in this illustration.