Provide Federated Access for Your Hosted Applications

Applies To: Windows Server 2008

When you are the resource partner administrator and you have a deployment goal to provide federated access to an application that resides in your organization (the resource partner organization), federated users both in your organization and in organizations that have configured a federation trust to your organization can access the Active Directory Federation Services (AD FS)–secured application that is hosted by your organization. For more information, see Federated Web SSO Design and Federated Web SSO with Forest Trust Design.

The following components are required for this deployment goal:

  • Active Directory Domain Services (AD DS): The resource federation server must be joined to an Active Directory domain. If Windows NT token–based applications are supported, the domain also serves as the store that contains the resource accounts or resource groups. Claims-aware applications do not require local accounts in AD DS. For more information about resource accounts and resource groups, see Determine Your Resource Account Mapping Method.

  • Perimeter DNS: This implementation of Domain Name System (DNS) contains a simple host (A) resource record so that clients can locate the resource federation server and the AD FS-enabled Web server. The DNS server may host other DNS records that are also required in the perimeter network. For more information, see Name Resolution Requirements for Federation Servers and Name Resolution Requirements for AD FS-Enabled Web Servers.

  • Resource federation server: The resource federation server validates AD FS tokens that the account partners send. Account partner discovery is performed through this federation server. For more information, see Review the Role of the Federation Server in the Resource Partner Organization.

  • AD FS-enabled Web server: The AD FS-enabled Web server can host a claims-aware application or a Windows NT token–based application. (The following illustration shows a claims-aware application.) The AD FS Web Agent confirms that it receives valid AD FS tokens from federated users before it allows access to the protected Web site. For more information, see When to Create an AD FS-Enabled Web Server.

The following illustration shows each of the required components for this AD FS deployment goal.