Understanding Federation Trusts
Applies To: Windows Server 2008
You can use Active Directory Federation Services (AD FS) to enable efficient and secure online transactions between partner organizations that are joined by federation trust relationships. In other words, a federation trust is the embodiment of a business-level agreement or partnership between two organizations.
As shown in the following illustration, you can establish a federation trust relationship between two partner organizations when both organizations deploy at least one AD FS federation server and configure their Federation Service settings appropriately. The one-way arrow signifies the direction of the trust, which, like the direction of Windows trusts, always points to the account side, that is, toward the forest of the account partner. This means that authentication flows from the account partner organization to the resource partner organization.
Unlike Windows trusts, which require a constantly connected secure channel between two or more domains to function, federation trusts do not require this channel because no direct communication occurs over the network between the account Federation Service and the resource Federation Service when you establish the federation trust.
After you create the federation trust, users who are located in the account partner organization can send authentication requests successfully through the federation trust to the AD FS-enabled Web server in the resource partner organization. A federation trust is created when the account partner organization and the resource partner organization both install the Federation Service component of AD FS and they both use the Active Directory Federation Services snap-in to configure the account partner and resource partner appropriately.
If one side of a federation trust (either the account partner or the resource partner) is not configured or if it is configured incorrectly by the administrator for either organization, the federation trust will not be created successfully. For detailed information about how to create federation trusts, look for AD FS step-by-step or deployment content on the Active Directory Federation Services home page (http://go.microsoft.com/fwlink/?LinkId=91867).
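The following Python model is an added example, not Microsoft's or the AD FS product's code. It illustrates the three properties described above: the trust is one-way (tokens flow from the account partner to the resource partner, never the reverse), it exists only as configuration that each administrator enters on their own side with no network exchange between the two Federation Services, and it fails if either half of that configuration is missing. The realm URIs, key bytes and the HMAC-based signature are constructed stand-ins; a real AD FS deployment signs tokens with a token-signing certificate whose public half the resource partner's administrator installs.

```python
"""Toy model of a one-way federation trust in the AD FS sense.

Added example, not Microsoft's code. An account partner Federation Service (FS)
issues tokens; a resource partner FS validates them. The two services never
contact each other: the trust exists only as configuration that each
administrator enters on their own side, and the client carries the signed
token across the trust boundary. HMAC with a pre-shared key stands in for the
token-signing certificate that a real AD FS deployment would use. All realm
names and keys below are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

ACCOUNT_REALM = "urn:federation:adatum"          # constructed account partner URI
RESOURCE_REALM = "urn:federation:treyresearch"   # constructed resource partner URI


@dataclass
class FederationService:
    realm: str                      # URI that identifies this Federation Service
    signing_key: bytes              # stand-in for the private token-signing key
    # Trust configuration, entered by this side's administrator only:
    resource_partners: set = field(default_factory=set)    # account side: realms we issue tokens for
    account_partners: dict = field(default_factory=dict)   # resource side: realm -> verification key

    def issue_token(self, user: str, resource_realm: str) -> str:
        """Account partner role: issue a signed token, but only for a configured resource partner."""
        if resource_realm not in self.resource_partners:
            raise PermissionError(f"{self.realm} has no resource partner {resource_realm}")
        claims = {"iss": self.realm, "aud": resource_realm, "sub": user, "iat": int(time.time())}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate_token(self, token: str) -> dict:
        """Resource partner role: accept a token only if it names a configured
        account partner, verifies under that partner's key, and is addressed to us."""
        body, sig = token.rsplit(".", 1)
        claims = json.loads(base64.urlsafe_b64decode(body))
        key = self.account_partners.get(claims.get("iss"))
        if key is None:
            raise PermissionError(f"{self.realm} has no account partner {claims.get('iss')}")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("token signature does not verify")
        if claims.get("aud") != self.realm:
            raise PermissionError("token is not addressed to this Federation Service")
        return claims


def build_partners(configure_account: bool = True, configure_resource: bool = True):
    """Stand up both Federation Services. Each flag models one administrator doing
    (or forgetting) their half of the trust configuration."""
    account = FederationService(ACCOUNT_REALM, signing_key=b"adatum-token-signing-key")
    resource = FederationService(RESOURCE_REALM, signing_key=b"trey-token-signing-key")
    if configure_account:
        account.resource_partners.add(RESOURCE_REALM)
    if configure_resource:
        # In AD FS this is the account partner's token-signing certificate, exchanged out of band.
        resource.account_partners[ACCOUNT_REALM] = account.signing_key
    return account, resource


def authenticate(user: str, issuer: FederationService, target: FederationService):
    """Client-driven flow: obtain a token from `issuer`, present it to `target`.
    Returns (True, subject) on success or (False, reason) when either side refuses."""
    try:
        token = issuer.issue_token(user, target.realm)
        return True, target.validate_token(token)["sub"]
    except PermissionError as exc:
        return False, str(exc)


if __name__ == "__main__":
    acct, res = build_partners()
    print("trust on both sides:   ", authenticate("alice", acct, res))
    print("account side missing:  ", authenticate("alice", *build_partners(configure_account=False)))
    print("resource side missing: ", authenticate("alice", *build_partners(configure_resource=False)))
    print("reverse direction:     ", authenticate("bob", res, acct))
```

Running the script shows the four outcomes: only the fully configured pair authenticates, and the reverse direction is refused on the issuing side because the resource partner has no resource partners of its own, which is what the one-way arrow in the illustration expresses. Note that `build_partners` never has the two services exchange anything at runtime; the resource side's copy of the verification key is placed there by its administrator, mirroring the out-of-band nature of the real trust.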
Federation trusts are not used in the AD FS Web Single-Sign-On (SSO) design. For more information about the Web SSO design, see Understanding Federation Designs.