Federated Web SSO with Forest Trust Design

Applies To: Windows Server 2008

The Federated Web Single-Sign-On (SSO) with Forest Trust design in Active Directory Federation Services (AD FS) combines two Active Directory forests in a single organization, as shown in the following illustration.

Typically, you use this design when you want to provide employees on the corporate network and remote employees with federated access to AD FS-secured applications in the perimeter network, while using each employee's standard corporate domain credentials.

The one-way federation trust arrow in the illustration signifies the direction of the trust, which—like the direction of Windows trusts—always points to the account side of the forest. This means that authentication flows from the corporate network to the perimeter network.

Because a forest trust exists between the perimeter network and the corporate network, employee user accounts that are in the corporate network may be used to access the application, which eliminates the need for resource accounts or resource groups. A Windows NT token–based application requires that a user or group exists so that the AD FS token can be mapped into it. However, using Active Directory in the corporate network enables you to deploy the application without user accounts in the perimeter network.


If a trust is not in place between the corporate network and the perimeter network and the application in the perimeter network is a Windows NT token–based application, resource accounts or groups must exist in the perimeter network.

In this design, the single A. Datum Corporation organization combines the following AD FS deployment goals:

To learn more about the flow of AD FS communications in this design, see Federated Web SSO with Forest Trust Example.

For a list of detailed tasks that you can use to plan and deploy the Federated Web SSO with Forest Trust design, see Checklist: Implementing a Federated Web SSO with Forest Trust Design.