Provide Federated Access for Your Employees on the Corporate Network
Applies To: Windows Server 2008
When you are the account partner administrator and you have a deployment goal to provide federated access for employees on the corporate network:
Employees who are logged on to an Active Directory forest in the corporate network can use single sign-on (SSO) to access multiple applications, which are secured by Active Directory Federation Services (AD FS), when the applications are in a different organization. For more information, see Federated Web SSO Design.
For example, A. Datum Corporation may want corporate network employees to have federated access to applications that are hosted in Trey Research.
Employees who are logged on to an Active Directory forest in the corporate network can use SSO to access multiple applications, which are secured by AD FS, in the perimeter network in your own organization. For more information, see Federated Web SSO with Forest Trust Design.
For example, A. Datum Corporation may want corporate network employees to have federated access to applications that are hosted in the A. Datum Corporation perimeter network.
Information in the Active Directory account store can be populated into the employees' AD FS tokens.
The following components are required for this deployment goal:
- Active Directory Domain Services (AD DS): AD DS contains the employees' user accounts that are used to generate AD FS tokens. Information, such as groups and attributes, is populated into AD FS tokens as group claims and custom claims. For more information about AD DS, see Appendix B: Reviewing Key AD FS Concepts.
You can also use Active Directory Lightweight Directory Services (AD LDS) to contain the identities for AD FS token generation. However, AD LDS is typically used for this purpose to host customer accounts on the perimeter network.
Corporate DNS: This implementation of Domain Name System (DNS) contains a simple host (A) resource record so that intranet clients can locate the account federation server. It may host other DNS records that are also required in the corporate network. For more information, see Name Resolution Requirements for Federation Servers.
Account federation server: The account federation server is joined to a domain in the account partner forest. It authenticates employee user accounts and generates AD FS tokens. The client computer for the employee performs Windows Integrated authentication against the account federation server to generate an AD FS token. For more information, see Review the Role of the Federation Server in the Account Partner Organization.
The account federation server can authenticate the following users:
Employees with user accounts in this domain
Employees with user accounts anywhere in this forest
Employees with user accounts anywhere in forests that are trusted by this forest (through a Windows trust)
Employee: An employee accesses an AD FS-secured Web application through a supported Web browser while he or she is logged on to the corporate network. The employee's client computer on the corporate network communicates directly with the federation server for authentication.
The following illustration shows each of the required components for this AD FS deployment goal.