Scenario Overview
Applies To: Active Directory Federation Services (AD FS) 2.0
This section includes background information about the fictional companies in this document. It also identifies their business goals and briefly describes the technologies that are used to achieve these goals.
About the fictional companies
The following fictional companies and their business needs are used in this guide:
Contoso Pharmaceuticals: An international pharmaceutical supply company that specializes in manufacturing prescription drugs for its health management organization (HMO) customers inside and outside the United States. In a strategic effort to meet the drug-ordering demands of its customers, the IT department at Contoso has been given the task of developing and deploying a secure, Internet-accessible SharePoint application that must also provide multiple levels of access for various internal users (Contoso employees) and external partner users at Fabrikam. To minimize the costs that are associated with maintaining the SharePoint application, the IT department must also make sure that the application does not have to use and maintain an additional account store in order for internal and external users to access it.
Fabrikam: A manufacturer of cost-efficient, wholesale pharmaceutical and chemical manufacturing supplies that is known worldwide for providing low-price supplies to drug manufacturers. Although sales have been accelerating consistently year after year for this company, there is a noticeable increase in errors in the inventory that has caused returns, reshipments, or adjustments to their key business partners such as Contoso. So that Fabrikam can maintain its strong partnership and achieve its goals for a high level of service with Contoso, Fabrikam decides to partner closely with Contoso for the purpose of completing an upcoming drug trial audit process for a new medication that Contoso currently has under development. To accomplish this goal, some Fabrikam employees need varying levels of access to the SharePoint site at Contoso.
About the lab configuration
To facilitate the partnership between the two companies and to enable managed, claims-based access (CBA) to the SharePoint site, the following federation configuration is used.
About the fictional employees
The fictional employees in the following table are used throughout the scenario in this document. You will log on to the test lab virtual machines to simulate the various federated identity and claims-based access scenarios in this guide and test different levels of access to the SharePoint application.
Employee | Role | Company
---|---|---
Daniel Weisman | Drug Trial Administrator | Contoso Pharmaceuticals
Frank Miller | Drug Trial Process Auditor | Fabrikam Suppliers
About the scenario
For this scenario, Microsoft Office SharePoint Server 2007 is the application of choice to facilitate the business partnership between the two companies, Contoso Pharmaceuticals and Fabrikam Suppliers. For SharePoint site access, Microsoft Office SharePoint Server 2007 requires roles and/or user names so that it can grant access to its resources. In many enterprise SharePoint deployments today, customers such as Contoso and Fabrikam use Active Directory or Active Directory Domain Services (AD DS) to obtain the role and user information that is necessary to manage and authorize access to the SharePoint Web site. In this scenario, we configure Microsoft Office SharePoint Server 2007 to obtain the role and user information for authorization purposes from AD FS 2.0 instead of directly from Active Directory.
Next, we will use AD FS 2.0 in the Contoso domain to control which roles are sent to Microsoft Office SharePoint Server. We will also configure a second AD FS 2.0 instance in the Fabrikam domain, to establish a federated trust relationship between the Fabrikam and Contoso domains. After this trust is established across the domains, we will also configure AD FS 2.0 in the Contoso domain to use an alternative external database as the source of the role information that it uses for SharePoint authorization. For this part of the scenario demonstration, the database that we use will be a Microsoft SQL Server® database.
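The two role sources described above (Active Directory in steps 3 and 4, and a SQL Server database in step 8) are both expressed in AD FS 2.0 as issuance transform rules on the SharePoint relying party trust. The following PowerShell script is an added illustration, not part of this guide or of any Microsoft sample; the relying party display name ("Contoso SharePoint"), the attribute store name ("ContosoRolesDB"), the SQL connection string, and the table dbo.UserRoles(UserName, RoleName) are all hypothetical values chosen for the example.

```powershell
# Added example (not from the guide): issuance rules that make AD FS 2.0, rather than
# Active Directory directly, the source of Role claims for the SharePoint relying party.
# Hypothetical names: "Contoso SharePoint", "ContosoRolesDB", sql01.contoso.com, dbo.UserRoles.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$roleClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$winAcct   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Steps 3-4: identity plus Role claims sourced from Active Directory (tokenGroups).
# The "AD AUTHORITY" issuer condition restricts the lookup to users authenticated by this AD FS instance.
$adRules = @"
@RuleName = "Issue Windows account name"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(claim = c);

@RuleName = "Issue AD group membership as Role"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$roleClaim"), query = ";tokenGroups;{0}", param = c.Value);
"@

# Step 8: register a SQL Server attribute store and source Role claims from it instead.
# The {0} placeholder is filled from the param value by the SQL attribute store;
# the SQL login used here should be read-only and scoped to the roles table (least privilege).
Add-ADFSAttributeStore -Name "ContosoRolesDB" -StoreType SQL `
    -Configuration "Server=sql01.contoso.com;Database=Roles;Integrated Security=True"

$sqlRules = @"
@RuleName = "Issue Role from SQL attribute store"
c:[Type == "$winAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "ContosoRolesDB", types = ("$roleClaim"), query = "SELECT RoleName FROM dbo.UserRoles WHERE UserName = {0}", param = c.Value);
"@

# Apply one set or the other; applying both would issue Role claims from both sources.
Set-ADFSRelyingPartyTrust -TargetName "Contoso SharePoint" -IssuanceTransformRules $sqlRules

# Review what the relying party will actually receive before testing with the lab users.
(Get-ADFSRelyingPartyTrust -Name "Contoso SharePoint").IssuanceTransformRules
```

Because SharePoint grants access on the value of the Role claim, whichever attribute store these rules read from becomes the effective authorization source for the site; reviewing the rule set with Get-ADFSRelyingPartyTrust after each change is the quickest way to confirm that only the intended store is issuing that claim.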
The following tables briefly describe each step in this scenario, identify the user experience at that step in the scenario, and provide a link to the location in this guide for the instructions for completing that step. The entire guide includes eight steps.
Using AD FS 2.0 to provide role and user access to the SharePoint site
In steps 1 through 4, we configure Microsoft Office SharePoint Server 2007 to use AD FS 2.0 instead of Active Directory or AD DS for obtaining role and user information. In addition, we configure AD FS 2.0 in the Contoso domain to issue role and user information to the SharePoint site.
Steps | Step title | Description
---|---|---
Step 1 | Set Microsoft Office SharePoint Server 2007 to accept tokens from the Contoso federation server | For Contoso Pharmaceuticals, this step demonstrates:
Step 2 | Add the Domain Admins group as Administrator for the SharePoint site | For Contoso Pharmaceuticals, this step demonstrates:
Step 3 | Configure the Contoso federation server to issue tokens to the SharePoint site | For Contoso Pharmaceuticals, this step demonstrates:
Step 4 | Add new roles to the SharePoint site | For Contoso Pharmaceuticals, this step demonstrates:
Establishing a federated trust between two companies by using AD FS 2.0
In steps 5 through 7, we configure AD FS 2.0 to establish a federated trust relationship between the two companies. We also configure AD FS 2.0 to determine which roles are sent to the SharePoint server. After configuring these updates, we will then verify the authorization changes for both administrators and visitors to the site.
Steps | Step title | Description
---|---|---
Step 5 | Configure the Contoso federation server to accept tokens from the Fabrikam federation server | For Contoso Pharmaceuticals, this step demonstrates:
Step 6 | Configure Fabrikam to federate and issue tokens to Contoso | For Fabrikam Suppliers, this step demonstrates:
Step 7 | Access the SharePoint site | This step demonstrates:
Using a SQL Server database as an alternative to using Active Directory or AD DS as a data store
In the next step, step 8, we reconfigure AD FS 2.0 to use a Microsoft SQL Server database as an alternate data store to the Active Directory data store that we used in the previous configurations.
Steps | Step title | Description
---|---|---
Step 8 | Configure the Contoso federation server to get role values from a Structured Query Language (SQL) data store | For Contoso Pharmaceuticals, this scenario demonstrates:
Protecting documents and libraries using Active Directory Rights Management Services
In the next step, step 9, we reconfigure AD FS 2.0 and the SharePoint site to use Active Directory Rights Management Services (AD RMS) for digital rights management of documents. In step 10, we configure a second document library that requires a stronger authentication type for access.
Steps | Step title | Description
---|---|---
Step 9 | Configure AD RMS for digitally protecting documents | For Contoso Pharmaceuticals, this scenario demonstrates:<br>For Fabrikam, this scenario demonstrates:
Step 10 | Configure a SharePoint document library that requires stronger authentication | For Contoso Pharmaceuticals, this scenario demonstrates:
Step 11 | Configure AD FS 2.0 to permit only specific users | For Contoso Pharmaceuticals, this scenario demonstrates: