Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This Active Directory Federation Services (AD FS) deployment goal builds on the goal in Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services.
When you are an administrator in the account partner organization and you have a deployment goal to provide federated access for employees to hosted resources in another organization:
Employees who are logged on to an Active Directory domain in the corporate network can use single-sign-on (SSO) functionality to access multiple Web-based applications or services, which are secured by AD FS, when the applications or services are in a different organization. For more information, see Federated Web SSO Design.
For example, Fabrikam may want corporate network employees to have federated access to Web services that are hosted in Contoso.
Remote employees who are logged on to an Active Directory domain can obtain AD FS tokens from the federation server in your organization to gain federated access to AD FS–secured Web-based applications or services that are hosted in another organization.
For example, Fabrikam may want its remote employees to have federated access to AD FS–secured services that are hosted in Contoso, without requiring the Fabrikam employees to be on the Fabrikam corporate network.
In addition to the foundational components that are described in Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services and that are shaded in the following illustration, the following components are required for this deployment goal:
Account partner federation server proxy: Employees that access the federated service or application from the Internet can use this AD FS component to perform authentication. By default, this component performs forms authentication, but it can also perform basic authentication. You can also configure this component to perform Secure Sockets Layer (SSL) client authentication if employees at your organization have certificates to present. For more information, see Where to Place a Federation Server Proxy.
Perimeter DNS: This implementation of Domain Name System (DNS) provides the host names for the perimeter network. For more information about how to configure perimeter DNS for a federation server proxy, see Name Resolution Requirements for Federation Server Proxies.
Remote employee: The remote employee accesses a Web-based application (through a supported Web browser) or a Web-based service (through an application), using valid credentials from the corporate network, while the employee is offsite using the Internet. The employee's client computer in the remote location communicates directly with the federation server proxy to generate a token and authenticate to the application or service.
After reviewing the information in the linked topics, you can begin deploying this goal by following the steps in Checklist: Implementing a Federated Web SSO Design.
The following illustration shows each of the required components for this AD FS deployment goal.