The Role of Attribute Stores

Active Directory Federation Services uses the term “attribute stores” to refer to directories or databases that an organization uses to store its user accounts and their associated attribute values. After it is configured in an identity provider organization, AD FS retrieves these attribute values from the store and creates claims based on that information so that a Web application or service that is hosted in a relying party organization can make the appropriate authorization decisions whenever a federated user (a user whose account is stored in the identity provider organization) attempts to access the application or service.

For more information about how claims are generated, see The Role of Claims.

How attribute stores fit in with your AD FS deployment goals

The location of the user attribute store and the location from which users authenticate determine how you design AD FS to support the user identities. Depending on where the attribute store is located and where users will access the application (in an intranet or on the Internet), you can use one of the following deployment goals:

Depending on attribute store placement and other requirements of your organization, you can combine several of these deployment goals to complete the design of your AD FS deployment.

Attribute stores that are supported by AD FS

AD FS supports a wide range of directory and database stores that you can use for extracting administrator-defined attribute values and populating claims with those values. AD FS supports any of the following directories or databases as attribute stores:

  • Active Directory in Windows Server 2003, and Active Directory Domain Services (AD DS) in Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

  • All editions of Microsoft SQL Server 2005, SQL Server 2008, SQL Server 2012, SQL Server 2014, and SQL Server 2016.

  • Custom attribute stores
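The following PowerShell script is an added example, not part of this article or of Microsoft's AD FS documentation. It shows how the two concepts above fit together in practice: registering a SQL Server attribute store with AD FS, and then writing a claim rule that pulls an attribute value from that store to populate a claim for a relying party. The store name (HRDatabase), the SQL server and database names, the table and column names, the relying party name, and the claim type URI under schemas.contoso.com are all assumptions made for the example. The AD FS cmdlets (Add-AdfsAttributeStore, Set-AdfsRelyingPartyTrust) and the claim rule language syntax are the real ones shipped with the AD FS role; the built-in "Active Directory" store referenced in the second rule is created by AD FS itself.

```powershell
# Added example (not from the original article): register a SQL Server attribute store
# and issue claims from it. Run on an AD FS server as a member of the AD FS administrators.
# All names below (HRDatabase, sql01.corp.contoso.com, HR, Employees, Department,
# "Contoso HR Portal", schemas.contoso.com) are assumed for illustration.

# 1. Register the attribute store. Integrated Security means the AD FS service account
#    authenticates to SQL Server; grant that account only SELECT on the table it needs,
#    not db_owner, so a compromised claim rule cannot read or alter anything else.
Add-AdfsAttributeStore -Name "HRDatabase" -StoreType "SQL" -Configuration @{
    "Connection" = "Server=sql01.corp.contoso.com;Database=HR;Integrated Security=True"
}

# 2. Claim rules in the AD FS claim rule language. The first rule takes the authenticated
#    Windows account name, looks up the user's department in the SQL store, and issues it
#    as a department claim. {0} is a positional parameter bound to c.Value by AD FS;
#    the value is never concatenated into the query text, so a crafted account name
#    cannot turn the lookup into an injected SQL statement.
#    The second rule shows the same pattern against the built-in Active Directory store,
#    whose query syntax is ";attribute1,attribute2;{0}".
$issuanceRules = @'
@RuleName = "Department from HR database"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "HRDatabase",
          types = ("http://schemas.contoso.com/claims/department"),
          query = "SELECT Department FROM Employees WHERE AccountName = {0}",
          param = c.Value);

@RuleName = "Email from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}",
          param = c.Value);
'@

# 3. Attach the rules to the relying party trust that consumes the claims.
#    Only claims named in issuance rules reach the relying party, so keep the set minimal.
Set-AdfsRelyingPartyTrust -TargetName "Contoso HR Portal" -IssuanceTransformRules $issuanceRules

# 4. Verify what was registered. The store's Configuration value is shown here so the
#    connection string can be checked; if it ever carried an embedded SQL password instead
#    of Integrated Security, that password would be readable by every AD FS administrator.
Get-AdfsAttributeStore -Name "HRDatabase" | Format-List Name, StoreTypeQualifiedName, Configuration
(Get-AdfsRelyingPartyTrust -Name "Contoso HR Portal").IssuanceTransformRules
```

Two points are worth checking after running this. First, a user whose account has no row in the Employees table receives no department claim at all rather than an empty one, so the relying party's authorization logic must treat a missing claim as "deny" instead of assuming every federated user carries it. Second, because the SQL store is queried on every token issuance for that relying party, its availability becomes part of the sign-in path; the AD FS admin event log records the query failure when the database is unreachable, which is the first place to look when users of that one application cannot sign in while others can.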