Federated Web SSO Design

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The Federated Web Single-Sign-On (SSO) design in Active Directory Federation Services (AD FS) involves secure communication that spans multiple firewalls, perimeter networks, and name-resolution servers, in addition to the entire Internet routing infrastructure.

Typically, this design is used when two organizations agree to create a federation trust relationship so that users in one organization (the account partner organization) can access Web-based applications or services, secured by AD FS, in the other organization (the resource partner organization).

In other words, a federation trust relationship is the embodiment of a business-level agreement or partnership between two organizations. As shown in the following illustration, you can establish a federation trust relationship between two businesses, which results in an end-to-end federation scenario.

Illustration: Federated Web SSO

The one-way arrow in the illustration signifies the direction of the federation trust, which, like the direction of Windows trusts, always points to the account side of the forest. This means that authentication flows from the account partner organization to the resource partner organization.

In this Federated Web SSO design, two federation servers (one in Fabrikam and the other in Contoso) route authentication requests from user accounts in Fabrikam to Web-based applications or services in Contoso.

Note

For additional security, you can use federation server proxies to relay requests to federation servers that are not directly accessible from the Internet.

In this example, Fabrikam is the identity, or account, provider. The Fabrikam portion of the Federated Web SSO design uses the following AD FS deployment goal:

Contoso is the resource provider. The Contoso portion of the Federated Web SSO design achieves the following AD FS deployment goals:

For a list of detailed tasks that you can use to plan and deploy the Federated Web SSO design, see Checklist: Implementing a Federated Web SSO Design.
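The two halves of the Fabrikam-to-Contoso trust described above, as an added example that is not part of the original page: the account partner registers the resource partner as a relying party, and the resource partner registers the account partner as a claims provider, so the trust direction matches the one-way arrow in the illustration. Federation service hostnames, metadata URLs, the group name and the UPN suffix check are assumptions; each half runs in an elevated PowerShell session on that organization's own federation server.

```powershell
Import-Module ADFS

$upn    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$group  = 'http://schemas.xmlsoap.org/claims/Group'
$permit = 'http://schemas.microsoft.com/authorization/claims/permit'

# ----- Fabrikam (account partner): run on fs.fabrikam.com (assumed name) -----
# Contoso is a relying party here: Fabrikam issues tokens that Contoso consumes.
$issuanceRules = @"
@RuleName = "Pass UPN to Contoso"
c:[Type == "$upn"] => issue(claim = c);
"@
# Authorization rule: only members of an explicit group (assumed name) get a
# token for Contoso, rather than every Fabrikam account (least privilege).
$authzRules = @"
@RuleName = "Permit only the Contoso app group"
c:[Type == "$group", Value == "ContosoAppUsers"]
 => issue(Type = "$permit", Value = "true");
"@
Add-AdfsRelyingPartyTrust -Name 'Contoso' `
    -MetadataUrl 'https://fs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# ----- Contoso (resource partner): run on fs.contoso.com (assumed name) -----
# Fabrikam is a claims provider here: Contoso accepts Fabrikam-issued tokens.
# The acceptance rule only passes through UPNs in Fabrikam's own suffix
# (assumed), so the partner cannot assert identities for other domains.
$acceptRules = @"
@RuleName = "Accept only fabrikam.com UPNs"
c:[Type == "$upn", Value =~ "^[^@]+@fabrikam\.com$"] => issue(claim = c);
"@
Add-AdfsClaimsProviderTrust -Name 'Fabrikam' `
    -MetadataUrl 'https://fs.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml' `
    -AcceptanceTransformRules $acceptRules

# Verify each side sees its trust (run on the respective server).
Get-AdfsRelyingPartyTrust  -Name 'Contoso'  | Select-Object Name, Enabled, Identifier
Get-AdfsClaimsProviderTrust -Name 'Fabrikam' | Select-Object Name, Enabled, Identifier
```

Using the metadata URL rather than hand-entered certificates lets AD FS pull each partner's token-signing certificate from the published federation metadata; the metadata endpoint must be reachable over HTTPS from the server running the cmdlet.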

See Also

AD FS Design Guide in Windows Server 2012