Federated Web SSO Design

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The Federated Web Single-Sign-On (SSO) design in Active Directory Federation Services (AD FS) involves secure communication that spans multiple firewalls, perimeter networks, and name-resolution servers, in addition to the entire Internet routing infrastructure.

Typically, this design is used when two organizations agree to create a federation trust relationship to allow users in one organization (the account partner organization) to access Web-based applications or services, which are secured by AD FS, in the other organization (the resource partner organization).

In other words, a federation trust relationship is the embodiment of a business-level agreement or partnership between two organizations. As shown in the following illustration, you can establish a federation trust relationship between two businesses, which results in an end-to-end federation scenario.

(Illustration: Federated Web SSO)

The one-way arrow in the illustration signifies the direction of the federation trust, which, like the direction of Windows trusts, always points to the account side of the forest. This means that authentication flows from the account partner organization to the resource partner organization.

In this Federated Web SSO design, two federation servers (one in Fabrikam and the other in Contoso) route authentication requests from user accounts in Fabrikam to Web-based applications or services in Contoso.
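The routing described above, as an added Python model that is not part of this guide and not AD FS code: each organization runs a federation server, Contoso holds a claims provider trust for Fabrikam (the one-way trust pointing at the account side), and a request succeeds only in the account-to-resource direction. HMAC with a verification key published by the account partner stands in for the X.509 token-signing certificate; the organization names, keys and user names are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample keys; real AD FS signs tokens with X.509 certificates.
FABRIKAM_KEY = b"fabrikam-token-signing-key"
CONTOSO_KEY = b"contoso-token-signing-key"


def _sign(key: bytes, body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class FederationServer:
    org: str
    signing_key: bytes
    # Claims provider trusts: issuers whose tokens this server accepts, keyed to
    # their verification key. Only the resource partner holds an entry for the
    # account partner; that single one-way entry is the direction of the trust.
    claims_provider_trusts: dict = field(default_factory=dict)

    def issue_token(self, subject: str, audience: str) -> dict:
        body = {"iss": self.org, "sub": subject, "aud": audience}
        return {"body": body, "sig": _sign(self.signing_key, body)}

    def validate_token(self, token: dict) -> bool:
        key = self.claims_provider_trusts.get(token["body"]["iss"])
        if key is None or token["body"]["aud"] != self.org:
            return False  # untrusted issuer, or not addressed to this server
        return hmac.compare_digest(_sign(key, token["body"]), token["sig"])


def federated_web_sso(account_fs, resource_fs, user: str, app: str):
    """Route one authentication request from account partner to resource
    partner; returns the app token, or None if the trust runs the other way."""
    # 1. The account partner authenticates its user and issues a token
    #    addressed to the resource partner's federation server.
    token = account_fs.issue_token(user, audience=resource_fs.org)
    # 2. The resource partner checks it against its claims provider trust.
    if not resource_fs.validate_token(token):
        return None
    # 3. It then issues its own token for the Web-based application.
    return resource_fs.issue_token(user, audience=app)


fabrikam = FederationServer("fabrikam.com", FABRIKAM_KEY)  # account partner
contoso = FederationServer("contoso.com", CONTOSO_KEY,  # resource partner
                           claims_provider_trusts={"fabrikam.com": FABRIKAM_KEY})
```

Reversing the call (Contoso as account partner, Fabrikam as resource partner) returns None because Fabrikam holds no claims provider trust for Contoso, which is what the one-way arrow in the illustration expresses.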

Note

For additional security, you can use federation server proxies to relay requests to federation servers that are not directly accessible from the Internet.

In this example, Fabrikam is the identity, or account, provider. The Fabrikam portion of the Federated Web SSO design uses the following AD FS deployment goal:

Contoso is the resource provider. The Contoso portion of the Federated Web SSO design achieves the following AD FS deployment goals:

For a list of detailed tasks that you can use to plan and deploy the Federated Web SSO design, see Checklist: Implementing a Federated Web SSO Design.

See Also

AD FS Design Guide in Windows Server 2012