[Figure 12-5: A federation trust relationship. Elements shown in the diagram: account partner organization (AD DS, account federation server), resource partner organization (resource federation server, ADFS-enabled Web server), federation trust, Internet.]
Account Partners and Resource Partners User accounts in the account partner can be Active Directory or AD LDS user accounts. The resource partner organization hosts applications and other resources that are accessible to account partner users. When a user in the account partner organization wants to access these resources, a federation server in the account partner's network presents a security token representing the user's credentials to Web resources in the resource partner's network. Based on the security token, the federation server in the resource partner's network grants or denies access. In AD FS parlance, the user credentials packaged in the security token are called claims.
Claims-Aware Applications A claim is an agreed-on set of user attributes that both parties in a federation trust use to determine a user's credentials, which specify the user's permissions to resources in the partner's network. Claims typically include a user's logon name and group memberships and can include other attributes, such as department, title, and so forth. A claims-aware application is an ASP.NET application that makes user authorization decisions based on claims packaged in AD FS security tokens.
Windows NT Token Applications Applications that aren't claims aware can still participate in AD FS. These applications rely on Windows NT-style access tokens to determine user authorization. These tokens contain traditional user and group security principal SIDs, and access control lists are used to determine user permissions to a resource. An NT token-based application is an IIS application that relies on standard Windows authentication methods rather than claims. This type of application might be developed by using a legacy scripting language, such as Perl or an older version of ASP that doesn't use the .NET programming interfaces.
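The flow described above (an account federation server packaging user attributes into claims and signing a token, the resource federation server accepting it only because a federation trust exists with the issuer, and a claims-aware application authorizing on the claims rather than on NT-style SIDs) as an added Python sketch; it is not from the book or from AD FS itself. The shared HMAC key, the partner names and the JSON claim layout are constructed stand-ins for AD FS's certificate-signed SAML tokens.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the federation trust: the resource partner keeps a
# verification key per trusted account partner (AD FS uses the account
# partner's token-signing certificate here, not a shared secret).
TRUSTED_ACCOUNT_PARTNERS = {"account.example": b"constructed-demo-signing-key"}


def issue_token(partner, user, groups, department, key):
    """Account federation server: gather user attributes into claims and sign them."""
    claims = {"issuer": partner, "name": user, "groups": groups, "department": department}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token):
    """Resource federation server: accept claims only from a trusted account partner.

    Returns the claims dict, or None when the issuer is untrusted or the
    signature does not verify (for example, a claim was altered in transit).
    """
    body, _, sig = token.rpartition(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    key = TRUSTED_ACCOUNT_PARTNERS.get(claims.get("issuer"))
    if key is None:
        return None  # no federation trust with this issuer
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or forged token
    return claims


def claims_aware_authorize(claims, required_group):
    """Claims-aware application: the decision is made on the group claim alone."""
    return claims is not None and required_group in claims.get("groups", [])


if __name__ == "__main__":
    key = TRUSTED_ACCOUNT_PARTNERS["account.example"]
    token = issue_token("account.example", "alice", ["Purchasing"], "Finance", key)
    print(claims_aware_authorize(validate_token(token), "Purchasing"))
```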
AD FS Role Services
The AD FS role consists of four role services that can be installed on one or more servers. The
role services that are installed usually depend on whether you're installing AD FS in an account
partner's or a resource partner's network:
Federation Service —The function of the Federation Service role service depends on whether the network where it's installed is acting as an account partner or a resource partner. When used in an account partner network, its function is to gather user credentials into claims and package them into a security token. The security token is then passed to the federation service on the resource partner network. The federation service on the resource partner network receives security tokens and claims from the account partner and presents the claims to Web-based applications for authorization. Servers with this role service installed are referred to as federation servers.
Federation Service Proxy —Installed on servers in a perimeter network outside the corporate firewall, a federation service proxy fields authentication requests from browser clients and passes them to the federation server inside the firewall. A server configured as a federation