Information Technology Reference
In-Depth Information
service proxy protects the federation server from exposure to the Internet. The Federation
Service and Federation Service Proxy role services can't be installed on the same server.
•
AD FS Web agents
—A Web server can host the Claims-aware agent or the Windows
token-based agent role service. These servers are called
ADFS-enabled Web servers
. Web
agents manage security tokens sent by a federation server to determine whether the user
whose credentials are described in the token can access applications hosted by the ADFS-
enabled Web server. The two role services that are available are as follows:
• Claims-aware agent: An AD FS Web agent that handles security tokens using claims.
• Windows token-based agent: An AD FS Web agent that handles Windows NT-based tokens.
AD FS can be deployed in several situations. Depending on the situation, you might use a com-
bination of the AD FS role services to address the organization's federated identity needs. The
AD FS designs discussed in the following sections address the federated identity needs most
organizations are likely to have.
Web SSO
The simplest of the AD FS designs, the
Web SSO
provides single sign-on access to
multiple Web applications for users who are external to the corporate network. This design is most
often used in consumer-to-business relationships. There's no federation trust between federation
servers, as with other AD FS designs, because this design has only one federation server. Usually, it
consists of a federation server inside the corporate firewall and a federation proxy server connected
to the internal corporate network as well as an Internet-accessible perimeter network. In addition,
it contains one or more ADFS-enabled Web servers, also Internet accessible, that are connected to
the corporate network. Clients requiring access to Web applications need to log on only once. A
username and password must be created for each user in a directory service, such as AD LDS.
Credentials are presented to the federation proxy server, which forwards them to the internal fed-
eration server, which in turn issues a security token after successful authentication. Figure 12-6
illustrates the following process for authenticating to an ADFS-enabled Web application:
The perimeter network in the figure is sometimes referred to as a DMZ,
and there's a firewall (not shown) between the perimeter network and the
internal network.
1. A user attempts to access an application on the ADFS-enabled Web server.
2. The ADFS-enabled Web server refuses access and redirects the browser to the federation
proxy server's logon page.
Perimeter
network
Internal
network
6
ADFS-enabled
Web server
AD LDS
5
4
7
Internet client
Federation
server
Federation
proxy
AD DS
Niftytools.com
Figure 12-6
Web SSO authentication and authorization
Search WWH ::
Custom Search