ADFS server roles

Applies To: Windows Server 2003 R2

Active Directory Federation Services (ADFS) can operate only when the servers running Windows Server 2003 R2 are configured appropriately. Depending on the environment in your organization, specific ADFS server roles must be deployed. The following sections describe the server roles that can be used to provide an ADFS federated identity management solution.

Federation server

Federation servers host the Federation Service component of ADFS. They are used to route authentication requests that are made from user accounts in other organizations (in Federated Web Single-Sign-On (SSO) scenarios) or from clients that can be located anywhere on the Internet (in the Web SSO scenario). For more information about the different ADFS scenarios, see Federation scenarios.

Federation servers also host a security token service that issues tokens that are based on the credentials (for example, user name and password) that are presented to it. After the credentials are verified (by the user logging on), Claims for the user are collected through examination of the attributes for the user that are stored in Active Directory or Active Directory Application Mode (ADAM).

In Federated Web SSO scenarios, claims can then be modified by claim mappings for a specific resource partner. The claims are built into a token that is sent to a federation server in the resource partner. After a federation server in the resource partner receives the claims as incoming claims, it maps them into their organization claims. The organization claims are then built into a new token that is sent to the ADFS Web Agent.

The role that a federation server plays in either of the Federated Web SSO scenarios (Federated Web SSO or Federated Web SSO with Forest Trust) can depend on whether your organization is designated as the account partner or the resource partner:

  • Federation servers in the account partner are used to log on local user accounts in either an Active Directory store or an Active Directory Application Mode (ADAM) store. Federation servers also issue initial security tokens that the local user accounts can use to access Web-based applications that are hosted in the resource partner. In addition, federation servers in the account partner issue cookies to users to maintain login status. These cookies include claims for those users. These cookies enable SSO capabilities so that users do not have to enter credentials each time that they visit different Web-based applications in the resource partner.

  • Federation servers at the resource partner validate the security tokens that are issued by the federation servers at the account partner. Federation servers at the resource partner also issue security tokens that are meant for the Web-based applications in the resource partner. In addition, federation servers in the resource partner issue cookies to the user accounts, which come from the account partner. These cookies enable SSO capabilities so that users do not have to log in again at their federation servers in the account partner when users attempt to access different Web-based applications at the resource partner.

For more information about the account and resource partners, see Partner organizations.

Federation server proxy

Federation server proxies host the Federation Service Proxy component of ADFS. Federation server proxies can be deployed in an organization's perimeter network (also known as a demilitarized zone, extranet, or screened subnet) to forward requests to federation servers that are not accessible from the Internet.

Note

Although you can deploy separate servers to host the Federation Service Proxy component, it is not necessary to deploy a separate server to act as a federation server proxy in the intranet forest of either the account partner or the resource partner. A federation server performs this role automatically.

The role that a federation server proxy plays in your organization can depend on whether your organization is the account partner or the resource partner:

  • Federation server proxies at the account partner act as proxies for user logons to federation servers that are located in the intranet. Federation server proxies also act as proxies for security tokens that are issued by the account partner federation server for both its own tokens and those tokens that are destined for resource partners.

  • Federation service proxies in the resource partner act as proxies for user security tokens, which are issued from federation servers in both the account partner and the resource partner, to Web-based applications in the resource partner.

Web server

In ADFS, Web servers in the resource forest host the ADFS Web Agent component to provide secure access to the Web applications that are hosted on those Web servers. The ADFS Web Agent manages security tokens and authentication cookies that are sent to a Web server. The Web server requires a relationship with a Federation Service so that all authentication tokens come from that Federation Service.

The ADFS Web Agent supports two types of applications: claims-aware applications and Windows NT token–based applications. For information about these types of applications, see Controlling Access to Web-based Applications.