Understanding AD FS Terminology

Applies To: Windows Server 2008

Active Directory Federation Services (AD FS) uses terminology from several different technologies, including certificate services, Internet Information Services (IIS), Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), and Web Services (WS-*). The following table describes these terms.


account federation server

The federation server that is located in the corporate network of the account partner organization. The account federation server issues security tokens to users based on user authentication. The server authenticates a user, pulls the relevant attributes and group membership information out of the account store, and generates and signs a security token to return to the user—either to be used in its own organization or to be sent to a partner organization.

account federation server proxy

The federation server proxy that is located in the perimeter network of the account partner organization. The account federation server proxy collects authentication credentials from a client that logs on over the Internet (or from the perimeter network) and passes those credentials to the account federation server.

account partner

A federation partner that is trusted by the Federation Service to provide security tokens to its users (that is, users in the account partner organization) so that they can access Web-based applications in the resource partner.

Active Directory Federation Services (AD FS)

A component in Windows Server 2003 R2 and Windows Server 2008 that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries. AD FS supports the WS-Federation Passive Requestor Profile (WS-F PRP).

AD FS Web Agent

An installable role service of AD FS that is used to create an AD FS-enabled Web server. An AD FS Web Agent consumes incoming security tokens and authentication cookies that are signed by a valid federation server—to either allow or deny a user access to the protected application—while taking into consideration application-specific access control settings.

AD FS-enabled Web server

A Web server running Windows Server 2003 R2 or Windows Server 2008 that is configured with the appropriate AD FS Web Agent software—either the claims-aware agent or the Windows token–based agent—which is necessary for authenticating and authorizing federated access to locally hosted, Web-based applications.

claim

A statement that a server makes (for example, name, identity, key, group, privilege, or capability) about a client.

claims-aware application

A Microsoft ASP.NET application that performs authorization based on the claims that are present in an AD FS security token.

claim mapping

The act of mapping, removing or filtering, or passing claims between various claim sets.

client account partner discovery Web page

The Web page that interacts with the user to determine which account partner the user belongs to when AD FS cannot automatically determine which of the account partners should authenticate the user.

client authentication certificate

In AD FS, a certificate that federation server proxies use to authenticate a client to the Federation Service.

client logoff Web page

A Web page that AD FS starts when it performs a logoff operation, to give the user visual feedback that the logoff has occurred.

client logon Web page

A Web page that AD FS starts to handle the user interaction when it collects client credentials. The client logon Web page may use any necessary business logic to determine the type of credentials to collect.

federated application

A Web-based application that is AD FS-enabled, which means that federated users can access it.

federated user

A user whose account resides in an account partner organization and who can access federated applications that reside in a resource partner organization.

federation

A pair of realms or domains that have established a federation trust.

federation server

A computer running Windows Server 2003 R2 or Windows Server 2008 that has been configured to host the Federation Service component of AD FS. Federation servers can authenticate or route requests from user accounts in other organizations and from clients that can be located anywhere on the Internet.

federation server proxy

A computer running Windows Server 2003 R2 or Windows Server 2008 that has been configured to host the Federation Service Proxy component of AD FS. Federation server proxies provide intermediary proxy services between an Internet client and a federation server that is located behind a firewall on a corporate network.

Federation Service

An installable role service of AD FS that is used to create a federation server. When it is installed, the Federation Service provides tokens in response to requests for security tokens. Multiple federation servers can be configured to provide fault tolerance and load balancing for a single Federation Service.

Federation Service Proxy

An installable role service of AD FS that is used to create a federation server proxy. When it is installed, the Federation Service Proxy role service uses WS-F PRP protocols to collect user credential information from browser clients and Web applications and send the information to the Federation Service on their behalf.

organization claims

Claims in intermediate or normalized form within an organization's namespace.

passive client

A Hypertext Transfer Protocol (HTTP) browser that supports broadly supported versions of HTTP and can use cookies. AD FS in Windows Server 2003 R2 and Windows Server 2008 supports only passive clients, and it adheres to the WS-F PRP specification.

resource account

A single security principal—usually a user account—that is created in AD DS and used to map to a single federated user. A resource account is required when you federate Windows NT token–based applications because the Windows token–based agent must refer to an Active Directory security principal in the resource partner forest to build the Windows NT access token and thereby enforce access control permissions on the application.

resource federation server

The federation server in the resource partner organization. The resource federation server typically issues security tokens to users based on a security token that is issued by an account federation server. The server:

  • Receives the security token.

  • Verifies the signature.

  • Transforms the organizational claims based on its trust policy.

  • Generates a new security token based on information in the incoming security token.

  • Signs the new token to return to the user and ultimately to the Web application.

resource federation server proxy

The federation server proxy that is located in the perimeter network of the resource partner organization. The resource federation server proxy performs account partner discovery for Internet clients, and it redirects incoming security tokens to the resource federation server.

resource group

A single security group, which is created in AD DS, that incoming group claims (AD FS group claims from the account partner) are mapped to. After federated users have been mapped to a resource group, AD FS-enabled Web servers can make authorization decisions to Windows NT token–based applications based on the access permissions that are assigned to the security identifier (SID) for the resource group.

resource partner

A federation partner that trusts the Federation Service to issue claims-based security tokens for Web-based applications (that is, applications in the resource partner organization) that users in the account partner can access.

security token

A cryptographically signed data unit that expresses one or more claims. In AD FS, a signed security token indicates that the federation server that issues the security token has successfully verified the authenticity of the federated user.

security token service (STS)

A Web service that issues security tokens. An STS makes assertions, based on evidence that it trusts, to whoever trusts it (or to specific recipients). To communicate trust, a service requires proof, such as a signature to prove knowledge of a security token or a set of security tokens. A service itself can generate tokens or it can rely on a separate STS to issue a security token with its own trust statement. This forms the basis of trust brokering. In AD FS, the Federation Service is an STS.

server authentication certificate

AD FS-enabled Web servers, federation servers, and federation server proxies use server authentication certificates to secure Web services traffic for communication among themselves as well as with Web clients.

server farm

In AD FS, a collection of load-balanced federation servers, federation server proxies, or Web servers that host the AD FS Web Agent.

single sign-on (SSO)

An optimization of the authentication sequence to remove the burden of repeated logon actions by an end user.

token-signing certificate

An X.509 certificate whose associated public/private key pair is used by federation servers to digitally sign all security tokens that the federation servers produce.

Uniform Resource Identifier (URI)

A compact string of characters that identifies an abstract resource or physical resource. URIs are explained in Request for Comments (RFC) 2396 (https://go.microsoft.com/fwlink/?LinkId=48289). In AD FS, URIs are used to uniquely identify partners and account stores.

verification certificate

A certificate that represents the public key portion of a token-signing certificate. A verification certificate is stored in the trust policy and used by the federation server in one organization to verify that incoming security tokens have been issued by valid federation servers in the organization's farm and in other organizations.
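The following is an added example, not Microsoft code and not part of this glossary. It models in Python the flow described under resource federation server (receive the token, verify the signature, transform the claims according to the trust policy, generate a new token, sign it), together with the claim mapping and the token-signing / verification certificate entries above. Two simplifications are assumed: an HMAC-SHA256 key per issuer stands in for the X.509 token-signing certificate and its stored verification certificate (real AD FS uses asymmetric signatures), and tokens are JSON rather than SAML/WS-Federation XML. All URIs, key values, claim names and group names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed identifiers for the example (assumptions, not from the glossary).
ACCOUNT_FS = "urn:federation:contoso-account-fs"      # account federation server
RESOURCE_FS = "urn:federation:fabrikam-resource-fs"   # resource federation server
APP_URI = "urn:federation:fabrikam-purchasing-app"    # federated application

# Stand-ins for the private keys of the two token-signing certificates.
ACCOUNT_SIGNING_KEY = b"contoso-token-signing-secret"
RESOURCE_SIGNING_KEY = b"fabrikam-token-signing-secret"

# The resource partner's trust policy: the issuers it trusts, the verification
# key held for each (stands in for the stored verification certificate), and
# the claim mapping rules that apply to that account partner.
RESOURCE_TRUST_POLICY = {
    ACCOUNT_FS: {
        "verification_key": ACCOUNT_SIGNING_KEY,
        "group_map": {"Purchasers": "Fabrikam-Purchasing"},  # group claim -> resource group
        "pass_custom": ["costcenter"],                        # custom claims passed through
    }
}


class TokenRejected(Exception):
    """Raised when an incoming security token fails a trust check."""


def _serialize(body):
    # Canonical serialization so the signature covers a stable byte string.
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def issue_token(issuer, audience, claims, signing_key, now, lifetime=300):
    """Generate a security token carrying the claims and sign it (steps 4 and 5)."""
    body = {"issuer": issuer, "audience": audience, "claims": claims,
            "nbf": now, "exp": now + lifetime}
    payload = _serialize(body)
    signature = hmac.new(signing_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_token(token, trusted_issuers, expected_audience, now):
    """Steps 1 and 2: check the issuer is in the trust policy, the signature verifies
    under that issuer's verification key, and the token is addressed to us and valid now."""
    body = json.loads(token["payload"])
    entry = trusted_issuers.get(body.get("issuer"))
    if entry is None:
        raise TokenRejected("issuer not in trust policy")
    expected = hmac.new(entry["verification_key"], token["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        raise TokenRejected("signature does not verify")
    if body.get("audience") != expected_audience:
        raise TokenRejected("token not intended for this Federation Service")
    if not (body["nbf"] <= now < body["exp"]):
        raise TokenRejected("token outside its validity window")
    return body["issuer"], body["claims"]


def map_claims(claims, rules):
    """Step 3, claim mapping: pass the identity claim, map known group claims onto
    resource-partner groups, pass only allow-listed custom claims, drop everything else."""
    groups = [rules["group_map"][g] for g in claims.get("groups", []) if g in rules["group_map"]]
    custom = {k: v for k, v in claims.get("custom", {}).items() if k in rules["pass_custom"]}
    return {"identity": claims["identity"], "groups": groups, "custom": custom}


def resource_federation_server(incoming_token, now):
    """The five steps from the glossary, returning the new token for the application."""
    issuer, claims = verify_token(incoming_token, RESOURCE_TRUST_POLICY, RESOURCE_FS, now)
    org_claims = map_claims(claims, RESOURCE_TRUST_POLICY[issuer])
    return issue_token(RESOURCE_FS, APP_URI, org_claims, RESOURCE_SIGNING_KEY, now)


def demo(now=1_700_000_000):
    """Account partner -> resource partner -> application; returns the claims the app sees."""
    account_claims = {"identity": "alice@contoso.example",          # constructed user
                      "groups": ["Purchasers", "Domain Users"],
                      "custom": {"costcenter": "4711", "phone": "555-0100"}}
    incoming = issue_token(ACCOUNT_FS, RESOURCE_FS, account_claims, ACCOUNT_SIGNING_KEY, now)
    app_token = resource_federation_server(incoming, now)
    # The AD FS-enabled Web server verifies the resource federation server's signature the same way.
    _, app_claims = verify_token(app_token, {RESOURCE_FS: {"verification_key": RESOURCE_SIGNING_KEY}},
                                 APP_URI, now)
    return app_claims


def tampered_token_is_rejected(now=1_700_000_000):
    """Altering claims in transit invalidates the signature; returns the rejection reason."""
    incoming = issue_token(ACCOUNT_FS, RESOURCE_FS,
                           {"identity": "bob@contoso.example", "groups": []}, ACCOUNT_SIGNING_KEY, now)
    body = json.loads(incoming["payload"])
    body["claims"]["groups"] = ["Purchasers"]  # claim edited after signing
    altered = {"payload": _serialize(body), "signature": incoming["signature"]}
    try:
        resource_federation_server(altered, now)
    except TokenRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(demo())
    print(tampered_token_is_rejected())
```

Note that "Domain Users" and the "phone" claim never reach the application: the trust policy only maps the group claims it knows about and passes only allow-listed custom claims, which is the filtering side of claim mapping. Checking the audience and validity window in addition to the signature prevents a token minted for one Federation Service from being replayed against another.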

Web Services (WS-*)

The specifications for a Web Services Architecture that is based on industry standards such as Simple Object Access Protocol (SOAP); XML; Web Service Description Language (WSDL); and Universal Description, Discovery, and Integration (UDDI). WS-* provides a foundation for delivering complete, interoperable business solutions for the extended enterprise, including the ability to manage federated identity and security.

The Web services model is based on the idea that enterprise systems are written in different languages, with different programming models, which run on and are accessed from many different types of devices. Web services are a means of building distributed systems that can connect and interact with one another easily and efficiently across the Internet, regardless of what language they are written in or what platform they run on.

Web Services Security (WS-Security)

A series of specifications that describes how to attach signature and encryption headers to SOAP messages. In addition, WS-Security describes how to attach security tokens, including binary security tokens, such as X.509 certificates and Kerberos tickets, to messages. In AD FS, WS-Security is used when Kerberos signs security tokens.

Windows NT token–based application

A Windows application that relies on a Windows NT token to perform authorization of users.

WS-Federation

A specification that defines a model and a set of messages for brokering trust and the federation of identity and authentication information across different trust realms.

The WS-Federation specification identifies two sources of identity and authentication requests across trust realms:

  • Active requestors, such as SOAP-enabled applications

  • Passive requestors, which are defined as HTTP browsers that can support broadly supported versions of HTTP, for example, HTTP 1.1

WS-Federation Passive Requestor Profile (WS-F PRP)

An implementation of the WS-Federation specification that proposes a standard protocol for how passive clients (such as Web browsers) apply the federation framework. Within this protocol, Web service requestors are expected to accept the new security mechanisms and be capable of interacting with Web service providers.