Understanding the Federation Service Proxy Role Service

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

The Federation Service Proxy is a role service of Active Directory Federation Services (AD FS) that you can install independently of the other AD FS role services. It acts as a proxy for the Federation Service in a perimeter network (also known as a demilitarized zone, extranet, or screened subnet). Installing the Federation Service Proxy role service on a computer makes that computer a federation server proxy. It also makes the Active Directory Federation Services snap-in available on the Administrative Tools menu of that computer. For more information about the Active Directory Federation Services snap-in, see Using the Active Directory Federation Services Proxy Snap-In.

A federation server proxy participates in the WS-Federation Passive Requestor Profile (WS-F PRP) protocol by communicating with a protected Federation Service on the client’s behalf. When the federation server proxy is protecting an account partner, it collects user credential information from browser clients. When the federation server proxy is protecting a resource partner, it relays requests by and for Web applications to the Federation Service.

The federation server proxy also stores Hypertext Transfer Protocol (HTTP) cookies on clients when necessary to facilitate single sign-on (SSO). The federation server proxy writes all three types of cookies: authentication cookies, account partner cookies, and sign-out cookies. For more information about cookies, see Understanding Cookies Used by AD FS.