Share via

AD FS 2.0 Deployment Guide

Applies To: Active Directory Federation Services (AD FS) 2.0

You can use Active Directory® Federation Services (AD FS) 2.0 with the Windows Server® 2008 operating system to build a federated identity management solution that extends distributed identification, authentication, and authorization services to Web-based applications across organization and platform boundaries. By deploying AD FS 2.0, you can extend your organization’s existing identity management capabilities to the Internet.

You can deploy AD FS 2.0 to:

  • Provide your employees or customers with a Web-based, single-sign-on (SSO) experience when they need remote access to internally hosted Web sites or services.

  • Provide your employees or customers with a Web-based, SSO experience when they access cross-organizational Web sites or services from within the firewalls of your network.

  • Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet without requiring employees or customers to log on more than once.

  • Retain complete control over your employee or customer identities without using other sign-on providers (Windows Live ID, Liberty Alliance, and others).

For more information about how AD FS 2.0 works and how to set up AD FS 2.0 in a test lab, see the following resources:


You can find additional AD FS 2.0 resource links at the AD FS 2.0 Content Map page on the Microsoft TechNet Wiki. This page is managed by members of the AD FS 2.0 Community and is monitored on a regular basis by the AD FS Product Team.

About this guide

This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying an AD FS 2.0 design that has been preselected by you or an infrastructure specialist or system architect in your organization.

If a design has not yet been selected, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the AD FS 2.0 Design Guide and you have selected the most appropriate design for your organization. For more information about using this guide with a design that has already been selected, see Implementing Your AD FS 2.0 Design Plan.

After you select your design from the design guide and gather the required information about claims, token types, attribute stores, and other items, you can use this guide to deploy your AD FS 2.0 design in your production environment. This guide provides steps for deploying either of the following primary AD FS 2.0 designs:

  • Web SSO

  • Federated Web SSO

Use the checklists in Implementing Your AD FS 2.0 Design Plan to determine how best to use the instructions in this guide to deploy your particular design. For information about hardware and software requirements for deploying AD FS 2.0, see the Appendix A: Reviewing AD FS 2.0 Requirements in the AD FS 2.0 Design Guide.

What this guide does not provide

This guide does not provide:

In this guide


Author: Nick Pierson

Technical Reviewers: Matt Steele, Lu Zhao (Migration)

Editor: Jim Becker