Updated: July 9, 2020 (February 20, 2006)

  Charts & Illustrations

ADFS Federated Identity Scenario


by Michael Cherry

Michael analyzed and wrote about Microsoft's operating systems, including the Windows client OS, as well as compliance and governance. Michael...

With Windows Server 2003 R2, Active Directory Federation Services (ADFS) can give users single sign-on (SSO) to a partner’s Web application. Here is a typical scenario:

(1) A user at the account partner navigates her browser to a Web application hosted by the resource partner.

(2) An ADFS Web Services Agent on the resource partner’s Web server, which must be Internet Information Services (IIS) 6.0, looks for a security token. If the user doesn’t have one, it sends the request to the resource partner’s ADFS server.

(3) The resource partner’s ADFS server looks at its list of federated account partners to determine where it needs to send the user to get a security token. The first attempt to access the resource partner’s Web application is called a home-realm discovery. Here, the resource partner’s ADFS server will ask the user to provide some identifying data, such as her e-mail address. On subsequent visits, a cookie will tell the resource partner’s ADFS server which account partner she belongs to.
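The three steps above form one flow on the resource partner's side: the Web Services Agent checks for a token, and the ADFS server performs home-realm discovery from an e-mail hint on the first visit and from a cookie afterwards. The simulation below is an added example, not code from this article or from Microsoft's ADFS; the partner names, endpoint URLs, cookie name and request fields are all assumptions made for illustration (real ADFS exchanges signed SAML tokens over HTTPS and reads its trust list from the federation configuration). It also carries the check a defender wants at this step: the remembered realm in the cookie, like the typed e-mail domain, is only ever resolved against the configured list of federated account partners, so the server never redirects a user to an unconfigured realm.

```python
"""Simulated ADFS resource-partner flow: token check, home-realm discovery, cookie.

Added example, not the article's or Microsoft's code. Partner names, URLs,
the cookie name and the request fields are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed federation trust list on the resource partner's ADFS server:
# e-mail domain -> account partner federation endpoint (hypothetical URLs).
FEDERATED_ACCOUNT_PARTNERS = {
    "contoso.example": "https://adfs.contoso.example/adfs/ls/",
    "fabrikam.example": "https://adfs.fabrikam.example/adfs/ls/",
}
HOME_REALM_COOKIE = "home_realm"  # assumed name of the cookie that remembers the partner


@dataclass
class Request:
    """Minimal stand-in for the browser request the Web Services Agent sees."""
    path: str
    security_token: Optional[str] = None        # absent on the first visit
    cookies: dict = field(default_factory=dict)
    email_hint: Optional[str] = None             # what the user types at discovery


@dataclass
class Outcome:
    """What the resource partner decides to do with the request."""
    action: str                       # "serve", "prompt_home_realm", "redirect" or "reject"
    target: Optional[str] = None      # account partner endpoint on redirect
    set_cookie: Optional[tuple] = None  # (name, value) to remember the realm


def web_agent(req: Request) -> Outcome:
    """Step 2: the agent on the IIS web server looks for a security token.

    With a token the application is served; without one the request goes to
    the resource partner's ADFS server (token validation itself is out of scope here).
    """
    if req.security_token:
        return Outcome("serve")
    return resource_adfs(req)


def home_realm_from_email(email: str) -> Optional[str]:
    """Map the user's e-mail domain to a configured account partner, if any."""
    if "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1].lower()
    return domain if domain in FEDERATED_ACCOUNT_PARTNERS else None


def resource_adfs(req: Request) -> Outcome:
    """Step 3: home-realm discovery on the resource partner's ADFS server."""
    # Subsequent visits: the cookie names the account partner, but it is only
    # honoured when it still matches a configured trust; an unknown value is
    # treated as if no cookie were present rather than used as a redirect target.
    realm = req.cookies.get(HOME_REALM_COOKIE)
    if realm in FEDERATED_ACCOUNT_PARTNERS:
        return Outcome("redirect", FEDERATED_ACCOUNT_PARTNERS[realm])
    # First visit: ask the user for identifying data (her e-mail address).
    if req.email_hint is None:
        return Outcome("prompt_home_realm")
    realm = home_realm_from_email(req.email_hint)
    if realm is None:
        # No federation trust for that domain, so no account partner can issue a token.
        return Outcome("reject")
    return Outcome("redirect", FEDERATED_ACCOUNT_PARTNERS[realm],
                   set_cookie=(HOME_REALM_COOKIE, realm))


if __name__ == "__main__":
    first = web_agent(Request("/app", email_hint="alice@contoso.example"))
    print("first visit ->", first.action, first.target, first.set_cookie)
    again = web_agent(Request("/app", cookies=dict([first.set_cookie])))
    print("next visit  ->", again.action, again.target)
    print("bad cookie  ->", web_agent(Request("/app", cookies={"home_realm": "nope"})).action)
```

Running the block prints the redirect to the Contoso endpoint on the first visit, the same redirect driven by the cookie on the next visit, and a fresh home-realm prompt when the cookie names a realm that is not in the trust list.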
