May 29, 2013
At a minimum, deploying AD FS 2.0 within a single organisation requires the following infrastructure:
- Active Directory – AD FS 2.0 requires Active Directory to authenticate users. This can be any version of AD, and does not require a specific schema revision, or domain or forest functional level.
- Active Directory Federation Services 2.0 – Deploying AD FS in a single organisation requires a minimum of one AD FS 2.0 server. In its simplest configuration, this server will be configured with a claims provider trust to the corporate Active Directory (this is configured by default on every AD FS 2.0 server), and a relying party trust for each application that will be consuming claims produced by this AD FS server. By default, internal users will authenticate to the AD FS server via Integrated Windows Authentication in order to obtain AD FS tokens that they will present to any relying party applications. A single AD FS server can authenticate users in the same domain as the AD FS server, in any domain within the same Active Directory forest, and in any trusted forest.
- Domain Name System (DNS) – The DNS requirements for the WebSSO deployment are fairly straightforward. All clients must be able to resolve the A record of the federation server and any relying party applications, in addition to the DNS requirements associated with Active Directory authentication (SRV records, and so on). If a Federation Server proxy (FSP) has been deployed, this will potentially add to the DNS requirements in this scenario.
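
A preflight check for the DNS requirements in the last bullet, run from a client machine. This is an added example, not part of the original post. It assumes the `Resolve-DnsName` cmdlet (Windows 8 / Windows Server 2012 or later); the host names, the domain name and the helper function names are hypothetical placeholders.

```powershell
# Added example. All names below are hypothetical placeholders, not from the original post.
$FederationServer = 'fs.example.com'       # AD FS 2.0 federation server
$RelyingParties   = @('app.example.com')   # relying party application hosts
$AdDomain         = 'example.com'          # Active Directory DNS domain

function New-Result($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-ARecord([string]$Name) {
    try {
        $answer = @(Resolve-DnsName -Name $Name -Type A -ErrorAction Stop)
    } catch {
        return New-Result "A $Name" $false $_.Exception.Message
    }
    $a     = @($answer | Where-Object { $_.Type -eq 'A' })
    $cname = @($answer | Where-Object { $_.Type -eq 'CNAME' })
    if ($cname.Count -gt 0) {
        # Assumption of this example: the requirement is an A record for the
        # name itself, so a name that is only an alias is reported as a failure.
        return New-Result "A $Name" $false "alias of $($cname[0].NameHost)"
    }
    if ($a.Count -eq 0) {
        return New-Result "A $Name" $false 'no A record in answer'
    }
    New-Result "A $Name" $true ($a.IPAddress -join ', ')
}

function Test-DcLocatorSrv([string]$Domain) {
    # SRV record that domain members query to locate a domain controller.
    $name = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    } catch {
        return New-Result "SRV $name" $false $_.Exception.Message
    }
    $targets = @($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    New-Result "SRV $name" ($srv.Count -gt 0) ($targets -join ', ')
}

$results  = @(@($FederationServer) + $RelyingParties | ForEach-Object { Test-ARecord $_ })
$results += Test-DcLocatorSrv $AdDomain
$results | Format-Table -AutoSize
```

Any row with `Pass` set to `False` points at a record that a client on that network segment cannot resolve; run the check from each segment that will use the federation server.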