AD FS 2.0 Deployment Guide

Applies To: Active Directory Federation Services (AD FS) 2.0

You can use Active Directory® Federation Services (AD FS) 2.0 with the Windows Server® 2008 operating system to build a federated identity management solution that extends distributed identification, authentication, and authorization services to Web-based applications across organization and platform boundaries. By deploying AD FS 2.0, you can extend your organization’s existing identity management capabilities to the Internet.
You can deploy AD FS 2.0 to:
  • Provide your employees or customers with a Web-based, single-sign-on (SSO) experience when they need remote access to internally hosted Web sites or services.
  • Provide your employees or customers with a Web-based, SSO experience when they access cross-organizational Web sites or services from within the firewalls of your network.
  • Provide your employees or customers with seamless access to Web-based resources in any federation partner organization on the Internet without requiring employees or customers to log on more than once.
  • Retain complete control over your employee or customer identities without using other sign-on providers (Windows Live ID, Liberty Alliance, and others).
For more information about how AD FS 2.0 works and how to set up AD FS 2.0 in a test lab, see the following resources:

About this guide

This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying an AD FS 2.0 design that has been preselected by you or an infrastructure specialist or system architect in your organization.
If a design has not yet been selected, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the AD FS 2.0 Design Guide and you have selected the most appropriate design for your organization. For more information about using this guide with a design that has already been selected, see Implementing Your AD FS 2.0 Design Plan.
After you select your design from the design guide and gather the required information about claims, token types, attribute stores, and other items, you can use this guide to deploy your AD FS 2.0 design in your production environment. This guide provides steps for deploying either of the following primary AD FS 2.0 designs:
  • Web SSO
  • Federated Web SSO
Use the checklists in Implementing Your AD FS 2.0 Design Plan to determine how best to use the instructions in this guide to deploy your particular design. For information about hardware and software requirements for deploying AD FS 2.0, see the Appendix A: Reviewing AD FS 2.0 Requirements in the AD FS 2.0 Design Guide.

What this guide does not provide

This guide does not provide:
  • Guidance regarding when and where to place federation servers, federation server proxies, or Web servers in your existing network infrastructure. For this information, see Planning Federation Server Placement and Planning Federation Server Proxy Placement in the AD FS 2.0 Design Guide.
  • Guidance for using certification authorities (CAs) to set up AD FS 2.0
  • Guidance for setting up or configuring specific Web-based applications
  • Setup instructions that are specific to setting up a test lab environment. For more information about how to configure an AD FS 2.0 test lab environment, see AD FS 2.0 Step-by-Step and How To Guides (
  • Information about how to customize federated logon screens, web.config files, or the configuration database.

In this guide

More Here