Share via


Web SSO Example

Applies To: Windows Server 2008

In this example, the fictitious company Adventure Works is an online retailer. The company sells products directly to customers over the Internet. The perimeter network hosts the Purchasing application and the Customer Service Web application, which are both claims-aware applications. Internet customer accounts and passwords are managed in Active Directory Lightweight Directory Services (AD LDS).

Message flow for customer remote access

The Active Directory Federation Services (AD FS)-enabled Web server that hosts the Purchasing and Customer Service applications is located in the perimeter network forest. Customers perform AD FS authentication for these applications by using the resource federation server for the AD FS-enabled Web server.

Client application request

The following illustration and corresponding steps provide a detailed description of the client application request process in AD FS using Transport Layer Security / Secure Sockets Layer (TLS/SSL).

  1. The customer uses her Web browser to open the application on the AD FS-enabled Web server.

  2. The AD FS-enabled Web server refuses the request because there is no AD FS authentication cookie, and the AD FS-enabled Web server redirects the client browser to the logon Web page on the resource federation server.

  3. The client browser requests the logon Web page from the resource federation server.

  4. The resource federation server redirects the client browser to its logon Web page.

Authenticating the user

The following illustration and corresponding steps continue to describe the client application request process in the previous section. Unless it is otherwise noted, all traffic uses TLS/SSL.

  1. The Web page of the resource federation server prompts the client for user credentials.

  2. The resource federation server does the following:

    • Validates the client's user credentials and retrieves attributes from AD LDS using the Lightweight Directory Access Protocol (LDAP).

    • Builds the security token for the AD FS-enabled Web server application.

    • Builds the AD FS authentication cookie.

  3. The resource federation server redirects the Web browser to send the POST request to the AD FS-enabled Web server:

    • The resource federation server returns an HTML page that contains Java script code, which when executed by the Web browser will result in an HTTP POST of the security token to the ADFS enabled web server.

    • The AD FS authentication cookie is written to the Web browser.

  4. The Web browser sends the POST request to the AD FS-enabled Web server.

  5. The AD FS-enabled Web server redirects the Web browser to the URL of the application:

    • The AD FS-enabled Web server validates the security token.

    • The AD FS-enabled Web server builds the new AD FS authentication cookie.

    • The AD FS authentication cookie is written to the Web browser.

  6. The Web browser requests the original application URL from the AD FS-enabled Web server with the AD FS authentication cookie.

  7. The application authorizes the user’s request, based on attributes from the security token.

The client browser requests additional application URLs from the AD FS-enabled Web server with its AD FS authentication cookie that is created by the Web server.