Federated Web SSO Example
Applies To: Windows Server 2008
In this scenario, the fictitious company A. Datum Corporation has employees who work at its corporate offices and mobile employees who work from home. Like any other company, A. Datum must order office supplies for its employees from outside retailers. When users need to be authenticated, the account partner discovery page on the federation server in Trey Research always returns a URL for the external Federation Service Proxy.
Note
Domain Name System (DNS) servers in the perimeter network must be configured to resolve the host name of the Federation Service URL to the federation server proxy for employees that authenticate from home or on the road.
As shown in the following illustration, employee sessions may originate from the corporate network for an office employee or from the Internet for a remote employee. Office employees are authenticated transparently to the federation server through their desktop logon sessions. Mobile employees are authenticated through passwords and forms authentication or, if it is configured, through client Secure Sockets Layer (SSL).
All the Active Directory Federation Services (AD FS)-enabled Web servers in the perimeter network of Trey Research are exposed directly to the Internet, without a federation server proxy. They are protected only by a firewall that screens out non-Web traffic. In a production environment, a business like Trey Research would probably deploy proxy servers in front of its Web farm servers. In this example, the proxy is omitted for clarity, because it adds extra steps to the message flow.
Message flow for federation through internal access
The AD FS-enabled Web server that is hosted by the online retailer is located in the perimeter network. When the office employees connect to the AD FS-enabled Web server directly, they are redirected to the default logon URL at the resource federation server proxy. Then, the employees must use home realm discovery to select the Federation Service endpoint URL. Corporate network DNS servers resolve that URL to the IP address of the internal account federation server.
An office employee authenticates by using his currently logged-on desktop session credentials and integrated authentication at an internal account federation server in the corporate network. The account federation server and Active Directory Domain Services (AD DS) in the corporate network are used to validate the office employee's credentials and obtain attributes for building a Security Assertion Markup Language (SAML) security token.
Client application request
The following illustration and corresponding steps provide a description of the client application request process in AD FS using Transport Layer Security / Secure Sockets Layer (TLS/SSL).
1. The office employee uses his Web browser to open an application on the AD FS-enabled Web server.
2. The AD FS-enabled Web server refuses the request because there is no AD FS authentication cookie. The Web server redirects the client browser to the logon Web page on the resource federation server.
3. The client browser requests to sign in at the resource federation server.
Authenticating the user
The following illustration and corresponding steps provide a description of the authentication process in AD FS. Unless it is otherwise noted, all traffic uses TLS/SSL.
1. The logon Web page on the resource federation server prompts the user for account partner discovery.
2. The resource federation server redirects the client browser to the logon Web page on the account federation server proxy.
3. The client browser requests the logon Web page from the account federation server proxy:
   - Internal DNS servers resolve the account federation server proxy URL to the CNAME of the account federation server.
   - Windows Integrated authentication occurs transparently.
4. The account federation server does the following:
   - Validates the user's credentials and gets attributes from AD DS in the corporate network forest by using Lightweight Directory Access Protocol (LDAP).
   - Builds the security token for the resource federation server.
   - Builds the AD FS authentication cookie.
5. The account federation server redirects the Web browser to send the POST request to the resource federation server:
   - The account federation server returns an HTML page that contains JavaScript code which, when executed by the Web browser, results in an HTTP POST of the security token to the resource federation server.
   - The AD FS authentication cookie is written to the browser.
6. The client browser sends the POST request to the resource federation server.
7. The resource federation server redirects the Web browser to send the POST request to the AD FS-enabled Web server:
   - The resource federation server builds the security token for the Web application.
   - The resource federation server builds the new AD FS authentication cookie.
   - The resource federation server returns an HTML page that contains JavaScript code which, when executed by the Web browser, results in an HTTP POST of the security token to the AD FS-enabled Web server.
   - The AD FS authentication cookie is written to the browser.
8. The Web browser sends the POST request to the AD FS-enabled Web server.
9. The AD FS-enabled Web server redirects the client to its application URL:
   - AD FS validates the security token.
   - The AD FS-enabled Web server builds the new AD FS authentication cookie.
   - The AD FS authentication cookie is written to the browser.
10. The client browser uses the AD FS authentication cookie to request the original application URL from the AD FS-enabled Web server.
11. The AD FS-enabled Web server application authorizes the user's request based on attributes from the security token.
Note
If the resource application uses traditional Windows-based authorization, such as a Windows NT token-based application, a resource account or resource group is required.
12. The Web browser requests additional application URLs from the AD FS-enabled Web server, presenting its AD FS authentication cookie.
Message flow for federation through remote access
When mobile employees connect to the AD FS-enabled Web server directly, they are redirected to the default logon URL at the resource federation server. Then, they must use home realm discovery to select the account Federation Service endpoint URL. A mobile employee may then enter his credentials through a Web page that is displayed by the browser.
Client application request
The following illustration and corresponding steps provide a description of the client application request process in AD FS using TLS/SSL.
1. The remote employee uses the Web browser to open the application on the AD FS-enabled Web server.
2. The AD FS-enabled Web server refuses the request because there is no AD FS authentication cookie. The AD FS-enabled Web server redirects the client browser to sign in at the resource federation server.
3. The client browser requests the logon Web page from the resource federation server.
4. The Web page on the resource federation server prompts the user for account partner discovery.
5. The resource federation server redirects the client browser to the logon Web page on the account federation server proxy.
6. The Web browser requests the logon Web page from the account federation server proxy.
Authenticating the user
The following illustration and corresponding steps provide a description of the user authentication process in AD FS. Unless it is otherwise noted, all traffic uses TLS/SSL.
1. The Web page on the account federation server proxy prompts the client for user credentials.
2. The account federation server proxy requests a security token from the account federation server by using HTTPS.
3. The account federation server does the following:
   - Validates the user's credentials and gets attributes from AD DS in the corporate network forest by using LDAP.
   - Builds the security token for the resource federation server.
   - Builds the AD FS authentication cookie.
4. The account federation server sends the security token and the AD FS authentication cookie to the account federation server proxy by using Web methods over HTTPS.
5. The account federation server proxy redirects the Web browser to send the POST request to the resource federation server:
   - The account federation server proxy returns an HTML page that contains JavaScript code which, when executed by the Web browser, results in an HTTP POST of the security token to the resource federation server.
   - The AD FS authentication cookie is written to the browser.
6. The client browser sends the POST request to the resource federation server.
7. The resource federation server redirects the Web browser to send the POST request to the AD FS-enabled Web server:
   - The resource federation server returns an HTML page that contains JavaScript code which, when executed by the Web browser, results in an HTTP POST of the security token to the AD FS-enabled Web server.
   - The resource federation server builds the new AD FS authentication cookie.
   - The AD FS authentication cookie is written to the browser.
8. The client browser sends the POST request to the AD FS-enabled Web server.
9. The AD FS-enabled Web server redirects the Web browser to its application URL:
   - AD FS validates the security token.
   - The AD FS-enabled Web server builds the new AD FS authentication cookie.
   - The AD FS authentication cookie is written to the browser.
10. The Web browser requests the original application URL from the AD FS-enabled Web server, presenting the AD FS authentication cookie that the AD FS-enabled Web server wrote.
11. The Web application authorizes the user's request based on attributes in the security token.
Note
If the resource application uses traditional Windows-based authorization, a resource account or resource group is required.
12. The Web browser uses its AD FS authentication cookie to request additional application URLs from the AD FS-enabled Web server.
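In both the internal and the remote flows above, the token hand-offs (account federation server to resource federation server to AD FS-enabled Web server) follow one pattern: each hop validates the token it received before building its own token and AD FS authentication cookie. The following Python is an added example, not code from this page or from AD FS, that models those three hops with a simplified HMAC-signed JSON token standing in for the SAML token; the keys, the issuer and audience names, and the "purchasing" group are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the SAML security tokens in the flow above: each hop
# signs a JSON payload with an HMAC key shared with the next hop. Real AD FS uses
# XML signatures and X.509 certificates; keys and party names are hypothetical.
ACCOUNT_FS_KEY = b"account-fs-signing-key"
RESOURCE_FS_KEY = b"resource-fs-signing-key"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_token(key, issuer, audience, attributes, ttl=300, now=None):
    """Build a signed token scoped to one audience, as each hop does for the next."""
    now = time.time() if now is None else now
    body = json.dumps({"iss": issuer, "aud": audience, "attrs": attributes,
                       "nbf": now, "exp": now + ttl}, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def validate_token(key, issuer, audience, token, now=None):
    """Checks a hop must pass before writing its own AD FS authentication cookie:
    signature, issuer, audience, validity window. Returns attributes or None."""
    now = time.time() if now is None else now
    try:
        body, sig = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(body)
    if claims["iss"] != issuer or claims["aud"] != audience:
        return None
    if not claims["nbf"] <= now < claims["exp"]:
        return None
    return claims["attrs"]

def federated_signin(user_attrs, now=None):
    """Walk the token hand-offs: account federation server -> resource federation
    server -> AD FS-enabled Web server. Returns the authorization decision, or
    None if any hop rejects the token it was handed."""
    # Account FS (credentials already validated against AD DS) builds a token
    # addressed to the resource FS.
    t_res = issue_token(ACCOUNT_FS_KEY, "account-fs", "resource-fs", user_attrs, now=now)
    # Resource FS validates it and builds a new token addressed to the Web app.
    attrs = validate_token(ACCOUNT_FS_KEY, "account-fs", "resource-fs", t_res, now=now)
    if attrs is None:
        return None
    t_app = issue_token(RESOURCE_FS_KEY, "resource-fs", "webapp", attrs, now=now)
    # AD FS-enabled Web server validates the token, then authorizes on attributes.
    attrs = validate_token(RESOURCE_FS_KEY, "resource-fs", "webapp", t_app, now=now)
    return None if attrs is None else "purchasing" in attrs.get("groups", [])
```

A token addressed to the resource federation server is rejected by the Web server even though it is correctly signed, which is the audience check the flow relies on.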