Provide SharePoint Single Sign-On with Active Directory Federation Services

Organizations around the world have been adopting SharePoint rapidly as their collaboration platform of choice. In fact, SharePoint usually becomes so popular that organizations quickly want to expand its use beyond the corporate firewall. That's because businesses, besides sharing information via SharePoint internally, also want to share it externally, by providing vendors, business partners, and clients access to their SharePoint sites. IT is then faced with the challenge of making these sites securely accessible from the Internet.

Figure 1. Extranet SharePoint deployment without ADFS: The figure shows a typical perimeter network setup that uses an AD forest between the internal LAN and the Internet.

Typical extranet SharePoint deployments involve deploying SharePoint in an Active Directory (AD) forest on a perimeter network, or DMZ (see Figure 1). This solution lets you use AD as your authentication provider without creating accounts for external users in your internal forest. It does, however, create one problem. With no trust relationship between the internal and perimeter AD domains, you have to create user accounts in the perimeter AD forest not only for clients and vendors, but also for internal corporate users, which obviously means more administrative work for the IT department. With this solution you end up managing two sets of accounts for every internal user, on top of the accounts for business partners.

This article explains how Microsoft addresses this issue using Active Directory Federation Services (ADFS). You will see how to deploy ADFS to provide a single sign-on experience for web applications across AD forests within your organization, as well as AD users in other organizations.

ADFS first appeared in Windows Server 2003 R2, but was somewhat cumbersome to set up and manage, and caused certain SharePoint features to function improperly. Microsoft has addressed these issues with SharePoint 2007 and Windows Server 2008, providing a much more seamless integration.

ADFS Deployment Design

Before you deploy ADFS you need to spend ample time planning how the infrastructure should be set up to meet your deployment goals. The design of your ADFS infrastructure will vary depending on those goals. In this article the goal is to provide a single sign-on experience for corporate users of the extranet SharePoint deployment. In other words, corporate users should be able to use their internal Active Directory account to log on to a SharePoint server that's set up as a member server of the perimeter Active Directory forest. To meet that design goal, this article uses the servers shown in Figure 2.

Figure 2. Extranet SharePoint Deployment with ADFS: This figure shows the arrangement of servers you need for an extranet SharePoint deployment with ADFS.

Those servers are:

  • Active Directory Certificate Services or third-party public key infrastructure (PKI) (This is not required, but it is recommended for production deployments.)
  • Internal LAN Active Directory Forest
  • Internal LAN Account Federation Server
  • Perimeter Network Active Directory Forest
  • Perimeter Network SharePoint Server w/ADFS Enabled
  • Perimeter Network Resource Federation Server
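
To make the roles in that list concrete, the following Python script is an added illustration (not code from the original article, and not Microsoft's ADFS implementation) of how the Account Federation Server on the internal LAN and the Resource Federation Server in the perimeter network divide the work, and why no account for the corporate user ever has to exist in the perimeter forest. The hostnames, claim names, group names, and the use of an HMAC shared key in place of the X.509 token-signing certificate that the PKI would issue are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not taken from the article). Real ADFS
# signs tokens with an X.509 token-signing certificate from the PKI; an HMAC
# shared secret stands in for that certificate here.
ACCOUNT_FS_ISSUER = "fs.corp.example"               # internal LAN account federation server
SHAREPOINT_AUDIENCE = "sharepoint.extranet.example" # perimeter SharePoint web application
ACCOUNT_FS_KEY = b"constructed-demo-signing-key"

# What the resource federation server trusts: issuer name -> verification key.
# Onboarding another business partner means adding one entry here; no user
# accounts are created in the perimeter forest.
TRUSTED_ACCOUNT_PARTNERS = {ACCOUNT_FS_ISSUER: ACCOUNT_FS_KEY}


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(user, groups, audience, key=ACCOUNT_FS_KEY,
                issuer=ACCOUNT_FS_ISSUER, now=None, lifetime=600):
    """Account federation server: after authenticating the user against the
    internal forest (out of scope here), issue a short-lived signed claims token
    addressed to one specific resource application."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": user, "groups": sorted(groups),
              "aud": audience, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + _b64(sig)


def validate_token(token, trusted_partners=TRUSTED_ACCOUNT_PARTNERS,
                   audience=SHAREPOINT_AUDIENCE, now=None):
    """Resource federation server: accept a token only if it was signed by a
    trusted account partner, is addressed to this application, and has not
    expired. Raises ValueError for anything else."""
    now = int(time.time()) if now is None else now
    parts = token.split(b".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    claims = json.loads(_unb64(body))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    # The issuer claim only selects which key to try; nothing else in the body
    # is trusted until the signature has been verified.
    key = trusted_partners.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this application")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def site_allows(claims, allowed_groups):
    """SharePoint side: map group claims onto site permissions. The user's
    account lives only in the internal forest; only claims cross the boundary."""
    return bool(set(claims["groups"]) & set(allowed_groups))


if __name__ == "__main__":
    tok = issue_token("CORP\\alice", ["Sales", "Domain Users"], SHAREPOINT_AUDIENCE)
    claims = validate_token(tok)
    print(claims["sub"], "allowed on Sales site:", site_allows(claims, ["Sales"]))
```

The three checks in `validate_token` are the ones that matter in any federation setup, whatever the token format: the signature ties the token to a partner you chose to trust, the audience check stops a token issued for one application being replayed against another, and the expiry bounds how long a captured token is useful.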

The rest of this article shows how to set up these servers.
