Configuring an Account Partner
You want to configure an account partner to allow them to access applications that are managed by an ADFS Federation Service.
Using a graphical user interface
Open the ADFS MMC snap-in. Navigate to Federation Service → Trust Policy → Partner Organizations.
Right-click on Account Partners, and select New Account Partner.
To create an account partner manually, click No on the Import Policy File page and click Next.
On the Account Partner Details screen, enter the display name of the account partner, the Federation Service URI (such as http://www.rallencorp.com/adfs), and the Federation Service endpoint URL (such as https://www.rallencorp.com/adfs/ls/clientlogon.aspx). Click Next to continue.
On the Account Partner Verification Certificate screen, browse to or manually enter the path to the verification certificate and click Next.
For Federation Scenario, select one of the following:
Federated Web SSO
Choose this for a scenario with an external organization or one where you're not using a forest trust. To use this option, simply click Next to continue.
Federated Web SSO with Forest Trust
To configure this option, click Next, then select "All Active Directory domains and forests" to allow users from any domain in the organization to authenticate. To restrict the domains that can submit requests, click on "The following Active Directory domains and forests." Select the domain or forest that you want to accept logons from and click Add. Click Next to continue.
On the Account Partner Identity Claims screen, select one or more of the following:
UPN Claim
This will take you to the Accepted UPN Suffixes page. From here you can select All UPN Suffixes, or else specify a suffix and click Add. Click Next to continue.
E-mail Claim
This will take you to the Accepted E-mail Suffixes page. From here you can select All E-mail Suffixes, or specify an accepted suffix and click Add. Click Next to continue.
Common Name Claim
This option requires no additional configuration; simply click Next to continue.
Click Next and then Finish to create the
The All UPN Suffixes and All E-Mail Suffixes options are only available when you are
Federated Web SSO with Forest Trust.
ADFS configuration, you'll configure account partners to represent the organization that houses user accounts, either in AD or ADAM, that require access to applications hosted by one or more resource partners. The ADFS Federation Server in the account partner's organization will create security tokens or claims that can be processed by the Federation Service in the resource partner and used to make authorization decisions.
You can think of an account partner as being analogous to a trusted domain or forest in an Active Directory trust relationship; however, it is not absolutely necessary for an Active Directory trust relationship to be configured for ADFS to function in this manner.
You can configure an account partner in one of two ADFS scenarios: Federated Web SSO or Federated Web SSO with Forest Trust. In the Federated Web SSO scenario, there is no need for a forest trust to exist between the account partners and resource partners; this is typically used for two separate organizations that do not wish to create a forest trust between them. The Federated Web SSO with Forest Trust scenario is more typically used within a single organization to allow secure web access via the Internet.
In the case of the Federated Web SSO with Forest Trust scenario, you can configure the account partner either to allow logon requests from any domain that is trusted by the account partner or to only accept logon requests from particular domains.
Once you've configured the ADFS scenario, you need to specify what types of claims will be sent by the account partner to the federation server hosted by the resource partner. You can send any combination of UPN, E-Mail, Common name, Group, or Custom claims. (Claim types are discussed further in Recipe 21.7.)
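The accepted-suffix settings chosen in the wizard (Accepted UPN Suffixes, Accepted E-mail Suffixes) are what keep an account partner from asserting identities outside its own namespace. The following Python is an added example, not code from this recipe or from ADFS, that models how a resource partner could apply such a policy to the claims carried in an incoming token. The class, function names, sample policy and sample tokens are all constructed for illustration; the exact-domain matching rule is this example's own assumption about how a suffix should be compared, not a statement of ADFS behaviour.

```python
"""Model of account-partner claim acceptance (added example, not ADFS code).

A policy records which identity claim types the partner may send and which
UPN / e-mail suffixes are accepted. A token is accepted only if every
enabled identity claim it carries falls inside the accepted namespace and
at least one enabled identity claim is present (fail closed).
"""
from dataclasses import dataclass, field

# Stands in for the wizard's "All UPN Suffixes" / "All E-mail Suffixes" choice.
ALL_SUFFIXES = "*"


@dataclass
class AccountPartnerPolicy:
    """Constructed model of the account-partner settings (hypothetical type)."""
    display_name: str
    federation_uri: str
    claim_types: frozenset                      # subset of {"upn", "email", "cn"}
    upn_suffixes: set = field(default_factory=set)
    email_suffixes: set = field(default_factory=set)


def _suffix_allowed(identity: str, accepted: set) -> bool:
    """True if the domain part of identity (after the last '@') is accepted.

    Assumption of this example: the whole domain label must match an accepted
    suffix, case-insensitively, so 'x@sub.corp.com' is NOT accepted by a
    policy that lists only 'corp.com', and 'x@evilcorp.com' does not match
    'corp.com' merely because the string ends with it.
    """
    if "@" not in identity:
        return False
    local, _, domain = identity.rpartition("@")
    if not local or not domain:
        return False
    if ALL_SUFFIXES in accepted:
        return True
    return domain.lower() in {s.lower() for s in accepted}


def evaluate_token(policy: AccountPartnerPolicy, claims: dict):
    """Return (accepted, reasons) for a token's identity claims.

    claims maps claim type -> value, e.g. {"upn": "alice@rallencorp.com"}.
    Claim types the partner is not configured to send are ignored rather than
    trusted; any enabled claim outside the accepted namespace rejects the token.
    """
    reasons = []
    checked = 0
    accepted = True
    for ctype, value in claims.items():
        if ctype not in policy.claim_types:
            reasons.append(f"ignored {ctype}: not enabled for partner {policy.display_name}")
            continue
        checked += 1
        if ctype == "upn":
            ok = _suffix_allowed(value, policy.upn_suffixes)
        elif ctype == "email":
            ok = _suffix_allowed(value, policy.email_suffixes)
        elif ctype == "cn":
            ok = bool(value.strip())            # common name needs no suffix check
        else:
            ok = False
        reasons.append(f"{'accepted' if ok else 'rejected'} {ctype}={value!r}")
        accepted = accepted and ok
    if checked == 0:
        reasons.append("token carries no claim type enabled for this partner")
        return False, reasons
    return accepted, reasons


# Constructed sample policy: a Federated Web SSO partner limited to its own suffix.
RALLENCORP = AccountPartnerPolicy(
    display_name="RallenCorp",
    federation_uri="http://www.rallencorp.com/adfs",
    claim_types=frozenset({"upn", "email"}),
    upn_suffixes={"rallencorp.com"},
    email_suffixes={"rallencorp.com"},
)

# Constructed sample tokens (values invented for this example).
SAMPLE_TOKENS = {
    "in_namespace": {"upn": "alice@rallencorp.com", "email": "alice@rallencorp.com"},
    "foreign_suffix": {"upn": "bob@othercorp.com"},
    "subdomain_not_listed": {"upn": "carol@sub.rallencorp.com"},
    "cn_not_enabled": {"cn": "Dave"},
}


def run_samples() -> dict:
    """Evaluate every sample token; returns name -> accepted flag."""
    return {name: evaluate_token(RALLENCORP, tok)[0] for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        ok, why = evaluate_token(RALLENCORP, tok)
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'}  ({'; '.join(why)})")
```

The forest-trust variant of the wizard (All UPN Suffixes) corresponds to putting `ALL_SUFFIXES` in the accepted set, which makes `_suffix_allowed` accept any well-formed identity; the explicit-suffix form is the one to prefer for an external organization, since it bounds what that partner's federation server can assert.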
Recipe 21.7 for more on creating group or custom claims and Recipe 21.6 for information on configuring a resource partner