Configuring an Account Partner

Problem

You want to configure an account partner so that its users can access applications that are managed by your ADFS Federation Service.

Solution

Using a graphical user interface
  1. Open the ADFS MMC snap-in. Navigate to Federation Service → Trust Policy → Partner Organizations.

  2. Right-click on Account Partners, and select New Account Partner.

  3. To create an account partner manually, click No on the Import Policy File page and click Next.

  4. On the Account Partner Details screen, enter the display name of the account partner, the Federation Service URI (an identifier that must match the URI the account partner's Federation Service uses for itself, such as http://www.rallencorp.com/adfs), and the Federation Service endpoint URL (the logon page that clients are redirected to, such as https://www.rallencorp.com/adfs/ls/clientlogon.aspx). Click Next to continue.

  5. On the Account Partner Verification Certificate screen, browse to or manually enter the path to the verification certificate and click Next. This is the public portion of the account partner's token-signing certificate; your Federation Service uses it to verify the signatures on the tokens the partner issues, so obtain it from the partner directly and confirm its thumbprint out of band before trusting it.

  6. For Federation Scenario, select one of the following:


    Federated Web SSO

    Choose this for a scenario with an external organization or one where you're not using a forest trust. To use this option, simply click Next to continue.


    Federated Web SSO with Forest Trust

    To configure this option, click Next, then select "All Active Directory domains and forests" to allow users from any domain in the organization to authenticate. To restrict the domains that can submit requests, click on "The following Active Directory domains and forests." Select the domain or forest that you want to accept logons from and click Add. Click Next to continue.

  7. On the Account Partner Identity Claims screen, select one or more of the following:


    UPN Claim

    This will take you to the Accepted UPN Suffixes page. From here you can select All UPN Suffixes, or else specify a suffix and click Add. Click Next to continue.


    E-Mail Claim

    This will take you to the Accepted E-mail Suffixes page. From here you can select All E-mail Suffixes, or specify an accepted suffix and click Add. Click Next to continue.


    Common Name Claim

    This option requires no additional configuration; simply click Next to continue.

  8. Click Next and then Finish to create the Account Partner.

The All UPN Suffixes and All E-Mail Suffixes options are only available when you are configuring Federated Web SSO with Forest Trust. In the Federated Web SSO scenario you must list the accepted suffixes explicitly; the accepted suffixes define which UPN and e-mail identities this partner is allowed to assert, which is what keeps one account partner from asserting identities that belong to your own organization or to another partner. List only suffixes the partner actually owns.
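The wizard above takes every value by hand and gives you no chance to validate them first. The following PowerShell function is an added example, not part of this recipe or of the ADFS product: it sanity-checks the inputs before you type them into the New Account Partner wizard, checking that the Federation Service URI is well formed, that the endpoint URL uses HTTPS, that the verification certificate loads, is within its validity period, can sign and does not carry a private key, and that no accepted UPN or e-mail suffix overlaps a suffix your own forest owns. The certificate path, the LocalSuffixes list (adatum.com) and the display name are assumptions chosen for the example; the URI, URL and rallencorp.com suffix are the recipe's own sample values.

```powershell
# Added example: pre-flight checks for the values you will type into the
# New Account Partner wizard. Not ADFS code and not part of the recipe.
function Test-AccountPartnerInput {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string]   $FederationServiceUri,
        [Parameter(Mandatory)] [string]   $EndpointUrl,
        [Parameter(Mandatory)] [string]   $VerificationCertPath,
        [string[]] $AcceptedSuffixes = @(),   # UPN / e-mail suffixes you will add
        [string[]] $LocalSuffixes    = @()    # suffixes your own forest owns (assumed list)
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The Federation Service URI is an identifier, never contacted; it only has
    #    to be a valid absolute URI that matches what the partner publishes.
    $uri = $null
    if (-not [System.Uri]::TryCreate($FederationServiceUri, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings.Add("Federation Service URI '$FederationServiceUri' is not an absolute URI")
    }

    # 2. The endpoint URL is where browsers are redirected to log on and where
    #    the signed token comes back from, so it must be HTTPS.
    $ep = $null
    if (-not [System.Uri]::TryCreate($EndpointUrl, [System.UriKind]::Absolute, [ref]$ep)) {
        $findings.Add("Endpoint URL '$EndpointUrl' is not an absolute URL")
    } elseif ($ep.Scheme -ne 'https') {
        $findings.Add("Endpoint URL must use https, got '$($ep.Scheme)'")
    }

    # 3. The verification certificate is the partner's token-signing certificate.
    #    Load it, check validity and signing capability, and surface the thumbprint
    #    so it can be confirmed with the partner out of band.
    $thumbprint = $null
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $VerificationCertPath
        $thumbprint = $cert.Thumbprint
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings.Add("Certificate $thumbprint is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))")
        }
        # Key Usage extension (OID 2.5.29.15); only checked when present.
        $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        if ($ku -and -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
            $findings.Add("Certificate $thumbprint lacks the DigitalSignature key usage; it cannot verify signed tokens")
        }
        if ($cert.HasPrivateKey) {
            $findings.Add("Certificate file carries a private key; the partner should send only the public certificate")
        }
    } catch {
        $findings.Add("Cannot load verification certificate '$VerificationCertPath': $($_.Exception.Message)")
    }

    # 4. Accepted suffixes define which UPN / e-mail identities this partner may
    #    assert. A suffix you own, or a parent or child of one, would let the
    #    partner issue tokens for your own users, so flag any overlap.
    $dnsName = '^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
    foreach ($s in $AcceptedSuffixes) {
        $sl = $s.Trim().TrimStart('@').ToLowerInvariant()
        if ($sl -notmatch $dnsName) {
            $findings.Add("Suffix '$s' is not a valid DNS name")
            continue
        }
        foreach ($local in $LocalSuffixes) {
            $ll = $local.Trim().TrimStart('@').ToLowerInvariant()
            if ($sl -eq $ll -or $sl.EndsWith(".$ll") -or $ll.EndsWith(".$sl")) {
                $findings.Add("Suffix '$s' overlaps local suffix '$local'; the partner could assert your users' identities")
            }
        }
    }

    [pscustomobject]@{
        DisplayName = $DisplayName
        Thumbprint  = $thumbprint
        Passed      = ($findings.Count -eq 0)
        Findings    = $findings.ToArray()
    }
}

# Example call using the recipe's sample URI and URL; the certificate path,
# display name and local suffixes are assumed values for the example.
Test-AccountPartnerInput -DisplayName 'RallenCorp' `
    -FederationServiceUri 'http://www.rallencorp.com/adfs' `
    -EndpointUrl 'https://www.rallencorp.com/adfs/ls/clientlogon.aspx' `
    -VerificationCertPath 'C:\partners\rallencorp-signing.cer' `
    -AcceptedSuffixes @('rallencorp.com') `
    -LocalSuffixes @('adatum.com', 'corp.adatum.com') | Format-List
```

Run it on the resource-side federation server before opening the wizard; a Passed value of False with a non-empty Findings list means one of the values should be corrected or re-confirmed with the partner. The thumbprint it prints is the value to read back to the partner's administrator over a channel other than the one the certificate arrived on.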


Discussion

In an ADFS configuration, you'll configure account partners to represent the organization that houses user accounts, either in AD or ADAM, that require access to applications hosted by one or more resource partners. The ADFS Federation Server in the account partner's organization will create security tokens or claims that can be processed by the Federation Service in the resource partner and used to make authorization decisions.

You can think of an account partner as being analogous to a trusted domain or forest in an Active Directory trust relationship; however, it is not absolutely necessary for an Active Directory trust relationship to be configured for ADFS to function in this manner.


You can configure an account partner in one of two ADFS scenarios: Federated Web SSO or Federated Web SSO with Forest Trust. In the Federated Web SSO scenario, there is no need for a forest trust to exist between the account partners and resource partners; this is typically used for two separate organizations that do not wish to create a forest trust between them. The Federated Web SSO with Forest Trust scenario is more typically used within a single organization to allow secure web access via the Internet.

In the case of the Federated Web SSO with Forest Trust scenario, you can configure the account partner either to allow logon requests from any domain that is trusted by the account partner or to only accept logon requests from particular domains.


Once you've configured the ADFS scenario, you need to specify what types of claims will be sent by the account partner to the federation server hosted by the resource partner. You can send any combination of UPN, E-Mail, Common Name, Group, or Custom claims. (Claim types are discussed further in Recipe 21.7.)

See Also

Recipe 21.7 for more on creating group or custom claims and Recipe 21.6 for information on configuring a resource partner.
