AD FS(Active Directory Federation Services)是微软AD的一个组件,为用户提供跨组织边界的系统和应用程序的单点登录访问(SSO: Single sign-on)。它使用基于声明的访问控制授权模型(Claims-based acces-control authorization model)来维护应用程序安全性和实现联合标识(Federated identity)。基于声明的身份验证基于一组包含用户身份的声明受信任令牌(Trusted token),令牌通常由能够对用户进行身份验证的实体颁发和签名。
A federation trust is designed to enable efficient and secure online transactions between business partners over the public Internet. ADFS uses the standards-based WS-Federation protocol and SAML (Security Assertion Markup Language), and credentials are only exposed to the user’s local ADFS server. Because of the standards-based approach, ADFS can also be used with other federation platforms, such as IBM Tivoli, Novell Access manager, and Sun Open SSO.
The SAML protocol is designed for secure Internet communication, performing lightweight and secure communications across public networks that are separated by firewalls and NAT connections, making federated trusts more suitable for sharing identity information across public networks.
Cross-forest or domain AD trusts were designed for private networks that are directly connected to one another and require a secure channel to be permanently established between the trusted entities, but also enable a wider range of scenarios, allowing clients to access apps and resources in one or more trusted forests and domains.