The Active Directory Federation Services (AD FS) Proxy and Web Application Proxy Integration Protocol is part of the Active Directory Federation Services and Proxy system, which provides authentication, authorization, and access to application services located inside the boundaries of the corporate network for clients that are located outside that boundary.
AD FS is located inside the boundaries of the corporate network. It can run on a single server or on multiple servers, a deployment known as a farm configuration. AD FS is a collection of authentication and authorization services exposed to clients over the HTTP protocol [RFC2616]. AD FS implements a set of application authentication protocols, including WS-Federation [WSFederation], SAML-P [SAMLCore2], and OAuth [RFC6749].
The Proxy is a service located at the edge of the corporate network. It provides proxy services for clients requesting access to application services inside the corporate network and orchestrates access traffic to those services. The Proxy directs all authentication traffic to the AD FS in the internal network and supports certificate-based authentication.
The Proxy publishes application services that are located inside the boundaries of the corporate network and makes them available to clients that are outside. It gates access to the network and provides pre-authentication by orchestrating authentication at the edge through AD FS before allowing access to the application service. AD FS defines and implements a protocol that the Proxy supports and that allows the Proxy to orchestrate access to the network by authenticating requests at the edge.
The following diagram illustrates the various components of the system.

Figure 1: ADFSPIP System components
The following components are part of the Active Directory Federation Services and Proxy system:
AD FS: A federation services provider. In this specification this component is referred to as the server.
Proxy: Both an authentication proxy and an application proxy. In this specification this component is referred to as the client.
The following components interact with the Active Directory Federation Services and Proxy system:
Client: This component covers the type of client (for example, a browser or a rich client) together with the identity of the user and of the device that is accessing a particular application service.
Firewall: A component that filters traffic flowing between the perimeter network and the internal network. In the system described, web traffic is allowed between the Proxy and the AD FS and between the Proxy and the web application.
Web Application: Any web service or application to which a client connects and that typically requires authentication for the user in the client.
This specification describes the distinct areas of interaction between the Proxy and the AD FS. A more complete understanding of AD FS and the proxy system can be gained from the following resources: [MS-ADFSOD], [MSFT-ADFSOV2] with its subsections, and [MSFT-ADFS-DeepDive].