Chapter 19. Active Directory Federation Services

Introduction

Active Directory Federation Services (AD FS) was introduced in Windows Server 2003 R2 as version 1.0, updated for Windows Server 2008 (version 1.1), released as a standalone product in version 2.0, and then updated for Windows Server 2012 (version 2.1). It provides single sign-on (SSO) to web applications hosted by multiple organizations without requiring an Active Directory trust relationship between them. It does this by using AD FS servers to separate authentication (proving who a user is) from authorization (specifying what a user can do): account partners authenticate users and groups and issue claims about them, and resource partners consume those claims to control the actual access to resources.

This relationship between account partners and resource partners is called a federated trust. This verbiage can sometimes lead to confusion, since it seems to imply that AD FS requires an Active Directory trust relationship to exist between account and resource partners. In this case, the word trust merely refers to a business agreement between two organizations that have agreed to this type of distributed authentication and authorization arrangement. A federated trust refers to a scenario in which the AD FS Federation Service has been properly configured by both the organization that performs user authentication and the organization that controls ...
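The two halves described above, authentication by the account partner and authorization by the resource partner, are visible in the configuration of any AD FS farm. The following PowerShell script is an added example, not a recipe from the Cookbook; it inventories a farm's claims provider trusts (account partners whose signed tokens are accepted) and relying party trusts (resource partners to whom claims are issued) using the ADFS module cmdlets Get-AdfsClaimsProviderTrust and Get-AdfsRelyingPartyTrust that ship with AD FS 2.1 on Windows Server 2012. It assumes it is run on a federation server as an AD FS administrator; the helpers Get-CertSummary and Get-RuleSummary are written for this example and are not AD FS cmdlets. On AD FS 2.0 the same cmdlets come from the Microsoft.Adfs.PowerShell snap-in.

```powershell
# Added example, not from the Cookbook: inventory the federated trusts of an
# AD FS farm, split into the authentication half (claims provider trusts =
# account partners) and the authorization half (relying party trusts =
# resource partners). Run on a federation server as an AD FS administrator.
# Needs the ADFS module (AD FS 2.1 on Windows Server 2012, and later); on
# AD FS 2.0 load the snap-in instead:  Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS -ErrorAction Stop

# Helper written for this example (not an AD FS cmdlet): one entry per certificate.
function Get-CertSummary {
    param($Certs)
    if (-not $Certs) { return '(none)' }
    ($Certs | ForEach-Object {
        '{0} thumbprint={1} expires={2:yyyy-MM-dd}' -f $_.Subject, $_.Thumbprint, $_.NotAfter
    }) -join '; '
}

# Helper written for this example: collapse claim-rule text to one readable line.
function Get-RuleSummary {
    param([string]$Rules)
    if ([string]::IsNullOrWhiteSpace($Rules)) { return '(no rules)' }
    $oneLine = ($Rules -replace '\s+', ' ').Trim()
    if ($oneLine.Length -gt 120) { $oneLine.Substring(0, 120) + '...' } else { $oneLine }
}

Write-Output '=== Account partners (claims provider trusts): who we accept identities from ==='
Get-AdfsClaimsProviderTrust | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        Identifier      = ($_.Identifier -join ', ')
        Enabled         = $_.Enabled
        # A token from this partner is honoured only if it is signed by one of
        # these certificates: this is the cryptographic substance of the trust.
        TokenSigning    = Get-CertSummary $_.TokenSigningCertificates
        # Acceptance rules filter which incoming claims are admitted at all.
        AcceptanceRules = Get-RuleSummary $_.AcceptanceTransformRules
    }
} | Format-List

Write-Output '=== Resource partners (relying party trusts): who we issue claims to ==='
Get-AdfsRelyingPartyTrust | ForEach-Object {
    [pscustomobject]@{
        Name               = $_.Name
        Identifier         = ($_.Identifier -join ', ')
        Enabled            = $_.Enabled
        TokenLifetimeMin   = $_.TokenLifetime   # minutes; 0 means the farm default
        # Authorization rules decide who receives a token for this application:
        # an empty rule set denies everyone, while a blanket permit rule hands
        # every access decision to the application itself.
        AuthorizationRules = Get-RuleSummary $_.IssuanceAuthorizationRules
        # Transform rules define which claims the resource partner receives.
        TransformRules     = Get-RuleSummary $_.IssuanceTransformRules
        Encryption         = Get-CertSummary $_.EncryptionCertificate
    }
} | Format-List
```

Read the output with the text above in mind: the "federated trust" between the partners is, in the end, the resource partner's willingness to honour tokens signed by the account partner's token-signing certificate, plus the issuance authorization rules it applies before handing a token to each application. An expired or unexpected signing certificate on a claims provider trust, or a relying party trust whose only authorization rule permits everyone, is therefore worth a second look during a review.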
