0% found this document useful (0 votes)

174 views

Active Directory Federation Services Design Guide

This guide provides recommendations to help you plan a new ADFS deployment. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.

Uploaded by

api-3754834

Available Formats

Download as DOC, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

174 views

Active Directory Federation Services Design Guide

Uploaded by

api-3754834

Available Formats

Download as DOC, PDF, TXT or read online on Scribd

You are on page 1/ 41

Active Directory Federation Services

Design Guide
Microsoft Corporation

Published: December 2005

Author: Derek Del Conte, Jack Couch

Editor: Jim Becker

Abstract
Active Directory Federation Services (ADFS) helps administrators meet federated identity
management challenges. In addition, ADFS provides users with a Web-based, single-
sign-on (SSO) experience when they access extranet Web sites or sites on the Internet
that are accessible through federation partnerships. This guide provides
recommendations to help you plan a new ADFS deployment based on the requirements
of your organization and the particular design that you want to create.
Information in this document, including URL and other Internet Web site references, is
subject to change without notice. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document
does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, SharePoint, Windows, Windows NT, and

Windows Server are either registered trademarks or trademarks of Microsoft Corporation
in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Contents
Active Directory Federation Services Design Guide......................................................... ..1
Abstract.................................................................................................... ...................1

Contents........................................................................................................................ .....3

Active Directory Federation Services Design Guide ........................................ ......6

About This Guide........................................................................................... .................6
See Also......................................................................................................................... .7

Gathering Requirements .................................................................... ...................7

See Also......................................................................................................................... .8

Resource Applications .................................................................................... .......8

See Also......................................................................................................................... .9

Account Stores (ADFS) ............................................................................ .............9

See Also....................................................................................................................... .10

Application Types ............................................................................. ...................10

Application User Store Requirements......................................................... ..................11
See Also................................................................................................................ ........11

Claim Definitions ................................................................................................. .11

Claims on the Account Partner............................................................ .........................13
Claim Extractions....................................................................................................... 14
Organization Claims................................................................................ ..................14
Outgoing Claim Mapping............................................................................. ..............14
Outgoing Claims............................................................................................. ...........14
Claims on the Resource Partner.......................................................................... .........14
Incoming Claims............................................................................................. ...........14
Incoming Claim Mapping............................................................................. ..............15
Organization Claims................................................................................ ..................15
Claim Transformation Module......................................................................... ..............15
See Also....................................................................................................................... .15

Certificates (ADFS) ...................................................................... .......................16

CA in Your Organization.......................................................................................... ......16
Third-Party CA............................................................................................... ...............16
Self-signed Certificates..................................................................................... ............16
Certificates Used by Federation Servers..................................................... ..............17
Token-signing Certificates....................................................................... ...............17
Verification Certificates........................................................................................ ...17
SSL Server Authentication Certificates.................................................................. .17
Certificates Used by Federation Server Proxies............................................. ...........18
Certificates Used by Web Servers..................................................................... ........18
See Also....................................................................................................................... .18

Documenting Requirements ....................................................................... .........18

Required Design Elements......................................................................... ..................19
Resource Applications............................................................................ ......................19
Account Stores................................................................................... ..........................20
Organization Claims.......................................................................... ...........................21
Claim Extractions................................................................................................ ..........21
Outgoing Claims...................................................................................... .....................22
Incoming Claims....................................................................................... ....................23
Windows NT Token–based Application Users and Groups...........................................24
See Also....................................................................................................................... .24

Mapping Requirements to the Design (ADFS) ............................... .....................25

See Also....................................................................................................................... .25

ADFS Design Elements ..................................................................................... ..25

Enable an Application for Federated User Access......................................... ...............26
Federation Resource Partner............................................................... .....................27
Extend Access to Federated Applications for Intranet Users........................................27
Extend Access to Federated Applications for Intranet and Roaming Users..................29
Configuration of DNS for the Federation Server Proxy....................................... .......30
Corporate DNS...................................................................................................... .30
Perimeter DNS........................................................................................... ............31
Certificates Used by Federation Server Proxies............................................. ...........31
SSL Client Authentication Certificates........................................................ ............32
SSL Server Authentication Certificates.................................................................. .32
Host Customer Accounts to Enable Access to Your Extranet Applications....................32
Federation Account Partner.............................................................................. .........33
See Also....................................................................................................................... .34

Designs for ADFS Deployment ....................................................................... .....34

See Also....................................................................................................................... .34

Federated Web SSO (B2B) ...................................................................... ...........34

See Also....................................................................................................................... .35
Federated Web SSO with Forest Trust (B2E) ..................................................... .36
See Also....................................................................................................................... .37

Web SSO (B2C) ..................................................................................... .............37

See Also....................................................................................................................... .38

Additional Considerations ................................................................................. ...39

Port Configurations....................................................................................... ................39
Consolidating Hardware............................................................................................... .39
Deploying ADFS Using Farms.................................................................. ....................39
Federation Server................................................................................................ ......40
Federation Server Proxy......................................................................................... ...40
Web Server................................................................................................................ 40
Resource Federation Server and Federation Server Proxy.............................. .........40
See Also....................................................................................................................... .41
6

Active Directory Federation Services

Design Guide
Active Directory Federation Services (ADFS) helps administrators meet federated identity
management challenges. It does this by making it possible for organizations to securely
share a user's identity information within an organization and across federations, without
creating and maintaining external trusts or forest trusts between those organizations.
With ADFS an administrator in an organization can control resources that users in that
organization can access — both within the organization and at partner organizations. It
also enables an administrator to configure resources that users in other organizations
can access. In addition, ADFS provides users with a Web-based, single-sign-on (SSO)
experience when they access extranet Web sites or sites on the Internet that are
accessible through federation partnerships.

For more information about how ADFS works and how to set up ADFS in a test lab, see
the following resources:

• Overview of Active Directory Federation Services (ADFS) in

Windows Server 2003 R2 on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=54650)

• ADFS Step-by-Step Guide on the Microsoft Web site

(http://go.microsoft.com/fwlink/?LinkId=49531)

About This Guide

This guide provides recommendations to help you plan a new deployment of ADFS
based on the requirements of your organization and the particular design that you want to
create. This guide is intended for use by an infrastructure specialist or system architect. It
highlights your main decision points as you plan your ADFS deployment. Before you read
this guide, you should have a good understanding of how ADFS works on a functional
level. You should also have a good understanding of the organizational requirements that
will be reflected in your ADFS design.

This guide describes a set of elements for three ADFS designs, and it helps you decide
the most appropriate design for your environment. You can use these design elements to
form one of the following comprehensive ADFS designs:

• Federated Web SSO to support business-to-business (B2B) scenarios and to

support collaboration between business units with independent forests
7
• Federated Web SSO with Forest Trust to support business-to-employee
(B2E) scenarios

• Web SSO to support customer access to applications in business-to-

consumer (B2C) scenarios

For each design, you will find guidelines for gathering required data about your
environment that you can use to plan and design your ADFS deployment. After you read
this guide and finish gathering, documenting, and mapping your organization's
requirements, you will have the information necessary to begin deploying ADFS.

Mapping Requirements to the Design (ADFS)

Additional Considerations

Gathering Requirements
The first step in designing an Active Directory Federation Services (ADFS) deployment is
gathering the requirements for your design. To do this, first determine the following:

• The type of functionality that your scenario requires, which determines the
design elements that your organization selects

• If your organization will use ADFS to secure an application, determine:

• The claims that the application requires

• The type of security token that the application requires

• If your organization has accounts in a user store that need access to an

application that is secured by ADFS, determine:

• The type of account store

• The claims that will be generated from the account store

• The location (intranet or Internet or both) from which users will

access the application
8
• The set of claims that will be used by your organization, along with the
mappings of these claims to account partners or other partner organizations. For
more information, see Claim Definitions.

• The certificates that will be used for token signing, server authentication
(through Secure Sockets Layer (SSL)), and client authentication (through the
federation server proxy). For more information about the role of certificates in an
ADFS deployment, see Certificates (ADFS).

For more information about the types of applications that ADFS supports, see Application
Types.

For more information about requirements for resource applications and account stores in
an ADFS deployment, see Resource Applications and Account Stores (ADFS).
The next step in designing an ADFS deployment is documenting all the requirements. For
more information, see Documenting Requirements, which provides tables that you can
use to document your requirements.

• Enable an Application for Federated User Access. In this option, your

organization uses ADFS to secure an application in your perimeter network for
access by your own organization or by your federation partners. For more
information, see "Enable an Application for Federated User Access" in ADFS
Design Elements.

• Federation Resource Partner: In this option, a federation partner hosts the

application that users in your organization may access. Your organization is not
required to configure any applications. For more information, see "Federation
Resource Partner" in ADFS Design Elements.

Depending on the requirements of your organization, you can also combine these two
options to complete the design of your ADFS deployment. For example, users from your
9
organization may access applications that you host, as well as applications that your
partners host.

See Also
ADFS Design Elements

Account Stores (ADFS)

Active Directory Federation Services (ADFS) requires an account store to authenticate
users. The account store also generates a claim set so that applications can make
authorization decisions. In most cases the account store that ADFS will use has already
been deployed and is populated with users.

The location of the user account store and the location from which users authenticate
determine how you design ADFS to support the user identities. ADFS can use either
Active Directory or Active Directory Application Mode (ADAM) as an account store.
Depending on where the account store is located and where users will access the
application from (in an intranet or on the Internet), the following options are available for
the location of the account store:

• Extend Access to Federated Applications for Intranet Users: Your

organization’s users access an ADFS-secured application (either your own
application or a partner’s application) when the users are logged on to the
corporate intranet. For more information, see "Extend Access to Federated
Applications for Intranet Users" in ADFS Design Elements.

• Extend Access to Federated Applications for Intranet and Roaming Users:

Your organization’s users access an ADFS-secured application (either your own
application or a partner’s application) when the users are logged on to the
corporate intranet and when they log on from the Internet. For more information,
see "Extend Access to Federated Applications for Intranet and Roaming Users" in
ADFS Design Elements.

• Host Customer Accounts to Enable Access to Your Extranet Applications:

Your organization hosts external user accounts that must access an ADFS-
secured application at your organization. For more information, see "Host
Customer Accounts to Enable Access to Your Extranet Applications" in ADFS
Design Elements.
10
• Federation Account Partner: Users from a federation partner access one of
your applications. Your organization is not required to configure any account
stores. For more information, see "Federation Account Partner" in ADFS Design
Elements.

Depending on the requirements of your organization, you can combine several of these
account store options to complete the design of your ADFS deployment.

ADFS Design Elements

Application Types
As part of the process of designing your deployment, determine the full set of Web
applications that will be secured by Active Directory Federation Services (ADFS). All
applications that are secured by Windows Server 2003 R2 ADFS Web Agents must be
running under Internet Information Services (IIS) 6.0. Note that several non-Microsoft
Web agents are available that enable the use of applications running on platforms other
than IIS 6.0. When you use the ADFS Web Agents, each application must be at least one
of the following application types:

• Claims-aware application

• Windows NT token–based application

Claims-aware applications are Microsoft ASP.NET 2.0 applications that are written to
allow the querying of ADFS security token claims. After an application is presented with a
valid token, the claims-aware application can make authorization decisions based on the
claims in the token.

Windows NT token–based applications use Windows-based authorization mechanisms.

Applications that require Windows NT security tokens to make authorization decisions are
in this category. ADFS can make the transition of the ADFS security token to an
impersonation-level Windows access token.

To determine which category each application falls into, follow these guidelines:

• Applications that are protected by Integrated Windows authentication can —

in some cases — be enabled as Windows NT token–based applications.
11
• Applications that are claims aware have been developed specifically to use
the claims that are produced by ADFS.

Application User Store Requirements

Windows NT token–based applications require the presence of an Active Directory local
user store to generate a user context for the application. Claims in incoming ADFS tokens
can be mapped into either user accounts or groups within this local user store. The user
accounts or groups are then used by the application to perform authentication.

Claims-aware applications do not require a local user store. All information about a given
identity is contained in the token that is presented by the application. The application may
store additional information that links to the identity that is presented in the token, but a
user account in Active Directory is not required.

• Group: This claim type indicates membership in a group or role. For

example, you might define the following set of group claims: [Developer, Tester,
Program Manager]. Each group claim is a separate unit of administration for
claim population and mapping. It is useful to think of the value of a group claim
as a Boolean value indicating membership.

• Custom: This claim type is a name value pair. For example, a custom claim
may indicate that a user’s employee ID number is 1234.

In ADFS, there are several groupings of claims:

12
• Organization claims: These are claims that serve as the normalized set of
claims within an organization. All internal Federation Service actions are
performed on the organization claim set.

• Incoming claims: These are claims that a specific account partner sends to
your organization.

• Outgoing claims: These are claims that your organization sends to a specific
resource partner.

When you design an ADFS deployment, you must understand how the claims will be
extracted from the account store into the organization claim set, transformed at both the
account federation server and the resource federation server, and then ultimately
presented to the Web application. You can use the tables in Documenting Requirements
to define the claims that will be used by your federation servers.

The flow of claims through an ADFS deployment is illustrated in the following figure.
13

The following sections describe the flow of claims in this figure.

Claims on the Account Partner

An account partner issues tokens containing claims to its users. The claims are built from
the account store so that users can access Web-based applications in the resource
partner.

This section describes claims on the account partner. It refers to the top of the previous
figure.
14

Claim Extractions
Claim extractions are used to map a user or group in an account store to an organization
claim. The account store can be Active Directory or Active Directory Application Mode
(ADAM). A claim extraction is represented in the previous figure by the "Claims are
populated" arrow.

Organization Claims
Organization claims are used by the federation server — in this case, the account
federation server. Claims passing through a federation server are mapped into and out of
the organization claim set. These claims are then transformed, or mapped, into outgoing
claims. This is the core set of claims that the organization uses to map into and out of.

Outgoing Claim Mapping

Outgoing claim mappings are used to map an organization claim to an outgoing claim.
The claim names that you configure here are determined by an agreement with your
partner on a common namespace.

Outgoing Claims
Outgoing claims are included in the security token of a user. They are generated by the
account partner and destined for the resource partner. Organization claims on the
federation server of the account partner are mapped to outgoing claims that are then sent
to the resource federation server.

Claims on the Resource Partner

A resource partner receives a token containing claims, validates that the token came from
a trusted partner, and makes the claims available to a Web-based application for
authorization purposes.

This section describes claims on the resource partner. It refers to the bottom of the
previous figure.

Incoming Claims
Incoming claims are received by the resource partner. They were generated by the
account federation server as outgoing claims. The claim names that you configure here
are determined by an agreement with your partner on a common namespace.
15

Incoming Claim Mapping

Incoming claim mappings are used to map an incoming claim to an organization claim.

Organization Claims
The resource federation server transforms, or maps, incoming claims to organization
claims. Organization claims are used by the federation server — in this case, the
resource federation server. This is the core set of claims that the organization uses to
map into and out of.

Claim Transformation Module

You can use the ADFS user interface (UI) on your federation servers to map claim names
between the various transitions that are highlighted in the previous figure. You can use
this UI to change the name of a claim during the mapping; for example, Administrators
may become Admins. This way, you can share claims with partners and express claims in
a common namespace that does not necessarily match the way that you have defined
your own organization claims.

There may be cases, though, in which simple mapping of claims may not be sufficient for
your scenario. In this case you may develop a claim transformation module that can
modify claim names and values as they pass through the federation server. For example,
the claim transformation module might convert a claim containing a monetary value into
another currency based on an exchange rate. Or, the module might look into a sales
database and determine the discount level for a partner.

If you determine that building a claim transformation module is necessary for your
scenario, see the ADFS software development kit (SDK) on the MSDN Web site for
additional information about how the claim transformation module functions. To find the
ADFS SDK, search for "ADFS SDK" on the MSDN Home page
(http://go.microsoft.com/fwlink/?LinkId=16188).

• A certification authority (CA) that is deployed in your organization

• A third-party CA

• Self-signed certificates

Each certificate source has advantages and disadvantages that are described in the
following sections.

CA in Your Organization
When you implement a CA in your organization, you provide an infrastructure for
certificate life-cycle management, renewal, trust management, and revocation. These
qualities provide a more robust infrastructure for all the certificates in your organization,
at the cost of having to deploy additional infrastructure.

Third-Party CA
Certificates that are generated by a third-party CA have many of the benefits of the
previous option. However, third-party certificates must be purchased. Of the certificates
that are used in an ADFS deployment, the server authentication certificates that are used
by the various ADFS components are frequently third-party certificates so that client
browsers are already configured to trust the certificates.

Self-signed Certificates
Self-signed certificates do not require the presence a CA. These certificates must be
configured explicitly in certain locations on the server as trusted certificates. Establishing
an infrastructure for certificate life-cycle management, renewal, trust management, and
revocation is more difficult with self-signed certificates.

The various types of certificates that are used by ADFS can come from a variety of these
three sources. For example, you may find that your server authentication certificates are
obtained from a third-party CA, but your token-signing certificate is obtained from your
organization’s CA.
17
For more information about certificates, see Public Key Infrastructure for
Windows Server 2003 on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=19936).

Certificates Used by Federation Servers

The following sections describe the types of certificates that federation servers use.

Token-signing Certificates
Each federation server uses a token-signing certificate (both private key and public key)
to digitally sign all security tokens that it produces. Because each security token is
digitally signed by the account partner, the resource partner can verify that the security
token was in fact issued by the account partner and that it was not modified. This
prevents attackers from forging or modifying security tokens to gain unauthorized access
to resources.

Digital signatures on security tokens are also used in the account partner when there is
more than one federation server (for example, in a farm deployment). In this case the
digital signatures verify the origin and integrity of the security tokens that are issued by
other federation servers in the account partner. The digital signatures are verified with
verification certificates.

Verification Certificates
Verification certificates verify that a security token was issued by a valid federation server
and that it was not modified. Verification certificates are the public-key portion of your
own token-signing certificate, as well as the certificates of other federation servers that
you trust.
To verify that a security token was issued by a given federation server and not modified,
the federation server must have a verification certificate for the federation server that
issued the security token. For example, if federation server A issues a security token and
sends the security token to federation server B, federation server B must have a
verification certificate for federation server A.

SSL Server Authentication Certificates

The federation server uses Secure Sockets Layer (SSL) server authentication certificates
to secure Web services traffic for communication with Web clients or with the federation
server proxy. You can request and install these certificates through the Microsoft
18
Management Console (MMC) snap-in for Internet Information Services (IIS). Third-party
certificates are recommended for SSL server authentication certificates.

Certificates Used by Federation Server Proxies

For information about certificates that are used by federation server proxies, see
“Certificates Used by Federation Server Proxies” in ADFS Design Elements.

Certificates Used by Web Servers

Each Web server that hosts the ADFS Web Agent uses SSL server authentication
certificates to communicate securely with Web clients. Third-party certificates are
recommended for SSL server authentication certificates.

For more information about how certificates are configured for farms, See "Deploying
ADFS Using Farms" in Additional Considerations.

See Also
ADFS Design Elements

Additional Considerations

Documenting Requirements
You can use the following tables to document your Active Directory Federation Service
(ADFS) design requirements. Make sure that the role your organization plays in the
federation agreement is clearly understood by all parties:

• If your organization is a resource provider, determine the application types

and the organization claims for the organization, as well as the incoming claims
for each account partner. In addition, if the resource that you are providing is a
Windows NT token–based application, determine the resource accounts and
groups (also known as shadow accounts or proxy groups) that will be mapped to.

• If your organization is an account or identity provider, determine the account

stores and the claim extractions for the organizations, as well as the outgoing
claims for each resource partner.

• If your organization is both an account provider and a resource provider,

document the requirements in the tables in all the following sections.
19

Required Design Elements

Understanding the ADFS functionality that you want to enable will help you select the
appropriate design elements for your deployment. For each of the following areas of
functionality, specify whether or not your scenario requires them.

Functionality Yes/No

Enable an application for federated user

access

Extend access to federated applications for

intranet users

Extend access to federated applications for

intranet and roaming users

Host customer accounts to enable access

to your extranet applications

The following table is an example of documented design element requirements.

Functionality Yes/No

Enable an application for federated user Yes

access

Extend access to federated applications for Yes

intranet users

Extend access to federated applications for No

intranet and roaming users

Host customer accounts to enable access No

to your extranet applications

Resource Applications
If your organization is hosting an application or multiple applications, use the following
table to document the applications and application types that will be part of your ADFS
deployment.
20

Application name Application type

The following table is an example of documented resource application requirements.

Application name Application type

Purchasing Portal Windows NT token–based

Ordering Application Claims-aware

Sales Reports Application Windows NT token–based

Account Stores
If your organization is hosting account stores, use the following table to document the
account stores that will be used to access the applications.

Account store Account store type (internal, partner,

hosted)

The following table is an example of documented account store requirements.

Account store Account store type (internal, partner,

hosted)

Corporate Active Directory Internal account store (intranet access)

Trey Research Employees Federation account partner

Account store Account store type (internal, partner,

hosted)

Consolidated Messenger Customers Hosted account store

Organization Claims
Organization claims are the normalized set of claims on the federation server. Use the
following table to document the organization claims and claim types on your federation
server.

Organization claim Claim type (identity, group, custom)

The following table is an example of documented organization claim requirements.

Organization claim Claim type (identity, group, custom)

Administrators Group

Purchasers Group

Power Purchaser Group

PurchaseLimit Custom

EmployeeID Custom

Claim Extractions
Claim extractions map a user or group in an account store to an organization claim. The
account store can be Active Directory or Active Directory Application Mode (ADAM). If
your organization is an account partner, use the following table to document the
Active Directory users or groups for claim extractions and their corresponding
organization claims.
22

Active Directory user or group Organization claim

The following table is an example of documented claim extraction requirements.

Active Directory user or group Organization claim

Purchase Administrators Administrators (Group)

Sales Managers (Group) Purchasers (Group)

EmployeeID (Attribute) EmployeeID (Custom)

John Smith (User) Power Purchaser (Group)

Outgoing Claims
Organization claims on the federation server of the account partner are mapped to
outgoing claims that are sent to the resource federation server. If your organization is an
account partner, use the following table to document the organization claims and their
corresponding outgoing claims.

Organization claim Outgoing claim

Note
Organization claims and outgoing claims can have the same names if it is not
necessary for the claim names to be different.
23
The following table is an example of documented outgoing claim requirements.

Organization claim Outgoing claim

Administrators Admins

Purchasers Allowed Purchasers

Power Purchaser Power Purchaser

PurchaseLimit PurchaseLimit

EmployeeID EmployeeID

Incoming Claims
Incoming claims are received by the resource federation server from the account
federation server. When incoming claims are received by the resource federation server,
they are mapped to organization claims on the resource federation server. If your
organization is a resource partner, use the following table to document the incoming
claims and their corresponding organization claims.

Incoming claim Organization claim

The following table is an example of documented incoming claim requirements.

Incoming claim Organization claim

Admins Purchase Admins

Allowed Purchasers Allowed Purchasers

Power Purchaser Power Purchaser

PurchaseLimit PurchaseLimit

EmployeeID Employee Identity

Note
Incoming claims and organization claims can have the same names if it is not
necessary for the claim names to be different. For more information about
enabling advanced transformations, see "Claim Transformation Module" in Claim
Definitions.

Windows NT Token–based Application Users

and Groups
When the resource application is a Windows NT token–based application, the
organization claims on the resource federation server must be mapped to either a user or
a group in Active Directory. If your organization is a resource partner that hosts a
Windows NT token–based application, use the following table to document the
organization claims and the Active Directory users or groups that the claims must map to.

Organization claim Active Directory user or group

The following table is an example of documented requirements for users or groups that
use a Windows NT token–based application.

Organization claim Active Directory user or group

Purchase Admins (group) Purchase Admins (group)

Allowed Purchasers (group) Purchasers (group)

Power Purchaser (group) Power Purchaser (user)

See Also
Gathering Requirements
25
Claim Definitions

Mapping Requirements to the Design

(ADFS)
After you finish gathering requirements and documenting them, you can map the
requirements to an Active Directory Federation Services (ADFS) design. Select the
appropriate ADFS design elements that are described in ADFS Design Elements, and
then combine them to form a full ADFS design that meets your specific requirements.
For examples of full designs that apply to common ADFS deployment scenarios, see
Designs for ADFS Deployment.

See Also
ADFS Design Elements

Designs for ADFS Deployment

ADFS Design Elements

The following descriptions of Active Directory Federation Services (ADFS) design
elements illustrate the various ways that you can federate identities and enable single
sign-on (SSO), depending on your environment. By combining the design elements that
are described in the following sections, you can build an ADFS design that suits your
environment and enables the functionality that you need.

Note that these design elements show logical ADFS servers. They do not provide precise
guidance about where to locate physical servers within a proposed network environment.
For example, you may want to place certain ADFS components on protected networks to
further isolate them from the Internet. Also, to increase reliability and scalability,
federation servers, federation server proxies, and Web servers can be deployed as single
computers or as server farms. For more information, see "Deploying ADFS Using Farms"
in Additional Considerations.

In addition, federation servers are depicted in the following sections as functioning either
in an account role or in a resource role. The federation server component may function in
either role; the role is determined by the configuration of the trust policy.
26

Enable an Application for Federated User

Access
When you enable an application for federated user access, users both at your
organization and at organizations that have configured a federation trust to your
organization can access the ADFS-secured application that is hosted by your
organization, as illustrated in the following figure.

The following components are required for this design element:

• Active Directory: The Active Directory functional level may be set to either
Windows 2000 mixed, Windows 2000 native or Windows Server 2003. A domain
is required for the resource federation server. If Windows NT token–based
applications are supported, the domain also serves as the store that contains the
resource accounts. Claims-aware applications do not require local accounts in
Active Directory.

• Perimeter Domain Name System (DNS): This implementation of DNS

contains a simple address (A) record so that clients can locate the resource
federation server. It may host other DNS records that are also required in the
perimeter network.
27
• Resource federation server: This ADFS component validates ADFS tokens
that are sent from partners. Account partner discovery is performed through this
federation server.

• Web server: You must have Internet Information Services (IIS) 6.0 and either
the ADFS Web Agent for claims-aware applications, the ADFS Web Agent for
Windows NT token–based applications, or both installed on the Web server. This
Web server may also be using a compatible non-Microsoft Web agent for other
application platforms. The ADFS Web Agent confirms that it has received a valid
ADFS token before it allows access to the protected Web site.

Federation Resource Partner

In some scenarios, the design element outlined in the previous section will be made
available by a partner. While the federation resource partner is not an aspect of the ADFS
design that you undertake at your organization, it represents the availability of a resource
application at a partner with whom you have established a trust. The resource partner
may be running an ADFS deployment similar to the one that is described in the previous
section, "Enable an Application for Federated User Access."

Extend Access to Federated Applications for

Intranet Users
When you extend access to federated applications for intranet users:

• Users who are logged on to the corporate intranet (the Active Directory
domain) can access ADFS-secured applications at your own organization or at
partner organizations.

• Information in the Active Directory account store can be populated into users’
ADFS tokens.

The following figure illustrates this design element.

The following components are required for this design element:

• Active Directory: The Active Directory functional level may be set to either
Windows 2000 mixed, Windows 2000 native, or Windows Server 2003.
Active Directory or an instance of Active Directory Application Mode (ADAM) (not
depicted) may contain the identities that will be used to generate ADFS tokens.
Information such as groups and attributes will be populated into ADFS tokens as
group claims and custom claims.

• Corporate DNS: This implementation of DNS contains a simple A record so

that intranet clients can locate the account federation server. It may host other
DNS records that are also required in the corporate network.

• Account federation server: This ADFS component is joined to the corporate

domain, and it authenticates users and generates ADFS tokens. The intranet
client performs Integrated Windows authentication against the account federation
server to generate an ADFS token.

The following users can be authenticated:

• Users in this domain

• Users in this forest

• Users in forests that are trusted for authentication by this forest

29
• Intranet client: The intranet client accesses an ADFS-secured Web
application through a supported Web browser.

Extend Access to Federated Applications for

Intranet and Roaming Users
This design element builds on the functionality of the previous design element that
extends access to federated applications for intranet users, and it adds the following
functionality: users on the Internet can generate tokens to access ADFS-secured
applications at your own organization or at partner organizations. For example, an
organization may want employees to have access to ADFS applications while using the
Internet from home or on the road without requiring virtual private network (VPN) access.

The following figure illustrates this design element.

In addition to the components in the design element that extends access to federated
applications for intranet users (which are shaded in this figure), the following components
are added:

• Perimeter DNS: This implementation of DNS serves the host names for the
perimeter network (also known as demilitarized zone (DMZ), extranet, and
screened subnet). See the following section, "Configuration of DNS for the
30
Federation Server Proxy," for additional information about how to configure DNS
for this component.

• Account federation server proxy: This ADFS component allows users on the
Internet to perform authentication. By default, this component performs forms
authentication with fallback to basic authentication. You may also configure this
component to perform SSL client authentication if users at your organization
have certificates to present.

• Internet client: The Internet client accesses an ADFS-secured Web

application through a supported Web browser.

Client systems on the corporate network communicate directly with the federation server.
Clients that are connected to the Internet communicate with the account federation server
proxy.

Configuration of DNS for the Federation Server Proxy

In the previous figure for the design element that extends access to federated
applications for intranet users, the DNS server that is labeled Corporate DNS hosts the
example DNS domain corp.adatum.com. The DNS server that is labeled Perimeter DNS
hosts the example DNS domain adatum.com. The Perimeter DNS server is configured
with root hints to the top-level DNS servers on the Internet for external name resolution.

Corporate DNS
Hosts that are connected to the corporate network have host names in the
corp.adatum.com DNS domain that is hosted by the Corporate DNS server. The
Active Directory account store on the corporate network uses the corp.adatum.com DNS
domain that is hosted by the Corporate DNS server to store service records that are
necessary for Active Directory to function properly. The account federation server's fully
qualified domain name (FQDN) is fs.corp.adatum.com. This FQDN is stored on
Corporate DNS.

The following table lists the ADFS-related FQDNs that are stored by the Corporate DNS
server.

FQDN IP address

fs.corp.adatum.com. Account federation server IP address

Note
Corporate DNS also contains other host and service records for clients,
Active Directory, and any other name resolution needs on the corporate network.

Perimeter DNS
When clients on the Internet access an ADFS-secured application, they must
authenticate to the federation server. The federation server is not accessible on the
Internet; therefore, the clients must be directed to the federation server proxy instead.
Because there is only a single endpoint that clients are directed to whether they are on
the intranet or Internet, clients on the Internet that use the Perimeter DNS server must
resolve the host name for the account federation server (fs.corp.adatum.com) to the IP
address of the account federation server proxy on the perimeter network. To forward
clients on to the account federation server proxy when they attempt to resolve
fs.corp.adatum.com, Perimeter DNS contains a limited corp.adatum.com DNS domain
with a single A record for fs (fs.corp.adatum.com) and the IP address of the account
federation server proxy on the perimeter network.

The following table lists the ADFS-related FQDNs that are stored by the Perimeter DNS
server.

FQDN IP address

fs.corp.adatum.com. Account federation server proxy IP address

on the perimeter network

Because Perimeter DNS is configured to resolve all requests for fs.corp.adatum.com to

the account federation server proxy, the account federation server proxy is configured
with an entry in its local hosts file to resolve fs.corp.adatum.com to the IP address of the
actual account federation server that is connected to the corporate network. This enables
the account federation server proxy to resolve the host name fs.corp.adatum.com to the
actual account federation server rather than to itself — as would occur if it attempted to
look up fs.corp.adatum.com using Perimeter DNS — so that it may communicate with the
federation server.

Certificates Used by Federation Server Proxies

The following sections describe the types of certificates that federation server proxies
use.
32
SSL Client Authentication Certificates
Each federation server proxy uses an SSL client authentication certificate to authenticate
to the Federation Service. Any certificate with client authentication extended key usage
(EKU) can be used as a client authentication certificate for the federation server proxy. A
copy of the client authentication certificate for the federation server proxy is stored on
both the federation server proxy and in the trust policy of the federation server. However,
only the federation server proxy stores the private key that is associated with the client
authentication certificate for the federation server proxy.

SSL Server Authentication Certificates

The federation server proxy uses SSL server authentication certificates to secure Web
services traffic for communication with Web clients. You can request and install these
certificates through the IIS snap-in. Third-party certificates are recommended for SSL
server authentication certificates.

Host Customer Accounts to Enable Access to

Your Extranet Applications
When you host customer accounts to enable access to your extranet applications,
external users that you host in an account store can access an application in the
perimeter network, as illustrated in the following figure.
33

Note how this design element builds on the design element that enables an application
for federated user access, which is described in a previous section. There is one
important distinction, however: the federation server is now serving in both the account
role and the resource role. The federation server is serving both an application and an
account store — in this case, ADAM — that contains the user identities.

Federation Account Partner

While the federation account partner is not a deployment that you undertake at your
organization, it represents the availability of accounts at a partner with whom you have
established a trust. The account partner may be running a deployment such as those that
are described in the previous sections "Extend Access to Federated Applications for
Intranet Users" or "Extend Access to Federated Applications for Intranet and Roaming
Users."
34

Designs for ADFS Deployment

The Active Directory Federation Services (ADFS) design elements each enable a piece
of ADFS functionality. In some scenarios they are deployed alone, but frequently they are
deployed in combination. For example, if you have a resource application in the design
element that enables an application for federated user access, your own users may also
need access to it. Therefore, you may add the design element that extends access to
federated applications for intranet and roaming users to your ADFS design. By combining
the design elements this way, you can design comprehensive, end-to-end ADFS
deployments.

Note that the designs in the following sections represent some common ADFS
deployment scenarios. Your organization may require a combination of many or all of the
ADFS design elements to design a comprehensive deployment scenario that meets your
organization's particular requirements.

Federated Web SSO with Forest Trust (B2E)

Web SSO (B2C)

Federated Web SSO (B2B)

The Federated Web Single-Sign-On (SSO) design in Active Directory Federation
Services (ADFS) involves secure communication that spans multiple firewalls, perimeter
networks, and name resolution servers — in addition to the entire Internet routing
infrastructure. You can design it by using the ADFS design elements that are described in
ADFS Design Elements.

As illustrated in the following figure, you can establish a federation trust relationship
between two businesses, which results in an end-to-end federation scenario.
35

In this design there are two separate organizations that each deploys a combination of
the ADFS design elements. Assuming that A. Datum Corporation is the identity or
account provider, the A. Datum part of the Federated Web SSO design contains the
following ADFS design elements:

• Extend Access to Federated Applications for Intranet and Roaming Users

• Federation Resource Partner

Assuming that Trey Research is the resource provider, the Trey Research part of the
Federated Web SSO design contains the following ADFS design elements:

• Federation Account Partner

• Enable an Application for Federated User Access

Federated Web SSO with Forest Trust

(B2E)
The Federated Web Single-Sign-On (SSO) with Forest Trust design in Active Directory
Federation Services (ADFS) combines two Active Directory forests in a single
organization, as illustrated in the following figure.

In this design, ADFS design elements that provide the following functionality are
combined in the single A. Datum Corporation organization:

• Extend Access to Federated Applications for Intranet and Roaming Users

• Enable an Application for Federated User Access

37
In this design, users in an organization can access an application in the perimeter
network (also known as demilitarized zone (DMZ), extranet, and screened subnet) from
both the intranet and the Internet by using their corporate domain credentials. Because a
trust exists between the perimeter network and the corporate network, user accounts that
are in the corporate network may be used for accessing the application, which eliminates
the need for resource accounts or proxy groups. A Windows NT token–based application
requires that a user or group exists so that the ADFS token can be mapped into it, but
using the corporate Active Directory enables you to deploy the application without user
accounts in the perimeter network.

Note
If a trust is not in place between the corporate network and the perimeter network
and the application in the perimeter network is a Windows NT token–based
application, resource accounts or groups must be used in the perimeter network.

See Also
ADFS Design Elements

Web SSO (B2C)

The Web Single-Sign-On (SSO) design in Active Directory Federation Services (ADFS)
features customer access to applications over the Internet, as illustrated in the following
figure.
38

In this deployment an organization that typically hosts a Web-based resource application

in a perimeter network (also known as demilitarized zone (DMZ), extranet, and screened
subnet) can maintain a separate store of customer accounts in the perimeter network,
which enables better isolation of customer accounts and employee accounts. The
resource provider manages local accounts for the external users in the perimeter network
in either Active Directory or Active Directory Application Mode (ADAM).

This design consists of the ADFS design element that hosts customer accounts to enable
access to your extranet applications.

Deploying ADFS Using Farms

To improve reliability and scalability, ADFS components may be placed behind a Network
Load Balancing (NLB) infrastructure. The following sections describe some
considerations for scaling out an ADFS deployment using NLB.
40

Federation Server
You can set up a federation server farm by sharing a trust policy — along with token-
signing certificates — among a set of federation servers. When you build out a farm, the
trust policy must be available to each federation server in the farm. The recommended
deployment uses a network-accessible share to which the federation servers have
Read/Write access, for example, by using Distributed File System (DFS).

Besides the trust policy file, federation servers must share token-signing certificates.
Server authentication certificates should be configured so that all federation servers use
the same certificate.

Federation Server Proxy

Configure the federation server proxies so that they all point to the same federation
server. Depending on how you create the client authentication certificate for the
federation server proxy, export the private key and install it as the client authentication
certificate on each federation server proxy.

Server authentication certificates should be configured so that all federation server

proxies use the same certificate.

Web Server
Configure the Web server agents (for either claims-aware applications or Windows NT
token–based applications) on each Web server to point to the same federation server.

Server authentication certificates should be configured so that all Web servers use the
same certificate.

Resource Federation Server and Federation Server Proxy

A federation server proxy may be deployed in front of a federation server acting in the
resource role. This design adds additional security layers to your deployment. This design
is exactly the same as an ADFS proxy component that is deployed for an account
federation server, except that the federation server proxy performs home realm discovery
instead of client authentication. The federation server proxy displays a user interface (UI)
for the client and acts as the endpoint for client requests. As requests are received, the
federation server proxy calls into the federation server for token validation and
generation. The federation server proxy component can also reduce the number of
certificates because it can be installed on the Web server. In this configuration, the Web
server's server authentication certificate can be used for both the Web site and the
federation server proxy.
41
Instead of running a federation server proxy in front of the federation server, you may
also place the federation server directly on a perimeter network (also known as
demilitarized zone (DMZ), extranet, or screened subnet). The federation server is a
superset of the federation server proxy, and it can handle the requests that are sent to it
by the clients.

See Also
ADFS Design Elements

Professor Messer - Professor Messer's SY0-701 COMPTIA Security+ Course Notes - Libgen - Li
100% (20)
Professor Messer - Professor Messer's SY0-701 COMPTIA Security+ Course Notes - Libgen - Li
107 pages
BABOK 3 ONLINE - A Guide To The Business Analysis Body of Knowledge
98% (66)
BABOK 3 ONLINE - A Guide To The Business Analysis Body of Knowledge
514 pages
Hourly Billing Is Nuts
No ratings yet
Hourly Billing Is Nuts
114 pages
main_powershell-active-directory-cheat-sheet
No ratings yet
main_powershell-active-directory-cheat-sheet
2 pages
CySA+ CS0-002 Cheat Sheet
100% (3)
CySA+ CS0-002 Cheat Sheet
31 pages
CompTIA+Security++ (SY0 701) +Study+Guide
No ratings yet
CompTIA+Security++ (SY0 701) +Study+Guide
413 pages
Office 365 Deployment Guide
100% (1)
Office 365 Deployment Guide
194 pages
Strategic Monoliths and Microservices Driving Innovation Using Purposeful Architecture 18.11.2021.
67% (3)
Strategic Monoliths and Microservices Driving Innovation Using Purposeful Architecture 18.11.2021.
458 pages
CompTIA CySA+ Cybersecurity Analyst Certification Practice Exams (Exam CS0-001)
100% (1)
CompTIA CySA+ Cybersecurity Analyst Certification Practice Exams (Exam CS0-001)
337 pages
How To Hack Like A LEGEND
100% (5)
How To Hack Like A LEGEND
173 pages
Workbench PDF
No ratings yet
Workbench PDF
164 pages
CompTIA Storage+
No ratings yet
CompTIA Storage+
2 pages
The Blueprint To Government Contracting
75% (4)
The Blueprint To Government Contracting
16 pages
CSCI262 Autumn2013 Workshops Lab 5 PDF
No ratings yet
CSCI262 Autumn2013 Workshops Lab 5 PDF
7 pages
Lab #1: Assessment Worksheet
No ratings yet
Lab #1: Assessment Worksheet
5 pages
Microsoft Dynamics CRM 2013 System Requirements Document
No ratings yet
Microsoft Dynamics CRM 2013 System Requirements Document
155 pages
BPOS Standard Deployment Guide February2010 PDF
No ratings yet
BPOS Standard Deployment Guide February2010 PDF
100 pages
MS AX Installation Guide
100% (1)
MS AX Installation Guide
153 pages
WDSguide
No ratings yet
WDSguide
202 pages
Microsoft Dynamics CRM IG Installing
No ratings yet
Microsoft Dynamics CRM IG Installing
125 pages
[Oracle Guideline]- using-product-development
No ratings yet
[Oracle Guideline]- using-product-development
128 pages
fscm91fare-b1109 - Copy
No ratings yet
fscm91fare-b1109 - Copy
1,400 pages
ADFS Step by Step Guide
No ratings yet
ADFS Step by Step Guide
95 pages
Microsoft Deployment Toolkit 2010: Troubleshooting Reference
No ratings yet
Microsoft Deployment Toolkit 2010: Troubleshooting Reference
71 pages
ADFS Operations Guide
No ratings yet
ADFS Operations Guide
224 pages
Deployment and Operations Guide
No ratings yet
Deployment and Operations Guide
38 pages
Microsoft Dynamics CRM Onlne Office 365 Integration
No ratings yet
Microsoft Dynamics CRM Onlne Office 365 Integration
60 pages
Ts Install Admin Guide
No ratings yet
Ts Install Admin Guide
114 pages
Microsoft Reference Architecture for Commerce Version 2 0 Pro Other 1st Edition Microsoft Corporation pdf download
100% (1)
Microsoft Reference Architecture for Commerce Version 2 0 Pro Other 1st Edition Microsoft Corporation pdf download
53 pages
Tutorial Rational Rose
No ratings yet
Tutorial Rational Rose
148 pages
Sun Directory Server Enterprise Edition 7.0 Release Notes: Part No: 820-4805 November 2009
No ratings yet
Sun Directory Server Enterprise Edition 7.0 Release Notes: Part No: 820-4805 November 2009
90 pages
Infrastructure Planning and Design: Windows Optimized Desktop Scenarios Assessment
100% (2)
Infrastructure Planning and Design: Windows Optimized Desktop Scenarios Assessment
38 pages
Gsdbe
No ratings yet
Gsdbe
112 pages
Reqpro User Manual
No ratings yet
Reqpro User Manual
334 pages
Working with Microsoft Visual Studio 2005 Team System 1st Edition Richard Hundhausen download
No ratings yet
Working with Microsoft Visual Studio 2005 Team System 1st Edition Richard Hundhausen download
83 pages
Manual Dynamics SL WO
No ratings yet
Manual Dynamics SL WO
69 pages
Volume Licensing Product Terms Explained
No ratings yet
Volume Licensing Product Terms Explained
19 pages
Software Update Services Overview: Microsoft Corporation Published: June 2002
No ratings yet
Software Update Services Overview: Microsoft Corporation Published: June 2002
27 pages
BMC Service Request Management 7.6.04 - Administration Guide
No ratings yet
BMC Service Request Management 7.6.04 - Administration Guide
382 pages
Working with Microsoft Visual Studio 2005 Team System 1st Edition Richard Hundhausen - The ebook is now available, just one click to start reading
No ratings yet
Working with Microsoft Visual Studio 2005 Team System 1st Edition Richard Hundhausen - The ebook is now available, just one click to start reading
76 pages
TIB BW 6.3.5 Concepts
No ratings yet
TIB BW 6.3.5 Concepts
46 pages
Serverless Core
No ratings yet
Serverless Core
114 pages
(Ebook) Microsoft Reference Architecture for Commerce Version 2.0 (Pro-Other) by Microsoft Corporation ISBN 0735618267 All Chapters Instant Download
100% (4)
(Ebook) Microsoft Reference Architecture for Commerce Version 2.0 (Pro-Other) by Microsoft Corporation ISBN 0735618267 All Chapters Instant Download
56 pages
TIB_BW_6.6.1_getting_started
No ratings yet
TIB_BW_6.6.1_getting_started
66 pages
Control Center
No ratings yet
Control Center
232 pages
Microsoft CRM 4 Implementation Guide Installing
No ratings yet
Microsoft CRM 4 Implementation Guide Installing
129 pages
Developer Manual: Autodesk Productstream Professional 2010
No ratings yet
Developer Manual: Autodesk Productstream Professional 2010
238 pages
ADFS Design and Deployment Guide
No ratings yet
ADFS Design and Deployment Guide
277 pages
HCM 9.2_Administer Workforce
No ratings yet
HCM 9.2_Administer Workforce
1,892 pages
System Admin Guide
No ratings yet
System Admin Guide
114 pages
Salesforce Migration Guide
No ratings yet
Salesforce Migration Guide
44 pages
Complete Download Microsoft Reference Architecture for Commerce Version 2 0 Pro Other 1st Edition Microsoft Corporation PDF All Chapters
100% (9)
Complete Download Microsoft Reference Architecture for Commerce Version 2 0 Pro Other 1st Edition Microsoft Corporation PDF All Chapters
82 pages
CRMIGv6 Installing
No ratings yet
CRMIGv6 Installing
258 pages
Web Client Installation and Administration Guide: Microsoft Dynamics GP 2013 For Service Pack 1
No ratings yet
Web Client Installation and Administration Guide: Microsoft Dynamics GP 2013 For Service Pack 1
122 pages
SaaS Sample Application PDF
No ratings yet
SaaS Sample Application PDF
72 pages
Ps Version
No ratings yet
Ps Version
465 pages
Vision Executive UserGuide v633 d10 20061128 PDF
No ratings yet
Vision Executive UserGuide v633 d10 20061128 PDF
119 pages
WSInstallAdminGuide
No ratings yet
WSInstallAdminGuide
99 pages
Microsoft CRM 2011 Installation Guide
No ratings yet
Microsoft CRM 2011 Installation Guide
221 pages
SAP Business Objects Enterprise XI 3.0 Deployment Planning Guide (2008)
No ratings yet
SAP Business Objects Enterprise XI 3.0 Deployment Planning Guide (2008)
112 pages
Programmers Guide
100% (1)
Programmers Guide
558 pages
IMUsers Guide
No ratings yet
IMUsers Guide
192 pages
7 Development Projects With the 2007 Microsoft Office System and Windows SharePoint Services 2007
No ratings yet
7 Development Projects With the 2007 Microsoft Office System and Windows SharePoint Services 2007
236 pages
AGPM 4 SP1 Deployment Guide
No ratings yet
AGPM 4 SP1 Deployment Guide
45 pages
Enterprise_Agreement_Program_Guide
No ratings yet
Enterprise_Agreement_Program_Guide
24 pages
Server Sizing Tool Guide
No ratings yet
Server Sizing Tool Guide
32 pages
MaaS360 Deployment Strategies
No ratings yet
MaaS360 Deployment Strategies
36 pages
HDL Designer Series Release Notes
No ratings yet
HDL Designer Series Release Notes
32 pages
Microsoft SQL Server 2005: A Beginner''s Guide
From Everand
Microsoft SQL Server 2005: A Beginner''s Guide
Dusan Petkovic
No ratings yet
The IT Factory
From Everand
The IT Factory
H.J.C. van Aken
No ratings yet
Software Patterns Made Easy
From Everand
Software Patterns Made Easy
Justice Nanhou
No ratings yet
Computing Fundamentals: IC3 Edition
From Everand
Computing Fundamentals: IC3 Edition
Faithe Wempen
No ratings yet
Enterprise Process Orchestration: A Hands-on Guide to Strategy, People, and Technology That Will Transform Your Business
From Everand
Enterprise Process Orchestration: A Hands-on Guide to Strategy, People, and Technology That Will Transform Your Business
Bernd Ruecker
No ratings yet
Enterprise Architecture v2 To Mapping Guide
100% (1)
Enterprise Architecture v2 To Mapping Guide
22 pages
Project Execution & Engineering Management Planning (PM)
100% (1)
Project Execution & Engineering Management Planning (PM)
138 pages
Systemantics - How Systems Work and Especially How They Fail
100% (7)
Systemantics - How Systems Work and Especially How They Fail
128 pages
Jeep - Wikipedia, The Free Encyclopedia
67% (3)
Jeep - Wikipedia, The Free Encyclopedia
19 pages
The Complete Guide To Beginning A Nonprofit Website Project - Elevation
No ratings yet
The Complete Guide To Beginning A Nonprofit Website Project - Elevation
35 pages
GTS Brief Explanation
100% (1)
GTS Brief Explanation
12 pages
Ripple Protocol - Deep Dive For Financial Professionals
No ratings yet
Ripple Protocol - Deep Dive For Financial Professionals
47 pages
Erp Major Market Players
0% (1)
Erp Major Market Players
3 pages
Exam Study Guide: Cissp
100% (1)
Exam Study Guide: Cissp
95 pages
Getting Started With IDA
No ratings yet
Getting Started With IDA
174 pages
Enterprise Rent-A-Car Discount
100% (1)
Enterprise Rent-A-Car Discount
2 pages
Business Security Architecture Weaving Information Security Into Your Organization's Enterprise Architecture Through SABSA
No ratings yet
Business Security Architecture Weaving Information Security Into Your Organization's Enterprise Architecture Through SABSA
9 pages
Small Business Project Workbook
No ratings yet
Small Business Project Workbook
21 pages
Development of The Project Proposal
100% (3)
Development of The Project Proposal
40 pages
Aws Practicle Reference Guide For Welding Metallurgy-1999
No ratings yet
Aws Practicle Reference Guide For Welding Metallurgy-1999
34 pages
Read The Full Text of The Bill Here.
No ratings yet
Read The Full Text of The Bill Here.
83 pages
CompTIA CySA+ Cybersecurity Analyst Certification Practice Exams (Exam CS0-001)
90% (10)
CompTIA CySA+ Cybersecurity Analyst Certification Practice Exams (Exam CS0-001)
337 pages
America PAC Payments, Content Suppression & Algorithmic Election Interference — A Metadata Analysis (2023–2025)
83% (6)
America PAC Payments, Content Suppression & Algorithmic Election Interference — A Metadata Analysis (2023–2025)
19 pages
A Guide To Establishing A Hedge Fund
No ratings yet
A Guide To Establishing A Hedge Fund
44 pages
Building The Audit Function - Instituut Van Internal Auditors Indonesia
No ratings yet
Building The Audit Function - Instituut Van Internal Auditors Indonesia
68 pages
Wireless Hacking - A WiFi Hack by Cracking WEP
No ratings yet
Wireless Hacking - A WiFi Hack by Cracking WEP
5 pages
Ten Marks
No ratings yet
Ten Marks
7 pages
Rapport Threat INT V01-1
No ratings yet
Rapport Threat INT V01-1
30 pages
Xaudcis Holy Angel University
No ratings yet
Xaudcis Holy Angel University
49 pages
Design and Implementation of Online Driving School Management System
No ratings yet
Design and Implementation of Online Driving School Management System
4 pages
IM Intro To Computing Unit 7 and 8
No ratings yet
IM Intro To Computing Unit 7 and 8
23 pages
Untitled
No ratings yet
Untitled
37 pages
Nmap
No ratings yet
Nmap
8 pages
03 - Kali Linux USB Persistence - Kali Linux
No ratings yet
03 - Kali Linux USB Persistence - Kali Linux
4 pages
THE POLITICS OF FINANCIAL CRIME PREVENTIONS IN THE AFRICAN UNION CONTINENTAL FREE TRADE ZONE AREA
No ratings yet
THE POLITICS OF FINANCIAL CRIME PREVENTIONS IN THE AFRICAN UNION CONTINENTAL FREE TRADE ZONE AREA
539 pages
Suse PAM Modules
No ratings yet
Suse PAM Modules
8 pages
IAR0007 - CanPR IELTS Academic Reading Mock Test 6 10-2023
No ratings yet
IAR0007 - CanPR IELTS Academic Reading Mock Test 6 10-2023
11 pages
Cyber Law Study Mat
No ratings yet
Cyber Law Study Mat
37 pages
CS101-Topic 182
No ratings yet
CS101-Topic 182
11 pages
Reset Login Password
No ratings yet
Reset Login Password
10 pages
Data Integrity - QMS SOP
No ratings yet
Data Integrity - QMS SOP
7 pages
18.ATM Security With Rfid and Otp
No ratings yet
18.ATM Security With Rfid and Otp
71 pages
EY The Value Proposition For Organisational PDF
No ratings yet
EY The Value Proposition For Organisational PDF
20 pages
Government Dao
No ratings yet
Government Dao
7 pages
Z Cryptogrphic Algorithms
No ratings yet
Z Cryptogrphic Algorithms
71 pages
Pik Best
50% (2)
Pik Best
3 pages
Lab 9
No ratings yet
Lab 9
3 pages
Offsec Lab Connectivity Guide
100% (1)
Offsec Lab Connectivity Guide
6 pages
Hardware Implementation of Keyak: Jos Wetzels & Wouter Bokslag
No ratings yet
Hardware Implementation of Keyak: Jos Wetzels & Wouter Bokslag
26 pages
Waymo v. Uber Techs. (DTSA - California)
No ratings yet
Waymo v. Uber Techs. (DTSA - California)
28 pages
CIS Critical Security Conntrols Checklist PDF
No ratings yet
CIS Critical Security Conntrols Checklist PDF
2 pages
15.template - Incident Register
No ratings yet
15.template - Incident Register
9 pages