
What is trusting party and trusted party in Active Directory?

Question added by Khan Firoz Hassan Basha , Technical Support Engineer , Amrut Software Pvt Ltd
Date Posted: 2013/08/24
by Gopalakrishna Gowda , Network Engineer , ANHAM FZCO

It's about understanding the AD FS 2.0 Proxy.

What is the AD FS 2.0 Proxy?
The AD FS 2.0 Proxy is a service that brokers a connection between external users and your internal AD FS 2.0 server.
It acts as a reverse proxy and typically resides in your organization's perimeter network (aka DMZ).
As far as the user is concerned, they do not know they are talking to an AD FS proxy server, as the federation services are accessed by the same URLs.
The proxy server handles three primary functions.
Assertion provider: The proxy accepts token requests from users and passes the information over SSL (default port 443) to the internal AD FS server.
It receives the token from the internal AD FS server and passes it back to the user.
Assertion consumer: The proxy accepts tokens from users and passes them over SSL (default port 443) to the internal AD FS server for processing.
Metadata provider: The proxy will also respond to requests for Federation Metadata.

Why use an AD FS 2.0 Proxy?
The AD FS 2.0 Proxy is not a requirement for using AD FS; it is an additional feature.
The reason you would install an AD FS 2.0 Proxy is that you do not want to expose the actual AD FS 2.0 server to the Internet.
AD FS 2.0 servers are domain-joined resources, while the AD FS 2.0 Proxy does not have that requirement.
If all your users and applications are internal to your network, you do not need to use an AD FS 2.0 Proxy.
If there is a requirement to expose your federation service to the Internet, it is a best practice to use an AD FS 2.0 Proxy.

How does the AD FS 2.0 Proxy work?
The Proxy Trust Wizard prompts for admin credentials for the internal federation service (AD FS).
These credentials are not stored.
They are used once to issue a proxy trust token (which is simply a SAML assertion), which is used to "authenticate" the proxy to the internal federation service.
The internal AD FS server knows about the proxy trust token and knows that when it receives a proxy request, that request must be accompanied by the proxy trust token.
The proxy trust token has a configurable lifetime and is self-maintained by the proxy and the federation service.
The only time you need to touch it is if a server is lost or you need to revoke the proxy trust.
When a proxy trust is revoked, the proxy trust token is invalidated and the federation service will no longer accept proxy requests from proxies that are attempting to utilize that token.
You must re-run the Proxy Trust Wizard on ALL proxies in order to re-establish trust.
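Added example, not part of the answer above: since the proxy answers Federation Metadata requests at the same URLs as the internal server, one practical check is to fetch FederationMetadata.xml through the proxy and internally and confirm both describe the same federation service (entityID, signing certificate thumbprint, SSO endpoints). The metadata documents and certificate bytes below are constructed placeholders, and the `sample_metadata` helper is assumed for illustration.

```python
"""Compare Federation Metadata served via the AD FS 2.0 Proxy with the internal copy."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def parse_federation_metadata(xml_text):
    """Extract the fields a relying party actually trusts from a FederationMetadata.xml."""
    root = ET.fromstring(xml_text)
    thumbprints = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' means signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())   # SHA-1 thumbprint, as AD FS shows it
    sso = sorted(e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", NS))
    return {"entity_id": root.get("entityID"),
            "signing_thumbprints": sorted(thumbprints),
            "sso_endpoints": sso}


def compare_metadata(internal_xml, proxy_xml):
    """Return human-readable differences; an empty list means the proxy fronts the same service."""
    a, b = parse_federation_metadata(internal_xml), parse_federation_metadata(proxy_xml)
    return [f"{k}: internal={a[k]!r} proxy={b[k]!r}" for k in a if a[k] != b[k]]


def sample_metadata(entity_id, cert_b64, sso_url):
    # Constructed minimal stand-in for a real FederationMetadata.xml (hypothetical helper).
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{entity_id}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{sso_url}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


# Constructed placeholder certificate bytes, not real DER certificates.
CERT_A = base64.b64encode(b"constructed-signing-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-signing-cert-B").decode()
ENTITY = "http://sts.example.com/adfs/services/trust"
SSO_URL = "https://sts.example.com/adfs/ls/"
INTERNAL = sample_metadata(ENTITY, CERT_A, SSO_URL)
PROXY_OK = sample_metadata(ENTITY, CERT_A, SSO_URL)      # proxy serving the same service
PROXY_BAD = sample_metadata(ENTITY, CERT_B, SSO_URL)     # proxy answering with a different signing key
```

In practice, fetch the two documents with urllib from `https://<federation-service>/FederationMetadata/2007-06/FederationMetadata.xml` (resolved once to the proxy and once to the internal server) and alert on any non-empty result from `compare_metadata`.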