Applies to: Exchange Server 2010 SP2

Topic Last Modified: 2011-11-08

Single sign-on enables users to access both the on-premises and cloud-based organizations with a single user name and password. Single sign-on provides users with a familiar sign-on experience and allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools.

Learn more at: Prepare for single sign-on

Single Sign-On for Hybrid Deployments

Deploying single sign-on includes several components that configure the trust relationship between the on-premises Active Directory Federation Services (AD FS) server and the Microsoft Federation Gateway. Here are the high-level components required to establish and configure this trust:

  • Active Directory Federation Services   AD FS provides the various end-points that the Microsoft Federation Gateway uses to redirect clients to the AD FS server for different types of authentication. AD FS must be installed on a separate physical server that is a part of your on-premises network organization.

  • Microsoft Identity Federation PowerShell Module   This module automates the configuration of the on-premises AD FS server and the Microsoft Federation Gateway to establish the trust. End-point and certificate data is gathered from AD FS and provided to the Microsoft Federation Gateway for your organizational domain.

Although not a requirement, we strongly recommend installing Active Directory synchronization in your organization if you're planning to deploy single sign-on. Directory synchronization is used to synchronize the Active Directory account properties of your on-premises users with the cloud-based service. Single sign-on requires that a cloud-based identity is available for the Microsoft Federation Gateway to match against a user's login request. By deploying directory synchronization in the on-premises organization, administrators can have new user accounts, contacts, and groups automatically replicated to the cloud-based organization and avoid problems with Microsoft Federation Gateway login redirection.