Applies to: Exchange Server 2010 SP2
Topic Last Modified: 2011-11-08
Single sign-on enables users to access both the on-premises and cloud-based organizations with a single user name and password. Single sign-on provides users with a familiar sign-on experience and allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools.
Learn more at: Prepare for single sign-on
Single Sign-On for Hybrid Deployments
Deploying single sign-on includes several components that configure the trust relationship between the on-premises Active Directory Federation Services (AD FS) server and the Microsoft Federation Gateway. Here are the high-level components required to establish and configure this trust:
- Active Directory Federation
Services AD FS provides the various
end-points that the Microsoft Federation Gateway uses to redirect
clients to the AD FS server for different types of
authentication. AD FS must be installed on a separate physical
server that is a part of your on-premises network organization.
- Microsoft Identity Federation PowerShell
Module This module automates the configuration
of the on-premises AD FS server and the Microsoft Federation
Gateway to establish the trust. End-point and certificate data is
gathered from AD FS and provided to the Microsoft Federation
Gateway for your organizational domain.
Although not a requirement, we strongly recommend installing Active Directory synchronization in your organization if you're planning to deploy single sign-on. Directory synchronization is used to synchronize the Active Directory account properties of your on-premises users with the cloud-based service. Single sign-on requires that a cloud-based identity is available for the Microsoft Federation Gateway to match against a user's login request. By deploying directory synchronization in the on-premises organization, administrators can have new user accounts, contacts, and groups automatically replicated to the cloud-based organization and avoid problems with Microsoft Federation Gateway login redirection.