Once enabled, Federated Identity Support allows user accounts to use credentials established by a federated trust relationship through Active Directory Federation Services (AD FS) as a basis for obtaining a rights account certificate (RAC) from an AD RMS cluster. This is an alternative to setting up trusted publishing domains or trusted user domains between entities that have previously established trust infrastructures, such that in most cases the cluster is supporting both users that are inside of the organization and users from a partner organization.

When rights account certificates (RACs) are issued from a federated identity, the standard rights account certificate validity period does not apply. Instead, the RAC validity period is specified in the Federated Identity Support setting. Users with federated identities do not use temporary rights account certificates.

By default, federated trust relationships are not transitive. When a federated trust relationship is established between two organizations, any AD RMS trusted user domains that are established in either organization are not automatically trusted by the other organization. However, when you are importing a Trusted User Domain, there is an option to trust federated users of the imported domain.

Great care should be taken when allowing proxy addresses through a federated trust. If you allow proxy addresses through federation, it is possible for a malicious user to spoof an authorized user's credentials and access the user's rights-protected content. If proxy addresses through federation is a requirement of your organization, you should implement a claims transformation module that will examine a proxy address from a federated user and make sure that it matches the forest in which the request originated. The option to allow a proxy address from a federated user is turned off by default in the Active Directory Rights Management Services console.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To enable and configure federated identity support settings
  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Trust Policies, and then click Federated Identity Support.

  3. In the Actions pane, click Enable Federated Identity Support to enable Federated Identity Support.

  4. In the Actions pane, click Properties.

  5. On the Active Directory Federation Service Policies tab, in Federated Identity Certificate validity period, type the number of days that federated rights account certificates are to be valid.

  6. In Federated Identity Certificate Service URL, provide the location of the root cluster that will provide RACs to external users. If the default is selected, users will attempt to obtain a RAC from the AD RMS cluster that published the content.

  7. Click OK.

Additional considerations

Additional references