Active Directory Rights Management Services rights can be assigned to users in forests that have a federated trust in place via Active Directory Federation Services . This enables organizations to share rights-protected content without establishing another trust or building a separate Active Directory Rights Management Services infrastructure.
Active Directory Federation Services (AD FS) is a standards-based service that enables federation of identity by implementing claims-based authentication across forests. Claims-based authentication is the process of authenticating a user, based on a set of claims contained in a trusted token. The token is typically issued and signed by a trusted entity.
With AD FS, identity federation is established between two organizations by establishing trust between two security realms . An AD FS server on one side of the trust (ADFS-ACCOUNT) authenticates the user through Active Directory Domain Services and issues a token containing a series of claims about the user, including her identity. On the other side, an AD FS server (ADFS-RESOURCE) validates the token and issues a separate token that the local servers accept, enabling the user to access a requested resource. This process enables an organization to provide controlled access, to its resources or services, to a user that belongs to another security realm. Users do not have to directly authenticate to the federated environment and the organizations do not have to share user identities or passwords.
In order to benefit from identity federation, a service must accept federated identities, and AD RMS is one such service. In particular, AD RMS is designed to accept requests for licenses, from remote users through a single sign-on agent or Web single sign-on, and redirect the requests to the local federation server (ADFS-RESOURCE). This server requires the user to authenticate to ADFS-ACCOUNT, which authenticates the user via Active Directory and issues the corresponding security token. This token is presented to the single sign-on agent, which validates the token and provides the identity to the AD RMS server. Finally, the AD RMS server issues the requested licenses.
AD FS provides a very efficient way to deliver access to protected content to users in remote, independent organizations, including organizations that have not deployed AD RMS. It also uses infrastructure that can be used for other federation purposes, such as providing access to extranet sites and to SharePoint Server based sites.
Trusted User Domains (TUDs) allow you to configure an AD RMS cluster to manage requests for CLCs for users that have been issued RACs from a different AD RMS cluster. For example, if an organization has two separate Active Directory forests and each forest has its own AD RMS deployment, you’d configure Trusted User Domains so that clients from one forest are able to issue CLCs to clients with RACs issued from the other forest. TUDs can be one-way or bi-directional. When configuring TUDs, you must export the TUD from the partner before importing the TUD locally.
Trusted Publishing Domains (TPDs) allow the AD RMS cluster in one forest to issue end-user licenses to content published with licenses issued from an AD RMS cluster in another forest. You must export the TPD file and have it imported by the partner AD RMS cluster before the AD RMS cluster in the partner forest can issue end-user licenses to local AD RMS clients.