Microsoft's traditional Active Directory (AD) technology stores user accounts and their credentials (password hashes rather than cleartext passwords) and uses them to authenticate users and control access to computers and resources on a Windows domain. It also provides SSO to corporate applications that live inside that domain. Active Directory Federation Services (AD FS) builds on this functionality to authenticate AD users to systems outside the domain, such as another company's extranet or a service hosted by a cloud provider, by issuing signed security tokens that those systems can verify without having any access to the directory itself.
Through its SSO capabilities, AD FS can authenticate a user once and then sign that user in to several related web apps during a single browser session. It does this by issuing tokens that carry claims: signed statements about the user, such as a user principal name, email address or group memberships, that travel across the organization's security boundary. When a user tries to access a web app hosted by a trusted business partner (the two organizations together form a federation), the user's own organization authenticates the user against its AD, and its AD FS issues a token containing the relevant claims to the partner's web app, known as the relying party. The relying party verifies the token's signature against the trust it has configured for that issuer, checks that the token was issued for it and is still valid, and only then makes authorization decisions based on the claims rather than on a local account. Claims describe the user; the access rights derived from them are decided by the relying party.
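The exchange described above, reduced to its two halves, as an added example that is not part of the original page and not AD FS's own code. A real AD FS issues SAML or JWT tokens signed with the RSA key of its token-signing certificate; here an HMAC-SHA256 shared secret stands in for that signature so the example runs offline. The issuer URL, relying-party URL, user and group names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers (hypothetical): the claims provider (the user's own
# AD FS) and the relying party (the partner's web app).
CLAIMS_PROVIDER = "https://sts.contoso.example/adfs/services/trust"
RELYING_PARTY = "https://portal.fabrikam.example/"

# The relying party's configured trust: which issuers it accepts and the key
# used to verify their tokens. An HMAC secret stands in for the issuer's
# token-signing certificate; real AD FS tokens carry an RSA signature.
TRUSTED_ISSUERS = {CLAIMS_PROVIDER: b"demo-shared-signing-secret"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, audience, claims, lifetime=300, now=None):
    """Claims-provider side. The user is assumed to have already authenticated
    against AD; AD FS then emits a signed token carrying claims about them,
    addressed to one specific relying party (the audience)."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "iat": now,
            "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(TRUSTED_ISSUERS[issuer], payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def validate_token(token, expected_audience, now=None):
    """Relying-party side. Accept claims only from a token that is signed by a
    trusted issuer, addressed to this relying party and inside its lifetime.
    Returns the claims dict or raises ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload = b64url_decode(parts[0])
    body = json.loads(payload)
    # Issuer must be one we have a federation trust with; otherwise no key.
    key = TRUSTED_ISSUERS.get(body.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    # Verify the signature over the raw payload bytes before trusting any
    # claim in it; constant-time compare avoids a timing side channel.
    expected_sig = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[1])):
        raise ValueError("bad signature")
    # Audience check: a token issued for another relying party must not be
    # accepted here, even though it is validly signed by a trusted issuer.
    if body.get("aud") != expected_audience:
        raise ValueError("token not intended for this relying party")
    # Lifetime check limits how long a captured token can be replayed.
    if not (body["iat"] <= now < body["exp"]):
        raise ValueError("token expired or not yet valid")
    return body["claims"]


def authorize(token, expected_audience, required_group, now=None):
    """Authorization decision made purely from validated claims, with no
    local account lookup. Returns (allowed, reason)."""
    try:
        claims = validate_token(token, expected_audience, now)
    except ValueError as err:
        return False, str(err)
    if required_group in claims.get("groups", []):
        return True, f"{claims['upn']} allowed"
    return False, f"{claims['upn']} lacks group {required_group}"


if __name__ == "__main__":
    # Constructed walk-through: Contoso's AD FS vouches for alice to Fabrikam.
    t0 = 1_700_000_000
    tok = issue_token(CLAIMS_PROVIDER, RELYING_PARTY,
                      {"upn": "alice@contoso.example", "groups": ["Partners"]}, now=t0)
    print(authorize(tok, RELYING_PARTY, "Partners", now=t0))
    print(authorize(tok, "https://other.example/", "Partners", now=t0))
    print(authorize(tok, RELYING_PARTY, "Partners", now=t0 + 600))
```

The order of the checks is the point: the relying party establishes who signed the token and that the signature is intact before it reads a single claim, then confirms the token was issued for it and is still fresh, and only then decides access from the group claim. Skipping the audience check is the classic federation mistake, because a token legitimately issued for one partner app would then open every other app that trusts the same issuer.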