When you use claims-based authentication on a Forefront Unified Access Gateway (UAG) trunk, you can configure Forefront UAG to use claims-based authorization for applications that are published through that trunk. When users authenticate to your Active Directory Federation Services (AD FS) 2.0 server, they present a set of claims provided by their federation server. The set of claims contains a number of claim types and a value for each claim type. Using claims-based authorization enables you to make complex decisions on which users are allowed to access applications published through Forefront UAG. For more complicated authorization requirements, you can use claims transformation rules on your AD FS 2.0 server.

For information about creating claim transformation rules, see When to Use a Transform Claim Rule (http://go.microsoft.com/fwlink/?LinkId=198271) and Create a Rule to Transform an Incoming Claim (http://go.microsoft.com/fwlink/?LinkId=198272).

You can configure claims-based application authorization only when you use an AD FS 2.0 server for trunk authentication.


Make sure that the claims that you want to send to Forefront UAG are published in the federation metadata.

Make sure that the claim type and value that you are using for claims-based application authorization is an output from the claim rules that you configure.

Authorization uses an exact match; therefore, the claims that you use must exactly match the claim type and value that Forefront UAG expects. You cannot use wildcards, or perform complex authorization. If you need to do complex authorization, you should create claims transformation rules.

To configure claims-based application authorization

  1. On the Forefront UAG server, in the Forefront UAG Management console, click the trunk that uses claims-based authentication.

  2. In the Applications area, click the published application for which you will configure claims-based authorization, and then click Edit to open the Application Properties dialog box.

  3. On the Application Properties dialog box, click the Authorization tab.

  4. Clear the Authorize all users check box, and then click Add.

  5. On the Select Users and Groups dialog box, in the Look in list, select your AD FS 2.0 authentication repository.

  6. In Claim value, enter the value for the claim type that you select in Claim type, for example, Sales. In Claim type, select the claim type that you will use for authorization. The drop-down list shows the friendly name for each claim type instead of the full URI.

    Forefront UAG supports only English characters in the claim type.

    Claim value is not case-sensitive, and the matching of claim values is not case-sensitive. When you add the rule, Forefront UAG automatically changes uppercase letters to lowercase.

    The claim value and claim type must correspond with the claim set that is presented on behalf of the users to Forefront UAG when accessing the trunk.
  7. Click Add to add the claim rule.

    The claim rule is added to the Selected Users and Groups list.

  8. Repeat steps 6 and 7 until you have defined all of the claim rules required for this application.

  9. On the Select Users and Groups dialog box, click OK.

  10. On the Application Properties dialog box, on the Authentication tab, click the Allow, View, and Deny columns as required for the newly added claim rule.

  11. Optionally, click Save As Local Group to save the users and groups as a local group. See Implementing users and groups for application authorization.