When you use the Remote partner employee access using claims topology, your employees may need to access applications published by a resource organization. In this topology your organization is the partner organization and your employees are the partner employees, and you can use Forefront Unified Access Gateway (UAG) to publish your Active Directory Federation Services (AD FS) 2.0 server as a Forefront UAG application so that the resource organization can reach it.

You do not need to publish an AD FS 2.0 application if you are using an AD FS 2.0 server as an authentication repository for a trunk or application because the application is published automatically.

To publish an AD FS 2.0 application

  1. In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

  2. In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Active Directory Federation Services 2.0.

  3. On the Configure Application page, enter an application name.

  4. On the Select Endpoint Policies page, select the endpoint policies that you want to apply when accessing your AD FS 2.0 application.

  5. On the Deploying an Application page, click Configure an application server.

  6. On the Web Servers page, do the following:

    1. In the Addresses box, enter the internal host name of the AD FS 2.0 server.

    2. In the Public host name box, enter the public host name of the AD FS 2.0 server.

      The public host name and the internal host name of the AD FS 2.0 server must be identical. The federation service name is embedded in the federation metadata and in the endpoint URLs that relying parties and clients use, so the name that is reached through Forefront UAG must be the name that the AD FS 2.0 server is configured with.

    3. In the HTTPS port box, use the default port of 443.

  7. On the Authentication page, if you want to use single sign-on (SSO), select the Use SSO check box, and then select the authentication server that you want to use for SSO.

  8. On the Portal Link page of the wizard, do not make any changes.

  9. When you complete the wizard, click Finish.

    The Add Application Wizard closes, and the application that you defined appears in the Applications area of the Configuration section.

  10. Activate the configuration.

When you create the AD FS 2.0 application manually, it is published with a set of default paths. Make sure that these default paths cover every AD FS 2.0 endpoint that you need to publish (for example, the federation metadata, passive sign-in, and WS-Trust endpoints) and that they correspond with the AD FS 2.0 server configuration.
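The following PowerShell script is an added example and is not part of the Forefront UAG documentation or product. It performs the checks a practitioner would want after completing the wizard above: that the public and internal host names are identical, that the standard AD FS 2.0 endpoints answer through the Forefront UAG trunk rather than returning 404 (a sign that a path is not covered by the published application), that the trunk certificate names the federation service, and that the federation service identifier in the published metadata carries the same host name. The host name fs.contoso.com is an assumed value, and the endpoint list is the set of well-known AD FS 2.0 URLs, not Forefront UAG's own default path list; compare it against the paths configured on the published application. Run it from a client outside the corporate network so that the public host name resolves to the Forefront UAG trunk and not directly to the AD FS 2.0 server.

```powershell
# Added example, not Forefront UAG or AD FS product code. Post-publish checks for an
# AD FS 2.0 application published through Forefront UAG. Works with Windows PowerShell 2.0
# (uses System.Net.HttpWebRequest rather than Invoke-WebRequest).
param(
    # Assumed values: the federation service name, used as both the Forefront UAG public
    # host name and the AD FS 2.0 server's internal host name.
    [string]$PublicHostName   = "fs.contoso.com",
    [string]$InternalHostName = "fs.contoso.com"
)

# The two names must be identical; fail before probing anything if they are not.
if ($PublicHostName -ne $InternalHostName) {
    throw "Public host name '$PublicHostName' and internal host name '$InternalHostName' differ; AD FS 2.0 requires them to match."
}

# Well-known AD FS 2.0 endpoints (assumed to be what you need published; this is not
# Forefront UAG's default path list, compare it against the published application's paths).
$Endpoints = @(
    "/FederationMetadata/2007-06/FederationMetadata.xml",   # federation metadata
    "/adfs/ls/",                                            # passive (browser) sign-in
    "/adfs/services/trust/mex"                              # WS-Trust metadata exchange
)

function Probe-Endpoint {
    param([string]$Url)
    $request = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $request.Method = "GET"
    $request.AllowAutoRedirect = $false     # a redirect from UAG is a finding in itself
    $request.Timeout = 15000
    $body = ""; $location = $null
    try {
        $response = [System.Net.HttpWebResponse]$request.GetResponse()
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        $body = $reader.ReadToEnd()
        $reader.Close()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers arrive as exceptions; a missing Response means no HTTP answer at all.
        $response = $_.Exception.Response
        if ($response -eq $null) { throw }
    }
    $status   = [int]$response.StatusCode
    $location = $response.Headers["Location"]
    $response.Close()
    New-Object PSObject -Property @{
        Url = $Url; Status = $status; Location = $location; Body = $body
        CertificateSubject = $request.ServicePoint.Certificate.Subject
    }
}

$results = foreach ($path in $Endpoints) {
    Probe-Endpoint ("https://{0}{1}" -f $PublicHostName, $path)
}

foreach ($r in $results) {
    switch ($r.Status) {
        404     { "NOT COVERED  $($r.Url) (404: add this path to the published application)" }
        302     { "REDIRECTED   $($r.Url) -> $($r.Location) (Forefront UAG answered with a redirect; check the trunk and application authentication settings)" }
        default { "REACHABLE    $($r.Url) (HTTP $($r.Status))" }
    }
}

# The trunk certificate must name the federation service; a SAN or wildcard certificate
# can also be valid, so a mismatch here is a warning to inspect, not a hard failure.
$certSubject = ($results | Select-Object -First 1).CertificateSubject
if ($certSubject -notmatch [regex]::Escape("CN=$PublicHostName")) {
    "WARNING      trunk certificate subject '$certSubject' does not name $PublicHostName; verify its subject alternative names"
}

# The federation service identifier in the metadata (by default http://<fsname>/adfs/services/trust)
# must carry the published host name, otherwise relying parties are sent to a different name.
$meta = $results | Where-Object { $_.Url -like "*FederationMetadata.xml" }
if ($meta.Status -eq 200) {
    $xml = [xml]$meta.Body
    $entityHost = ([Uri]$xml.EntityDescriptor.entityID).Host
    if ($entityHost -ieq $PublicHostName) {
        "OK           federation service identifier host '$entityHost' matches the published host name"
    } else {
        "MISMATCH     federation service identifier host is '$entityHost', not $PublicHostName"
    }
}
```

Save the script and run it as `.\Check-AdfsPublish.ps1 -PublicHostName fs.contoso.com -InternalHostName fs.contoso.com`, substituting your federation service name. A 404 on any endpoint means the published application's paths do not cover it; a redirect on the metadata or sign-in endpoints usually means the trunk is demanding its own logon before the AD FS 2.0 application is reached, which is exactly the setting discussed under Managing the AD FS 2.0 application below.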

Managing the AD FS 2.0 application

In all cases where you use AD FS 2.0 with Forefront UAG, you must publish the AD FS 2.0 application. Forefront UAG automatically publishes the AD FS 2.0 application when you configure a trunk that uses an AD FS 2.0 authentication repository, or when a published application uses an AD FS 2.0 authentication repository. You can also publish the AD FS 2.0 application manually.

When you configure a trunk to use an AD FS 2.0 server for frontend authentication, Forefront UAG automatically enables pass-through for the AD FS 2.0 application; that is, end users authenticate to the AD FS 2.0 repository when they access the Forefront UAG trunk, so the AD FS 2.0 application must be reachable before the trunk logon has completed. You should not change this setting; if pass-through is disabled, users cannot reach the AD FS 2.0 sign-in page and therefore cannot log on to the trunk at all.

When you publish the AD FS 2.0 application manually, you can decide whether to allow unauthenticated access to the application. Allowing unauthenticated access is not recommended when the AD FS 2.0 application is published only as a standalone application (that is, when the trunk does not use the AD FS 2.0 server for frontend authentication), because it exposes the AD FS 2.0 endpoints to anyone who can reach the trunk and, as noted in the following procedure, causes the application's authorization rules to be ignored.

To allow unauthenticated access to the AD FS 2.0 application

  1. In the Forefront UAG Management console, click the trunk through which the AD FS 2.0 application is published. In the Applications list, click the AD FS 2.0 application, and then click Edit.

  2. On the Application Properties dialog box, click the Authentication tab.

  3. To allow unauthenticated access to the AD FS 2.0 application, select the Allow unauthenticated access to web server check box.

    If you select this check box, any authorization rules that you configured for the AD FS 2.0 application are ignored.

  4. Click OK.

  5. Activate the configuration.