This topic describes the Active Directory Federation Services (AD FS) 2.0 topology in which remote partner employees use claims-based authentication to access applications published by the resource organization. Use this topology when your organization is the partner organization and your remote employees (remote partner employees from the viewpoint of the resource organization) require access to the resources published by the resource organization. The topology lets you require strong authentication in front of your AD FS 2.0 server and gives partner employees access from anywhere.

Topology description

The following diagram shows the main components in the system.

[Diagram: ADFS20ClaimsOnlyRemotePartnerEmployee]

In this topology:

  • The server running SharePoint Products and Technologies in the resource organization is configured to trust the Resource Federation server as its token issuer.

  • The Resource Federation server is configured to trust the partner AD FS 2.0 server (the Account Federation server). This trust is a federated trust, not a domain trust.

  • The Account Federation server has been published as an application through Forefront UAG.

  • The resource organization may also use Forefront UAG to publish its applications and its AD FS 2.0 server; this is not shown, to keep the diagram simple.

Sign-in flow

When users from the partner organization attempt to access the published SharePoint application, the following simplified flow occurs:

  • The remote partner users attempt to access the published SharePoint application using claims-based authentication.

  • The SharePoint server redirects the web browser request to the Resource Federation server to authenticate the user.

  • The Resource Federation server shows users the home realm discovery page, on which they choose the organization they belong to; in this case, the partner organization.

  • The Resource Federation server redirects the web browser request to the Account Federation server.

  • Forefront UAG intercepts the redirection to the Account Federation server and instead redirects the web browser to the Forefront UAG login page.

  • Users log in to Forefront UAG using a non-federated authentication method, for example, forms-based authentication (FBA) or two-factor authentication.

  • Forefront UAG redirects the web browser request to the Account Federation server, which provides users with a security token.

  • Users are redirected to the Resource Federation server, which issues them a security token for the application and redirects the web browser to the application. The application accepts the token and grants access.

    Note:
    The security tokens are returned to the browser in an HTML form that is submitted by script, so JavaScript must be enabled on the client browser.
  • After the first successful connection to the SharePoint site, the Resource Federation server stores a cookie on the user's computer that records the organization selected on the home realm discovery page. The cookie is kept for 30 days by default; the duration is configurable in the web.config file on the Resource Federation server. During this period users are not shown the home realm discovery page again. The cookie records only the selected organization, not credentials or a security token, so users still have to authenticate through Forefront UAG.
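The sign-in flow above is a chain of browser redirects, and when it fails the quickest diagnosis is to capture the redirects with a browser tool and compare them against the expected sequence. The following script does that comparison for a captured chain. It is an added example, not code from the original article or from Microsoft: the host names, federation service identifier, SharePoint realm identifier, wctx values and the UAG login page path are constructed for illustration, and the UAG login path in particular is an assumption to be confirmed against your own trace. The WS-Federation parameter names (wa, wtrealm, wctx, wreply, whr) are the real ones used by the AD FS 2.0 passive endpoint.

```python
"""Check a captured federated sign-in redirect chain against the topology above.

Added example (not from the original article or from Microsoft). Host names,
identifiers and the UAG login path are constructed / assumed; the WS-Federation
parameter names are the real ones used by the AD FS 2.0 /adfs/ls/ endpoint.
"""
from urllib.parse import urlsplit, parse_qs, quote

RESOURCE_STS = "fs.contoso.example"                                # Resource Federation server (constructed)
RESOURCE_STS_ID = "http://fs.contoso.example/adfs/services/trust"  # its federation service identifier (constructed)
ACCOUNT_STS = "fs.partner.example"                                 # Account Federation server, as published by UAG (constructed)
UAG_LOGIN_PATH = "/internalsite/login.asp"                         # UAG login page on the same published host (assumed)
SHAREPOINT = "sp.contoso.example"                                  # published SharePoint site (constructed)
SHAREPOINT_REALM = "urn:sharepoint:intranet"                       # SharePoint relying-party identifier (constructed)

WSFED_KEYS = ("wa", "wtrealm", "wctx", "wreply", "whr")


def wsfed_params(url):
    """Return the WS-Federation passive parameters carried in a URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k in WSFED_KEYS}


def sts_requests(hops, host, method="GET"):
    """Parameters of each browser request to the AD FS passive endpoint on host."""
    found = []
    for m, url in hops:
        u = urlsplit(url)
        if m == method and u.hostname == host and u.path.lower().startswith("/adfs/ls"):
            found.append(wsfed_params(url))
    return found


def check_chain(hops):
    """hops: list of (method, url) in the order the browser issued them.

    Returns a list of findings; an empty list means the chain matches the
    sign-in flow described for this topology.
    """
    findings = []

    # 1. SharePoint sends the browser to the Resource Federation server with a
    #    sign-in request for SharePoint's realm, wreply pointing back at /_trust/.
    rsts = sts_requests(hops, RESOURCE_STS)
    if not rsts:
        return ["no sign-in request reached the Resource Federation server"]
    first = rsts[0]
    if first.get("wa") != "wsignin1.0" or first.get("wtrealm") != SHAREPOINT_REALM:
        findings.append("SharePoint redirect lacks wa=wsignin1.0 or the expected wtrealm")
    if not (first.get("wreply") or "").startswith("https://%s/_trust/" % SHAREPOINT):
        findings.append("wreply does not point at the SharePoint /_trust/ endpoint")

    # 2. After home realm discovery, the Resource Federation server forwards the
    #    browser to the Account Federation server asking for a token for ITSELF,
    #    not for SharePoint.
    asts = sts_requests(hops, ACCOUNT_STS)
    uag_login = any(m == "GET" and urlsplit(u).path.lower() == UAG_LOGIN_PATH for m, u in hops)
    if not asts:
        findings.append("no sign-in request reached the Account Federation server")
    else:
        if asts[0].get("wtrealm") != RESOURCE_STS_ID:
            findings.append("Account Federation server was asked for a token for %r, expected %r"
                            % (asts[0].get("wtrealm"), RESOURCE_STS_ID))
        # 3. UAG intercepts that request, shows its own login page, and must then
        #    replay the original request with every WS-Federation parameter intact.
        if uag_login and len(asts) < 2:
            findings.append("browser did not return to the Account Federation server after the UAG login")
        elif len(asts) >= 2 and asts[-1] != asts[0]:
            findings.append("WS-Federation parameters changed across the UAG login")

    # 4. Token hand-off: the Account Federation server's token is POSTed to the
    #    Resource Federation server, whose token for the application is POSTed to SharePoint.
    posts = [urlsplit(u).hostname for m, u in hops if m == "POST"]
    if posts[-2:] != [RESOURCE_STS, SHAREPOINT]:
        findings.append("expected token POSTs to %s then %s, saw %r" % (RESOURCE_STS, SHAREPOINT, posts))
    return findings


def _sts_url(host, realm, ctx, wreply=None):
    """Build a sign-in URL for the passive endpoint on host (used only for the constructed traces)."""
    url = "https://%s/adfs/ls/?wa=wsignin1.0&wtrealm=%s&wctx=%s" % (host, quote(realm, safe=""), quote(ctx, safe=""))
    if wreply:
        url += "&wreply=" + quote(wreply, safe="")
    return url


TO_RSTS = _sts_url(RESOURCE_STS, SHAREPOINT_REALM, "rm=0&id=passive&ru=/sites/project", "https://sp.contoso.example/_trust/")
TO_ASTS = _sts_url(ACCOUNT_STS, RESOURCE_STS_ID, "fed-ctx-1")  # context value constructed

# Constructed trace of a successful sign-in, as a browser tool would capture it.
CHAIN_OK = [
    ("GET",  "https://sp.contoso.example/sites/project"),
    ("GET",  TO_RSTS),                                         # SharePoint -> Resource Federation server
    ("POST", TO_RSTS),                                         # user picks the partner on the HRD page
    ("GET",  TO_ASTS),                                         # forwarded to the Account Federation server ...
    ("GET",  "https://fs.partner.example/InternalSite/Login.asp"),  # ... but UAG shows its login page first
    ("POST", "https://fs.partner.example/InternalSite/Login.asp"),  # non-federated UAG login
    ("GET",  TO_ASTS),                                         # UAG replays the intercepted request
    ("POST", "https://fs.contoso.example/adfs/ls/"),           # token for the Resource Federation server, auto-posted
    ("POST", "https://sp.contoso.example/_trust/"),            # token for SharePoint, auto-posted
]

# Constructed failure case: after its login page UAG sends the browser to the bare
# endpoint, losing the WS-Federation query string it intercepted.
CHAIN_UAG_DROPS_QUERY = CHAIN_OK[:6] + [("GET", "https://fs.partner.example/adfs/ls/")] + CHAIN_OK[7:]

if __name__ == "__main__":
    for name, chain in (("ok", CHAIN_OK), ("uag-drops-query", CHAIN_UAG_DROPS_QUERY)):
        print(name, check_chain(chain) or "matches the expected flow")
```

The two checks most worth keeping when adapting this to a real trace are step 2 (the realm presented to the Account Federation server must be the Resource Federation server's own identifier, since that is what the federated trust is keyed on) and step 3 (the request UAG replays after its login must be byte-for-byte the one it intercepted, otherwise the Account Federation server cannot tell which relying party or context the token is for).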

Deployment tasks

To deploy this topology, complete the following tasks: