This topic describes the Active Directory Federation Services (AD FS) 2.0 topology when remote partner employees access applications published by the resource organization using claims-based authentication. This topology should be used when your organization is the partner organization and your remote employees (remote partner employees from the viewpoint of the resource organization) require access to the resources published by the resource organization. This topology enables you to provide strong authentication to your AD FS 2.0 server, and to provide anywhere access for partner employees.
The following diagram shows the main components in the system.
In this topology:
- The server running SharePoint Products and
Technologies in the resource organization is configured to trust
the Resource Federation server.
- The resource federation server is configured
to trust the partner AD FS 2.0 server (Account Federation
server). This trust is a federated trust, not a domain trust.
- The Account Federation server has been
published as an application through Forefront UAG.
- The resource organization may also use
Forefront UAG to publish applications and the AD FS 2.0
server; however, it is not shown here to simplify the diagram.
When users from the partner organization attempt to access the published SharePoint application, the following simplified flow occurs:
- The remote partner users attempt to access
the published SharePoint application using claims-based
- The SharePoint server redirects the web
browser request to the Resource Federation server to authenticate
- The Resource Federation server shows the home
realm discovery page to users on which they must choose the
organization to which they belong; in this case, the partner
- The Resource Federation server redirects the
web browser request to the Account Federation server.
- Forefront UAG intercepts the redirection to
the Account Federation server and instead redirects the web browser
to the Forefront UAG login page.
- Users log in to Forefront UAG using a
non-federated authentication method, for example, FBA or two-factor
- Forefront UAG redirects the web browser
request to the Account Federation server, which provides users with
a security token.
- Users are redirected to the Resource
Federation server, which provides users with a security token from
the application and also redirects users to the application, which
now allows access to the users.
- After the first successful connection to the
SharePoint site, the Resource Federation server stores a cookie on
the user’s computer. The cookie is stored by default for 30 days;
the duration is configurable in the web.config file on the Resource
Federation server. During this time, users are not required to
answer identification questions on the home realm discovery page;
that is, choosing the organization to which they belong.