The following procedures describe the tasks required to configure Active Directory Federation Services (AD FS) 2.0 with Forefront Unified Access Gateway (UAG).
- Configuring an AD FS 2.0 authentication repository—On the Forefront UAG server, configure an AD FS 2.0 authentication repository.
- Creating a portal trunk for AD FS 2.0—On the Forefront UAG server, create an HTTPS portal trunk that uses the AD FS 2.0 authentication repository. This trunk is used when you want federated (claims-based) trunk authentication. Creating the trunk automatically creates an application that publishes the AD FS 2.0 server.
- Creating a relying party trust using federation metadata—On your organization’s federation server, create a relying party trust from the federation metadata that Forefront UAG generated automatically during activation.
- Creating a rule to pass through or filter an incoming claim—On your organization’s federation server, create a claim rule that passes incoming claims through to Forefront UAG unchanged, or that filters them so only claims matching a condition are issued.
- Creating a rule to transform an incoming claim—On your organization’s federation server, create a claim rule that transforms incoming name claims into different claims, if necessary.
- Optional deployment tasks—Describes optional tasks that may be required, depending on your topology and requirements.
- Verifying the deployment—Describes how to verify that the deployment succeeded, with links to troubleshooting information if it did not.
Important: When you use an AD FS 2.0 authentication server, every end user who authenticates through the AD FS 2.0 server is automatically added to the Authenticated Users security group. End users who authenticate to Forefront UAG using AD FS 2.0 may not be members of your domain, so an authorization scheme based on the Authenticated Users group grants access to anyone the federation server is willing to issue a token for. Do not base your authorization scheme on the Authenticated Users group. Note also that if you configure applications (including the logon pages and the portal) with no authorization scheme, only members of Authenticated Users can access the application.
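The three federation-server steps listed above (create the relying party trust from metadata, add a pass-through or filter rule, add a transform rule) can also be scripted with the AD FS 2.0 Windows PowerShell snap-in instead of the AD FS 2.0 Management console. The following is an added example and is not code from the original page or from Microsoft's documentation. The relying party display name, the `contoso.com` domain used in the filter, and the metadata URL are placeholders: substitute the federation metadata URL that Forefront UAG produced during activation. The issuance authorization rule assumed here permits every authenticated user and is shown only so that AD FS issues a token at all; tighten it for production.

```powershell
# Added example (not from the original page): scripts the federation-server side of
# the Forefront UAG / AD FS 2.0 procedure with the AD FS 2.0 PowerShell snap-in.
# Run in an elevated PowerShell session on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# ASSUMPTIONS (placeholders): relying party display name and the metadata URL.
# Replace $MetadataUrl with the URL of the metadata Forefront UAG generated at activation.
$RpName      = "Forefront UAG portal"
$MetadataUrl = "https://portal.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"

# Step: relying party trust built from the published metadata. Identifier, WS-Federation
# endpoint and encryption certificate are read from the metadata document.
if (-not (Get-ADFSRelyingPartyTrust -Name $RpName)) {
    Add-ADFSRelyingPartyTrust -Name $RpName -MetadataUrl $MetadataUrl
}

# Step: issuance transform rules. Rule 1 is a pass-through with a filter: the UPN claim
# is issued only when its value is in the contoso.com domain (assumed domain). Rule 2
# transforms the Windows account name claim into a Name claim, keeping issuer and value.
# Each rule is evaluated against the full input claim set, so the filter in rule 1 does
# not restrict rule 2; repeat the condition there if the Name claim must be limited too.
$issuanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN for contoso.com users only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^[^@]+@contoso\.com$"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows account name into Name claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Issuance authorization: AD FS 2.0 issues no token to a relying party without at least
# one permit rule. "Permit all" is assumed here for the walkthrough only.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $RpName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Check what was stored (useful when verifying the deployment).
Get-ADFSRelyingPartyTrust -Name $RpName |
    Format-List Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Rules in a rule set run in order, and a claim produced by `issue` is added to both the output set and the input set, which is why filtering one claim type in an earlier rule does not prevent a later rule from matching the unfiltered original. Keep that in mind when you decide where to place filters: anything the transform rule issues reaches Forefront UAG regardless of what the pass-through rule dropped.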