This topic describes the benefits of deploying Forefront Unified Access Gateway (UAG) with Active Directory Federation Services (AD FS) 2.0.
- General benefits—AD FS 2.0 provides the following benefits to your organization:
  - Enables organizations to collaborate securely across Active Directory domains by using identity federation.
  - Reduces the need for duplicate accounts and other credential management overhead by enabling federated single sign-on (SSO) across organizations, platforms, and applications.
  - Provides identity delegation so that authorized applications can impersonate their users when they access infrastructure services, even when the original users do not have local accounts.
- Single sign-on—Authenticating once to one network and then accessing resources in another network without repeated logon prompts is known as SSO. AD FS provides a web-based SSO solution that authenticates users to multiple web applications for the life of a single browser session. When you deploy Forefront UAG with AD FS, Forefront UAG relies on the AD FS infrastructure to provide SSO for claims-aware applications.
- AD FS proxy—In an AD FS deployment, you can use an AD FS proxy to avoid placing the AD FS server directly on the Internet, keeping the AD FS server inside your protected corporate network. However, if you also want to use AD FS to authenticate users to your other applications, those applications must themselves be reachable from the Internet. Because Forefront UAG can provide AD FS proxy functionality and at the same time protect the applications it publishes, deploying Forefront UAG simplifies your environment: you no longer need a dedicated AD FS proxy server, and your application deployment is less complicated because Forefront UAG protects your published applications.
- AD FS single sign-out—AD FS 2.0 and Forefront UAG provide a single sign-out experience for end users. When users sign out from the Forefront UAG portal, they are also signed out from all applications that rely on the same authenticating federation server. Similarly, when users sign out from such an application, they are also signed out from the Forefront UAG portal that uses the same authenticating federation server.
Note: When users sign out from Forefront UAG, they may also be signed out from applications that are not published by Forefront UAG.
Note: Because Forefront UAG works only with the WS-Federation Passive protocol, single sign-out cannot be guaranteed. The federation server can only clean up sessions when it actually receives a sign-out request; for example, if users close their browser instead of signing out, single sign-out may not occur.
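The following is an added example that is not code from Forefront UAG, AD FS or this page; it models the WS-Federation passive exchange described above so the single sign-out behaviour (and its limitation) can be seen end to end. The message names wa=wsignin1.0, wsignout1.0 and wsignoutcleanup1.0 and the wtrealm, wreply and wctx parameters are the WS-Federation passive requestor profile; the federation server URL, the portal and application realms, the session ids and the in-memory classes are constructed for the example. The browser's role is collapsed into direct calls (a real STS returns a page whose content makes the browser issue the cleanup requests), and the wreply origin check is an assumption about what a federation server should do, not a description of AD FS internals.

```python
from urllib.parse import urlencode, urlsplit, parse_qs


def parse_wsfed(url: str) -> dict:
    """Return the single-valued query parameters of a WS-Federation passive message."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _same_origin(a: str, b: str) -> bool:
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)


class RelyingParty:
    """A claims-aware application, e.g. the UAG portal or a published app (constructed)."""

    def __init__(self, realm: str):
        self.realm = realm          # wtrealm identifier; also the app's base URL here
        self.sessions: set = set()  # browser session ids that hold a local cookie

    def sign_in_url(self, sts: str, wctx: str = "/") -> str:
        # Unauthenticated browser is redirected to the federation server.
        return sts + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": self.realm, "wctx": wctx})

    def accept_token(self, sid: str) -> None:
        # Token posted back by the STS; the app issues its own session cookie.
        self.sessions.add(sid)

    def handle(self, url: str, sid: str) -> str:
        q = parse_wsfed(url)
        if q.get("wa") == "wsignoutcleanup1.0":
            # The federation server says the user signed out elsewhere: drop the local session.
            self.sessions.discard(sid)
            return "cleaned"
        if q.get("wa") == "wsignout1.0":
            # Application-initiated sign-out: clear locally, then bounce the browser to the STS.
            self.sessions.discard(sid)
            return "redirect-to-sts"
        raise ValueError(f"unexpected wa={q.get('wa')!r}")


class FederationServer:
    """Toy STS implementing the parts of the WS-Federation passive profile used here (constructed)."""

    def __init__(self, url: str, relying_parties):
        self.url = url
        self.rps = {rp.realm: rp for rp in relying_parties}  # trusted relying parties
        self.issued: dict = {}  # sid -> realms that received a token in this browser session

    def handle(self, url: str, sid: str) -> dict:
        q = parse_wsfed(url)
        wa = q.get("wa")
        if wa == "wsignin1.0":
            realm = q["wtrealm"]
            if realm not in self.rps:
                raise PermissionError(f"untrusted realm {realm}")
            self.issued.setdefault(sid, set()).add(realm)
            self.rps[realm].accept_token(sid)  # models the browser POSTing the token back
            return {"wa": wa, "realm": realm, "wctx": q.get("wctx", "/")}
        if wa == "wsignout1.0":
            # Single sign-out: every RP that got a token in this session is told to clean up.
            realms = self.issued.pop(sid, set())
            for realm in realms:
                self.rps[realm].handle(realm + "?wa=wsignoutcleanup1.0", sid)
            # Assumption: follow wreply only if it is the origin of a trusted RP,
            # otherwise an attacker-crafted sign-out link becomes an open redirect.
            wreply = q.get("wreply", "")
            safe = any(_same_origin(wreply, r) for r in self.rps)
            return {"wa": wa, "cleaned": sorted(realms), "redirect": wreply if safe else self.url}
        raise ValueError(f"unexpected wa={wa!r}")


def scenario() -> dict:
    """Sign in to portal and app, sign out from the app, and show the no-sign-out case."""
    sts_url = "https://fs.example.com/adfs/ls/"
    portal = RelyingParty("https://uag.example.com/")
    app = RelyingParty("https://app.example.com/")
    sts = FederationServer(sts_url, [portal, app])

    sid = "browser-A"
    sts.handle(portal.sign_in_url(sts_url, "/portal"), sid)   # one credential prompt
    sts.handle(app.sign_in_url(sts_url, "/reports"), sid)     # SSO: token issued silently
    both_live = sid in portal.sessions and sid in app.sessions

    # User clicks sign-out inside the app; the app bounces the browser to the STS.
    app.handle(app.realm + "?wa=wsignout1.0", sid)
    out = sts.handle(sts_url + "?" + urlencode({"wa": "wsignout1.0", "wreply": app.realm}), sid)
    portal_cleared = sid not in portal.sessions   # portal was signed out too

    # A browser that is simply closed never sends wsignout1.0, so nothing is cleaned up.
    sid2 = "browser-B"
    sts.handle(app.sign_in_url(sts_url), sid2)
    stale = sid2 in app.sessions

    # A crafted wreply on a look-alike host must not be followed.
    evil = sts.handle(sts_url + "?" + urlencode(
        {"wa": "wsignout1.0", "wreply": "https://app.example.com.evil.net/"}), sid2)

    return {"both_live": both_live, "cleaned": out["cleaned"], "portal_cleared": portal_cleared,
            "redirect": out["redirect"], "stale_without_signout": stale,
            "evil_redirect": evil["redirect"]}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The "stale_without_signout" branch is the page's caveat in code: the federation server only learns about a sign-out when a wsignout1.0 message reaches it, so a closed browser leaves the relying-party sessions in place until they expire on their own.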