This topic describes the benefits of deploying Forefront Unified Access Gateway (UAG) with Active Directory Federation Services (AD FS) 2.0.
- General benefits—AD FS 2.0
provides the following benefits to your organization:
- Enables organizations to collaborate securely
across Active Directory domains by using identity
- Reduces the need for duplicate accounts and
other credential management overhead by enabling federated single
sign on (SSO) across organizations, platforms, and
- Provides identity delegation so that
authorized applications can impersonate their users when they
access infrastructure services, even when the original users do not
have local accounts.
- Enables organizations to collaborate securely across Active Directory domains by using identity federation.
- Single sign on—The process of
authenticating to one network while accessing resources in another
network without the burden of repeated logon actions by users, is
known as SSO. AD FS provides a web-based, SSO solution that
authenticates users to multiple web applications over the life of a
single browser session. When you deploy Forefront UAG with
AD FS, Forefront UAG relies on the AD FS infrastructure
to provide SSO for claims-aware applications.
- AD FS proxy—In an AD FS
deployment, to avoid placing the AD FS server directly on the
Internet, you can use an AD FS proxy which enables you to keep
your AD FS server within your protected corporate network.
However, if you want to use AD FS for authentication to your
other applications, they must be configured such that they are
accessible from the Internet. Because Forefront UAG can provide
AD FS proxy functionality and also provide protection for
published applications, you can simplify your environment by
deploying Forefront UAG. When you use Forefront UAG, you no longer
require a dedicated AD FS proxy server, and your application
deployment may be less complicated because Forefront UAG protects
your published applications.
- AD FS single
sign-out—AD FS 2.0 and Forefront UAG provide a single
sign-out experience for end users. When users sign out from the
Forefront UAG portal, they are also signed out from all
applications that rely on the authenticating federation server.
Similarly, when users sign out from an application, they are also
signed out from the Forefront UAG portal that uses the same
authenticating federation server.
Note: When users sign out from Forefront UAG, they may also be signed out from applications that are not published by Forefront UAG. Note: Since Forefront UAG works only with the WS-Federation Passive protocol, it is not possible to ensure that single sign-out occurs. For example, if users close their browser instead of signing out, single sign-out may not occur.