This topic describes the Active Directory Federation Services (AD FS) 2.0 topology when partner employees access applications published by Forefront Unified Access Gateway (UAG) using claims-based authentication. In this topology, partner employees authenticate to both the Forefront UAG trunk and to the back end application using claims-based authentication. This topology enables you to manage user identities in a single location; that is, on the AD FS 2.0 server. It also allows you to define authorization rules for published applications in Forefront UAG that are based on the incoming claims.
The following diagram shows the main components in the system.
In this topology:
- Forefront UAG is configured as a relying
party of the corporate AD FS 2.0 server (Resource
Federation server in the diagram).
- A separate Active Directory Domain Services
(AD DS) server is used within the corporation; however, you
can configure AD FS 2.0 to run on your AD DS
- The corporate AD FS 2.0 server is
configured to trust the partner federation server (Account
Federation server). This trust is a federated trust, not a domain
- The server running SharePoint Products and
Technologies is configured as a relying party of the corporate
AD FS 2.0 server using the external SharePoint URL.
- A SharePoint application has been published
through Forefront UAG.
Note: A SharePoint server is used in this topology as an example. Any application that supports the WS-Federation protocol is supported in this topology.
When users from the partner organization attempt to access the published SharePoint application, the following simplified flow occurs:
- The partner users attempt to access the
published SharePoint application using claims-based authentication
in one of two ways: by accessing the Forefront UAG portal and then
clicking the published SharePoint application or by accessing the
published SharePoint application directly using the SharePoint
alternate access mapping name.
- Forefront UAG redirects the web browser
request to the Resource Federation server to authenticate the
- The Resource Federation server shows the home
realm discovery page to users on which they must choose the
organization to which they belong; in this case, the partner
- The Resource Federation server redirects the
web browser to the Account Federation server where users
authenticate using their own credentials, after which they receive
a security token. Some authentication schemes prompt for
- Users are silently redirected several times
and automatically authenticated using the security token created by
the Account Federation server to the Resource Federation server and
then to Forefront UAG. If they attempted to access the published
SharePoint application directly, they are silently redirected to
the SharePoint site, after which the SharePoint site appears. If
they first accessed the Forefront UAG portal, they must click the
SharePoint application to view the SharePoint site.
- After the first successful connection to the
SharePoint site, the Resource Federation server stores a cookie on
the user’s computer. The cookie is stored by default for 30 days;
the duration is configurable in the web.config file on the Resource
Federation server. During this time, users are not required to
answer identification questions on the home realm discovery page;
that is, choosing the organization to which they belong.
To deploy this topology complete the following tasks:
- Configuring an AD FS 2.0
- Creating a portal trunk
for AD FS 2.0
- Creating a Relying Party
Trust using Federation Metadata
- Creating a rule to
pass-through or filter an incoming claim
- Creating a rule to
transform an incoming claim
- Configuring SharePoint
2010 AAM applications with AD FS 2.0 or Configuring SharePoint
2007 AAM applications with AD FS 2.0 or both.