Active Directory Federation Services (AD FS) provides Web single sign-on technologies in order to authenticate a user to multiple Web applications, over the life of a single session. AD FS achieves this by securely sharing digital identity and entitlement rights, or "claims", across security and enterprise boundaries. When using the Active Directory Lightweight Directory Service (AD LDS) or the Active Directory directory service, an organization experiences the benefit of single sign-on functionality through Windows-integrated authentication, within the organization's security or enterprise boundaries. AD FS expands this functionality for Internet-facing applications, enabling customers, partners, and suppliers to have a similar, streamlined, Web single sign-on user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organizations to facilitate business-to-business (B2B) federated transactions between partner organizations. For example, AD FS enables employees in company A to be identified by resources in company B, for the purpose of becoming authorized to perform actions on resources in company B. In Forefront Unified Access Gateway (UAG), federated users can access Forefront UAG sites, and the applications published via the site, by using AD FS passive model authentication.
Supported scenarios
AD FS in Forefront UAG requires the following environment:
- An AD FS v1 server.
- The AD FS server is published by Forefront UAG. All user access to the AD FS server should be via Forefront UAG. The AD FS server should be published directly in an application trunk, and not in a portal trunk.
- Shadowed accounts are required in the following cases:
  - If the resource organization must identify the exact user in the user organization. Alternatively, you can map users from the user organization to a group in the resource organization. Group mapping requires shadow groups, but not shadow accounts.
  - When the published application supports Kerberos constrained delegation, and you want to support single sign-on using Kerberos.
AD FS in Forefront UAG has the following applications and authentication requirements:
- Logon to the Forefront UAG portal requires an NT token. Forefront UAG cannot consume claims.
- Published backend applications can require either NT tokens or claims. In both cases, authentication between users and the backend application is performed directly. You should disable the setting Use single sign-on to send credentials to published applications in the application properties.
- Kerberos constrained delegation can be used if it is supported by the published application.
AD FS prerequisites
To use AD FS with Forefront UAG, the following is required:
- You must define two static IP addresses on the external network adapter of the Forefront UAG server before you install Forefront UAG.
- The Forefront UAG server must be a domain member, even when Forefront UAG is installed in a perimeter network. This is required by the AD FS Web agent that must be installed on the Forefront UAG server.
- An Active Directory repository must be used for authentication.
- AD FS-enabled applications can only be published using HTTPS trunks.
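The following PowerShell script is an added example, not part of the Forefront UAG documentation, that checks two of the prerequisites above (domain membership and two static IPv4 addresses on the external adapter) on the server it runs on. It assumes the external network connection is named "External"; adjust the parameter to match your server.

```powershell
# Added example (not from the Forefront UAG documentation): pre-installation check
# for two AD FS prerequisites on the prospective Forefront UAG server.
# Assumption: the external adapter's connection name is "External".
param([string]$ExternalNic = "External")

$problems = @()

# 1. The Forefront UAG server must be a domain member (needed by the AD FS Web agent).
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $problems += "Server is not a domain member; the AD FS Web agent requires domain membership."
} else {
    Write-Host "Domain member of: $($cs.Domain)"
}

# 2. The external adapter must carry two static IP addresses before UAG is installed.
$adapter = Get-WmiObject -Class Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionID -eq $ExternalNic }
if (-not $adapter) {
    $problems += "No network connection named '$ExternalNic' was found."
} else {
    # Win32_NetworkAdapter.Index matches Win32_NetworkAdapterConfiguration.Index.
    $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
        Where-Object { $_.Index -eq $adapter.Index }
    # IPAddress lists IPv6 entries too; count only dotted-quad IPv4 addresses.
    $ipv4 = @($cfg.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    if ($cfg.DHCPEnabled) {
        $problems += "'$ExternalNic' is DHCP-enabled; the two addresses must be static."
    }
    if ($ipv4.Count -lt 2) {
        $problems += "'$ExternalNic' has $($ipv4.Count) IPv4 address(es); two static addresses are required."
    } else {
        Write-Host "'$ExternalNic' IPv4 addresses: $($ipv4 -join ', ')"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "The AD FS prerequisites checked by this script are satisfied."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The remaining prerequisites (an Active Directory authentication repository and an HTTPS trunk for the AD FS-enabled application) are Forefront UAG configuration choices rather than host settings, so they are verified in the UAG Management console rather than by this script.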