This topic describes the Active Directory Federation Services (AD FS) 2.0 topology when remote employees access claims-aware applications published by Forefront Unified Access Gateway (UAG). In this topology, remote employees authenticate to the Forefront UAG trunk using non-federated authentication, for example, forms-based authentication (FBA) or two-factor authentication, and to the published application using federated authentication. This topology enables you to provide strong authentication to the Forefront UAG trunk that publishes a claims-aware application.
The following diagram shows the main components in the system.
In this topology:
- A separate Active Directory Domain Services
(AD DS) server is used within the corporation; however, you
can configure AD FS 2.0 to run on your AD DS
- The claims-aware web application is
configured as a relying party of the corporate AD FS 2.0
server using the external URL.
When remote employees attempt to access the published application, the following simplified flow occurs:
- Remote employees go to the Forefront UAG
portal and authenticate against the AD DS server using FBA, or
some other non-federated authentication method.
- The remote employee clicks the link to the
published application in the portal.
- The application redirects the web browser
request to the AD FS 2.0 server (Resource Federation
server) to authenticate the user.
- The Resource Federation server shows the home
realm discovery page to users on which they must choose the
organization to which they belong; in this case, their own
- The Resource Federation server sends an HTML
401 response. Forefront UAG is able to provide a single sign-on
(SSO) experience for the user by answering the 401 response with
the credentials previously entered by the user.
- The Resource Federation server provides a
security token (containing a set of claims) to the user. The user
is redirected to the application and the user’s security token is
presented to the application and the application appears.
- After the first successful connection to the
application, the Resource Federation server stores a cookie on the
user’s computer. The cookie is stored by default for 30 days; the
duration is configurable in the web.config file on the Resource
Federation server. During this time, users are not required to
answer identification questions on the home realm discovery page;
that is, choosing the organization to which they belong.
To deploy this topology, complete the following tasks:
- Configure non-federated trunk authentication.
- Configuring an AD FS 2.0
- Creating a rule to
pass-through or filter an incoming claim
- Creating a rule to
transform an incoming claim
- Publish your application using the
AD FS 2.0 authentication repository. See Adding applications to a