This topic describes the Active Directory Federation Services (AD FS) 2.0 topology when remote employees access claims-aware applications published by Forefront Unified Access Gateway (UAG). In this topology, remote employees authenticate to the Forefront UAG trunk using non-federated authentication, for example, forms-based authentication (FBA) or two-factor authentication, and to the published application using federated authentication. This topology enables you to provide strong authentication to the Forefront UAG trunk that publishes a claims-aware application.

Topology Description

The following diagram shows the main components in the system.



[Diagram: TopologyEmployeeFBAFE_ClaimsBE]

In this topology:

  • A separate Active Directory Domain Services (AD DS) server is used within the corporation; however, you can configure AD FS 2.0 to run on your AD DS server.

  • The claims-aware web application is configured as a relying party of the corporate AD FS 2.0 server using the external URL.

Sign-in flow

When remote employees attempt to access the published application, the following simplified flow occurs:

  • Remote employees go to the Forefront UAG portal and authenticate against the AD DS server using FBA, or some other non-federated authentication method.

  • The remote employee clicks the link to the published application in the portal.

  • The application redirects the web browser request to the AD FS 2.0 server (Resource Federation server) to authenticate the user.

  • The Resource Federation server shows users the home realm discovery page, on which they must choose the organization to which they belong; in this case, their own organization.

  • The Resource Federation server sends an HTTP 401 response. Forefront UAG is able to provide a single sign-on (SSO) experience for the user by answering the 401 response with the credentials previously entered by the user.

  • The Resource Federation server provides a security token (containing a set of claims) to the user. The user is redirected to the application, the security token is presented to it, and the application is displayed.

    Note:
    JavaScript must be enabled on the client browser.
  • After the first successful connection to the application, the Resource Federation server stores a cookie on the user’s computer. The cookie is stored by default for 30 days; the duration is configurable in the web.config file on the Resource Federation server. During this time, users are not prompted on the home realm discovery page to choose the organization to which they belong.
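The following fragment is added here as an illustration and is not part of the original topic. It shows the section of the AD FS 2.0 web.config on the Resource Federation server that governs two steps of the flow above: the local authentication type listed first is the one AD FS 2.0 offers to browsers (the Integrated entry produces the 401 challenge that Forefront UAG answers), and persistIdentityProviderInformation controls the home realm discovery cookie and its 30-day lifetime. Element and attribute names are reproduced from memory of the AD FS 2.0 configuration schema; confirm them against your own web.config before editing.

```xml
<!-- Fragment of the AD FS 2.0 web.config (Resource Federation server). -->
<microsoft.identityServer.web>
  <!-- The first entry is the authentication type offered to browsers.
       Keeping "Integrated" first is what produces the 401 challenge that
       Forefront UAG answers on the user's behalf for SSO. -->
  <localAuthenticationTypes>
    <add name="Integrated" page="auth/integrated/" />
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
  </localAuthenticationTypes>
  <homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
  <!-- Home realm discovery cookie: enabled, 30-day lifetime by default.
       Lower lifetimeInDays to re-prompt users sooner, or set enabled="false"
       to require the organization choice on every sign-in. -->
  <persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />
</microsoft.identityServer.web>
```

Changes to this file take effect after the AD FS web application is recycled, and apply to every relying party served by that federation server.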

Deployment tasks

To deploy this topology, complete the following tasks: