Forefront Unified Access Gateway (UAG) allows you to delegate credentials, so that when a client authenticates during logon to a Forefront UAG site session, the credentials that are provided can be sent to backend servers that require authentication. This single sign-on (SSO) mechanism allows the user to log on to Forefront UAG with a single set of credentials that are then used to authenticate and gain access to any application for which the credentials are valid.

Forefront UAG can implement single sign-on by using session credentials to authenticate to published backend applications using the following methods: