With Forefront Unified Access Gateway (UAG), you can provide partner employees with access to your published applications by using Active Directory Federation Services (AD FS).
This topic describes:
What is AD FS?
AD FS is an identity access solution that provides browser-based clients (internal or external to your network) with seamless, "one prompt" access to one or more protected Internet-facing applications, even when the user accounts and applications are located in different networks or organizations.
When an application and user accounts are in different networks, it is typical for users to encounter prompts for secondary credentials when they attempt to access the application. These secondary credentials represent the identity of the users in the realm in which the application resides. The web server that hosts the application usually requires these credentials so that it can make the most appropriate authorization decision.
AD FS provides trust relationships that you can use to project a user's digital identity and access rights to trusted partners, thus making secondary accounts and their credentials unnecessary. In a federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations.
Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:
- Resource organization—Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties, or other departments or subsidiaries that are in the same organization.
- Account organization—Organizations that own and manage user accounts can deploy AD FS federation servers that authenticate local users, and create security tokens that federation servers in the resource organization can use later to make authorization decisions.
The process of authenticating to one network while accessing resources in another network, without the burden of repeated logon actions by users, is known as single sign-on (SSO). AD FS provides a web-based SSO solution that authenticates users to multiple web applications over the life of a single browser session.
In an AD FS deployment, to avoid placing the AD FS server directly on the Internet, you can use an AD FS proxy, which enables you to keep your AD FS server within your protected corporate network. However, if you want to use AD FS for authentication to your other applications, they must be configured so that they are accessible from the Internet. Because Forefront UAG can provide AD FS proxy functionality and also provide protection for published applications, you can simplify your environment by deploying Forefront UAG. When you use Forefront UAG, you no longer require a dedicated AD FS proxy server, and your application deployment may be less complicated because Forefront UAG protects your published applications.
AD FS role services
The AD FS server role includes federation services, proxy services, and web agent services that you configure to enable web SSO, federate web-based resources, customize the access experience, and manage how existing users are authorized to access applications.
Depending on your organization's requirements, you can deploy servers running any one of the following AD FS role services:
- Federation Service—The Federation Service comprises one or more federation servers that share a common trust policy. You use federation servers to route authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet.
- Windows token-based agent—You use the Windows token-based agent on a web server that hosts a Windows NT token-based application to support conversion from an AD FS security token to an impersonation-level Windows NT access token. A Windows NT token-based application is an application that uses Windows-based authorization mechanisms.
AD FS supported scenarios
AD FS 1.x in Forefront UAG requires the following environment:
- An AD FS 1.x server.
- The AD FS 1.x server is published by Forefront UAG. All user access to the AD FS server should be via Forefront UAG. The AD FS server should be published directly in an application trunk, and not in a portal trunk.
- Shadowed accounts are required in the following cases:
  - If the resource organization must identify the exact user in the user organization. Alternatively, you can map users from the user organization to a group in the resource organization. Group mapping requires shadow groups, but not shadow accounts.
  - When the published application supports Kerberos constrained delegation, and you want to support single sign-on using Kerberos.
AD FS 1.x in Forefront UAG has the following application and authentication requirements:
- Logon to the Forefront UAG portal requires an NT token. Forefront UAG cannot consume claims when using AD FS 1.x.
- Published backend applications can require either NT tokens or claims. In both cases, authentication between users and the backend application is performed directly. You should disable the setting Use single sign-on to send credentials to published applications in the application properties.
- Kerberos constrained delegation can be used if it is supported by the published application.
AD FS prerequisites
To use AD FS 1.x with Forefront UAG, the following is required:
- You must define two static IP addresses on the external network adapter of the Forefront UAG server before you install Forefront UAG.
- The Forefront UAG server must be a domain member, even when Forefront UAG is installed in a perimeter network. This is required by the AD FS web agent that must be installed on the Forefront UAG server.
- An Active Directory repository must be used for authentication.
- AD FS-enabled applications can only be published using HTTPS trunks.
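The following pre-installation check is an added example, not part of this topic or of Forefront UAG itself. It verifies on the Forefront UAG server the prerequisites that can be read from the operating system: two static IP addresses on the external adapter, domain membership, and the presence of an installed AD FS web agent. The external adapter's connection name (default "External") and the `ADFS-*` feature-name pattern are assumptions; the Active Directory repository and HTTPS trunk settings live in the Forefront UAG configuration and are not checked here.

```powershell
# Added example (not from the original topic): checks the OS-visible AD FS 1.x
# prerequisites on a Forefront UAG server. Uses WMI so it runs on the
# PowerShell 2.0 that ships with Windows Server 2008 R2.
param([string]$ExternalAdapterName = "External")   # assumed connection name

$results = @()

# 1. Two static IPv4 addresses on the external adapter (required before UAG setup).
$adapter = Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionID -eq $ExternalAdapterName }
if ($adapter -eq $null) {
    $results += "FAIL: no network adapter named '$ExternalAdapterName'"
} else {
    $cfg  = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.Index -eq $adapter.DeviceID }
    $ipv4 = @($cfg.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    if ($cfg.DHCPEnabled) {
        $results += "FAIL: external adapter uses DHCP; static addresses are required"
    } elseif ($ipv4.Count -lt 2) {
        $results += "FAIL: external adapter has $($ipv4.Count) IPv4 address(es); two are required"
    } else {
        $results += "PASS: external adapter has static IPv4 addresses $($ipv4 -join ', ')"
    }
}

# 2. Domain membership (required by the AD FS web agent, even in a perimeter network).
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $results += "PASS: server is a member of domain $($cs.Domain)"
} else {
    $results += "FAIL: server is in workgroup '$($cs.Workgroup)'; it must be a domain member"
}

# 3. An AD FS web agent role service is installed. The 'ADFS-*' name pattern is an
#    assumption; compare against Get-WindowsFeature output on the server.
Import-Module ServerManager -ErrorAction SilentlyContinue
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $adfs = @(Get-WindowsFeature | Where-Object { $_.Name -like 'ADFS-*' -and $_.Installed })
    if ($adfs.Count -eq 0) {
        $results += "FAIL: no AD FS role services installed; the AD FS web agent is required"
    } else {
        $results += "PASS: installed AD FS role services: $(($adfs | ForEach-Object { $_.Name }) -join ', ')"
    }
} else {
    $results += "WARN: Get-WindowsFeature unavailable; verify the AD FS web agent manually"
}

$results | ForEach-Object { Write-Output $_ }
```

Run it in an elevated PowerShell session on the Forefront UAG server before starting setup; any FAIL line corresponds to one of the prerequisites listed above.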