
Remote employee access using non-federated trunk authentication and federated application authentication

Published: October 21, 2010

Updated: July 31, 2012

Applies To: Unified Access Gateway

This topic describes the Active Directory Federation Services (AD FS) 2.0 topology when remote employees access claims-aware applications published by Forefront Unified Access Gateway (UAG). In this topology, remote employees authenticate to the Forefront UAG trunk using non-federated authentication, for example, forms-based authentication (FBA) or two-factor authentication, and to the published application using federated authentication. This topology enables you to provide strong authentication to the Forefront UAG trunk that publishes a claims-aware application.

Topology Description

The following diagram shows the main components in the system.

[Diagram: topology with a remote employee, FBA at the Forefront UAG front end, and a claims-aware back-end application]

In this topology:

  • A separate Active Directory Domain Services (AD DS) server is used within the corporation; however, you can configure AD FS 2.0 to run on your AD DS server.

  • The claims-aware web application is configured as a relying party of the corporate AD FS 2.0 server using the external URL.

Sign-in flow

When remote employees attempt to access the published application, the following simplified flow occurs:

  • Remote employees go to the Forefront UAG portal and authenticate against the AD DS server using FBA, or some other non-federated authentication method.

  • The remote employee clicks the link to the published application in the portal.

  • The application redirects the web browser request to the AD FS 2.0 server (Resource Federation server) to authenticate the user.

  • The Resource Federation server shows the home realm discovery page to users on which they must choose the organization to which they belong; in this case, their own organization.

  • The Resource Federation server sends an HTTP 401 response. Forefront UAG is able to provide a single sign-on (SSO) experience for the user by answering the 401 response with the credentials previously entered by the user.

    Note:
    SSO works only when you use Forefront UAG to publish the AD FS 2.0 server.

  • The Resource Federation server provides a security token (containing a set of claims) to the user. The user is redirected to the application, the security token is presented to the application, and the application is displayed.

    Note:
    JavaScript must be enabled on the client browser.

  • After the first successful connection to the application, the Resource Federation server stores a cookie on the user’s computer. The cookie is stored by default for 30 days; the duration is configurable in the web.config file on the Resource Federation server. During this time, users are not required to answer identification questions on the home realm discovery page; that is, choosing the organization to which they belong.
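The sign-in flow above, modelled as an added example (constructed here, not code from the Forefront UAG or AD FS product): the trunk caches the forms-based credentials, the Resource Federation server challenges with a 401 that UAG answers only when AD FS is published through the trunk, and the home realm discovery cookie suppresses the realm prompt for its 30-day lifetime. The AD DS stub, session ids, cookie layout and step names are assumptions.

```python
# Constructed simulation of the UAG / AD FS 2.0 sign-in flow described above.
# The AD DS stub, session ids and cookie layout are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AD_DS = {"alice": "Passw0rd!"}   # stand-in for the corporate AD DS directory
HRD_COOKIE_LIFETIME_DAYS = 30    # AD FS 2.0 default; configurable in its web.config

@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)
    trunk_session: str = ""

@dataclass
class UagTrunk:
    publishes_adfs: bool                      # is AD FS 2.0 published through this trunk?
    sessions: dict = field(default_factory=dict)

    def fba_login(self, browser, user, password):
        """Non-federated (forms-based) authentication to the trunk against AD DS."""
        if AD_DS.get(user) != password:
            raise PermissionError("trunk authentication failed")
        browser.trunk_session = f"sess-{len(self.sessions) + 1}"
        self.sessions[browser.trunk_session] = (user, password)  # kept to answer a later 401

    def answer_401(self, browser):
        """UAG can replay the trunk credentials only if AD FS traffic passes through it."""
        return self.sessions.get(browser.trunk_session) if self.publishes_adfs else None

@dataclass
class ResourceFederationServer:
    now: datetime

    def authenticate(self, browser, trunk):
        """Return the observable steps of the federated sign-in plus the token, if issued."""
        hrd = browser.cookies.get("adfs-hrd")
        steps = ["hrd-skipped" if hrd and hrd["expires"] > self.now else "hrd-page", "401"]
        creds = trunk.answer_401(browser)
        if creds is None or AD_DS.get(creds[0]) != creds[1]:
            return steps + ["login-prompt"], None      # no SSO: user must re-enter credentials
        browser.cookies["adfs-hrd"] = {            # stored after the first successful sign-in
            "realm": "corp", "expires": self.now + timedelta(days=HRD_COOKIE_LIFETIME_DAYS)}
        return steps + ["token"], {"sub": creds[0], "claims": {"upn": f"{creds[0]}@corp.example"}}

def sign_in(browser, trunk, adfs, user, password):
    """Portal login, then the application's redirect to the Resource Federation server."""
    trunk.fba_login(browser, user, password)
    return adfs.authenticate(browser, trunk)
```

Running `sign_in` twice with the same `Browser` shows the second pass skipping the home realm discovery step, and a trunk created with `publishes_adfs=False` shows the 401 falling through to a login prompt instead of SSO.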

Deployment tasks

To deploy this topology, complete the following tasks:

© 2014 Microsoft