Enabling Active Directory Federation Services in IAG SP1

Applies To: Intelligent Application Gateway (IAG)

This section describes how to enable Active Directory® Federation Services (ADFS) authentication in the Intelligent Application Gateway (IAG) 2007. ADFS enables cross-corporation collaboration (federated identity): employees of company A can be identified by resources in company B so that they can be authorized to perform actions on those resources. This setting enables federated users to access both the IAG site and the applications published through it by using ADFS passive-model authentication.

Requirements

The following are requirements for enabling ADFS:

  • An Active Directory (AD) repository is used for IAG authentication.

  • This feature is applicable only for HTTPS Connections trunks.

  • IAG is installed in the perimeter network (also known as DMZ, demilitarized zone, or screened subnet) and should be domain-joined.

  • ADFS is installed and configured in the resource provider organization.

  • ADFS Web agent is installed on the IAG computer. For detailed information on installing the ADFS Web agent, see the following address:

    https://technet2.microsoft.com/windowsserver/en/library/6f8aaa2f-5dcd-4c50-840b-48a0719340541033.mspx?mfr=true
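The following script is an added pre-flight check for the requirements above; it is not part of the IAG documentation or product. It verifies that the IAG computer is domain-joined and that the resource partner's Federation Service is reachable over HTTPS with a certificate this computer trusts, which the ADFS passive-model redirect depends on. The host name in $FederationServiceHost is a placeholder, and the script assumes PowerShell 2.0 or later on the IAG computer.

```powershell
# Pre-flight check for the IAG/ADFS requirements listed above.
# Added example, not part of the IAG documentation. Assumptions:
#   - $FederationServiceHost is the host name of the resource partner's
#     Federation Service (placeholder value below).
#   - Runs on the IAG computer with PowerShell 2.0 or later.
param(
    [string]$FederationServiceHost = "fs.resource-partner.example"
)

function Test-DomainJoined {
    # Requirement: the IAG computer in the perimeter network is domain-joined.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Host ("PASS: computer is joined to domain '{0}'" -f $cs.Domain)
        return $true
    }
    Write-Host ("FAIL: computer is in workgroup '{0}', not domain-joined" -f $cs.Domain)
    return $false
}

function Test-FederationServiceTls {
    param([string]$HostName, [int]$Port = 443)
    # ADFS passive-model sign-in redirects the browser to the Federation
    # Service over HTTPS, so the FS must be reachable on 443 from the
    # perimeter network and present a certificate this computer trusts.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
    } catch {
        Write-Host ("FAIL: cannot reach {0}:{1} - {2}" -f $HostName, $Port, $_.Exception.Message)
        return $false
    }

    # The callback records chain/name errors instead of aborting, so the
    # handshake completes and the certificate can still be inspected.
    $script:TlsErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:TlsErrors = $sslPolicyErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host ("INFO: {0}:{1} presented '{2}' (expires {3})" -f $HostName, $Port, $cert.Subject, $cert.NotAfter)
        if ($script:TlsErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
            Write-Host "PASS: Federation Service certificate is trusted by this computer"
            return $true
        }
        Write-Host ("FAIL: certificate validation errors: {0}" -f $script:TlsErrors)
        return $false
    } catch {
        Write-Host ("FAIL: TLS handshake with {0} failed - {1}" -f $HostName, $_.Exception.Message)
        return $false
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$results = @(
    (Test-DomainJoined),
    (Test-FederationServiceTls -HostName $FederationServiceHost)
)
if ($results -contains $false) {
    Write-Host "One or more ADFS prerequisites are not met; fix them before enabling ADFS on the trunk."
    exit 1
}
Write-Host "All checked prerequisites are met."
```

Run it on the IAG computer as an administrator, passing the real Federation Service host name with -FederationServiceHost. A certificate validation failure reported here (an untrusted issuing CA or a name mismatch) is the most common reason the passive-model sign-in loop fails after the trunk is switched to ADFS, so it is worth resolving before touching the trunk configuration.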

Configuring ADFS

To configure ADFS, you must follow the instructions in the following topics:

Known issues

The following are known issues:

  • IAG can replace the Federation Service Proxy (FS-P) in the account provider only when users are authenticated to the Federation Service (FS) by using a user name and password. If users are authenticated by using a client certificate, you should use the FS-P.

  • Even when the published applications use claims-aware authentication, IAG should still use Windows NT token-based authentication.