Remote employee access using claims

Updated: July 31, 2012

Applies To: Unified Access Gateway

This topic describes the Active Directory Federation Services (AD FS) 2.0 topology when remote employees access applications published by Forefront Unified Access Gateway (UAG) using claims-based authentication. In this topology, remote employees authenticate to both the Forefront UAG trunk and to the back end application using claims-based authentication. This topology enables you to allow partner and remote employees to access published applications through the same Forefront UAG trunk. It also allows you to define authorization rules for published applications in Forefront UAG that are based on the incoming claims.

• Topology description

• Sign-in flow

• Deployment tasks

Topology description

The following diagram shows the main components in the system.

In this topology:

• Forefront UAG is configured as a relying party of the corporate AD FS 2.0 server (Resource Federation server in the diagram).

• A separate Active Directory Domain Services (AD DS) server is used within the corporation; however, you can configure AD FS 2.0 to run on your AD DS server.

• The server running SharePoint Products and Technologies is configured as a relying party of the corporate AD FS 2.0 server using the external SharePoint URL.

• A SharePoint application has been published through Forefront UAG.

  Note

  A SharePoint server is used in this topology as an example. Any application that supports the WS-Federation protocol is supported in this topology.

Sign-in flow

When remote employees attempt to access the published SharePoint application, the following simplified flow occurs:

• The remote employees attempt to access the published SharePoint application using claims-based authentication in one of two ways: by accessing the Forefront UAG portal and then clicking the published SharePoint application or by accessing the published SharePoint application directly using the SharePoint alternate access mapping name.

• Forefront UAG redirects the web browser request to the Resource Federation server to authenticate the user.

• The Resource Federation server shows the home realm discovery page to users on which they must choose the organization to which they belong; in this case, their own organization.

• The remote employees are prompted for credentials and authenticate using their own AD DS credentials, after which they receive a security token.

• Users are silently redirected and automatically authenticated to Forefront UAG using the security token created by the Resource Federation server. If they attempted to access the published SharePoint application directly, they are silently redirected to the SharePoint site, after which the SharePoint site appears. If they first accessed the Forefront UAG portal, they must click the SharePoint application to view the SharePoint site.

  Note

  JavaScript must be enabled on the client browser.

• After the first successful connection to the SharePoint site, the Resource Federation server stores a cookie on the user’s computer. The cookie is stored by default for 30 days; the duration is configurable in the web.config file on the Resource Federation server. During this time, users are not required to answer identification questions on the home realm discovery page; that is, choosing the organization to which they belong.

Deployment tasks

To deploy this topology complete the following tasks:

• Configuring an AD FS 2.0 authentication repository

• Creating a portal trunk for AD FS 2.0

• Creating a relying party trust using Federation Metadata

• Creating a rule to pass through or filter an incoming claim

• Creating a rule to transform an incoming claim

• Configuring SharePoint 2010 AAM applications with AD FS 2.0 or Configuring SharePoint 2007 AAM applications with AD FS 2.0 or both.