Claims-based authentication with Microsoft UAG 2010 (SharePoint Foundation 2010)


Applies to: SharePoint Foundation 2010

Topic Last Modified: 2012-04-26

Microsoft Unified Access Gateway (UAG) 2010 with Service Pack 1 (SP1) adds support for Active Directory Federated Services Version 2.0 (ADFS 2.0), and UAG is a claims-aware relying party that now supports publishing Microsoft SharePoint Foundation 2010 applications with claims-based authentication. (Partner access using single sign-on to applications or to servers running SharePoint Foundation 2010 and that are not claims-aware is still supported.)

The following steps detail the process flow for authenticating users from a partner organization through a server that is running UAG to a server that is running SharePoint Foundation 2010:

  1. The partner users attempt to access the published SharePoint Foundation application using claims-based authentication in one of two ways: by accessing the Forefront UAG portal and then clicking the published SharePoint Foundation application or by accessing the published SharePoint Foundation application directly using the SharePoint Foundation alternate access mapping name.

  2. Forefront UAG redirects the web browser request to the Resource Federation server to authenticate the user.

  3. The Resource Federation server shows the home realm discovery page to users on which they must choose the organization to which they belong; in this case, the partner organization.

  4. The Resource Federation server redirects the web browser to the Account Federation server where users authenticate using their own credentials, after which they receive a security token. Some authentication schemes prompt for credentials.

  5. Users are silently redirected several times and automatically authenticated using the security token created by the Account Federation server to the Resource Federation server and then to Forefront UAG. If they attempted to access the published SharePoint Foundation application directly, they are silently redirected to the SharePoint Foundation site, after which the SharePoint Foundation site appears. If they first accessed the Forefront UAG portal, they must click the SharePoint Foundation application to view the SharePoint Foundation site.

  6. After the first successful connection to the SharePoint Foundation site, the Resource Federation server stores a cookie on the user’s computer. The cookie is stored by default for 30 days; the duration is configurable in the web.config file on the Resource Federation server. During this time, users are not required to answer identification questions on the home realm discovery page; that is, choosing the organization to which they belong.

Office integration will fail in this scenario if a remote client’s session expires on the UAG server.
For more information about remote user access using claims and Microsoft UAG, see Plan employee access using claims.

UAG with SP1 also adds claims-based authorization. For example: If a user has a role claim, UAG can allow or deny the user’s access based on the value of the claim. These rules are set through policy in UAG and are mapped to roles in ADFS.

These claims-based authorization rules can only be used when UAG is a relying party of ADFS.

UAG with SP1 also adds single sign-out functionality; users who sign out are also signed out from all applications that rely on the authenticating federation server. There are a few ways that a client can sign out (or be signed out):

  • A user can sign out from the UAG portal.

  • A timed interval of inactivity can sign out a user.

  • Scheduled sign-out times of UAG can sign out a user.

For more information about single sign-out, see Overview of AD FS 2.0 with Forefront UAG (

UAG can still provide single sign-on (SSO) access if an application uses NTLM or Kerberos authentication, and UAG performs Kerberos translation for clients. For more information, see Configuring single sign-on with Kerberos constrained delegation to non-claims-aware applications (