Planning for federation with AD FS
Updated: February 1, 2010
Applies To: Unified Access Gateway
Active Directory Federation Services (AD FS) provides Web single sign-on technologies in order to authenticate a user to multiple Web applications, over the life of a single session. AD FS achieves this by securely sharing digital identity and entitlement rights, or "claims", across security and enterprise boundaries. When using the Active Directory Lightweight Directory Service (AD LDS) or the Active Directory directory service, an organization experiences the benefit of single sign-on functionality through Windows-integrated authentication, within the organization's security or enterprise boundaries. AD FS expands this functionality for Internet-facing applications, enabling customers, partners, and suppliers to have a similar, streamlined, Web single sign-on user experience when they access the organization’s Web-based applications. Furthermore, federation servers can be deployed in multiple organizations to facilitate business-to-business (B2B) federated transactions between partner organizations. For example, AD FS enables employees in company A to be identified by resources in company B, for the purpose of becoming authorized to perform actions on resources in company B. In Forefront Unified Access Gateway (UAG), federated users can access Forefront UAG sites, and the applications published via the site, by using AD FS passive model authentication.
Supported scenarios
AD FS in Forefront UAG requires the following environment:
An AD FS v1 server.
The AD FS server is published by Forefront UAG. All user access to the AD FS server should be via Forefront UAG. The AD FS server should be published directly in an application trunk, and not in a portal trunk.
Shadowed accounts are required in the following cases:
If the resource organization must identify the exact user in the user organization. Alternatively, you can map users from the user organization to a group in the resource organization. Group mapping requires shadow groups, but not shadow accounts.
When the published application supports Kerberos constrained delegation, and you want to support single sign-on using Kerberos.
AD FS in Forefront UAG has the following applications and authentication requirements:
Logon to the Forefront UAG portal requires an NT token. Forefront UAG cannot consume claims.
Published backend applications can require either NT tokens or claims. In both cases, authentication between users and the backend application is performed directly. You should disable the "Use single sign-on to send credentials to published applications" setting in the application properties.
Kerberos constrained delegation can be used if it is supported by the published application.
AD FS prerequisites
To use AD FS with Forefront UAG, the following is required:
You must define two static IP addresses on the external network adapter of the Forefront UAG server before you install Forefront UAG.
The Forefront UAG server must be a domain member, even when Forefront UAG is installed in a perimeter network. This is required by the AD FS Web agent that must be installed on the Forefront UAG server.
An Active Directory repository must be used for authentication.
AD FS-enabled applications can only be published using HTTPS trunks.
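The two prerequisites above that can be verified on the server itself (domain membership, and two static IP addresses on the external adapter) are easy to get wrong before installation. The following PowerShell pre-flight script is an added example, not part of this TechNet page or of Forefront UAG; it uses only WMI classes present on Windows Server 2008. The external adapter is identified by its connection name, which defaults to the assumed value "External" and should be changed to match your server; the Active Directory repository and HTTPS trunk requirements are configuration choices in the Forefront UAG Management console and are not checked here.

```powershell
# Added example (not from the original page): pre-flight check of the local
# Forefront UAG / AD FS prerequisites. Run on the intended Forefront UAG server
# before installing Forefront UAG.
param(
    # Connection name of the external network adapter as shown in Network
    # Connections. "External" is an assumed default; adjust it for your server.
    [string]$ExternalAdapterName = 'External'
)

$results = @()

# Prerequisite: the server must be a domain member, because the AD FS Web agent
# installed on the Forefront UAG server requires it (also in a perimeter network).
$cs = Get-WmiObject -Class Win32_ComputerSystem
$results += New-Object PSObject -Property @{
    Check  = 'Server is a domain member'
    Passed = [bool]$cs.PartOfDomain
    Detail = "Domain/workgroup: $($cs.Domain)"
}

# Prerequisite: two static IPv4 addresses on the external adapter, defined
# before Forefront UAG is installed (DHCP-assigned addresses do not count).
$adapter = Get-WmiObject -Class Win32_NetworkAdapter `
    -Filter "NetConnectionID='$ExternalAdapterName'"
if ($adapter) {
    $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
        -Filter "Index=$($adapter.Index)"
    # IPAddress lists IPv4 and IPv6 addresses together; keep only IPv4.
    $ipv4 = @($cfg.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    $results += New-Object PSObject -Property @{
        Check  = 'External adapter has two static IPv4 addresses'
        Passed = (-not $cfg.DHCPEnabled) -and ($ipv4.Count -ge 2)
        Detail = "DHCP enabled: $($cfg.DHCPEnabled); IPv4: $($ipv4 -join ', ')"
    }
} else {
    $results += New-Object PSObject -Property @{
        Check  = 'External adapter has two static IPv4 addresses'
        Passed = $false
        Detail = "No network connection named '$ExternalAdapterName' was found"
    }
}

$results | Format-Table Check, Passed, Detail -AutoSize

# Non-zero exit code if any check failed, so the script can gate an installation job.
if ($results | Where-Object { -not $_.Passed }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell prompt as `.\Test-UagAdfsPrereqs.ps1 -ExternalAdapterName 'External'` (the script file name is an assumption); a failed check prints the detail needed to fix it, and the exit code lets the check be chained ahead of the Forefront UAG setup.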