Implementing cross-site single sign-on

Updated: February 1, 2011

Applies To: Unified Access Gateway

Forefront Unified Access Gateway (UAG) provides cross-site single sign-on, which allows users who log on to one Forefront UAG site to access additional Forefront UAG sites without re-authenticating. Users enter credentials the first time they access a site that is included in the single sign-on list. They can then open a second session (by opening a new tab in Internet Explorer, or by typing the new site URL in the address bar of an existing browser window) to connect to another Forefront UAG trunk that is included in the single sign-on list, and access that trunk's site without providing credentials again.

Note the following before implementing cross-site single sign-on:

  • All trunks in the cross-site single sign-on list must share the same authentication settings. They must all use the same authentication server or servers for session authentication to the trunk.

  • The public host name (FQDN) of all trunks in the cross-site list must belong to the same domain, for example *.contoso.com. The single sign-on state is carried in a cookie scoped to that domain (the SSO_COOKIE_DOMAIN value set later in this procedure), so every host under the domain receives the cookie; do not use a domain that also contains hosts you do not control.

  • Cross-site single sign-on cannot be used when user authentication is implemented with Kerberos constrained delegation, client certificate authentication, or AD FS.

Authentication is performed as follows:

  1. User authentication prompts are triggered as follows:

    1. For session authentication—During the initial logon, or after a scheduled logoff

    2. For application authentication—When the setting Use single sign-on to send credentials to published applications is enabled for the application (indicating that session credentials should be forwarded to backend Web servers), and either credentials were not specified by the user, or the user has view authorization permissions for the application.

  2. Forefront UAG validates the session credentials against the authentication server. If the user needs to input additional information, for example to enter a new PIN, they are prompted to continue to enter all required authentication information.

  3. If the authentication fails, the user is prompted to retry until the permitted limit for the number of re-authentication attempts is reached. If the number of attempts is exceeded, logon fails, and the user must log off the site and attempt to log on again. This begins a new authentication process.

Configuring cross-site single sign-on

Configure cross-site single sign-on as follows:

To configure cross-site single sign-on

  1. For one of the trunks that will be included in the cross-site SSO list, open the CustomUpdate folder in the following location:

    \Microsoft Forefront Unified Access Gateway\Von\Conf\WebSites\<Trunk_Name>\Conf\CustomUpdate

    If the CustomUpdate folder does not exist, create it.

  2. If the WFEList.xml file does not already exist in the CustomUpdate folder, copy the file from the trunk's Conf folder to the CustomUpdate folder.

    If the file exists, use the existing file.

  3. At the end of the WFEList.xml in the CustomUpdate folder, add the following line:

    <DLL active="1" dll_name="WhlFiltSSO.dll"/>

  4. Copy the following file into the trunk's Conf\CustomUpdate folder (the folder you accessed in step 1):

    \Microsoft Forefront Unified Access Gateway\Von\Conf\WhlFiltSSO.ini

  5. Edit the file you copied in step 4, changing the Domain and Key fields to the following:

    • Domain: domain to which the trunk belongs (the shared domain from the cross-site list, for example contoso.com)

    • Key: free-text value used for encryption. It is a shared secret and must be identical on every trunk in the cross-site SSO list, so choose a long random string rather than a memorable phrase, and protect it as you would any other key.

  6. Repeat steps 1 through 5 for each of the trunks that are part of the cross-site SSO.

  7. Access the following custom folder:

    \Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate

    If this folder does not exist, create it.

  8. Copy the following file into the custom folder:

    \Microsoft Forefront Unified Access Gateway\von\InternalSite\samples\site_sso.inc

  9. Edit the file you copied in step 8, as follows:

    • WHL_KEY : key you entered in step 5

    • SSO_COOKIE_DOMAIN : domain you entered in step 5

  10. Rename the file you edited in step 9, as follows:

    <Trunk_Name>sso.inc

    Where <Trunk_Name> is the name of one of the trunks that is part of the SSO.

    Note

    Regardless of the trunk type of the SSO sites (HTTP Connections or HTTPS Connections), the file is named <Trunk_Name>sso.inc.

  11. Repeat step 10 for each of the trunks that are part of the SSO, by copying and renaming the file as many times as required, so that each SSO trunk has one <Trunk_Name>sso.inc file under the custom folder \Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate.

  12. Reset Internet Information Services (IIS) using IIS Manager, or using the IISReset command line utility.
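The twelve steps above as one script, added here as an example; it is not code from Microsoft and not part of the Forefront UAG product, and the function names Set-UagCrossSiteSso, Set-ConfigValue and New-SsoKey are this example's own, not UAG cmdlets. It assumes the default installation path under C:\Program Files, PowerShell 2.0 or later on the UAG server, that WhlFiltSSO.ini stores its settings as Name=value lines, that site_sso.inc assigns WHL_KEY and SSO_COOKIE_DOMAIN as quoted string literals, and that WFEList.xml is plain XML without a namespace whose DLL entries sit under the root element. Each edit is idempotent, so the script can be re-run after a trunk is added to the list, and it stops on any file whose layout differs from these assumptions rather than writing a partial configuration.

```powershell
# Added example (not Microsoft or UAG code): automates the cross-site SSO steps
# for every trunk in the SSO list. Layout and path assumptions are marked.
Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

function New-SsoKey {
    # 32 bytes from the .NET CSPRNG, hex encoded: a value an attacker cannot
    # guess, which a hand-typed "free-text" key usually is not.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Set-ConfigValue {
    # Rewrites one setting in INI-style text (Name=value) or, with -Quoted, in
    # the .inc sample (Name = "value"). Both layouts are assumptions about the
    # shipped files. Throws if the setting is absent so that a different layout
    # fails loudly instead of leaving the filter half-configured.
    param([string]$Text, [string]$Name, [string]$Value, [switch]$Quoted)
    $n = [regex]::Escape($Name)
    if ($Quoted) { $pattern = '(?im)^([^''\r\n]*\b' + $n + '\s*=\s*")[^"]*(")' }
    else         { $pattern = '(?im)^(\s*' + $n + '\s*=\s*)[^\r\n]*' }
    if ($Text -notmatch $pattern) { throw "Setting '$Name' not found in the source file" }
    $safe = $Value.Replace('$', '$$')        # '$' is special in Regex.Replace patterns
    if ($Quoted) { return [regex]::Replace($Text, $pattern, ('${1}' + $safe + '${2}')) }
    return [regex]::Replace($Text, $pattern, ('${1}' + $safe))
}

function Set-UagCrossSiteSso {
    param(
        [Parameter(Mandatory=$true)][string[]]$TrunkName,  # trunks in the SSO list
        [Parameter(Mandatory=$true)][string]$Domain,       # shared parent domain, e.g. contoso.com
        [string]$Key = (New-SsoKey),                       # one shared secret for all trunks
        [string]$UagRoot = 'C:\Program Files\Microsoft Forefront Unified Access Gateway',  # assumed install path
        [switch]$ResetIis
    )
    $enc = [System.Text.Encoding]::Default   # system ANSI code page (assumed encoding of the originals)
    $von = Join-Path $UagRoot 'von'
    $written = @()

    foreach ($trunk in $TrunkName) {
        $conf = Join-Path $von "Conf\WebSites\$trunk\Conf"
        if (-not (Test-Path $conf)) { throw "No trunk configuration folder at $conf" }
        $custom = Join-Path $conf 'CustomUpdate'                   # steps 1 and 6
        New-Item -ItemType Directory -Path $custom -Force | Out-Null

        # Steps 2-3: copy WFEList.xml only when no custom copy exists, then add
        # the filter entry exactly once (a re-run must not register the DLL twice).
        $wfe = Join-Path $custom 'WFEList.xml'
        if (-not (Test-Path $wfe)) { Copy-Item (Join-Path $conf 'WFEList.xml') $wfe }
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($wfe)
        if ($xml.SelectNodes("//DLL[@dll_name='WhlFiltSSO.dll']").Count -eq 0) {
            $dll = $xml.CreateElement('DLL')
            $dll.SetAttribute('active', '1')
            $dll.SetAttribute('dll_name', 'WhlFiltSSO.dll')
            $xml.DocumentElement.AppendChild($dll) | Out-Null      # last entry = end of the list
            $xml.Save($wfe)
        }

        # Steps 4-5: per-trunk WhlFiltSSO.ini carrying the shared Domain and Key.
        $ini = [IO.File]::ReadAllText((Join-Path $von 'Conf\WhlFiltSSO.ini'))
        $ini = Set-ConfigValue $ini 'Domain' $Domain
        $ini = Set-ConfigValue $ini 'Key' $Key
        [IO.File]::WriteAllText((Join-Path $custom 'WhlFiltSSO.ini'), $ini, $enc)
        $written += $wfe
    }

    # Steps 7-11: one edited copy of site_sso.inc per trunk, named <Trunk_Name>sso.inc.
    $incDir = Join-Path $von 'InternalSite\inc\CustomUpdate'
    New-Item -ItemType Directory -Path $incDir -Force | Out-Null
    $inc = [IO.File]::ReadAllText((Join-Path $von 'InternalSite\samples\site_sso.inc'))
    $inc = Set-ConfigValue $inc 'WHL_KEY' $Key -Quoted
    $inc = Set-ConfigValue $inc 'SSO_COOKIE_DOMAIN' $Domain -Quoted
    foreach ($trunk in $TrunkName) {
        $path = Join-Path $incDir ($trunk + 'sso.inc')
        [IO.File]::WriteAllText($path, $inc, $enc)
        $written += $path
    }

    if ($ResetIis) { & iisreset | Out-Null }                       # step 12
    return $written
}

# Usage (trunk names are illustrative):
# Set-UagCrossSiteSso -TrunkName portal, mail -Domain contoso.com -ResetIis
```

If WhlFiltSSO.ini or site_sso.inc on your build uses a different layout, adjust the two patterns in Set-ConfigValue before running; the throw exists to catch exactly that case. The generated key is the secret the filter uses for encryption on every trunk in the list, so do not paste it into tickets or commit the script with a hard-coded value.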