Implementing cross-site single sign-on
Updated: February 1, 2011
Applies To: Unified Access Gateway
Forefront Unified Access Gateway (UAG) provides cross-site single sign-on, which allows users who log on to one Forefront UAG site to access additional Forefront UAG sites without re-authenticating. Users enter credentials the first time that they access a site that is included in the single sign-on list. They can then open a second session (by opening a new tab in Internet Explorer, or by typing the new site URL in the address bar of an existing browser window) to connect to another Forefront UAG trunk that is included in the single sign-on list, and access that trunk site without providing credentials again.
Note the following before implementing cross-site single sign-on:
All trunks in the cross-site single sign-on list must share the same authentication settings. They must all use the same authentication server or servers for session authentication to the trunk.
The public host name (FQDN) of every trunk in the cross-site list must belong to the same domain, for example *.contoso.com. The single sign-on cookie is scoped to this shared domain, so the browser sends it to every host under that domain; choose the narrowest domain that covers all of the trunks.
Cross-site single sign-on cannot be used when user authentication is implemented with Kerberos constrained delegation, client certificate authentication, or AD FS.
Authentication is performed as follows:
User authentication prompts are triggered as follows:
For session authentication: during the initial logon, or after a scheduled logoff.
For application authentication: when the setting Use single sign-on to send credentials to published applications is enabled for the application (indicating that session credentials should be forwarded to backend Web servers), and either credentials were not specified by the user, or the user has view authorization permissions for the application.
Forefront UAG validates the session credentials against the authentication server. If the user needs to input additional information, for example a new PIN, they are prompted until all required authentication information has been entered.
If authentication fails, the user is prompted to retry until the permitted number of re-authentication attempts is reached. If the number of attempts is exceeded, logon fails, and the user must log off the site and attempt to log on again. This begins a new authentication process.
Configuring cross-site single sign-on
To configure cross-site single sign-on
1. For one of the trunks that will be included in the cross-site SSO list, open the CustomUpdate folder in the following location:
\Microsoft Forefront Unified Access Gateway\von\Conf\WebSites\<Trunk_Name>\Conf\CustomUpdate
If the CustomUpdate folder does not exist, create it.
2. If the WFEList.xml file does not already exist in the CustomUpdate folder, copy the file from the trunk's Conf folder to the CustomUpdate folder. If the file exists, use the existing file.
3. At the end of the WFEList.xml file in the CustomUpdate folder (inside the root element, so that the file remains well-formed XML), add the following line:
<DLL active="1" dll_name="WhlFiltSSO.dll"/>
4. Copy the following file into the trunk's Conf\CustomUpdate folder (the folder you accessed in step 1):
\Microsoft Forefront Unified Access Gateway\von\Conf\WhlFiltSSO.ini
5. Edit the file you copied in step 4, changing the Domain and Key fields as follows:
Domain: the domain to which the trunk belongs (the shared domain from the requirements above)
Key: free text, used for encryption. Use the same key for every trunk in the cross-site SSO list, and treat it as a secret: it is what lets one trunk accept a single sign-on cookie issued by another.
6. Repeat steps 1 through 5 for each of the trunks that are part of the cross-site SSO.
7. Access the following custom folder:
\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
If this folder does not exist, create it.
8. Copy the following file into the custom folder:
\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples\site_sso.inc
9. Edit the file you copied in step 8, as follows:
WHL_KEY: the key you entered in step 5
SSO_COOKIE_DOMAIN: the domain you entered in step 5
10. Rename the file you edited in step 9 to <Trunk_Name>sso.inc, where <Trunk_Name> is the name of one of the trunks that is part of the SSO. Regardless of the trunk type of the SSO sites (HTTP Connections or HTTPS Connections), the file is named <Trunk_Name>sso.inc.
11. Repeat step 10 for each of the trunks that are part of the SSO, copying and renaming the file as many times as required, so that each SSO trunk has one <Trunk_Name>sso.inc file under the custom folder \Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate.
12. Reset Internet Information Services (IIS) using IIS Manager, or using the IISReset command line utility.
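The following PowerShell script is an added example, not part of the Forefront UAG documentation or product: it performs the twelve steps above for every trunk in the cross-site SSO list, so that all trunks end up with the same Domain and Key and one <Trunk_Name>sso.inc each. The page does not state the install root, the layout of WhlFiltSSO.ini, or the layout of site_sso.inc, so the script assumes the default install path C:\Program Files\Microsoft Forefront Unified Access Gateway, INI lines of the form Domain=… and Key=…, and quoted-string assignments of WHL_KEY and SSO_COOKIE_DOMAIN in the .inc file. Each of these is an assumption; the edit helper refuses to write a file unless its pattern matches exactly once, so a different layout stops the script instead of corrupting the configuration. The trunk names and domain in the usage section are hypothetical.

```powershell
# Added example (not UAG product code). Automates steps 1-12 of the cross-site SSO procedure.
# ASSUMPTIONS, not stated on the page: default install root; WhlFiltSSO.ini uses "Domain=" and
# "Key=" lines; site_sso.inc assigns WHL_KEY and SSO_COOKIE_DOMAIN as quoted strings.

function Set-ConfigValue {
    # Replace the value following a captured prefix, but only if the pattern matches exactly once.
    param([string]$Path, [string]$Pattern, [string]$Value)
    $text = [IO.File]::ReadAllText($Path)
    $opts = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase -bor `
            [System.Text.RegularExpressions.RegexOptions]::Multiline
    $rx = New-Object System.Text.RegularExpressions.Regex($Pattern, $opts)
    if ($rx.Matches($text).Count -ne 1) {
        throw "Expected exactly one match for '$Pattern' in $Path; file layout differs, not editing."
    }
    # Escape '$' in the value so .NET does not read it as a group reference in the replacement.
    $replacement = '${1}' + $Value.Replace('$', '$$')
    [IO.File]::WriteAllText($Path, $rx.Replace($text, $replacement))
}

function Set-UagCrossSiteSso {
    param(
        [Parameter(Mandatory=$true)][string[]]$TrunkName,   # trunks in the cross-site SSO list
        [Parameter(Mandatory=$true)][string]$Domain,        # shared parent domain, e.g. contoso.com
        [Parameter(Mandatory=$true)][string]$Key,           # shared secret for WhlFiltSSO.dll; identical on every trunk
        [string]$UagRoot = 'C:\Program Files\Microsoft Forefront Unified Access Gateway'  # ASSUMED default root
    )
    foreach ($trunk in $TrunkName) {
        $conf = Join-Path $UagRoot "von\Conf\WebSites\$trunk\Conf"
        if (-not (Test-Path $conf)) { throw "Trunk folder not found: $conf" }
        # Step 1: the trunk's CustomUpdate folder.
        $custom = Join-Path $conf 'CustomUpdate'
        if (-not (Test-Path $custom)) { New-Item -ItemType Directory -Path $custom | Out-Null }
        # Step 2: start from the trunk's own WFEList.xml unless a customized copy already exists.
        $wfe = Join-Path $custom 'WFEList.xml'
        if (-not (Test-Path $wfe)) { Copy-Item (Join-Path $conf 'WFEList.xml') $wfe }
        # Step 3: register WhlFiltSSO.dll as the last entry inside the root element (appending after
        # the closing tag would break the XML). Skipped when the entry is already present.
        $xml = New-Object System.Xml.XmlDocument
        $xml.PreserveWhitespace = $true
        $xml.Load($wfe)
        if ($xml.DocumentElement.SelectNodes("DLL[@dll_name='WhlFiltSSO.dll']").Count -eq 0) {
            $dll = $xml.CreateElement('DLL')
            $dll.SetAttribute('active', '1')
            $dll.SetAttribute('dll_name', 'WhlFiltSSO.dll')
            [void]$xml.DocumentElement.AppendChild($dll)
            $xml.Save($wfe)
        }
        # Steps 4-5: copy WhlFiltSSO.ini and set Domain and Key (ASSUMED key=value layout).
        $ini = Join-Path $custom 'WhlFiltSSO.ini'
        Copy-Item (Join-Path $UagRoot 'von\Conf\WhlFiltSSO.ini') $ini -Force
        Set-ConfigValue -Path $ini -Pattern '^(Domain[ \t]*=[ \t]*)[^\r\n]*' -Value $Domain
        Set-ConfigValue -Path $ini -Pattern '^(Key[ \t]*=[ \t]*)[^\r\n]*' -Value $Key
    }   # Step 6: the loop above repeats steps 1-5 for every trunk.

    # Steps 7-8: the shared InternalSite custom folder and the site_sso.inc sample.
    $incDir = Join-Path $UagRoot 'von\InternalSite\inc\CustomUpdate'
    if (-not (Test-Path $incDir)) { New-Item -ItemType Directory -Path $incDir | Out-Null }
    $sample = Join-Path $UagRoot 'von\InternalSite\samples\site_sso.inc'
    foreach ($trunk in $TrunkName) {
        # Steps 9-11: one <Trunk_Name>sso.inc per trunk, all carrying the same key and cookie domain
        # (ASSUMED quoted-string assignments, optionally prefixed with Const).
        $inc = Join-Path $incDir "${trunk}sso.inc"
        Copy-Item $sample $inc -Force
        Set-ConfigValue -Path $inc -Value $Key `
            -Pattern '^([ \t]*(?:Const[ \t]+)?WHL_KEY[ \t]*=[ \t]*")[^"\r\n]*(?=")'
        Set-ConfigValue -Path $inc -Value $Domain `
            -Pattern '^([ \t]*(?:Const[ \t]+)?SSO_COOKIE_DOMAIN[ \t]*=[ \t]*")[^"\r\n]*(?=")'
    }
    # Step 12: restart IIS so the filter and include files are loaded. This drops active sessions.
    & iisreset
}

# Usage (hypothetical trunk names and domain). Derive the shared key from the OS CSPRNG rather
# than choosing a word: it is the secret that lets one trunk accept another trunk's SSO cookie.
$bytes = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
$sharedKey = ([Convert]::ToBase64String($bytes) -replace '[^A-Za-z0-9]', '')
Set-UagCrossSiteSso -TrunkName 'portal', 'mail' -Domain 'contoso.com' -Key $sharedKey
```

Run the script in an elevated PowerShell session on the Forefront UAG server. Because Set-ConfigValue throws when a field is not found exactly once, check the first trunk's CustomUpdate\WhlFiltSSO.ini and the first <Trunk_Name>sso.inc by hand after a dry run on one trunk before letting it loop over all of them. The key is written to these files in clear text, so the folders should keep the restrictive ACLs of the UAG installation, and the iisreset at the end should be scheduled for a maintenance window because it terminates every active session on the server.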