Remote employee access using non-federated trunk authentication and federated application authentication

Updated: July 31, 2012

Applies To: Unified Access Gateway

This topic describes the Active Directory Federation Services (AD FS) 2.0 topology when remote employees access claims-aware applications published by Forefront Unified Access Gateway (UAG). In this topology, remote employees authenticate to the Forefront UAG trunk using non-federated authentication, for example, forms-based authentication (FBA) or two-factor authentication, and to the published application using federated authentication. This topology enables you to provide strong authentication to the Forefront UAG trunk that publishes a claims-aware application.

• Topology Description

• Sign-in flow

• Deployment tasks

Topology Description

The following diagram shows the main components in the system.

In this topology:

• A separate Active Directory Domain Services (AD DS) server is used within the corporation; however, you can configure AD FS 2.0 to run on your AD DS server.

• The claims-aware web application is configured as a relying party of the corporate AD FS 2.0 server using the external URL.

Sign-in flow

When remote employees attempt to access the published application, the following simplified flow occurs:

• Remote employees go to the Forefront UAG portal and authenticate against the AD DS server using FBA, or some other non-federated authentication method.

• The remote employee clicks the link to the published application in the portal.

• The application redirects the web browser request to the AD FS 2.0 server (Resource Federation server) to authenticate the user.

• The Resource Federation server shows the home realm discovery page to users on which they must choose the organization to which they belong; in this case, their own organization.

• The Resource Federation server sends an HTML 401 response. Forefront UAG is able to provide a single sign-on (SSO) experience for the user by answering the 401 response with the credentials previously entered by the user.

  Note

  SSO works only when you use Forefront UAG to publish the AD FS 2.0 server.

• The Resource Federation server provides a security token (containing a set of claims) to the user. The user is redirected to the application and the user’s security token is presented to the application and the application appears.

  Note

  JavaScript must be enabled on the client browser.

• After the first successful connection to the application, the Resource Federation server stores a cookie on the user’s computer. The cookie is stored by default for 30 days; the duration is configurable in the web.config file on the Resource Federation server. During this time, users are not required to answer identification questions on the home realm discovery page; that is, choosing the organization to which they belong.

Deployment tasks

To deploy this topology, complete the following tasks:

• Configure non-federated trunk authentication. See Implementing frontend authentication.

• Configuring an AD FS 2.0 authentication repository

• Creating a rule to pass through or filter an incoming claim

• Creating a rule to transform an incoming claim

• Publish your application using the AD FS 2.0 authentication repository. See Adding applications to a trunk.