Deploying Forefront UAG with AD FS 2.0

Updated: July 31, 2012

Applies To: Unified Access Gateway

The following procedures describe the tasks required to configure Active Directory Federation Services (AD FS) 2.0 with Forefront Unified Access Gateway (UAG).

• Configuring an AD FS 2.0 authentication repository—On the Forefront UAG server, configure an AD FS 2.0 authentication repository.

• Creating a portal trunk for AD FS 2.0—On the Forefront UAG server, create an HTTPS portal trunk that uses the AD FS 2.0 authentication repository. The trunk is used when you want to use federated (claims-based) trunk authentication.

• Creating a relying party trust using Federation Metadata—On your organization’s federation server, create a relying party trust using federation metadata that was created automatically during Forefront UAG activation.

• Creating a rule to pass through or filter an incoming claim—On your organization’s federation server, create a rule to pass-through or filter incoming claims.

• Creating a rule to transform an incoming claim—On your organization’s federation server, create a rule to transform incoming name claims into different claims, if necessary.

• Optional deployment tasks—Describes the optional tasks that may be required depending on your topology and requirements.

• Verifying the deployment—Describes how to verify that your deployment was successful, including links to troubleshooting if it was not successful.

Important

When you use an AD FS 2.0 authentication server, end users that authenticate using the AD FS 2.0 server are automatically added to the Authenticated Users security group. End users that authenticate to Forefront UAG using AD FS 2.0 may not be members of your domain; therefore, you should not base your authorization scheme on the Authenticated Users group. Additionally, if you configure applications (including the log on pages and the portal) with no authorization scheme, only members of the Authenticated Users are able to access the application.