Why deploy Forefront UAG with AD FS 2.0?

Updated: July 31, 2012

Applies To: Unified Access Gateway

This topic describes the benefits of deploying Forefront Unified Access Gateway (UAG) with Active Directory Federation Services (AD FS) 2.0.

  • General benefits—AD FS 2.0 provides the following benefits to your organization:

    • Enables organizations to collaborate securely across Active Directory domains by using identity federation.

    • Reduces the need for duplicate accounts and other credential management overhead by enabling federated single sign on (SSO) across organizations, platforms, and applications.

    • Provides identity delegation so that authorized applications can impersonate their users when they access infrastructure services, even when the original users do not have local accounts.

  • Single sign on—The process of authenticating to one network while accessing resources in another network without the burden of repeated logon actions by users, is known as SSO. AD FS provides a web-based, SSO solution that authenticates users to multiple web applications over the life of a single browser session. When you deploy Forefront UAG with AD FS, Forefront UAG relies on the AD FS infrastructure to provide SSO for claims-aware applications.

  • AD FS proxy—In an AD FS deployment, to avoid placing the AD FS server directly on the Internet, you can use an AD FS proxy which enables you to keep your AD FS server within your protected corporate network. However, you must make your AD FS 2.0 server available to external users. It is recommended to deploy a federation server proxy using the AD FS 2.0 Federation Server Proxy Configuration Wizard to make your AD FS 2.0 server available to external users. Forefront UAG can also provide AD FS proxy functionality and provide protection for published applications, in which case, you must manually publish the AD FS 2.0 server via Forefront UAG.


    If you want to use AD FS for authentication to your other applications, they must be configured such that they are accessible from the Internet. If your deployment requires you to provide external access to only the AD FS 2.0 server, it is recommended that you use the federation server proxy and do not use Forefront UAG.

    For information about known issues and limitations when using Forefront UAG as an AD FS proxy, see Known issues and limitations.

  • AD FS multi-namespace support—Multi-namespace support is a new feature for Forefront UAG SP2. It allows you to use a single AD FS 2.0 server with multiple Forefront UAG trunks when the FQDNs (the public host names) of the Forefront UAG trunks are in different domains.

    For example, the FQDN of the first trunk is portal.contoso.com and the FQDN of the second trunk is portal.fabrikam.com. Both trunks can be configured to perform AD FS authentication using the same AD FS 2.0 server: sts.contoso.com. In this type of deployment, the AD FS 2.0 server is published through one of the Forefront UAG trunks, or by an AD FS proxy that is parallel to Forefront UAG.

  • AD FS single sign-out—AD FS 2.0 and Forefront UAG provide a single sign-out experience for end users. When users sign out from the Forefront UAG portal, they are also signed out from all applications in all Forefront UAG trunks that rely on the authenticating federation server. Similarly, when users sign out from an application, they are also signed out from the Forefront UAG portal and any other applications that use the same authenticating federation server.


    When users sign out from Forefront UAG, they may also be signed out from applications that are not published by Forefront UAG.


    Since Forefront UAG works only with the WS-Federation Passive protocol, it is not possible to ensure that single sign-out occurs. For example, if users close their browser instead of signing out, single sign-out may not occur.