UAG and AD FS are Better Together - UAG as AD FS Proxy

In previous topologies (1 and 2) we did not expose AD FS server to the outside users as primary form of authentication. This topology will do this. One of the benefits of using UAG server in combination with AD FS is that it can now act as gateway or proxy server to the internal AD FS server, in fact UAG can now be configured as the relying party with AD FS server and accept SAML token for user authentication.

Figure 1 shows topology with AD FS acting as main authentication directory and providing access to internal claims based applications.

image

Figure 1

With this configuration UAG trunk is configured to use AD FS for authentication, it passes you all the way to the AD FS server, which challenges you for credentials, in this case it will prompt to provide username and password. AD FS issues security token to the user and it is presented for authentication to the UAG server. UAG server grants access to the UAG portal based on the security token issued from the trusted IDP STS – our internal AD FS server. Figure 2 shows how UAG trunk and published applications configured with different authentication providers.

image

Figure 2

When user tries to open published application, the user will obtain a new security token from the IDP STS, specific to this application.

Figure 3 shows authentication traffic to access the UAG portal and Figure 9 shows how user will access published claims based applications via UAG portal.

image

Figure 3

  1. The remote user attempts to access Forefront UAG portal. Since the UAG trunk is configured to use AD FS as its authentication provider, the Forefront UAG redirects the web browser request to the AD FS (IdP STS) server to authenticate the user. During this step, the IdP STS server might show the home realm discovery page to user (not shown in this diagram) on which he/she must choose the organization to which they belong; in this case, it would be Woodgrove Bank, but since this is a WebSSO configuration, the IDP STS will not show home realm discovery page. The IdP STS must authenticate the user. Depending on how it is configured, it might present user with AD FS Forms based authentication page or it might prompt with Windows authentication pop-up dialog box. The remote user provides credentials and authenticates using his/her own AD DS credentials.
  2. After successful authentication IdP STS creates security token with claims and it is transferred to the user.
  3. User is silently redirected and automatically authenticated to Forefront UAG using the security token created by the IdP STS server. User will see UAG portal with applications that this user is authorized to access. It is important to note, that authorization is done via claims and not via traditional windows security groups. In this configuration UAG did not authenticate the user against AD, it authenticated user solely based on the SAML token, and as such, the authorization decisions must be made based on the content of SAML token. Thankfully, Forefront UAG is smart enough to perform such authorization decisions.

After user authenticated to the portal he might decide to access published application, after all, why access the portal if not using applications?

image

Figure 4

  1. The remote user attempts to access the published claims based application using claims-based authentication in one of two ways, listed below. Regardless of the mechanism, target application will redirect the user to its trusted Resource Provider STS, in our case it is IdP STS.
    • By accessing the Forefront UAG portal and then clicking the published application (this is the follow up procedure to the previous diagram)
    • Or by accessing the published application directly using the alternate access mapping name (if application was published that way). If this is the case, the preceding steps in the previous diagram might take place as well, but user will not see the UAG portal, he will be taken straight to the published application.
  2. Forefront UAG redirects the web browser request to the IdP STS server to authenticate the user. Since user is already authenticated to IdP-STS when he authenticated to UAG portal, he will automatically re-authenticate to it with current session cookie.
  3. IdP STS creates security token with claims for published application and it is transferred to the user.
  4. User is silently redirected and automatically authenticated to the published site, after which the site appears.

By using UAG as the front end secure access point we are actually able to simplify AD FS infrastructure. In most situations, for Internet facing deployments, AD FS would deploy Federation Proxy server, which authenticates users on behalf of the internal AD FS server. With this configuration UAG server act as the front end gateway to the internal AD FS server and it is publishing AD FS authentication pipeline via its application publishing mechanism.

At this point it would be a good time to mention what type of UAG Portal features are not available if UAG trunk is configured as relying party to AD FS server. The first one is important to mention because it relates to the user password management. When UAG trunk is configured with AD authentication, it is capable to provide the following two important functions for our remote users:

  1. Password expiration notification. This is configurable on the trunk usually with 7 days threshold. If user password is about to expire, UAG will notify the user about it and allow to change it to a new password.
  2. Password change. After user authenticated to the UAG portal, he can always change password via this function. So if remote users are never come on site and they have no way to change their AD passwords via normal mechanism, then this is pretty much the only mechanism for self-password management.

With UAG trunk configured as relying party to AD FS, it never authenticates to AD. AD FS server authenticates user to AD and provides SAML token to UAG for authentication. UAG portal will never know if user password is about to expire and it is not capable to change user passwords because it is not configured with AD as authentication provider. Unfortunately, none of the password management functions provide via AD FS authentication, all it does, is authenticating the user. It will not notify the user about pending password expiration, nor does it provide the mechanism for password change. This is important limitation as it might affect overall design of your solution. If you must provide password management to your users, then you must publish UAG portal with AD as primary authentication provider.

There are other UAG features that are not available with AD FS authentication, here is a short list:

  • UAG supports only WS-Fed Passive profile
  • No Rich Applications publishing with AD FS authentication
  • Impact on Office Applications
  • Cannot publish applications installed on the AD FS 2.0 server
  • No HTTP to HTTPS redirection
  • No mobile device access on federated trunks