UAG with ADFS and FIM for external users

  • Question

  • Hi,

    I have been looking into using a combination of UAG with ADFS 2.0 and FIM v2 for secure external SharePoint collaboration.

    The requirement would be for a company to share out a resource, like SharePoint, to external users (a few business partners, but they don't have ADFS in their environment; that's why we would like to use FIM v2 for user account management). SharePoint would be 'published' by UAG securely.

    One thing I wanted to do was tie in ADFS to this setup for SSO capabilities as well as a more secure method of collaboration, allowing external users to create accounts and change their passwords within the gateway domain in the DMZ. I believe FIM is capable of doing this. My questions are:

    Since you need to perform a federated trust between the two organizations for ADFS to work properly, can UAG still sit in the middle between the two ADFS servers and act as the proxy?

    What about the external URL that needs to be put in place for SharePoint access? Would I create a portal for both SharePoint AND the ADFS trunk?

    I have checked "AD FS and UAG are Better Together–Example of a real Solution" blog post at http://blogs.technet.com/b/dmitrii/archive/2011/10/29/ad-fs-and-uag-are-better-together-example-of-a-real-solution.aspx

    Do we need 2 separate UAG servers (one internet-facing, and the other intranet-facing), or can we design with 1 UAG server?

    We have split DNS and can have the same URL for the internet as well as the intranet. Where do we need to put the SharePoint 2010 server (claims-based authentication) and the FIM servers? As we will only have external users with accounts registered in the gateway AD with FIM, and don't have any federated users, how many trunks do we need to create?

    Thanks in advance for your help in designing UAG with ADFS v2 and FIM v2.


    Tek-Nerd

    Wednesday, March 21, 2012 6:13 PM

All replies

  • No replies so far... If I don't want to install an additional domain and ADFS in the DMZ to maintain external user accounts, is there any best method to publish SharePoint 2010 through UAG with limited access to authenticated users, like SQL authentication...?


    Tek-Nerd

    Wednesday, March 28, 2012 1:37 PM
  • No reply so far because this kind of design is rather complex and rare. I am currently working on implementing the same design of a UAG-ADFS-FIM environment like what you described above.

    Here is what I can say about your questions:

    Since you need to perform a federated trust between the two organizations for ADFS to work properly, can UAG still sit in the middle between the two ADFS servers and act as the proxy?

    The answer for this is absolutely NO. UAG cannot sit in the middle of two ADFS servers. It can only sit in the middle of ONE and act as a proxy for it (assuming each of your ADFS servers belongs to a different AD forest). (Spent about 30 hours with Microsoft Premier Support to get that answer.)

    Do we need 2 separate UAG servers (one internet-facing, and the other intranet-facing), or can we design with 1 UAG server?

    The answer for this is that you need one UAG and one ADFS Proxy if you want all users to access a single portal. See the link below for an example:

    http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2011/08/16/provide-access-to-your-partner-on-your-uag-portal-with-adfs-2-0.aspx

    Wednesday, October 9, 2013 5:26 PM
  • Hiya,

    Just to break it up so it becomes a lot more transparent what you're doing. The setup becomes complex because there is a lack of understanding.

    Comments:

    C1: ADFS allows authentication using identities from different domains. In this case UAG needs to be a member of one of the domains, in order to use any federation from any of the ADFS servers. For this setup, I would install the UAG within the internal domain.

    C2: You can design it with one UAG server to handle both. You might need separate trunks though, depending on how you want to handle your internal users.

    C3: Your solution is basically:
    a: Provide "public" access to your intranet. (Done using UAG)
    b: Provide external users access to your intranet (making it an extranet). (Done using UAG and ADFS)
    c: Provide SSO for all users. (Done using UAG, ADFS and AD)
    d: Use FIM for identity management. (Done using UAG)

    You publish FIM through UAG. Its web portal is published using SharePoint, if I remember correctly. So most functionality should work using default UAG rules.

    You probably need two or three trunks for this:
    First trunk: External users, set up with ADFS.
    Second trunk: Accessing FIM services. Probably needs anonymous access to some extent for the self-service components.
    (Third) trunk: Internal users, set up with the internal AD.

    Note: I can't remember if UAG can handle more than one type of logon server per trunk. (I don't think so.)

    I would approach this project in two or three steps: (a+c) and/or (b+c), and (d).

    I'm not sure if that aids your concerns?


    Monday, October 14, 2013 8:47 AM