SSO without the UAG Portal in the way...

  • Question

  • Hi folks - we'd like to use UAG as a reverse proxy for SSO, however we don't want to see the portal.  We want the ability to point to an existing web app with a browser, enter in a credential (or use Kerb desktop authN), have the reverse proxy intercept, then relay such that the initial credential is mapped to a proxy protected credential store or web app directory and access be granted.  This is essentially how Tivoli WebSEAL does it, it authenticates on the back end for you.  But I don't have to look at a portal, it's all transparent. Is there a way to do this with UAG?

    Friday, November 2, 2012 4:59 PM

All replies

  • From your description it sorta sounds like you intend to have a reverse proxy behind UAG.  I believe this architecture is not supported by Microsoft unfortunately.

    If not - you can always remove the portal application and just map applications to the trunks, you will just have to use the application specific host name template to publish them.  As for SSO, I'm not sure what your reverse proxy requirements are but if you enable trunk level authentication, the user's credentials can be passed back directly to backend applications.  When other applications are accessed on the same trunk the users authenticated to originally, UAG should resubmit their credentials and the user will not have to log on.  I remember reading a blog one time showing that you can even perform intra-trunk SSO!


    Friday, November 2, 2012 7:41 PM
  • You can publish applications as application-specific hostname applications which may achieve the non-portal approach you are looking for: http://blogs.technet.com/b/edgeaccessblog/archive/2010/01/15/what-happened-to-basic-and-webmail-trunks.aspx

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, November 5, 2012 11:59 AM
    Moderator