UAG Service Pack 2 and ADFS authentication scenarios

  • Hi All,

    For a customer we are implementing UAG with ADFS 2.0. They have 2 types of applications in the cloud, one that requires 1-factor authentication and one that requires 2-factor authentication. On UAG we created a trunk for ADFS (sts.company.com) with a non-federated authentication (2-factor) configuration. The applications in the cloud redirect the user to the UAG trunk sts.company.com and the user has to authenticate with 2-factor authentication.

    Is it possible to make a configuration where a redirection from application 1 results in a 1-factor authentication and a redirection from application 2 results in a 2-factor authentication on UAG?

    In Service Pack 2 for UAG, multi-namespace support for ADFS is enabled. Does this mean we can create 2 trunks on UAG, one for 1-factor authentication (sts1.company.com) and one for 2-factor authentication (sts2.company.com), that redirect to the same ADFS instance?

    Also, an improvement for ADFS 2.0 in UAG Service Pack 2 is: "Use the ADFS Proxy to publish the ADFS 2.0 server." What does this mean, don't use UAG as an ADFS proxy anymore? Is that an improvement in UAG SP2?!

    Below is the text provided by Microsoft for UAG Service Pack 2.

    Improved Active Directory Federation Services 2.0 support

    You can provide remote and partner employees with access to published applications that have AD FS 2.0 enabled. For example, you can do the following:
    • Use AD FS multi-namespace support: Multi-namespace support for AD FS 2.0 lets you use a single AD FS 2.0 server that has multiple Forefront UAG trunks when the fully qualified domain names (FQDNs or public host names) of the trunks are in different domains. For example, the FQDN of the first trunk is portal.contoso.com, and the FQDN of the second trunk is portal.fabrikam.com. Both trunks can be configured to perform AD FS authentication by using the same AD FS 2.0 server (sts.contoso.com). In this kind of deployment, the AD FS 2.0 server is published through one of the Forefront UAG trunks or by an AD FS proxy that is parallel to Forefront UAG.
    • Use the AD FS proxy to publish the AD FS 2.0 server: Publishing the AD FS 2.0 server by an AD FS proxy has many advantages over publishing the AD FS 2.0 server through Forefront UAG. These advantages include support for Office 365 authentication and mobile devices.

    Regards,

    Maikel

    Tuesday, September 4, 2012 11:59 AM

All replies

  • Hi Maikel

    I am looking into the same scenario. Did you find any authentication scenarios using ADFS 2.0 and UAG SP2? Please let me know if you know of something.

    Thanks in advance

    /Rocky

    Sunday, October 14, 2012 1:05 PM