UAG - Just application firewall ?

  • Question

  • hey there,

    Except for being an application firewall and SSO provider (in the same domain, as I have seen until now...), can UAG provide me SSO for users from domain A to resources in domain B (where UAG sits)?
    I want to use some "shadow accounts" that will be mapped from domain A to shadow accounts in domain B and use them (the shadows in B) to authenticate to applications in my domain (domain B)...

    This can be established by using ADFS and NT tokens... can it be established in UAG too?

    Thank you !
    Tuesday, October 27, 2009 1:49 PM

Answers

  • In theory (haven't tried it)... you have two scenarios.
    1: User has presented UID+Pwd and Pwd is in sync between the two stores.
    You set up UAG to authenticate using one store and delegate using the other.
    This would give you "SSO"-like behaviour.

    2: User does not present Pwd, only UID, or Pwd is not synced, and UID is the same in the two stores.
    If UAG is in the same domain as the resource you can use Kerberos delegation.
    UAG auths against Domain A, but delegates using KCD and the account in Domain B.

    As I said, this is theory and not verified in practice, but please let us know if you do some practice on this and find some holes in this theory.
    • Marked as answer by Erez Benari Tuesday, October 27, 2009 9:12 PM
    Tuesday, October 27, 2009 6:48 PM
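    Scenario 2 above hinges on the delegation settings of the UAG server's computer account in Domain B. The following PowerShell is an added audit example, not something from this thread or from the UAG product; it assumes the ActiveDirectory module, a placeholder computer name UAG01 and a placeholder backend SPN HTTP/app.domainb.example.

```powershell
# Added example (not from the thread): audit the delegation settings on the
# UAG server's computer account in Domain B before relying on KCD.
# Assumptions: ActiveDirectory module present; UAG01 and the SPN below are placeholders.
Import-Module ActiveDirectory

$uagComputer  = 'UAG01'                        # placeholder computer account name
$expectedSpns = @('HTTP/app.domainb.example')  # placeholder backend SPN(s) UAG should reach

$acct = Get-ADComputer -Identity $uagComputer -Properties `
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# "Trust this computer for delegation to any service" (unconstrained) would let a
# compromised UAG box impersonate users to every service in the domain; flag it.
if ($acct.TrustedForDelegation) {
    Write-Warning "$uagComputer is trusted for UNCONSTRAINED delegation; restrict it to specific services."
}

# The user authenticated to UAG with UID+password against Domain A, not with a
# Kerberos ticket, so KCD needs protocol transition ("use any authentication protocol").
if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "Protocol transition is not enabled; KCD from a non-Kerberos front-end will fail."
}

$allowed = @($acct.'msDS-AllowedToDelegateTo')
Write-Host "Services $uagComputer may delegate to:"
$allowed | ForEach-Object { Write-Host "  $_" }

# Every extra target widens what an attacker gains from the UAG machine account.
$extra = $allowed | Where-Object { $expectedSpns -notcontains $_ }
if ($extra) { Write-Warning "Unexpected delegation targets: $($extra -join ', ')" }

$missing = $expectedSpns | Where-Object { $allowed -notcontains $_ }
if ($missing) { Write-Warning "Missing delegation targets: $($missing -join ', ')" }
```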

All replies

  • First, thank you.

    The sAMAccountName is going to be the same in both domains, so I'll try to map it this way.
    I must authenticate the users who log in to domain A (in domain A) before I let them use resources in domain B.

    Anyway, I'll try one of the scenarios.
    Thank you again.
    Tuesday, October 27, 2009 8:02 PM