UAG not passing claims to SharePoint RRS feed

  • Question

  • We are using ADFS 2.0 with UAG SP1 to protect a SharePoint site.  We have successfully tested claims-based authentication between ADFS and SharePoint.  Now we are trying to put the pieces behind the UAG.  We can successfully authenticate using ADFS through the UAG, but when we attempt to go to the SharePoint site from the UAG Portal no claims are passed, and SharePoint then redirects over to ADFS where the initial login form is again displayed.  In looking at the flow in Fiddler I can see that the initial authentication from ADFS sent a SAML response to the UAG which allowed access to the UAG Portal.  But nothing is passed to SharePoint.  I've missed something in configuring UAG/ADFS/SharePoint, but what?  Any suggestions would be appreciated.
    Thursday, May 19, 2011 3:47 PM

Answers

  • Hi Rakesh,

    1) UAG -> ADFS Server

        ADFS is defined as an authentication server in the UAG.  On the trunk you select the ADFS Authentication Server and SSO as the authentication mechanism.  This means that the UAG delegates the authentication process to ADFS.  A user is first authenticated to the UAG trunk via ADFS.

    2) UAG and SharePoint 2010 CBA application & 3) SharePoint CBA to ADFS 2.0 server

        When an authenticated user attempts to access an SP CBA application (assuming that it is published in the same trunk as above), the SP's Secure Token Service (STS) contacts ADFS (assuming that it has been configured as the Trusted Token Issuer) via the UAG.  ADFS returns the claims (assuming that it has been configured with the appropriate claim rules) to the STS, which turns them into claims for use by the SP CBA.


    hope that helps

    mike

    • Marked as answer by Erez Benari Saturday, August 27, 2011 12:02 AM
    Wednesday, June 15, 2011 9:32 PM

All replies

  • I figured out what was wrong in our setup.  We had two issues that needed correction.  The first one was that, for some reason, when the authenticated user hit the SharePoint portal from the UAG, the STS responded from the default zone even though the UAG was pointing to the https site.  The default zone was accessing ADFS via a back channel which was used for earlier testing.  Once I changed the default zone to use the appropriate access path to ADFS via the UAG, the second item needed correction.  In our ADFS setup the SharePoint URN was incorrectly associated with the UAG relying party instead of the SharePoint relying party.  After correcting that issue, access to the SharePoint portal was allowed via the claims that were passed from ADFS.  We're also using an external claims provider in ADFS, which just adds to the mix.
    Thursday, May 26, 2011 2:46 PM
  • Hi Michael,

    We have deployed the same setup as you did. I have some problems from UAG to SharePoint 2010. Can you please suggest how to proceed here? I will try to explain our scenario.

    We have set up:
    ADFS 2.0 server farm
    UAG SP1
    SharePoint 2010


    1) I have configured the portal trunk as a relying party in the ADFS 2.0 server.

    2) I have created a SharePoint 2010 claims-aware application and added this application to the portal trunk.

    3) I could hit the portal trunk URL and this is redirected to the ADFS login page where I pass in my credentials. ADFS is authenticating me against Active Directory and then my request is redirected to the portal application with a SAML token. Now I can see "Sharepoint 2010 application" in the list.

    My question is:

    How can I configure the SharePoint application to use claims-based authentication with the SAML token?

    Do I have to configure the SharePoint app with the ADFS 2.0 server?

    Any suggestion will be appreciated.

    Thanks in advance

    /Rakesh


    Wednesday, June 1, 2011 12:09 PM
  • Hi Rakesh,

    Yes, you do need to configure your SharePoint app as a relying party in ADFS.  What happens is this: the first time, you are authenticated to the UAG via ADFS, where the UAG is the relying party.  Now that you are authenticated, when you try to access your SharePoint portal it redirects to ADFS via the UAG for claims.  This assumes that you have set up the SharePoint portal as a claims-aware application and that you have defined ADFS in your SharePoint STS (using the published URL that is configured on the UAG) as the claim provider.


    Hope that helps

    mike

    • Proposed as answer by Ran [MSFT] Monday, June 6, 2011 7:28 AM
    Wednesday, June 1, 2011 3:55 PM
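Mike's reply above and Michael's own fix earlier in the thread (the SharePoint URN attached to the UAG relying party instead of the SharePoint one, and a zone reaching ADFS over an internal back channel rather than the UAG-published URL) both come down to two objects having to match: the SharePoint trusted identity token issuer and the SharePoint relying party trust in ADFS. The PowerShell below is an added illustration of that pairing, not anything posted in the thread; the hostnames, the `urn:sharepoint:portal` identifier, the claim rule and the certificate path are placeholders you would replace with your own values.

```powershell
# ===== SharePoint 2010 side (SharePoint 2010 Management Shell) =====
# Placeholder values (not from the thread):
#   adfs.contoso.com           ADFS as published THROUGH the UAG trunk
#   urn:sharepoint:portal      identifier of the SharePoint relying party in ADFS
#   C:\certs\adfs-signing.cer  exported ADFS token-signing certificate
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-signing.cer")

# Accept the e-mail address claim from ADFS and use it as the identity claim.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# -Realm must equal the Identifier of the SharePoint relying party trust in ADFS
# (the second bug in the thread: that URN was attached to the UAG relying party).
# -SignInUrl must be the ADFS endpoint reachable via the UAG-published name, not
# an internal back-channel hostname (the first bug in the thread).
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS via UAG" `
    -Description "ADFS 2.0, published through the UAG trunk" `
    -Realm "urn:sharepoint:portal" `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailMap `
    -SignInUrl "https://adfs.contoso.com/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType

# Check: the realm and sign-in URL SharePoint will actually use.
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, Realm, ProviderUri

# ===== ADFS 2.0 side (run on the federation server) =====
Add-PSSnapin Microsoft.Adfs.PowerShell

# Separate relying party trusts for the UAG trunk and for SharePoint; the
# SharePoint URN belongs ONLY on the SharePoint trust.
Add-ADFSRelyingPartyTrust -Name "UAG portal trunk" `
    -Identifier "https://portal.contoso.com/" `
    -WSFedEndpoint "https://portal.contoso.com/"

# Issue the e-mail claim from AD and permit all authenticated users.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail as emailaddress"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-ADFSRelyingPartyTrust -Name "SharePoint 2010 portal" `
    -Identifier "urn:sharepoint:portal" `
    -WSFedEndpoint "https://sharepoint.contoso.com/_trust/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: each identifier should appear under exactly one relying party trust.
Get-ADFSRelyingPartyTrust | Select-Object Name, Identifier
```

The two `Select-Object` checks at the end are what you would compare when SharePoint keeps bouncing users back to the ADFS login form: the Realm on the SharePoint issuer and the Identifier on the SharePoint relying party trust must be the same string, and ProviderUri must be the UAG-published ADFS address.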
  • Hi Mike,

    I am a bit confused here. Can you please explain the flow between

    1) UAG and ADFS server

    2) UAG and Sharepoint 2010 CBA application

    3) Sharepoint CBA to ADFS 2.0 server

    Thanks in advance.

    /Rakesh

    Tuesday, June 7, 2011 2:20 PM