In the last two posts on this subject I showed you how to use UAG with Forms Based Authentication and as an ADFS Proxy. Today's demonstration shows how to use it with strong authentication, in this case certificate authentication. The topology is very similar to the FBA topology, but it requires additional configuration on the UAG to require a client certificate, and we have to use Kerberos Constrained Delegation (KCD) to reach the ADFS server. KCD is required because a user who authenticates to the UAG portal with a certificate never presents a UserID/password, so UAG has nothing it could replay to AD FS. If we want SSO, UAG must instead obtain a Kerberos service ticket for the AD FS server on the user's behalf, and because UAG holds no user credentials this is the protocol-transition flavour of KCD (the "use any authentication protocol" delegation setting on the UAG computer account, constrained to the AD FS service principal name).
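The delegation configuration described above is done on the UAG server's computer account in Active Directory. The following is an added example, not from the original post, showing how to set it up and verify it with the ActiveDirectory PowerShell module. The computer name UAG01, the AD FS farm name adfs.contoso.com and the service account svc-adfs are assumptions for illustration; substitute your own names.

```powershell
# Added example (not from the original post): grant the UAG 2010 server
# Kerberos Constrained Delegation with protocol transition to AD FS 2.0.
# Assumed names:
#   UAG01             - computer account of the UAG server
#   HTTP/adfs.contoso.com - SPN of the AD FS farm that UAG delegates to
#   svc-adfs          - AD FS 2.0 service account expected to own that SPN
# Run as a domain admin where the ActiveDirectory module is available.
Import-Module ActiveDirectory

$uag     = 'UAG01'
$adfsSpn = 'HTTP/adfs.contoso.com'
$adfsSvc = 'svc-adfs'

# 1. The target SPN must exist on exactly one account. A missing or
#    duplicate SPN is the most common reason KCD fails with no useful error.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$adfsSpn'" `
                         -Properties servicePrincipalName)
if ($owners.Count -ne 1) {
    throw "Expected exactly one account holding $adfsSpn, found $($owners.Count)"
}
if ($owners[0].Name -ne $adfsSvc) {
    Write-Warning "$adfsSpn is registered to $($owners[0].Name), not $adfsSvc - check the AD FS service identity"
}

# 2. Constrain delegation: UAG may request tickets only for the AD FS SPN.
Get-ADComputer $uag |
    Set-ADComputer -Add @{ 'msDS-AllowedToDelegateTo' = $adfsSpn }

# 3. Protocol transition ("use any authentication protocol"). Required here
#    because the user authenticated to UAG with a certificate, so UAG never
#    saw a password and cannot perform Kerberos on the user's behalf otherwise.
Get-ADComputer $uag | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Verify. TrustedForDelegation must stay False: that flag is unconstrained
#    delegation, which would let UAG impersonate users to any service.
$acct = Get-ADComputer $uag -Properties msDS-AllowedToDelegateTo,
                                        TrustedToAuthForDelegation,
                                        TrustedForDelegation
$acct | Select-Object Name, TrustedToAuthForDelegation, TrustedForDelegation,
    @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
if ($acct.TrustedForDelegation) {
    Write-Warning "$uag is trusted for UNCONSTRAINED delegation - tighten this"
}
```

The SPN written to msDS-AllowedToDelegateTo must be the same one entered in the application's authentication settings in the UAG Management console, and the UAG computer account must be allowed to delegate only to that SPN; if AD FS sits behind a load balancer, the SPN is the farm name, not an individual node.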
In the previous post I showed you how UAG can be used with ADFS to publish claims-aware applications and provide single sign-on into them alongside traditional applications that require a UserID/password. In that demonstration UAG was configured with Forms Based Authentication (FBA), and users authenticated to UAG before they could access the actual applications.
Today's demonstration shows a different UAG/ADFS topology: with UAG configured as an ADFS proxy, it exposes the ADFS server for authentication and can then either present the UAG portal or route the user directly to the target application.
More and more companies wish to provide secure access to their applications from external locations. At the same time, many of these applications are starting to adopt new authentication technologies, for example claims-based authentication. The following demonstration shows how companies can use Forefront UAG 2010 and AD FS 2.0 to provide secure access to different types of internal applications, all published through a single unified portal with a Single Sign-On experience for their users.
The solution in this demonstration shows UAG implemented with FBA as the main authentication mechanism and its ability to access claims-based applications.