SharePoint 2010, ADFS 2.0, ForeFront UAG and Claims Based Authentication

  • Question

  • We are using ADFS 2.0 with UAG SP1 to protect a SharePoint site. We have successfully tested claims based authentication between ADFS and SharePoint. Now we are trying to put the pieces behind the UAG. We can successfully authenticate using ADFS to the UAG, but when we attempt to go to the SharePoint site from the UAG Portal no claims are passed and SharePoint then redirects over to ADFS, where the initial login form is again displayed. Looking at the flow in Fiddler I can see that the initial authentication from ADFS sent a SAML response to the UAG, which allowed access to the UAG Portal. But nothing is passed to SharePoint. I've missed something in configuring UAG/ADFS/SharePoint, but what? Has anyone successfully implemented CBA with the UAG and SharePoint 2010? Any suggestions would be appreciated. I have also posted this question in the ForeFront forums.
    Thursday, May 19, 2011 9:32 PM

Answers

  • Thanks Rock for the response. I figured out what was wrong in our setup. We had two issues that needed correction. The first one was that, for some reason, when the authenticated user hit the SharePoint portal from the UAG, the STS responded from the default zone even though the UAG was pointing to the https site. The default zone was accessing ADFS via a back channel which was used for earlier testing. Once I changed the default zone to use the appropriate access path to ADFS via the UAG, the other item needed correction. In our ADFS setup the SharePoint URN was incorrectly associated with the UAG relying party instead of the SharePoint relying party. After correcting that issue, access to the SharePoint portal was allowed via the claims that were passed from ADFS. We're also using an external claims provider in ADFS, which just adds to the mix.
    Thursday, May 26, 2011 2:46 PM
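The accepted answer traces the broken sign-in to two settings: the SharePoint realm (URN) attached to the wrong relying party trust in ADFS, and the SharePoint default zone reaching ADFS through a path the UAG did not front. The following PowerShell is an added check written for this thread; it is not code from the thread, from Microsoft, or from either product's documentation. It assumes the ADFS 2.0 snap-in (Microsoft.Adfs.PowerShell) on the federation server and the SharePoint 2010 snap-in on a SharePoint server; the realm URN, the relying party name and the web application URL are placeholders to replace with your own values. It prints which relying party trusts own the realm and how each SharePoint zone maps to a realm, so the two mistakes in the answer show up before a user hits the redirect loop.

```powershell
# Added example, not from the thread. Two parts: run Part 1 on the ADFS 2.0 server,
# Part 2 on a SharePoint 2010 server. All names below are placeholders (assumptions).

# ---------- Part 1: ADFS 2.0 - who owns the SharePoint realm? ----------
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$spRealm  = "urn:sharepoint:portal"   # placeholder: the wtrealm SharePoint sends to ADFS
$spRpName = "SharePoint Portal"       # placeholder: the relying party trust meant to own it

# Every relying party trust whose Identifier list contains the SharePoint realm.
$owners = Get-ADFSRelyingPartyTrust | Where-Object { $_.Identifier -contains $spRealm }

if ($owners.Count -eq 0) {
    Write-Warning "No relying party trust carries identifier $spRealm"
}
foreach ($rp in $owners) {
    # The answer's second bug: the realm attached to the UAG trust instead of SharePoint's.
    if ($rp.Name -ne $spRpName) {
        Write-Warning ("Realm {0} is attached to '{1}', expected '{2}'" -f $spRealm, $rp.Name, $spRpName)
    } else {
        Write-Host ("OK: realm {0} belongs to '{1}'" -f $spRealm, $rp.Name)
    }
    # WS-Federation endpoint is where ADFS posts the token back; it must be the
    # published (UAG-fronted) SharePoint URL, not an internal back-channel address.
    Write-Host ("   WS-Fed endpoint: {0}" -f $rp.WSFedEndpoint)
}

# ---------- Part 2: SharePoint 2010 - which realm does each zone use? ----------
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$waUrl = "https://portal.contoso.example"   # placeholder: the published web application URL
$wa    = Get-SPWebApplication $waUrl
$sts   = Get-SPTrustedIdentityTokenIssuer | Select-Object -First 1

Write-Host ("Trusted issuer '{0}' signs in at {1}" -f $sts.Name, $sts.ProviderUri)
Write-Host ("Default realm: {0}" -f $sts.DefaultProviderRealm)

# ProviderRealms maps a zone URL to the realm SharePoint sends for that zone.
foreach ($entry in $sts.ProviderRealms.GetEnumerator()) {
    Write-Host ("Realm map: {0} -> {1}" -f $entry.Key, $entry.Value)
}

# Alternate access mappings: the answer's first bug was the Default zone pointing at a
# path that reached ADFS outside the UAG. The Default zone's public URL should be the
# UAG-published one, and it should have a realm entry above.
foreach ($aam in Get-SPAlternateURL -WebApplication $wa) {
    $realm = $sts.ProviderRealms[[Uri]$aam.PublicUrl]
    $note  = if ($realm) { "realm $realm" } else { "NO realm mapping for this zone" }
    Write-Host ("Zone {0}: incoming {1} public {2} ({3})" -f $aam.Zone, $aam.IncomingUrl, $aam.PublicUrl, $note)
}
```

Read the two outputs side by side: the realm reported for the Default zone in Part 2 must appear under the SharePoint relying party trust in Part 1 (and under no other trust), and that trust's WS-Fed endpoint must be the zone's public URL. Any mismatch is the same class of misconfiguration the answer describes, and it is cheaper to catch here than by reading the Fiddler trace of a redirect loop.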

All replies

  • Hi Michael,

    Did you apply Microsoft Unified Access Gateway (UAG) 2010 Service Pack 1 (SP1)? If you are using Microsoft Unified Access Gateway (UAG) 2010 with Service Pack 1 (SP1) installed, you should be aware of additional capabilities that were added in UAG SP1:

    UAG SP1 adds support for Active Directory Federation Services Version 2.0 (ADFS 2.0), and UAG is a claims-aware relying party that now supports publishing with claims-based authentication. (Partner access using single sign-on to applications or to servers running SharePoint Server that are not claims-aware is still supported.)

    UAG SP1 adds claims-based authorization. For example: if a user has a claims role, UAG can allow or deny the user's access based on the value of the claim. These rules are set through policy in UAG and are mapped to roles in ADFS.

    Note: these claims-based authorization rules can only be used when UAG is a relying party of ADFS.

    For more information about Forefront Unified Access Gateway (UAG) 2010, please refer to the following article:

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=980ff09f-2d5e-4299-9218-8b3cab8ef77a

    Thanks,

    Rock Wang

    Regards, Rock Wang Microsoft Online Community Support
    Thursday, May 26, 2011 6:54 AM