Creating and managing the AD FS 2.0 application
Updated: July 31, 2012
Applies To: Unified Access Gateway
When you use the Remote partner employee access using claims topology, your employees may need to access applications published by a resource organization. In this topology, your organization is the partner organization and your employees are the partner employees. In this topology, if you are not using a federation server proxy, you can use Forefront Unified Access Gateway (UAG) to publish your Active Directory Federation Services (AD FS) 2.0 server as a Forefront UAG application.
To publish an AD FS 2.0 application
In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.
In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Active Directory Federation Services 2.0.
On the Configure Application page, enter an application name.
On the Select Endpoint Policies page, select the endpoint policies that you want to apply when accessing your AD FS 2.0 application.
On the Deploying an Application page, click Configure an application server.
On the Web Servers page, do the following:
In the Addresses box, enter the internal host name of the AD FS 2.0 server.
In the Public host name box, enter the public URL of the AD FS 2.0 server.
The public URL and the internal host name of the AD FS 2.0 server must be identical.
In the HTTPS port box, use the default port of 443.
On the Authentication page, if you want to use single sign-on (SSO), select the Use SSO check box, and then select the authentication server that you want to use for SSO.
On the Portal Link page of the wizard, do not make any changes.
When you complete the wizard, click Finish.
The Add Application Wizard closes, and the application that you defined appears in the Applications area of the Configuration section.
Activate the configuration.
When you create the AD FS 2.0 application manually it uses default paths. Make sure that these default paths cover everything that you need to publish and that they correspond with the AD FS 2.0 server configuration.
Managing the AD FS 2.0 application
When you publish an AD FS 2.0 server application for frontend authentication, Forefront UAG automatically enables pass-through for the AD FS 2.0 application; that is, that end users authenticate to the AD FS 2.0 repository when accessing the Forefront UAG trunk. You should not change this setting.
When you publish the AD FS 2.0 application manually, you can decide if you want to allow unauthenticated access to the application. It is not recommended to allow unauthenticated access to the AD FS 2.0 application when the application is used only as a standalone application.
To allow unauthenticated access to the AD FS 2.0 application
In the Forefront UAG Management console, click the trunk through which the AD FS 2.0 application is published. In the Applications list, click the AD FS 2.0 application, and then click Edit.
On the Application Properties dialog box, click the Authentication tab.
To allow unauthenticated access to the AD FS 2.0 application, select the Allow unauthenticated access to web server check box.
If you select this check box, any authorization rules that you configured for the AD FS 2.0 application are ignored.
Activate the configuration.