Remote partner employee access using claims
Updated: July 31, 2012
Applies To: Unified Access Gateway
This topic describes the Active Directory Federation Services (AD FS) 2.0 topology when remote partner employees access applications published by the resource organization using claims-based authentication. This topology should be used when your organization is the partner organization and your remote employees (remote partner employees from the viewpoint of the resource organization) require access to the resources published by the resource organization. This topology enables you to provide strong authentication to your AD FS 2.0 server, and to provide anywhere access for partner employees.
Topology description
Sign-in flow
Deployment tasks
Topology description
The following diagram shows the main components in the system.
In this topology:
The server running SharePoint Products and Technologies in the resource organization is configured to trust the Resource Federation server.
The resource federation server is configured to trust the partner AD FS 2.0 server (Account Federation server). This trust is a federated trust, not a domain trust.
The Account Federation server has been published as an application through Forefront UAG.
The resource organization may also use Forefront UAG to publish applications and the AD FS 2.0 server; however, it is not shown here to simplify the diagram.
Sign-in flow
When users from the partner organization attempt to access the published SharePoint application, the following simplified flow occurs:
The remote partner users attempt to access the published SharePoint application using claims-based authentication.
The SharePoint server redirects the web browser request to the Resource Federation server to authenticate the user.
The Resource Federation server shows the home realm discovery page to users on which they must choose the organization to which they belong; in this case, the partner organization.
The Resource Federation server redirects the web browser request to the Account Federation server.
Forefront UAG intercepts the redirection to the Account Federation server and instead redirects the web browser to the Forefront UAG login page.
Users log in to Forefront UAG using a non-federated authentication method, for example, FBA or two-factor authentication.
Forefront UAG redirects the web browser request to the Account Federation server, which provides users with a security token.
Users are redirected to the Resource Federation server, which provides users with a security token from the application and also redirects users to the application, which now allows access to the users.
Note
JavaScript must be enabled on the client browser.
After the first successful connection to the SharePoint site, the Resource Federation server stores a cookie on the user’s computer. The cookie is stored by default for 30 days; the duration is configurable in the web.config file on the Resource Federation server. During this time, users are not required to answer identification questions on the home realm discovery page; that is, choosing the organization to which they belong.
Deployment tasks
To deploy this topology, complete the following tasks:
Configure non-federated trunk authentication. See Implementing frontend authentication.