Customers are asking if publishing AD FS endpoints using Microsoft Forefront Unified Access Gateway (UAG) is supported when using federated identities in Office 365.
In order to answer that question we’ll need to touch on AD FS endpoints.
AD FS endpoints
AD FS endpoints are used to provide clients with access to federated applications. Endpoints will issue authentication tokens to clients, after successful client authentication. These endpoints are managed by the customer on their AD FS servers, and can be managed, secured and published individually through a proxy.
For accessing Office 365 online services, three distinct endpoints must be considered:
1. Passive Federation (WS-Fed Passive Profile):
- This endpoint is used by web clients, when accessing the following services:
- Office 365 portal
- SharePoint portals
- Outlook Web App
- Also applies to Office 2007 and Office 2010 (Excel, Word, PowerPoint) when opening documents from SharePoint Online.
- Web client (browsers) will directly authenticate with the AD FS server, through this endpoint
2. Active Federation (WS-Fed Active Profile):
- This endpoint is used by rich clients supporting AD FS:
- Office Subscription client
- Clients listed above will negotiate to authenticate directly with the AD FS server, through this endpoint.
3. Basic Authentication “Active”:
- This endpoint applies to all clients relying on a service to authenticate on-behalf of users, and thus authenticating with Basic Authentication (credential passed over Basic Authentication)
- This endpoint is used by:
- Exchange ActiveSync
- Outlook 2007 and Outlook 2010
- IMAP, POP and SMTP
- Exchange Web Services
- The client sends basic authentication credentials over SSL to Exchange Online. Exchange Online will proxy this authentication request to the customer’s AD FS server on behalf of the client, through this endpoint.
So – can I use Forefront UAG for publishing AD FS endpoints?
Using UAG for publishing ADFS 2.0 endpoints is a supported scenario, but it only supports the WS-Federation Passive protocol. As seen above rich clients like Lync require communication to the AD FS 2.0 server through Forefront UAG using the WS-Federation Active protocol, which is not supported by Forefront UAG. The sign-in assistant does not help in this scenario because Forefront UAG blocks any communication using the active protocol.
When using Forefront UAG for publishing ADFS 2.0 to provide access to your Office 365 deployment, your users can use only applications that use passive requests, such as web browsers, and they must also install the sign-in assistant. They cannot use rich client applications that use the active protocol.
- Identify yourself – one or two passwords?
- Publishing Claims Aware Web Applications via Unified Access Gateway (UAG) SP1
- Forefront UAG and ADFS: Better together
- Configuring an AD FS proxy replacement trunk
- Deploying federation with AD FS