Provide access to your Partner on your UAG Portal with ADFS 2.0

forefrontsecurity — Tue, 16 Aug 2011 07:58:00 GMT

Hi,

As Hicham already demonstrate, you can add Claims Provider Trust on your Federation Server. His example is a Federation with Azure services, but you can do the same with a Federation Partner. Have a look at this article : http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2011/08/05/authenticating-to-your-network-through-your-online-credentials.aspx

Let’s assume that the Labiam Corporation wants to allow access on his UAG Portal to the UAG.com company. Both have a Federation Service.

As you can see on the above schema, we have to create a Claims Provider Trust on the LABIAM Federation Server, and add this Federation Server as a Trusted relying Party on the UAG.com Federation Server.

With the FederationMetadata URL, it is easy to add this provider

Add the necessary claims to the Provider (Windows Account Name, Role …)

On the other side, create the Relying Party Trust, and accept the required claims.

Now, when a user access the UAG Portal, he can choose his repository, and your Partner can access your publications.

Then you can filter the access to specific application, using the Role Type of Claims (developed in a previous article : http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2011/08/16/ad-fs-2-0-and-uag-set-authorization-on-application-in-uag-based-on-claims-roles.aspx)

AD FS is a very great feature. No matter Network considerations, Active Directory Trust Relationships, just use HTTP(s) Exchange to Federate your Business Partners.

Published by Olivier DETILLEUX

AD FS 2.0 and UAG : Set authorization on application in UAG based on Claims Roles

forefrontsecurity — Tue, 16 Aug 2011 07:12:57 GMT

Hi all,

AD FS 2.0 provide transparent authentication on the UAG Portal. Hicham and I have already deal with this great feature. Today, I will show how we can set authorization, based on claims, on the application published through UAG.

With the regular Form Based Authentication against an Active Directory, it is easy to set authorization for an application :

But with an ADFS authentication, how can we query Active Directory groups ? We have to enrich (add additional claims value) the SAML2 ticket with this information.

To achieve that, it is pretty simple.

Let’s assume that only the GGS_Director group can access the web application “Application”, and that James Kirk, as the Enterprise Director, is a member of this Active Directory group :

To add claims value in a SAML ticket, we must ask the Claims Provider to search the value in Active Directory, and send this value to the Relying Party.

On the Claims Provider (Active Directory), add a claims as a Role. In our case : If the user is a member of the GGS_Director group, then a GGS_Director as Role :

For the relying party, just pass through this value

On the UAG Side, specify that only Owner of the GGS_Director Role can access the application.

Now, when James open the portal, he can see the application, as Janice Rand cannot.

Easy, isn’t it ?

But you can say that it is not very convenient, if we must define a rule for each group.

You can also create a custom rule that query the Active Directory to return all groups that a user is directly member of.

Published by Olivier DETILLEUX

Forefront Security at myITForum : claims, ADFS V2

Provide access to your Partner on your UAG Portal with ADFS 2.0

AD FS 2.0 and UAG : Set authorization on application in UAG based on Claims Roles