Secure Application Access by using AD FS and UAG – Strong Authentication
In the last two posts on this subject I showed to you how to use UAG with Forms Based Authentication and as ADFS Proxy. Todays demonstration shows how to use it with Strong Authentication – Certificate Authentication. The topology in this configuration is very similar to the FBA topology, but it requires additional configuration on the UAG to require certificate authentication and we have to utilize Kerberos Constrained Delegation to access ADFS server. KCD is required because when user authenticates to the UAG portal, he never provides his UserID/Password, so if we want to have SSO then UAG must be able to impersonate user by using KCD, and provide Kerberos ticket on the behalf of the user to the AD FS server.
This demonstration was created to satisfy the following requirements for our fictitious Woodgrove Bank Corp:
- Woodgrove Bank must provide secure access to documents on its Extranet SharePoint site to remote employees.
- SharePoint site was designed to accept Claims based authentication.
- Remote employees must use Smart Cards for accessing the site (certificate authentication).
- Limit access to client computers that do not meet the company policy.
As always, for best user experience please watch this demo in Full screen and enable HD. Let me know if you have any questions.