Single Sign On (SSO) between domains without trust relationship using UAG 2010 and custom ISAPI filter
Created by Idan on 1/25/2011 10:46:34 PM

Before you begin

I'm very excited to announce that we now have the ability to perform full SSO between forests without a trust relationship! For more information, contact us at info@ForefrontSecurity.org, or contact us 24x7.

Please dedicate a few minutes to think about the major benefits you can achieve by deploying UAG 2010 between domains or organizations that have no trust relationship, while still providing full single sign on (SSO), an audit trail and authorization tied to the original user who requires access to your internal web applications.

Think about the following scenarios and requirements and ask yourself whether you face them today. If so, UAG 2010 with our custom filter is your solution:

  1. You have an Active Directory in the DMZ and an Active Directory in your corporate LAN without a trust relationship, and your internal users need access to multiple internal applications from home, and you want to provide that access in the most secure way with full SSO
  2. You have branches with a dedicated forest, no trust between that forest and your internal forest, and you need to provide the branch users with access to multiple internal applications
  3. You have partners that are not connected to your internal network, you do not manage any trust relationship with them, and you need to provide them with access to internal applications
  4. You have a highly restricted network segment, and users from that network need access to applications located on a different, less restricted network segment

High level architecture

The following diagram illustrates the high level architecture, with an explanation of what the filter does (at a high level) on both sides, in each forest.

Users look & feel – Domain Users

  1. A user in Forest A logs in to their computer, which is a domain member
  2. The user opens Internet Explorer
  3. The user browses to the internal UAG URL
  4. The user seamlessly accesses the UAG portal in their own domain without entering credentials (you can configure UAG to open the application from Forest B directly, so the user never sees the UAG portal)
  5. Inside the UAG portal the user sees an icon for the application from Forest B
  6. The user clicks this icon and the application from Forest B opens without the user entering credentials

Users look & feel – External Users (from the Internet)

  1. An external user on the Internet opens a browser and browses to the external UAG
  2. The user enters their credentials for the external domain
  3. Inside the UAG portal the user sees an icon for the application from Forest B
  4. The user clicks this icon and the application from Forest B opens without the user entering credentials

If you have any questions regarding this custom filter or architecture, please post them on our Technical Forums or contact us directly at info@ForefrontSecurity.org.

Idan Plotnik, Security Engineer
