한땀한땀/Forefront

Why deploy Forefront UAG with AD FS 2.0?

http://technet.microsoft.com/en-us/library/gg470575.aspx

Published: December 2, 2010

Updated: February 1, 2011

Basic advantages of AD FS
1. It allows secure federation using AD.
2. Multiple accounts are not needed, so SSO can be implemented (across organizations, platforms, and applications).
3. The UAG server has the ability to delegate authentication for multiple applications.

This topic describes the benefits of deploying Forefront Unified Access Gateway (UAG) with Active Directory Federation Services (AD FS) 2.0.

  • General benefits—AD FS 2.0 provides the following benefits to your organization:
    • Enables organizations to collaborate securely across Active Directory domains by using identity federation.
    • Reduces the need for duplicate accounts and other credential management overhead by enabling federated single sign on (SSO) across organizations, platforms, and applications.
    • Provides identity delegation so that authorized applications can impersonate their users when they access infrastructure services, even when the original users do not have local accounts.

Advantages in the SSO scenario
If SSO means reducing repeated logons,
AD FS is provided web-based and has the ability to handle SSO authentication for multiple web applications through a single browser session, and
when AD FS and UAG are used together, UAG relies on the AD FS infrastructure to provide SSO for the requested applications.
Replacing the AD FS Proxy server
Because UAG can take over the function of the AD FS Proxy server that existed to protect the internal network, the implementation is less complex in terms of network structure, and applications can be exposed securely while being protected by UAG.

  • Single sign on—The process of authenticating to one network while accessing resources in another network without the burden of repeated logon actions by users, is known as SSO. AD FS provides a web-based, SSO solution that authenticates users to multiple web applications over the life of a single browser session. When you deploy Forefront UAG with AD FS, Forefront UAG relies on the AD FS infrastructure to provide SSO for claims-aware applications.

  • AD FS proxy—In an AD FS deployment, to avoid placing the AD FS server directly on the Internet, you can use an AD FS proxy which enables you to keep your AD FS server within your protected corporate network. However, if you want to use AD FS for authentication to your other applications, they must be configured such that they are accessible from the Internet. Because Forefront UAG can provide AD FS proxy functionality and also provide protection for published applications, you can simplify your environment by deploying Forefront UAG. When you use Forefront UAG, you no longer require a dedicated AD FS proxy server, and your application deployment may be less complicated because Forefront UAG protects your published applications.

Single Sign-out in the AD FS scenario
UAG authenticates at the Portal through the web browser.
When logging out of the entire UAG Portal, not only does logout also occur in the applications that use the same authentication,

  • AD FS single sign-out—AD FS 2.0 and Forefront UAG provide a single sign-out experience for end users. When users sign out from the Forefront UAG portal, they are also signed out from all applications that rely on the authenticating federation server. Similarly, when users sign out from an application, they are also signed out from the Forefront UAG portal that uses the same authenticating federation server.

    Note:
    When users sign out from Forefront UAG, they may also be signed out from applications that are not published by Forefront UAG.

    Note:
    Since Forefront UAG works only with the WS-Federation Passive protocol, it is not possible to ensure that single sign-out occurs. For example, if users close their browser instead of signing out, single sign-out may not occur.