Channel: Forefront Edge Security – DirectAccess, UAG and IAG Forum

UAG with FIM and ADFS?


We have a potential client that wants us to host a SharePoint site at a co-location.  They have AD at their home office.  They want SSO for this SP site and to be able to manage password resets and other account stuff themselves.  I'm just learning about both ADFS and FIM.

My initial idea was to setup a new domain and ADFS at the colo site, then a FIM server as well, and integrate FIM with ADFS.  Is that possible?

OR can we put a domain controller up at the colo site and join it to -their- domain via VPN tunnel, then set up just a FIM server and they have SSO and account control that way?

These are the requirements as I understand them.

  • Provide a secure infrastructure solution that can be accessed by users over the Internet.
  • Provide an application portal to host applications for access by both internal and external users.
  • Allow external users to create accounts.
  • Allow external users to change their passwords.
  • Provide external users with self-service password reset functionality.
  • Allow internal users to leverage their current existing credentials for gaining access to the resources in this solution.
  • Federated access to published applications by partner users.
  • The solution must be secure, implemented in the DMZ environment, and ideally without Windows trusts between this solution environment and internal AD.

I don’t really know enough to know if it’s overly complex.  This leverages several technologies: ADFS, FIM and UAG.

What is UAG?  You can read the snippet here about UAG.

http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

Without any training or real world experience it’s really hard for me to speak authoritatively in such a small amount of time.  There are also unanswered questions, like where the users are stored now and will they continue to be stored there.

FIM has to be involved because that allows for the simplified user management, but if they place their own domain controller in the remote environment, ADFS and UAG could possibly be skipped.

With this complex model you need the following:

Co-located site

UAG server x2 – UAG delivers comprehensive, secure remote access to corporate resources for employees, partners, and vendors on both managed and unmanaged PCs and mobile devices. Utilizing a combination of connectivity options, ranging from SSL VPN to DirectAccess, as well as built-in configurations and policies, Forefront UAG provides centralized and easy management of your organization's complete anywhere-access offering.

UAG Trunk Design in this solution will have at least three trunks on each UAG server.

  1. The first trunk will publish anonymous applications. This trunk will be configured without any authentication requirements. The following are the primary applications that will be published via this trunk:
     • Initial landing page for users with menu selection of different tasks
     • Self Service Password Reset application
     • Self-User Registration application
  2. The second trunk will publish a portal for external users with password change function.
     • This trunk will use AD for primary authentication to the portal
     • Will use AD FS as secondary for claims-enabled apps
  3. The third trunk will publish a portal for users authenticating via SAML (federated).
     • This trunk will use AD FS as the primary authentication to the portal
     • It will be configured as a relying party with RP-STS

ADFS server x2 – Federated authentication between AD forests.  This accomplishes SSO between domains.  One is located at the corporate site, one at the colocation site.

FIM portal server – Forefront Identity Manager (FIM) provides self-service identity management for your users.  FIM provides role-based access control and allows administrators to review access rights continually across the organization. The FIM 2010 R2 release also adds an improved self-service password reset experience, along with performance, diagnostic, and reporting improvements.

Active Directory server x2 – Segregated, colocated authentication database that communicates via ADFS to provide federated authentication while keeping user accounts separate from the corporate domain.

SharePoint 2013 WFE Server – SharePoint web front end tier

SharePoint 2013 Application Server – SharePoint application tier

Microsoft SQL Server – DB services for SharePoint and FIM

Dual-zone DNS for UAG – UAG DNS needs to match both internally and externally

Public certificates

Other options

Colocated corporate AD

In this option a replica of the corporate AD is colocated.  All accounts are kept in the corporate AD.  ADFS is not needed.  FIM and UAG services are required.

Does anyone know how UAG fits in to all of this?  I feel like maybe this is overkill, but based on my requirements it seems plausible.
