UAG with FIM and ADFS?

We have a potential client that wants us to host a SharePoint site at a co-location.  They have AD at their home office.  They want SSO for this SP site and to be able to manage password resets and other account stuff themselves.  I'm just learning about both ADFS and FIM.

My initial idea was to set up a new domain and ADFS at the colo site, then a FIM server as well, and integrate FIM with ADFS.  Is that possible?

OR can we put a domain controller up at the colo site and join it to -their- domain via VPN tunnel, then set up just a FIM server and they have SSO and account control that way?

These are the requirements as I understand them.

  • Provide a secure infrastructure solution that can be accessed by users over the Internet.
  • Provide an application portal to host applications for access by both internal and external users.
  • Allow external users to create accounts.
  • Allow external users to change their passwords.
  • Provide external users with self-service password reset functionality.
  • Allow internal users to leverage their current existing credentials for gaining access to the resources in this solution.
  • Federated access to published applications by partner users.
  • The solution must be secure, implemented in the DMZ environment, and ideally without Windows trusts between this solution environment and internal AD.

I don't really know enough to know if it's overly complex.  This leverages several technologies: ADFS, FIM and UAG.

What is UAG?  You can read the snippet here about UAG.

http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

Without any training or real-world experience it's really hard for me to speak authoritatively in such a small amount of time.  There are also unanswered questions, like where the users are stored now and whether they will continue to be stored there.

FIM has to be involved because that allows for the simplified user management, but if they place their own domain controller in the remote environment, ADFS and UAG could possibly be skipped.

With this complex model you need the following:

Co-located site

UAG server x 2: UAG delivers comprehensive, secure remote access to corporate resources for employees, partners, and vendors on both managed and unmanaged PCs and mobile devices.  It utilizes a combination of connectivity options, ranging from SSL VPN to DirectAccess, as well as built-in configurations and policies; Forefront UAG provides centralized and easy management of your organization's complete anywhere-access offering.

UAG Trunk Design: this solution will have at least three trunks on each UAG server.

  1. The first trunk will publish anonymous applications.  This trunk will be configured without any authentication requirements.  The following are the primary applications that will be published via this trunk:
     • Initial landing page for users with a menu selection of different tasks
     • Self-Service Password Reset application
     • Self-User Registration application
  2. The second trunk will publish a portal for external users with a password change function.
     • This trunk will use AD for primary authentication to the portal
     • It will use AD FS as secondary authentication for claims-enabled apps
  3. The third trunk will publish a portal for users authenticating via SAML (federated).
     • This trunk will use AD FS as the primary authentication to the portal
     • It will be configured as a relying party with an RP-STS

ADFS Server x 2: Federated authentication between AD forests.  This accomplishes SSO between domains.  One is located at the corporate site, one at the colocation site.

FIM portal Server: Forefront Identity Manager (FIM) provides self-service identity management for your users.  FIM provides role-based access control and allows administrators to review access rights continually across the organization.  The FIM 2010 R2 release also adds an improved self-service password reset experience, along with performance, diagnostic, and reporting improvements.

Active Directory Server x 2: Segregated, colocated authentication database that communicates via ADFS to provide federated authentication while keeping user accounts separate from the corporate domain.

SharePoint 2013 WFE Server: SharePoint web front end tier

SharePoint 2013 Application Server: SharePoint application tier

Microsoft SQL Server: DB services for SharePoint and FIM

Dual-zone DNS for UAG: UAG DNS needs to match both internally and externally

Public certificates

Other options

Colocated corporate AD

In this option a replica of the corporate AD is colocated.  All accounts are kept in the corporate AD.  ADFS is not needed.  FIM and UAG services are required.

Does anyone know how UAG fits into all of this?  I feel like maybe this is overkill, but based on my requirements it seems plausible.

July 1st, 2013 5:22pm
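As an added illustration (not code from the original post, nor from Microsoft's UAG/FIM material), the following PowerShell wires up the claims chain the third-trunk design above describes: the colocated AD FS accepts claims from the corporate AD FS via a claims provider trust, and the SharePoint 2013 web application trusts the colocated AD FS as its RP-STS, so internal users keep their existing credentials without a Windows trust between the forests. Hostnames, URNs and the certificate path are constructed placeholders; cmdlet names are those of the Windows Server 2012 R2 AD FS module and the SharePoint 2013 Management Shell.

```powershell
# --- On the colocated AD FS server (Windows Server 2012 R2 AD FS module) ---
# All hostnames, identifiers and paths below are assumed placeholders.
Import-Module ADFS

# 1. Trust the corporate AD FS as a claims provider (IP-STS). Its e-mail and
#    UPN claims are passed through unchanged; nothing else is accepted.
$passThrough = @'
@RuleName = "Pass through email from corporate AD FS"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(claim = c);
@RuleName = "Pass through UPN from corporate AD FS"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);
'@
Add-AdfsClaimsProviderTrust -Name "Corporate AD FS" `
    -MetadataUrl "https://fs.corp.example.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $passThrough

# 2. Register the SharePoint web application as a relying party. Local
#    (colocated AD) users get email/UPN from LDAP; federated users' claims
#    arriving from the claims provider above are passed through.
$issuance = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Local AD users: send email and UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
@RuleName = "Federated users: pass through email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(claim = c);
@RuleName = "Federated users: pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);
'@
Add-AdfsRelyingPartyTrust -Name "SharePoint 2013 Portal" `
    -Identifier "urn:sharepoint:colo-portal" `
    -WSFedEndpoint "https://portal.example.com/_trust/" `
    -IssuanceTransformRules $issuance `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- On a SharePoint 2013 server (SharePoint 2013 Management Shell) ---
Add-PSSnapin Microsoft.SharePoint.PowerShell
# Token-signing certificate exported from the colocated AD FS (placeholder path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "Colo AD FS token signing" -Certificate $cert
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upn   = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
# -Realm must equal the relying party -Identifier registered in AD FS above.
New-SPTrustedIdentityTokenIssuer -Name "Colo AD FS" -Description "Colocated AD FS (RP-STS)" `
    -Realm "urn:sharepoint:colo-portal" -ImportTrustCertificate $cert `
    -ClaimsMappings $email,$upn -SignInUrl "https://adfs.colo.example.com/adfs/ls" `
    -IdentifierClaim $email.InputClaimType
```

The trusted identity provider is then assigned to the web application's claims authentication settings; the e-mail claim chosen as identifier must therefore be populated for every user, both local and federated.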

Hiya, 

Let's break this up a bit, shall we :)

1: If they only need internal access, then you could set up site2site VPN and then just add a DC on your site, together with the SharePoint and SQL. 

2: The FIM is a separate solution and in this setup you should treat it as such. Even though the client regards it as within the same, you should then handle this project in two phases (preferably two projects). 1: move SharePoint, SQL and DC to your location, set up site2site VPN. 2: creation of FIM for user self-service.

3: If they need Extranet access, you only need to add the UAG. (unless they want to provide federated authentication for external parties)

Hope that answers some, if not all of your questions :)

July 2nd, 2013 2:27am

They want SSO for any internal or external user that has already logged in to one of their applications.  I only had the preliminary requirements to work with which brought up some questions.  I should have answers to those tomorrow.
July 2nd, 2013 11:27am

Hiya, 

Sure no problem :)

Then you need UAG for sure. The external users, should they be logged on using federated authentication? (Note that both sides should support this, not just your client.) Basically it's a question of using local AD users or external AD users.


July 3rd, 2013 4:49am

I didn't get the answers I wanted.  They are using an MS Dynamics DB for user/pwd.  We're shelving this until we win the contract but it looks like a complete redesign with no federation, which might make this much simpler than I thought.  Maybe an independent AD forest in the colocation.  Thanks for the help :)
July 3rd, 2013 11:04am

Anytime! :)
July 3rd, 2013 12:34pm
