Customers are asking if publishing AD FS endpoints using Microsoft Forefront Unified Access Gateway (UAG) is supported when using federated identities in Office 365.
In order to answer that question we'll need to touch on AD FS endpoints.
AD FS endpoints
AD FS endpoints are used to provide clients with access to federated applications. After a client authenticates successfully, the endpoint issues it an authentication token. These endpoints are managed by the customer on their AD FS servers, and each can be managed, secured and published individually through a proxy.
For accessing Office 365 online services, three distinct endpoints must be considered:
1. Passive Federation (WS-Fed Passive Profile):
2. Active Federation (WS-Fed Active Profile):
3. Basic Authentication “Active”:
So - can I use Forefront UAG for publishing AD FS endpoints?
Using Forefront UAG for publishing AD FS 2.0 endpoints is a supported scenario, but it supports only the WS-Federation Passive protocol. As seen above, rich clients like Lync need to communicate with the AD FS 2.0 server through Forefront UAG using the WS-Federation Active protocol, which Forefront UAG does not support. The sign-in assistant does not help in this scenario, because Forefront UAG blocks any communication using the active protocol.
When using Forefront UAG to publish AD FS 2.0 for access to your Office 365 deployment, your users can use only applications that make passive requests, such as web browsers, and they must also install the sign-in assistant. They cannot use rich client applications that rely on the active protocol.
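As an added illustration (not part of the original post), the following PowerShell inventories the AD FS 2.0 endpoints and flags the active (WS-Trust) ones that are enabled for proxy publishing, so an administrator can see up front which endpoints Forefront UAG will not forward. It assumes the AD FS 2.0 PowerShell snap-in on the AD FS server; the path-based passive/active classification is an assumption of this example, not an AD FS property.

```powershell
# Added example (not from the original post): list AD FS 2.0 endpoints and
# flag active (WS-Trust) endpoints that are proxy-enabled, since Forefront UAG
# only publishes the WS-Federation passive profile.
# Assumes the AD FS 2.0 snap-in is available on the AD FS server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-EndpointProfile {
    param([string]$AddressPath)
    # Assumption (not an AD FS property): /adfs/ls/ carries the WS-Federation
    # passive profile used by browsers; /adfs/services/trust/ carries the
    # WS-Trust (active) endpoints used by rich clients such as Lync.
    switch -Wildcard ($AddressPath) {
        '/adfs/ls*'              { 'Passive' }
        '/adfs/services/trust/*' { 'Active' }
        default                  { 'Other' }
    }
}

# Build a flat report of every endpoint with its profile and proxy state.
$report = Get-ADFSEndpoint | ForEach-Object {
    [PSCustomObject]@{
        AddressPath = $_.AddressPath
        Protocol    = $_.Protocol
        Profile     = Get-EndpointProfile $_.AddressPath
        Enabled     = $_.Enabled
        Proxy       = $_.Proxy
    }
}

$report | Sort-Object Profile, AddressPath | Format-Table -AutoSize

# Active endpoints that are proxy-enabled would be reachable through an AD FS
# proxy but are blocked by UAG; review these before publishing AD FS via UAG.
$report | Where-Object { $_.Profile -eq 'Active' -and $_.Enabled -and $_.Proxy } |
    Select-Object AddressPath, Protocol
```

The last query lists exactly the endpoints whose clients (rich applications using the active profile) will fail behind Forefront UAG, which makes it a quick way to confirm the limitation described above in a given deployment.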