Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS ISA and MOSS

Last post 06-06-2008, 8:59 AM by jimsim. 8 replies.
  •  06-02-2008, 3:28 PM 3769

    ADFS ISA and MOSS

    ISA required no changes to the MOSS authentication scheme; ADFS requires some changes to MOSS for integration. Can we pass through ISA instead of direct ADFS – MOSS communication?

  •  06-02-2008, 9:34 PM 3773 in reply to 3769

    Re: ADFS ISA and MOSS

    I don't really know anything about ISA, so I'm not sure how to answer your question, but does ISA support federated login? It seems like it would provide a different set of requirements altogether.
  •  06-03-2008, 8:33 AM 3776 in reply to 3773

    Re: ADFS ISA and MOSS

    I don't know ISA either, but the client was saying that it allowed them to have forms auth for MOSS with no extra configuration of MOSS.  I'll look into it and see if it is possible.
  •  06-03-2008, 9:36 AM 3780 in reply to 3776

    Re: ADFS ISA and MOSS

    They could likely get forms auth this way, but not with multiple different authentication realms.  That is the main reason why you would want to be looking at ADFS.  If you don't need to federate, there are many easier solutions to getting this working.

    Make sure your client understands what the point of ADFS in this whole thing is.  If the goal is simply to get forms auth against a single authentication realm, it is not the right tool for the job.

  •  06-03-2008, 10:11 AM 3781 in reply to 3780

    Re: ADFS ISA and MOSS

    They did want federation, but SSO was the main driving force.
  •  06-03-2008, 3:51 PM 3784 in reply to 3780

    Re: ADFS ISA and MOSS

    From my perspective at least ADFS was chosen before I was involved.  I am just setting up the proof of concept and creating a design.

    They just have ISA in place and are working through what will go and what will stay in the end.  My guess is that unless ISA is doing more than just auth for them for a few apps like MOSS and OWA, they shouldn't really need it anymore since ADFS is taking over the auth role.

    I'm going to install an ISA server in the lab and set it up and see if what Jim Harrison said could work.  ISA does not do federation, but he mentioned that using IAG with ISA could then work with ADFS.  I have no idea what that looks like yet, but I will let you know what I come up with in the lab.

  •  06-03-2008, 9:35 PM 3787 in reply to 3784

    Re: ADFS ISA and MOSS

    ISA can still do things like load balancing and firewall stuff, so it isn't useless.  It just might not provide much useful additional stuff for the actual authentication features of the app. 

    I know almost nothing about ISA though, so I don't have a clear idea about all the features being discussed or how they might compare.

  •  06-05-2008, 3:01 AM 3801 in reply to 3787

    Re: ADFS ISA and MOSS

    We have the same plan. We have set up an ISA Server 2006 array which is the entrance to our internal network and works as a reverse proxy. Each application server sits behind the ISA server (ADFS, CAS, MOSS, EVault). The ISA doesn't perform any authentication when we're using ADFS at the backend (e.g. OWA, MOSS). But ISA is however useful for load balancing/web farming/firewall as a primary layer of security.

    Though, it would be great if ISA could support ADFS authentication on its weblisteners. But that might be wishful thinking :-)
  •  06-06-2008, 8:59 AM 3817 in reply to 3801

    Re: ADFS ISA and MOSS

    IAG is an SSL VPN solution which was acquired by Microsoft 2 years ago (http://www.microsoft.com/forefront/edgesecurity/iag/default.mspx)

    IAG 2007 SP1 natively supports ADFS.

    I haven't seen it or installed it, but my understanding is that it's installed on the same box as ISA 2006 and it takes the place of the ADFS Proxy component and provides the same FBA page as the ADFS proxy server.

     

     
