Wednesday, November 18, 2009

SharePoint 2010: Claim-Based Security: Two Stories

I'm not sure the SharePoint 2010 team realizes they're painting a somewhat disconnected claims-based security story. Let's call the two halves: Part 1. Inside-Out Story and Part 2. Outside-In Story.

Part 1. Inside-Out Story

This is the story that is presented most often: how SharePoint 2010 uses Claims-Based Security as a "single sign-on (SSO)" technology for calling external web services, line-of-business applications, etc. via the Business Connectivity Services (BCS) ...that is, how the SharePoint runtime (the inside) calls services on the outside. To support this, SharePoint optionally hosts its own Secure Token Service (STS) that is used to transform Windows identities into Tokens. Tokens are cached in the Secure Store Service (SSS). When BCS is invoked, SharePoint checks whether a valid Token already exists in the SSS for the current user and, if so, uses it to access the web service.

Part 2. Outside-In Story

The outside-in story is the one that I think most people think of first when they think of Claims-Based Security: a user in a claims-enabled authentication environment (the outside) tries to log in to a SharePoint web site (the inside). This is the scenario you hear the most about when you read about Windows Identity Foundation (WIF) and AD FS v2 (Active Directory Federation Services). That is, when a user attempts to log in to an ASP.NET application (e.g. SharePoint), called the Relying Party, and is not automatically logged in with Windows Integrated Authentication, the user is redirected to a Login Page hosted by the Federation Service (FS, e.g. AD FS, SiteMinder, etc.) in the user's local domain. There, a Token is created by the FS's STS based on the known claims requirements of the Relying Party (e.g. SharePoint). The Token contains the claims required by SharePoint and is returned to authenticate the user against SharePoint.

Neither SharePoint nor the IIS instance hosting SharePoint is directly involved in authentication. Authentication only takes place against the user's domain FS, using the FS's login page. After that, the generated Token is used and re-used wherever it is needed (e.g. in all of the inside-out scenarios described at the beginning of this article).
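The outside-in exchange just described, modelled as an added example (this is not WIF, AD FS or SharePoint code): the relying party redirects an unauthenticated request to the FS login page, the FS's STS issues a token carrying only the claims the relying party requires, and the relying party checks signature, audience and expiry before trusting any claim. The HMAC key (standing in for the STS signing certificate), URLs and claim names are constructed placeholders.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed stand-in for the STS signing certificate trusted by the relying party.
STS_SIGNING_KEY = b"constructed-demo-key"
FS_LOGIN_URL = "https://fs.example.local/login"     # hypothetical FS login page
RP_REALM = "https://sharepoint.example.local/"       # hypothetical relying party (SharePoint)
REQUIRED_CLAIMS = ("upn", "role")                    # claims the relying party has published

def sts_issue_token(user_claims, audience=RP_REALM, lifetime=300):
    """FS/STS side: emit only the claims the relying party requires, signed."""
    body = {
        "aud": audience,
        "exp": int(time.time()) + lifetime,
        "claims": {k: user_claims[k] for k in REQUIRED_CLAIMS},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(STS_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig

def rp_validate_token(token, now=None):
    """Relying-party side: verify signature, audience and expiry before using any claim."""
    now = int(now if now is not None else time.time())
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(STS_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                       # tampered or not issued by the trusted STS
    body = json.loads(payload)
    if body.get("aud") != RP_REALM or body.get("exp", 0) <= now:
        return None                       # issued for another relying party, or expired
    if any(c not in body.get("claims", {}) for c in REQUIRED_CLAIMS):
        return None                       # STS did not satisfy the RP's claim requirements
    return body["claims"]

def rp_handle_request(token=None):
    """Relying-party pipeline: no valid token means a redirect to the FS login page."""
    claims = rp_validate_token(token) if token else None
    if claims is None:
        params = {"wa": "wsignin1.0", "wtrealm": RP_REALM}  # WS-Federation sign-in parameters
        return {"action": "redirect", "location": FS_LOGIN_URL + "?" + urlencode(params)}
    return {"action": "serve", "user": claims["upn"], "role": claims["role"]}
```

A real deployment validates an X.509 signature and the token's issuer rather than a shared HMAC key; the checks shown are the minimum the relying party must perform before accepting a token it did not create.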

There is (or was) a rumor that the SharePoint team was at one point considering supporting only inside-out Claims-Based Security (and hence, I assume, the focus at the SPC and PDC on those scenarios). Yesterday, Chuck Reeves of the WIF team confirmed that SharePoint will support both scenarios, internal (inside-out) and external (outside-in), for RTM. I haven't been able to confirm what will be available in Beta 2.

"More news at 11...",
Michael Herman
SharePoint Architect
