Thursday, January 31, 2013

SharePoint 2010 - Claims-based authentication

Claims-based authentication (CBA) is based on a concept of identity that works with any identity system. An identity is represented by a security token, which is presented to the application the user is trying to access. CBA provides a trust-based system between applications and a centralized provider that issues the token: the application trusts the user because it trusts the provider. Therefore, in addition to providing a single sign-on environment, this eliminates the need for each application to authenticate the user individually.

CBA also answers two important questions:
  1. How will users gain access to the enterprise's applications regardless of their location?
    • Claims-based identity provides a common way for applications to acquire identity information about users, irrespective of whether they are inside the organization, in another organization, or on the internet.
  2. How will the different types of user information that applications need to accomplish their functions be retrieved?
    • Identity information is stored in the token. A token may contain one or more claims (pieces of identity information) about the user. We can think of a claim as metadata about the user that travels with the token.
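
To make the trust model concrete, here is a small Python sketch added for illustration; it is not SharePoint, WIF or ADFS code. A hypothetical STS authenticates the user (out of scope here), wraps the identity information as claims in a token and signs it; the application checks the signature against the issuers it trusts and then reads the claims, without ever handling the user's credentials. A shared HMAC key stands in for the X.509 token-signing certificate a real STS such as ADFS uses, and every issuer name, key and claim value in it is made up for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values: a key shared by the hypothetical STS and the
# relying-party application. A real STS signs with a certificate; HMAC keeps
# this example free of third-party dependencies.
STS_SIGNING_KEY = b"constructed-demo-key-not-for-production"
STS_ISSUER = "urn:example:sts"


class TokenError(Exception):
    """Raised by the relying party when a token must not be trusted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, claims, key=STS_SIGNING_KEY, issuer=STS_ISSUER,
                ttl=300, now=None):
    """STS side: put the claims about an already-authenticated user into a
    signed, time-limited token. Format: base64url(JSON) '.' base64url(HMAC)."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "sub": subject, "exp": now + ttl, "claims": claims}
    payload = b64url_encode(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url_encode(sig)


def validate_token(token, trusted_issuers, now=None):
    """Relying-party side: accept the claims only if the token was signed by
    an issuer we trust and has not expired. No password is ever seen here."""
    now = time.time() if now is None else now
    try:
        payload, sig_text = token.split(".", 1)
        body = json.loads(b64url_decode(payload))
        sig = b64url_decode(sig_text)
    except ValueError:
        raise TokenError("malformed token")
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        raise TokenError("untrusted issuer")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        raise TokenError("bad signature")
    if body.get("exp", 0) < now:
        raise TokenError("token expired")
    return body["claims"]


def demo():
    """Walk through the good case and three failure modes; returns outcomes."""
    trusted = {STS_ISSUER: STS_SIGNING_KEY}
    now = 1_700_000_000  # fixed clock so results are reproducible
    token = issue_token("alice@example.com",
                        {"role": "Contributor", "department": "Finance"}, now=now)
    results = {"valid": validate_token(token, trusted, now=now + 60)}

    # Payload edited after signing (role elevated), old signature kept.
    payload, sig = token.split(".")
    body = json.loads(b64url_decode(payload))
    body["claims"]["role"] = "Site Owner"
    forged = b64url_encode(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()) + "." + sig

    # Token from an issuer the application has no trust relationship with.
    rogue = issue_token("bob", {"role": "Site Owner"}, key=b"rogue-key",
                        issuer="urn:example:rogue", now=now)

    for name, tok, at in (("tampered", forged, now + 60),
                          ("expired", token, now + 600),
                          ("untrusted_issuer", rogue, now + 60)):
        try:
            validate_token(tok, trusted, now=at)
            results[name] = "accepted"
        except TokenError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to take from `validate_token` is that the application's decision rests entirely on the issuer's signature and on which issuers it has chosen to trust; adding a second application means adding a second trust relationship, not a second copy of the user store.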
Implementing claims-based identity generally requires using and understanding a set of core technologies:
  1. Windows Identity Foundation (WIF):
    • WIF is a set of application programming interfaces (APIs) that can be used to develop custom applications that use claims and are capable of federating with other systems.
  2. Active Directory Federation Services 2.0:
    • ADFS 2.0 is a security token service (STS) responsible for issuing tokens. ADFS provides both identity federation and single sign-on services.
  3. Windows CardSpace 2.0:
    • CardSpace stores users' digital identities and represents the identity information as visual Information Cards. Users can exchange these cards between systems like real business cards.
SharePoint 2010 Authentication Options:
There are two options:
  1. Classic Mode:
    • This refers to the Integrated Windows authentication model supported in SharePoint 2007. Classic mode does not use any of the claims infrastructure, so none of the claims features are available.
  2. Claims-Based:
    • CBA supports 3 different authentication providers out of the box:
      • Windows Authentication: includes all the same authentication methods as classic mode authentication.
      • Forms-Based Authentication: includes LDAP, database, or custom membership and/or role providers.
      • SAML Token-Based Authentication: includes ADFS 2.0, Windows Live ID, and third-party providers.
