Wednesday, August 4, 2010

Claims based security model in SharePoint 2010

In this article I will briefly touch on the claims-based security model support in SharePoint 2010.

SharePoint comes with two kinds of authentication when you are creating a new Web Application.
  1. Classic Mode Authentication (default)
  2. Claims Based Authentication

Classic Mode is just Windows-based authentication and is kept for backward compatibility.
The new mode, Claims Based Authentication, works around the concept of an identity and is based on the WS-Federation and WS-Trust standards and on protocols such as SAML (Security Assertion Markup Language).
It provides a generic way for applications to acquire identity information from users within and across organizations, and also on the internet.
Identity information is contained in a security token, often simply called a token. A token contains one or more claims (trusted information) about the user. This information stays with the user throughout their session.

This is built on Windows Identity Foundation (WIF). Features of claims-based identity include:
  • Authentication across users of Windows-based systems and systems that are not Windows-based.
  • Multiple authentication types.
  • Stronger real-time authentication.
  • A wider set of principal types.
  • Delegation of user identity between applications (which makes double-hop issues easy to resolve).

Out of the box, SharePoint supports authenticating using Windows and Forms (both also supported in MOSS) and LiveID/OpenID. Integrating with custom authentication providers is also easily possible, as long as the application can trust the issuing authority of the security tokens.

Definitions of some of the concepts you need to be aware of:
  • Identity: security principal used to configure security policy
  • Claim: attribute of an identity (login name, AD group, etc.)
  • Issuer: trusted party that creates claims
  • Security Token: serialized set of claims, digitally signed by the issuing authority (Windows security token or SAML)
  • Issuing Authority: issues security tokens knowing the claims desired by the target application
  • Security Token Service (STS): builds, signs and issues security tokens
  • Relying Party: application that makes authorization decisions based on claims
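As an added example (not code from the original post, and not taken from Microsoft's documentation), the PowerShell below wires these roles together on SharePoint 2010: it registers the issuing authority's token-signing certificate as a trusted root, maps the incoming claim types, registers the STS as a trusted identity token issuer, and then creates a claims-based web application that relies on it. Every name, URL, realm, account and certificate path is a placeholder.

```powershell
# Added example, not from the original post. All names, URLs, realm values,
# accounts and the certificate path are placeholders for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust anchor: the issuing authority's token-signing certificate (public key only).
#    SharePoint will only accept security tokens whose signature validates against it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\issuer-signing.cer")
New-SPTrustedRootAuthority -Name "Contoso STS Signing" -Certificate $cert

# 2. Claim mappings: which incoming claim types SharePoint keeps. The e-mail claim
#    identifies the user; the role claim can drive authorization decisions.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the STS as a trusted identity token issuer (the "Issuing Authority").
#    -Realm is the audience identifier the STS must put in tokens for this relying party;
#    -SignInUrl is where unauthenticated users are redirected (passive WS-Federation).
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Contoso STS" `
    -Description "Contoso federation STS (placeholder)" `
    -Realm "urn:sharepoint:contoso-intranet" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://sts.contoso.example/FederationPassive/" `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Create the relying party: a claims-based web application that accepts
#    both Windows authentication and tokens from the trusted issuer.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$samlProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplication -Name "Contoso Intranet" -ApplicationPool "ContosoIntranetAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\spapppool") `
    -Url "https://intranet.contoso.example" -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $windowsProvider, $samlProvider
```

The trust relationship rests entirely on the certificate registered in step 1, so rotating the issuer's signing key means updating that trusted root authority before tokens signed with the new key will be accepted.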

There are two cases of claims, incoming and outgoing. The scenarios differ in the way they are authenticated or validated. See the images below from the MSDN article.

Hope this gives you a start in understanding, at a very high level, the concepts of the claims-based security model in SharePoint 2010.
