Microsoft SharePoint Server 2010 supports claims-based authentication in addition to classic-mode authentication. Classic mode allows only Windows authentication; claims mode supports Windows authentication, forms-based authentication (FBA) and SAML token-based authentication through a trusted identity provider. In the SAML case it is the identity provider, not SharePoint, that authenticates the user, so the provider can apply stronger schemes such as two-factor authentication (2FA) before it issues a token; SharePoint only validates the token and maps its claims. The following diagram illustrates the authentication process in SharePoint 2010 under claims mode with an external trusted identity provider:
In this recipe, we will explore the steps to configure claims-based authentication in SharePoint Server 2010 and register Azure ACS 2.0 as a trusted identity provider with the SharePoint Server 2010 instance.
You will need a Microsoft SharePoint Server 2010 instance with administrative access (access to the Central Administration portal and the SharePoint 2010 Management Shell). You will also need a Windows Azure account with an Azure ACS 2.0 namespace configured (refer to Chapter 4, Cloud-based Identity with Azure Access Control Service, for details).
To register Azure ACS 2.0 as a trusted external identity provider in your SharePoint Server 2010 instance, perform the following steps:
Open the SharePoint 2010 Management Shell as a farm administrator and register the identity provider with the New-SPTrustedIdentityTokenIssuer command. The certificate you import must be the certificate that ACS uses to sign tokens for this namespace (the signing certificate configured under Certificates and Keys in the ACS portal; use your own domain certificate here only if you uploaded it to ACS as the namespace signing certificate), because SharePoint validates the signature of every incoming token against it:
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("<path to your domain certificate>")
$claimTypeMapping = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "<your domain web application URL>"
$signinurl = "https://<your namespace>.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=https%3a%2f%2f<your realm>%2f"
New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" -Description "Windows Azure ACS v2" -Realm $realm -ImportTrustCertificate $certificate -ClaimsMappings $claimTypeMapping -SignInUrl $signinurl -IdentifierClaim $claimTypeMapping.InputClaimType
Add the same certificate to the farm's trusted root authorities with the New-SPTrustedRootAuthority command. SharePoint checks that the token-signing certificate chains to a trusted root authority in the farm, so this step is required even for a self-signed certificate; without it tokens are rejected with an error stating that the root of the certificate chain is not a trusted root authority:
New-SPTrustedRootAuthority -Name "Domain Trust" -Certificate $certificate
Enable claims-based authentication on the web application that will act as the relying party. Note that converting an existing classic-mode web application to claims mode is a one-way operation and existing user identities must be migrated afterwards:
$application = Get-SPWebApplication "<Relying Party URL>"
$application.UseClaimsAuthentication = $true
$application.Update()
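The steps above combined into one script that can be re-run safely, keeps Windows authentication enabled next to ACS on the Default zone so that administrators are not locked out, and reads back what the farm now trusts. This is an added example, not code from the book or from Microsoft; the certificate path, namespace name, web application URL and farm administrator account are placeholders, and the full-control policy, MigrateUsers and ProvisionGlobally calls follow Microsoft's documented classic-to-claims migration procedure for SharePoint 2010.

```powershell
# Added example: register Azure ACS 2.0 as a trusted identity provider, convert the web
# application to claims mode and select the providers on the Default zone.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
# Every <...> value is a placeholder (assumption), not a value from the original recipe.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath   = "<path to the ACS token-signing certificate (.cer)>"   # assumption: exported from the ACS portal
$namespace  = "<your namespace>"
$webAppUrl  = "https://<your domain web application URL>"            # realm and relying party URL
$adminLogin = "<DOMAIN>\<farm administrator>"                        # assumption: account that keeps full control
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# 1. Load the signing certificate and refuse an expired one: SharePoint would reject every
#    token signed with it, but you would only find out after the provider is registered.
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($certificate.NotAfter -lt (Get-Date)) {
    throw "Signing certificate $($certificate.Thumbprint) expired on $($certificate.NotAfter)"
}

# 2. Map the e-mail address claim unchanged and use it as the identifier claim.
$claimTypeMapping = New-SPClaimTypeMapping -IncomingClaimType $emailClaim `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# 3. Register the issuer, or reuse it if an earlier run already created it.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "Azure ACS" -ErrorAction SilentlyContinue
if ($issuer -eq $null) {
    $realm     = $webAppUrl
    $signinUrl = "https://$namespace.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=" +
                 [System.Uri]::EscapeDataString("$webAppUrl/")
    $issuer = New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" -Description "Windows Azure ACS v2" `
        -Realm $realm -ImportTrustCertificate $certificate -ClaimsMappings $claimTypeMapping `
        -SignInUrl $signinUrl -IdentifierClaim $claimTypeMapping.InputClaimType
}

# 4. Trust the signing certificate's chain; SharePoint rejects tokens whose signing
#    certificate does not chain to a trusted root authority in the farm.
if ((Get-SPTrustedRootAuthority -Identity "Domain Trust" -ErrorAction SilentlyContinue) -eq $null) {
    New-SPTrustedRootAuthority -Name "Domain Trust" -Certificate $certificate | Out-Null
}

# 5. Convert the web application to claims mode (one-way) and give the farm administrator a
#    full-control policy as a claims identity before migrating the existing users.
$application = Get-SPWebApplication $webAppUrl
if (-not $application.UseClaimsAuthentication) {
    $application.UseClaimsAuthentication = $true
    $application.Update()
    $encoded = (New-SPClaimsPrincipal -Identity $adminLogin -IdentityType WindowsSamAccountName).ToEncodedString()
    $policy  = $application.Policies.Add($encoded, "Farm administrator (claims)")
    $policy.PolicyRoleBindings.Add($application.PolicyRoles.GetSpecialRole("FullControl"))
    $application.Update()
    $application.MigrateUsers($true)   # rewrites existing user identities into the claims format
    $application.ProvisionGlobally()
}

# 6. Select the providers on the Default zone: the PowerShell equivalent of the
#    Authentication Providers page in Central Administration. Windows authentication is
#    kept alongside ACS so that existing Windows accounts can still sign in.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$acs     = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $application -Zone Default -AuthenticationProvider $windows, $acs

# 7. Read back what the farm now trusts; compare these values with the ACS portal.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "Azure ACS"
"Issuer: {0}  realm: {1}" -f $issuer.Name, $issuer.DefaultProviderRealm
"Signing certificate: {0} (expires {1})" -f $issuer.SigningCertificate.Thumbprint, $issuer.SigningCertificate.NotAfter
"Identifier claim: {0}" -f $issuer.IdentityClaimTypeInformation.InputClaimType
```

Step 5 matters because a web application converted to claims mode no longer recognises classic Windows identities in its policies until MigrateUsers has run; adding the claims-encoded administrator first guarantees that at least one account keeps full control if the migration is interrupted.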
You have now successfully set up Windows Azure ACS 2.0 as a trusted identity provider in your SharePoint Server 2010 instance.
Enabling claims-based authentication and selecting the trusted identity provider for a SharePoint Server 2010 web application (Central Administration, Manage web applications, Authentication Providers, Trusted Identity provider) provisions the _trust folder under the web application's virtual directory at C:\inetpub\wwwroot\wss\VirtualDirectories\<web application folder>\_trust. The identity provider posts the security token to the /_trust/ endpoint of the web application (https://<your domain web application URL>/_trust/), where it is received and processed; this URL is therefore the return URL you configure for the relying party application in ACS.
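A check worth running after the trust is in place: confirm that the certificate SharePoint trusts for "Azure ACS" is one that ACS currently advertises as a signing certificate in its federation metadata, and report the /_trust/ return URL and folder for the web application. This is an added example and not part of the original recipe; the namespace name and web application URL are placeholders, and the federation metadata path is ACS's standard WS-Federation metadata endpoint.

```powershell
# Added example: compare the signing certificate registered in SharePoint with the signing
# certificates ACS publishes, and show the WS-Federation reply endpoint SharePoint provisions.
# Placeholders in <...> are assumptions. Requires network access to the ACS namespace.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$namespace   = "<your namespace>"
$webAppUrl   = "https://<your domain web application URL>"
$metadataUrl = "https://$namespace.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml"

# Thumbprints of every certificate ACS advertises with use="signing" in its metadata.
[xml]$metadata = (New-Object System.Net.WebClient).DownloadString($metadataUrl)
$acsThumbprints = $metadata.EntityDescriptor.RoleDescriptor |
    ForEach-Object { $_.KeyDescriptor } |
    Where-Object { $_.use -eq "signing" } |
    ForEach-Object {
        $raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)).Thumbprint
    } | Sort-Object -Unique

# The single certificate SharePoint 2010 validates token signatures against for this issuer.
$issuer  = Get-SPTrustedIdentityTokenIssuer -Identity "Azure ACS"
$trusted = $issuer.SigningCertificate.Thumbprint
if ($acsThumbprints -contains $trusted) {
    "OK: SharePoint trusts $trusted, which ACS advertises for signing."
} else {
    "MISMATCH: SharePoint trusts $trusted but ACS advertises $($acsThumbprints -join ', '). " +
    "Tokens will be rejected until the issuer is updated with the current certificate."
}

# The reply endpoint provisioned for trusted providers; ACS must post tokens here.
$application = Get-SPWebApplication $webAppUrl
$trustDir    = Join-Path $application.GetIisSettingsWithFallback("Default").Path.FullName "_trust"
"Return URL to configure for the relying party in ACS: $webAppUrl/_trust/"
"_trust folder present on this server: $(Test-Path $trustDir)"
```

A mismatch is the symptom to expect after the ACS namespace signing certificate has been rotated: SharePoint 2010 stores one signing certificate per trusted issuer, so the new certificate has to be imported with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate and added with New-SPTrustedRootAuthority before tokens are accepted again.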
An interesting scenario to explore would be registering Azure ACS 2.0 as a trusted Security Token Service in SharePoint and then using AD FS 2.0 as a WS-Federation identity provider behind ACS, so that users from Active Directory forests that are not part of your domain can gain access to your relying party. The following diagram illustrates this scenario:
Forms-based authentication (FBA) is available in SharePoint 2010 only if claims-based authentication is enabled for the web application. To learn more about the steps to configure forms-based authentication in SharePoint Server 2010, follow the TechNet blog post at http://blogs.technet.com/b/mahesm/archive/2010/04/07/configure-forms-based-authentication-fba-with-sharepoint-2010.aspx.
In addition to Azure ACS 2.0, AD FS 2.0 and any custom IP-STS can be registered as a trusted identity provider with SharePoint 2010. The MSDN article Claims Walkthrough: Creating Trusted Login Providers (SAML Sign-in) for SharePoint 2010 by Andy Li, at http://msdn.microsoft.com/en-us/library/ff955607.aspx, provides a detailed walkthrough on registering a custom IP-STS as an identity provider with SharePoint 2010.
A set of articles (including hands-on tips) on claims and the security for SharePoint 2010 is available at http://msdn.microsoft.com/en-us/library/gg430136.aspx.