wifclaims-based-identityacsadfs2.0claims

Claims Based Authentication - SharePoint and generally


All,

I've been doing a lot of reading around Claims Based Authentication and am still a bit confused. I'm trying to solidify my understanding, specifically relating to SharePoint 2010/2013, but also generally (i.e. ASP.NET).

My understanding of various pieces of technology terminology is as follows:

SharePoint 2010/2013 questions:

My main issue is that I have seen a few articles talking about ADFS 2.0 and SharePoint which almost read as if you are replacing the built-in SharePoint 2010/2013 STS with ADFS 2.0! This is hopefully just my reading, but it confused my understanding.

  1. Can you actually do this? I see no reason why you couldn't if you really wanted, but I assume you need to disable the SharePoint STS and do lots of manual config?
  2. Why WOULD you want to do this?

2.1. AD authentication is already supported as an OOTB Trusted Identity Provider option by the SharePoint STS and if you wanted to use ADFS 2.0 instead you could just add this in as a Trusted Identity Provider (IP-STS) for which I have seen blog posts.

2.2. Based on my description of ADFS 2.0, changing it out for the SharePoint STS would actually give you a less flexible solution?

Statements:

ASP.NET WIF questions:

  1. My understanding is that in order to perform the trust negotiation and claims exchange an RP-STS must talk to an IP-STS. Is this correct?
  2. Therefore in the context of building a claims-based ASP.NET Web Application (Relying Party) when using WIF would you therefore have develop/reuse and include an RP-STS into the App and cnfigure this to have a trust relationship with an IP-STS? If not can you get Identity directtly from an IP-STS using WIF?

Just writing this helped me get this out of my head, but any help on inaccuracices/over simplications/outright untruths would be gratefully appreciated!

Regards,

Michael Taylor


Solution

  • The SP STS is an RP-STS i.e. it does not have a credential store to authenticate against. That's why you have to federate it with ADFS which is an IP-STS i.e. it authenticates against an AD in it's domain.

    ADFS can be either an RP-STS or an IP-STS e.g. you could have the path - SP app. -> SP STS -> ADFS (RP) -> ADFS (IP) -> AD.

    The IP-STS you federate with SP does not have to be ADFS - it can be anything that supports the WS-Federation protocol e.g. OpenAM, PingIdentity, Azure ACS. The main point is that at the end of the chain there has to be a credential store to authenticate against.

    This credential store does not have to be AD e.g. ADFS -> IdentityServer -> SQL Server.

    ADFS can be federated with many different IP-STS. The user can choose which one to use for authentication.

    ADFS supports both SAML2 and WS-Fed as federation protocols. The SP RP-STS only supports WS-Fed.

    The previous version of ADFS (i.e. 1.0) is the version that is installed on Windows Server 2008. You have to download ADFS 2.0. Unfortunately, there are a number of blog posts which uses the term ADFS but which refer to ADFS 1.0. Beware - ADFS 1.0 is a completely different beast.

    WIF is just a set of .NET classes. It is not an STS. You can go WIF -> IP-STS or WIF -> RP-STS -> IP-STS etc.

    Hopefully this answered some of your questions but fire away if anything is still not clear.

    Update:

    The only STS's I know of that incorporate WIF are ADFS and IdentityServer. Most of the ones mentioned above are Java based.

    The reason that you would choose ADFS over IWA is that both authenticate against AD but only ADFS adds SSO and Federation functionality. Also ADFS provides all the claims-based plumbing - SAML token etc.

    When you federate ADFS, you provide the ability to authenticate against multiple credential stores. But if you choose to authenticate against an instance of ADFS, it uses the AD repository. When you install ADFS it finds the instance of AD in its domain. That's the one it uses.