This article explains the concepts and components involved in one example architecture for SharePoint 2010 that uses claims-based authentication and authorization. Teams doing SharePoint development, integration or customization have been enabling SharePoint 2010 for claims, both to sign users in and to make authorization decisions on the claims they carry, and the first question is usually where each piece fits in the architecture. Some of the concepts are new, and they have to be understood before the supporting infrastructure can be configured. Below we walk through the components in an example SharePoint 2010 architecture and show how they work together to provide claims-based authentication and authorization. If claims are completely new to you, read the article "What are Claims – Using Claims in SharePoint" first for the basics.
The diagram below shows an example server architecture for a SharePoint 2010 farm that uses claims. Depending on whether you are doing SharePoint customization, integration or development, and on your own requirements, you may need more or fewer components than are shown.
The diagram above shows the claims architecture. The sequence of messages below describes what happens when a user signs in to SharePoint 2010 with claims-based authentication. At a high level the sequence is:
- From the end user's perspective, they simply open a browser, navigate to the SharePoint 2010 URL and, when prompted, enter a user name and password.
- SharePoint 2010 is configured for claims-based authentication and has a trust relationship with a trusted identity provider. Because this architecture uses the WS-Federation passive profile, SharePoint does not collect the password itself: it redirects the browser to the identity provider's sign-in page, the user authenticates there, and the provider returns a token to SharePoint. The credentials never reach the SharePoint server.
- In this example the identity provider consists of a Secure Token Server (STS) and a data source (a database or an LDAP directory). The STS is Active Directory Federation Services (ADFS) 2.0 and the data source is Active Directory; ADFS 2.0 queries the directory for attributes about the user who signed in. Configuring ADFS 2.0 involves several settings, but four of them are critical:
- The trust relationship between SharePoint 2010 and ADFS 2.0 (SharePoint trusts the ADFS token-signing certificate, and ADFS has SharePoint registered as a relying party under the same identifier, or realm).
- The claims that ADFS 2.0 includes in its response to an authentication request.
- The Active Directory attributes that ADFS 2.0 must retrieve when a request from SharePoint comes in.
- How the retrieved AD attributes are mapped or transformed into the claim types that SharePoint 2010 expects.
- ADFS 2.0 authenticates the user and creates a token. The token is in one of two standards-based formats, SAML 1.1 or SAML 2.0; SharePoint 2010 requires a SAML 1.1 token. The token is digitally signed with the ADFS token-signing certificate before it is returned to the calling application, and it can also be encrypted if the environment requires it.
- The calling application, SharePoint 2010, receives the signed token over the WS-Federation passive protocol (ADFS 2.0 can also speak the SAML 2.0 protocol to other relying parties, but SharePoint 2010 only supports WS-Federation). Note that WS-Federation is the protocol that carries the token and SAML 1.1 is the format of the token itself; the two are easily confused.
When SharePoint receives the token, it validates the digital signature against the certificate it was configured to trust, and checks that the token was issued for this SharePoint realm (the audience) and has not expired, so that it can trust the token and the claims inside it. Only after the signature and these checks pass does SharePoint consider the user authenticated; it then issues its own session cookie (the FedAuth cookie) and the user is logged in.
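The four critical settings listed above, configured on both sides of the trust, as an added example in PowerShell. This is not code from the original article or from Microsoft; the host names, certificate path, realm identifier and claim types are assumptions chosen for the example, and it uses the SharePoint 2010 and ADFS 2.0 cmdlets as documented at the time.

```powershell
# ---- On the SharePoint 2010 server: register ADFS 2.0 as a trusted identity provider ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed values (hypothetical, for this example only)
$adfsHost   = "adfs.contoso.com"
$spTrustUrl = "https://intranet.contoso.com/_trust/"   # SharePoint's WS-Federation endpoint
$realm      = "urn:sharepoint:intranet"                 # identifier SharePoint sends to ADFS as wtrealm
$certPath   = "C:\certs\adfs-token-signing.cer"         # ADFS token-signing cert, exported without private key

# 1. Trust relationship: SharePoint accepts tokens signed by the ADFS token-signing certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS 2.0 Token Signing" -Certificate $cert

# 4. Mapping: which incoming claim types SharePoint accepts, and which one identifies the user
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleClaim  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType $roleClaim  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS 2.0" -Description "Contoso ADFS 2.0" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap,$roleMap `
    -SignInUrl "https://$adfsHost/adfs/ls/" -IdentifierClaim $emailMap.InputClaimType

# The issuer is attached to a web application through an authentication provider object,
# e.g. New-SPWebApplication ... -AuthenticationProvider $provider
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

# Check: the trust exists, the identity claim is the one intended, and the signing cert is the ADFS one
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS 2.0" |
    Select-Object Name, IdentityClaimTypeInformation, SigningCertificate

# ---- On the ADFS 2.0 server: SharePoint is a relying party; AD attributes become claims ----
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1 (other side). Relying party trust keyed on the SAME realm string SharePoint was given,
# posting tokens back to SharePoint's /_trust/ endpoint over WS-Federation
Add-ADFSRelyingPartyTrust -Name "SharePoint 2010 Intranet" -Identifier "urn:sharepoint:intranet" `
    -WSFedEndpoint "https://intranet.contoso.com/_trust/"

# 2 and 3. Claims to issue, and the AD attributes (mail, tokenGroups) ADFS reads to produce them.
# ADFS claim rule language: the Windows account name that AD authentication produced ("AD AUTHORITY")
# drives an LDAP query against Active Directory; the results are issued as email and role claims.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail and groups to SharePoint claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization: without at least one permit rule ADFS issues no token to this relying party
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName "SharePoint 2010 Intranet" `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Check: the rules landed on the right trust and the identifier matches SharePoint's realm
Get-ADFSRelyingPartyTrust -Name "SharePoint 2010 Intranet" |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```

Two things to verify before testing a sign-in: the realm given to New-SPTrustedIdentityTokenIssuer must be exactly the Identifier of the ADFS relying party trust, otherwise the token's audience will not match and SharePoint rejects it; and the certificate imported on the SharePoint side must be the current ADFS token-signing certificate, since ADFS rolls that certificate over automatically and a stale copy breaks signature validation for every user at once.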