(belated) Intro to Identity in SharePoint 2010

  • Article

We just realized that we kicked off the blog without so much as an introductory paragraph, let alone an overview. We were really fixated on getting the instructions out to configure and test the non-Windows Identity pipeline to unblock testing... Now that the two basic configuration posts are up, let's do the Intro...

At the beginning of the SharePoint 2010 cycle, we took a thorough look at the design of Identity in SharePoint with everything we had learned about in SPS 2003, MOSS 2007, WSS v2 and WSS v3. Boy, did we learn a lot in those products. We finally articulated the problem statement eventually down a few bullets:

  • Support User Identity delegation
    • to other servers/services in the same farm (BCS, Excel Services, etc.)
    • to other servers/services in another SharePoint farm (Search, Secure Store, etc.)
    • to other servers/services outside of SharePoint (WCF, Web Services, SQL, etc.)
  • Allow addl. security principals (ex. Application Roles)
  • Support Multiple Identity Providers on one URL (Windows AND Federated Identity Provider)
  • Support for Office Client access w/o Windows Integrated Authentication
  • Integrate with Identity Provider products via Standards

In order to address these identity issues/problems/opportunities, we selected the Claims Based Identity model introduced to us by Kim Cameron. We worked super closely with the Windows Identity Foundation (WIF) team for this work. Huge thanks to them!

In a nutshell, here is Identity flow in SharePoint2010:

Incoming (Sign-in) has two sign-in modes - Windows-Classic and Claims. Claims mode, in turn, supports Windows, ASP.Net Forms Based Auth and SAML Token often referred to as Windows-Claims, FBA-Claims and SAML-Claims. We offer an extensibility point to Augment claims into the sign-in token.
Outgoing (SharePoint Services) uses SAML tokens exclusively in our server-to-server communication between the WFE and App Servers over WCF in our Shared Services framework.
Outgoing (Business Connectivity Services)  features such as Virtual Lists support PassThrough identity to "external webservice" using SAML tokens as well.

There is a lot to cover about the subject and we will devote a bunch of time discussing what we have done and how to address customer issues as we see/hear/run into them. The videos below give a good feel for the approach we took to address the issues above using Claims and WIF.

Video 1:

Here, Venky talks about what we did and why we did what we did! Mention @venkyv or @SPIdentity directly with questions.
https://channel9.msdn.com/shows/Identity/Sharepoint-2010-and-Claims-Based-Identity/

Video 2:

Vittorio, who interviewed Venky for the above video also gave a talk on Claims Based Identity in Belgium. He talks about what claims are and gives analogies and anecdotes to drive the concept home. Wonderful talk.
https://www.microsoft.com/belux/techdays/2009/session.aspx?sid=idcloudserv&tid=arc_preconf&engine=MSDN

Video 3:

Venky's presentation at the Professional Developer's Conference 2009 in LA, where he is a little bit more specific than in Video 1!
https://microsoftpdc.com/Sessions/PR11

We are on Twitter as well, so please add @SPIdentity to your tweets get our attention.

We would love your comments and questions in either this blog or on Twitter. Thanks!

----

The SharePoint Identity team is Chris, Huy, David, Bryant, Titus, Vlad, Nick, Suntosh, Javier, Sarat and Venky