Two-Tier | SharePoint 2010 | External Zone Flow of Identity

In a two-tier commerce deployment in the external zone (shopper zone), there are four scenarios for the flow of identity:

  • An Anonymous or Registered Shopper Using a Web Browser

  • A Shopper Logging On Using a Web Browser

  • A Registered Shopper Using a Silverlight Rich Internet Application (RIA)

  • An Anonymous Shopper Using a Silverlight RIA

For more information about the states of identity (Anonymous, Recognized, and Authenticated), see Understanding User Recognition.

[Diagram: the four flows of identity in a two-tier external-zone deployment]

An Anonymous or Registered Shopper Using a Web Browser

Flow three depicts the flow of identity for a registered or anonymous shopper who browses a SharePoint 2010 e-commerce Web site.

Since the SharePoint 2010 Web application is a trusted subsystem, it acts on behalf of the shopper and, using a Windows identity (Data\CsDataUser), sends a request to the operation service. The operation service requires a ClaimsIdentity, so the Principal Creator converts the STS (App\StsUser) Windows identity into a ClaimsIdentity and loads its claims from AzMan. This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. Using the Windows identity Data\CsDataUser, the operation service processes the request and returns the appropriate information from the commerce databases for that request. This identity has permission in SQL Server to access all data required by the SharePoint 2010 site.

A Shopper Logging On Using a Web Browser

Flow four depicts the flow of identity for a shopper who logs on to the SharePoint 2010 Web application.

When a shopper logs in to the SharePoint 2010 site with credentials such as a user name and password, the SharePoint 2010 Web application, using a Windows identity (Data\CsDataUser), sends a Windows Communication Foundation (WCF) Request for Security Token (RST) to the SharePoint 2010 security token service (STS) to log on the shopper. In this scenario, the SharePoint 2010 Web application is a trusted subsystem that acts on behalf of the shopper.

The SharePoint 2010 STS calls the CommerceSharePointMembershipProvider. Using the Windows identity of the STS (App\StsUser), the Membership Provider sends a request to the operation service to validate the user name and password. The operation service requires a ClaimsIdentity, so the Principal Creator converts the STS (App\StsUser) Windows identity into a ClaimsIdentity and loads its claims from AzMan. This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. Using the Windows identity Data\CsDataUser, the operation service processes the request to validate the user name and password of the shopper and returns a pass or fail response.

If the shopper has supplied the correct user name and password, the SharePoint 2010 STS calls the CommerceClaimsProvider. For more information, see About the Commerce Server Claims Provider. Using the Windows identity of the STS (App\StsUser), the Commerce Server Claims Provider sends a request to the operation service to return a list of claims for the shopper that is logging on. Again, the Principal Creator converts the STS (App\StsUser) Windows identity into a ClaimsIdentity and loads its claims from AzMan. These claims allow the App\StsUser to query for the CommerceClaim entities associated with any user.

The CommerceClaimsProvider converts the CommerceClaim entities returned by the operation service into claims, and adds the claims to the security token that will be issued for the user that is logging in. The STS sends the security token to the SharePoint 2010 Web application, and the Web application sends the token to the browser as a cookie. On the next request, the anonymous identity changes to an authenticated (registered) identity.

A Registered Shopper Using a Silverlight Rich Internet Application (RIA)

Flow one depicts the flow of identity for a registered shopper who shops using a Silverlight rich Internet application (RIA).

When the registered shopper successfully logs in, the ClaimsIdentity that is created by the CommerceClaimsProvider contains claims about the shopper, such as the user ID. For more information, see About the Commerce Server Claims Provider.

Using the Data\CsRestrictedDataUser identity, the Routing Service sends the request and accompanying ClaimsIdentity of the registered shopper using an in-process call to the operation service. Since the Routing Service uses a delegated security model, the security context of the shopper is used to determine the operations performed by the operation service.

Because the incoming registered identity is already a ClaimsIdentity, the Principal Creator takes no action. The registered shopper can access only his or her own information, such as a user profile or basket, because such commerce entities are specific to a user and protected by a user scope. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity has permission in SQL Server to access only the data required by the Silverlight RIA.

An Anonymous Shopper Using a Silverlight RIA

Flow two depicts the flow of identity for an anonymous shopper using a Silverlight RIA to browse for product information.

When an anonymous shopper browses using a Silverlight RIA, the anonymous shopper has no claims associated with his or her ClaimsIdentity.

Using the Data\CsRestrictedDataUser identity, the routing service sends the request and accompanying ClaimsIdentity using an in-process call to the operation service. Since the routing service uses a delegated security model, the security context of the shopper is used to determine the operations performed by the operation service.

Because the incoming anonymous identity is already a ClaimsIdentity, the Principal Creator takes no action. Because the anonymous identity contains no claims, the anonymous shopper can perform only actions permitted by the "Everyone" claimset, such as retrieving product information or advertisements. Actions like accessing a shopping basket or a user profile are not authorized because they are protected by a userScope authorization rule (an identity with claims can access only its own profile, shopping basket, and similar entities), and an identity with no claims cannot access any commerce entity for which authorization is required. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity has permission in SQL Server to access only the data required by the Silverlight RIA.
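The four flows above share one authorization model: the Principal Creator converts a trusted Windows identity into a ClaimsIdentity loaded from AzMan (and leaves an incoming ClaimsIdentity untouched), and the operation service then checks the request against the "Everyone" claimset, the userScope rule, and role-style claims such as the one that lets App\StsUser query CommerceClaim entities. The following Python model, added here as an illustration and not Commerce Server's own code or API, exercises each case: the operation names, the claim types, the store contents and the function names are constructed for the example.

```python
"""Constructed model of the identity flow described on this page: a Principal
Creator that turns a Windows identity into a ClaimsIdentity loaded from an
AzMan-style store, and an operation service that authorizes requests against
an "Everyone" claimset, a userScope rule and role claims. All names and store
contents are assumptions for illustration, not the product's API."""

from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Claim = Tuple[str, str]  # (claim type, claim value)


@dataclass(frozen=True)
class WindowsIdentity:
    """A caller identified by its Windows account, e.g. App\\StsUser."""
    account: str


@dataclass(frozen=True)
class ClaimsIdentity:
    """A caller described by claims; an anonymous shopper has none."""
    claims: FrozenSet[Claim]

    def has(self, claim_type: str, value: str) -> bool:
        return (claim_type, value) in self.claims


# Constructed stand-in for the AzMan store: the claims each trusted Windows
# account receives when it is converted to a ClaimsIdentity.
AZMAN_STORE = {
    r"App\StsUser": frozenset({("role", "ClaimsReader"),
                               ("role", "MembershipValidator")}),
}


def principal_creator(identity):
    """A ClaimsIdentity passes through untouched (the 'takes no action' case);
    a Windows identity is converted and its claims loaded from the store.
    An account missing from the store gets an empty claimset."""
    if isinstance(identity, ClaimsIdentity):
        return identity
    return ClaimsIdentity(AZMAN_STORE.get(identity.account, frozenset()))


# Authorization rules keyed by constructed operation names.
EVERYONE_OPERATIONS = {"GetProduct", "GetAdvertisement"}
USER_SCOPED_OPERATIONS = {"GetBasket", "GetUserProfile"}
ROLE_PROTECTED_OPERATIONS = {
    "QueryCommerceClaims": "ClaimsReader",      # any user's CommerceClaim entities
    "ValidateCredentials": "MembershipValidator",
}


def authorize(identity: ClaimsIdentity, operation: str,
              target_user: Optional[str] = None) -> bool:
    """Decide whether the claims in the security context permit the operation."""
    if operation in EVERYONE_OPERATIONS:
        return True  # "Everyone" claimset: no claims required
    if operation in USER_SCOPED_OPERATIONS:
        # userScope rule: only the identity whose userid claim matches the
        # target may touch that user's basket or profile.
        return target_user is not None and identity.has("userid", target_user)
    required_role = ROLE_PROTECTED_OPERATIONS.get(operation)
    if required_role is not None:
        return identity.has("role", required_role)
    return False  # unknown operation: deny by default


def process_request(caller, operation: str,
                    target_user: Optional[str] = None) -> str:
    """Operation service entry point: build the security context, authorize,
    then act as the trusted subsystem (the database call is simulated)."""
    context = principal_creator(caller)
    if not authorize(context, operation, target_user):
        return "denied"
    return f"ok:{operation}" + (f":{target_user}" if target_user else "")


if __name__ == "__main__":
    anonymous = ClaimsIdentity(frozenset())                       # flow two
    alice = ClaimsIdentity(frozenset({("userid", "alice")}))      # flow one
    print(process_request(anonymous, "GetProduct"))               # ok:GetProduct
    print(process_request(anonymous, "GetBasket", "alice"))       # denied
    print(process_request(alice, "GetBasket", "alice"))           # ok:GetBasket:alice
    print(process_request(alice, "GetBasket", "bob"))             # denied
    print(process_request(WindowsIdentity(r"App\StsUser"),
                          "QueryCommerceClaims", "alice"))        # ok:QueryCommerceClaims:alice
```

The deny-by-default branch at the end of `authorize` is the detail worth keeping when adapting this: an operation that no rule names should fail closed rather than fall through to the "Everyone" path, which is exactly what protects basket and profile data from an identity that carries no claims.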

See Also

Other Resources

Understanding Claims-Based Identity

Managing Authentication

Managing Authorization

Understanding User Recognition

About the Commerce Server Claims Provider

Understanding the Flow of Identity