Three-Tier | SharePoint 2010 | External Zone Flow of Identity

In a three-tier, commerce deployment in the external (shopper facing) zone, there are five scenarios for the flow of identity:

  • A Shopper Logging On for the First Time Using a Web Browser

  • An Anonymous or Registered Shopper Using a Web Browser

  • A Registered Shopper Using a Silverlight Rich Internet Application (RIA)

  • An Anonymous Shopper Using a Silverlight RIA

  • An Anonymous Shopper Using a Silverlight RIA to Perform an Anonymous Checkout

For more information about the states of identity (Anonymous, Recognized, and Authenticated), see Understanding User Recognition.

[Figure: three-tier external zone flow of identity, showing flows one through five described below]

A Shopper Logging On for the First Time Using a Web Browser

Flow one depicts the flow of identity for a shopper who logs on to the SharePoint 2010 Web application.

When a shopper logs in to the SharePoint 2010 site with their credentials, such as a user name and password, the SharePoint 2010 Web application, using a Windows identity (App\CsAppUser), sends a Windows Communication Foundation (WCF) Request for Security Token (RST) to the SharePoint 2010 security token service (STS) to log on the shopper. In this scenario, the SharePoint 2010 Web application is a trusted subsystem that acts on behalf of the shopper.

The SharePoint 2010 STS calls the CommerceSharePointMembershipProvider. Using the Windows identity of the STS (App\StsUser), the Commerce SharePoint Membership Provider sends a request to the operation service to validate the user name and password. The operation service requires a ClaimsIdentity, so the Principal Creator converts the STS (App\StsUser) Windows identity into a ClaimsIdentity and loads its claims from AzMan. This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. Using the Windows identity Data\CsDataUser, the operation service processes the request to validate the user name and password of the shopper and returns a pass or fail response.

If the shopper has supplied the correct user name and password, the SharePoint 2010 STS calls the Commerce SharePoint Membership Provider. For more information, see About the Commerce Server Claims Provider. Using the Windows identity of the STS (App\StsUser), the Commerce SharePoint Membership Provider sends a request to the operation service to return a list of claims for the shopper that is logging on. Again, the Principal Creator converts the STS (App\StsUser) Windows identity into a ClaimsIdentity and loads its claims from AzMan. These claims allow the App\StsUser to query for the CommerceClaim entities associated with any user.

The Commerce SharePoint Membership Provider converts the CommerceClaim entities returned by the operation service into claims, and adds the claims to the security token that will be issued for the user that is logging in. The STS sends the security token to the SharePoint 2010 Web application, and the Web application sends the token to the browser as a cookie. On the next request, the anonymous identity changes to an authenticated (registered) identity.

An Anonymous or Registered Shopper Using a Web Browser

Flow two depicts the flow of identity for a registered or anonymous shopper who browses a SharePoint 2010 Web site.

Since the SharePoint 2010 Web application is a trusted subsystem, it acts on behalf of the shopper and, using a Windows identity (App\CsAppUser), sends a request to the operation service. The operation service requires a ClaimsIdentity, so the Principal Creator converts this Windows identity into a ClaimsIdentity and loads its claims from AzMan. This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. Using the Windows identity Data\CsDataUser, the operation service processes the request and returns the appropriate information from SQL Server based on the request being processed. The Data\CsDataUser identity has permission in SQL Server to access all data required by the SharePoint 2010 site.

A Registered Shopper Using a Silverlight RIA

Flow three depicts the flow of identity for a registered shopper who shops using a Silverlight rich Internet application (RIA).

When the registered shopper successfully logs in, the ClaimsIdentity that is created by the Commerce SharePoint Membership Provider contains claims about the shopper, such as the user ID. For more information, see About the Commerce Server Claims Provider. The routing service forwards the request and accompanying ClaimsIdentity of the registered shopper to the operation service. Since the routing service uses a delegated security model, the security context of the shopper is used to determine the operations performed by the operation service.

Because the incoming registered identity is already a ClaimsIdentity, the Principal Creator takes no action. The registered shopper can only access their own information, such as user profile, basket, etc., because such commerce entities are specific to a user and protected by a userScope authorization rule. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.

An Anonymous Shopper Using a Silverlight RIA

Flow four depicts the flow of identity for an anonymous shopper using a Silverlight RIA to browse for product information.

When the anonymous shopper browses using a Silverlight RIA, the anonymous shopper has no claims associated with his or her ClaimsIdentity.

The routing service forwards the request and accompanying ClaimsIdentity to the operation service. Since the routing service uses a delegated security model, the security context of the shopper is used to determine the operations performed by the operation service.

Because the incoming anonymous identity is already a ClaimsIdentity, the Principal Creator takes no action. Because the anonymous identity contains no claims, the anonymous shopper can only perform actions based on the "Everyone" claimset, such as retrieving product information or advertisements. Actions like accessing a shopping basket or a user profile are not authorized because they are protected by a userScope authorization rule (meaning an identity with claims can only access his or her profile, shopping basket, etc.). Since the identity contains no claims, the identity cannot access commerce entities for which authorization is required. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.

An Anonymous Shopper Using a Silverlight RIA to Perform an Anonymous Checkout

Flow five depicts the flow of identity for an anonymous shopper using a Silverlight RIA to shop and checkout anonymously.

Note

This scenario is not recommended because anonymous checkouts from a Silverlight RIA require a complex deployment of three operation services. We recommend that you only support checkouts for registered shoppers using a Silverlight RIA. If you choose to support anonymous checkout through a Silverlight RIA, you must have a separate Windows Communication Foundation (WCF) service dedicated to anonymous checkouts originating from the Silverlight RIA. The separate WCF service is necessary because Commerce Server 2009 R2 requires that any identity performing a checkout has user ID claims, whereas an anonymous user has no claims. Furthermore, to reduce the exposure of your Silverlight RIA to security threats, you should decrease your attack surface area: expose through the WCF routing service only those Commerce Foundation operations needed to support the e-commerce activities available through your Silverlight RIA. For more information, see Considerations for Secure Deployment of Rich Internet Applications (RIAs).

The CommerceUserRecognitionModule assigns the anonymous shopper a user ID, a globally unique identifier (GUID), which is stored in a cookie. This user ID associates the anonymous shopper with his or her shopping basket. At this time, the anonymous shopper has no claims associated with his or her ClaimsIdentity.

Using a Windows identity (App\csRouterUser), the routing service forwards the request and a custom WCF header containing the user ID of the anonymous shopper to the operation service.

Since the routing service has a Windows identity and the operation service requires a claims identity, the Principal Creator reads the WCF header of the request and converts the anonymous identity of the shopper to a ClaimsIdentity containing one claim for the user ID from the WCF header. This establishes the shopper identity as the security context for the operations performed by the operation service. Now, the anonymous shopper is authorized to access their basket. The operation service, as a trusted subsystem, uses the Data\CsRestrictedDataUser identity to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.
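The following is an added model, not Commerce Server code, of the Principal Creator and authorization rules described in flows one through five: a Windows identity is mapped to claims from an AzMan-like store, an existing ClaimsIdentity passes through untouched, the router's WCF header yields a single user ID claim, and the "Everyone" claimset and userScope rule decide what each identity may do. The AzMan table, claim names and operation names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the AzMan store: Windows identity -> claims loaded by the Principal Creator.
# "ReadAnyUser" is a hypothetical claim that lets a trusted subsystem act for any shopper.
AZMAN_CLAIMS = {
    r"App\CsAppUser": {"Everyone", "ReadAnyUser"},                    # flow two: Web application
    r"App\StsUser": {"Everyone", "ValidateCredentials", "ReadAnyUser"},  # flow one: STS
}

@dataclass
class ClaimsIdentity:
    claims: set = field(default_factory=set)   # claim strings such as "Everyone" or "UserId:<guid>"

@dataclass
class WindowsIdentity:
    name: str                                  # e.g. r"App\csRouterUser"

def principal_creator(identity, wcf_header=None):
    """Produce the ClaimsIdentity the operation service requires for the incoming caller."""
    if isinstance(identity, ClaimsIdentity):
        return identity                        # flows three and four: already a ClaimsIdentity
    if wcf_header and "UserId" in wcf_header:
        # flow five: the router sends a Windows identity plus a custom WCF header carrying the user ID
        return ClaimsIdentity({f"UserId:{wcf_header['UserId']}"})
    # flows one and two: convert the Windows identity and load its claims from AzMan
    return ClaimsIdentity(set(AZMAN_CLAIMS.get(identity.name, set())))

EVERYONE_OPERATIONS = {"GetProduct", "GetAdvertisement"}   # allowed by the "Everyone" claimset
USER_SCOPED_ENTITIES = {"Basket", "UserProfile"}           # protected by the userScope rule

def authorize(identity, operation, entity=None, owner_user_id=None):
    """Return True if identity may perform operation on the given entity."""
    if operation in EVERYONE_OPERATIONS:
        return True                            # even an identity with no claims may browse
    if entity in USER_SCOPED_ENTITIES:
        # userScope: only the owner (matching UserId claim) or a trusted subsystem may access it
        return "ReadAnyUser" in identity.claims or f"UserId:{owner_user_id}" in identity.claims
    return operation in identity.claims        # any other operation needs a matching claim
```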

See Also

Other Resources

Understanding Claims-Based Identity

Managing Authentication

Managing Authorization

Understanding User Recognition

About the Commerce Server Claims Provider

Understanding the Flow of Identity