Two-Tier | SharePoint 2010 | Internal Zone Flow of Identity

In a two-tier, Microsoft SharePoint 2010 commerce deployment in the internal zone (business user zone), there are three scenarios for the flow of identity:

  • A Business User Logging on for the First Time Using a Web Browser

  • A Business User Using a Silverlight Rich Internet Application (RIA), such as the Commerce Server Business Administration Ribbon

  • A Business User Using a Web Browser

[Diagram: the three identity flows (flows one, two, and three) described in the sections below]

A Business User Logging On for the First Time Using a Web Browser

Flow three depicts the flow of identity for a business user who logs on to the SharePoint 2010 Web application.

A business user cannot browse the SharePoint 2010 site anonymously. When a business user browses the SharePoint 2010 site for the first time, the business user is redirected to the SharePoint 2010 secure token service (STS), which challenges the business user for his or her Windows credentials. If the business user is on the corporate domain, the credentials of the business user are provided to the SharePoint 2010 STS automatically since the business user provided a Windows user name and password when he or she logged onto a computer in the corporate domain. If the business user is connecting from outside the business domain, for example, he or she is using a virtual private network, then the Windows credentials of the business user have not been established yet, and he or she is challenged for a user name and password.

If the business user has supplied the correct Windows credentials, the SharePoint 2010 STS calls the CommerceClaimsProvider. For more information, see About the Commerce Server Claims Provider. Using the Windows identity of the STS (App\StsUser), the Commerce Server Claims Provider sends a request to the operation service to return a list of claims for the business user who is logging on. The Principal Creator converts the STS (App\StsUser) Windows identity into a ClaimsIdentity and loads its claims from AzMan. These claims allow the App\StsUser to query for the CommerceClaim entities associated with any user.

The Commerce Server Claims Provider converts the CommerceClaim entities returned by the operation service into claims, and adds the claims to the security token that will be issued for the business user who is logging on. The STS sends the security token to the browser as a cookie. The business user is redirected to the SharePoint 2010 site.

A Business User Using a Silverlight Rich Internet Application (RIA)

Flow one depicts the flow of identity for an authenticated business user using a Silverlight rich Internet application (RIA), such as the Commerce Server Business Administration Ribbon.

In this scenario, the business user has successfully logged on to the site. The business user's ClaimsIdentity contains claims about the user, such as role membership.

The Silverlight RIA, such as the Commerce Server Business Administration Ribbon, calls the routing service using a Windows Communication Foundation (WCF) request. The routing service forwards the request and accompanying ClaimsIdentity of the business user to the operation service. Since the routing service uses a delegated security model, the security context of the business user is used to determine the security context of the operations performed by the operation service.

Because the incoming registered identity is already a ClaimsIdentity, the Principal Creator takes no action. The business user can only perform operations for which he or she has authorization. Commerce operations on commerce entities, such as the CommerceUpdateOperation on the commerce entity Product, are protected by authorization rules. For example, the business user may be authorized to update product descriptions but not product prices. The operation service, as a trusted subsystem, uses the Windows identity Data\CsRestrictedDataUser to make calls to the database to fulfill requests. This identity only has permission in SQL Server to access data required by the Silverlight RIA.

A Business User Using a Web Browser

Flow two depicts the flow of identity for an authenticated business user who browses the SharePoint 2010 Web application using a browser.

In this scenario, the business user has successfully logged on to the site. The business user's ClaimsIdentity contains claims about the user, such as role membership.

Since the SharePoint 2010 Web application is a trusted subsystem, the SharePoint 2010 Web application, using a Windows identity (Data\CsDataUser), acts on behalf of the business user and sends a request to the operation service. The operation service requires a ClaimsIdentity, so the Principal Creator converts the Web application (Data\CsDataUser) Windows identity into a ClaimsIdentity and loads its claims from AzMan. This ClaimsIdentity is used as the security context for authorization checks performed while processing the request. Using the Windows identity Data\CsDataUser, the operation service processes the request and returns the appropriate information from commerce databases based on the request being processed. This identity has permission in SQL Server to access all data required by the SharePoint 2010 site.
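The following Python model, added here as an illustration and not code from Commerce Server or SharePoint, walks the three flows above end to end: the STS path (flow three), in which App\StsUser is converted by the Principal Creator and used to fetch a user's CommerceClaim entities; the delegated path (flow one), in which the user's own ClaimsIdentity is passed through untouched and checked against per-property authorization rules on the Product entity; and the trusted-subsystem path (flow two), in which the operation service authorizes against the claims of Data\CsDataUser rather than those of the end user. The claim types, role names, the AzMan policy table, and the authorization rules are all constructed for this example; Commerce Server's real types and policy format are not reproduced.

```python
"""Model of the three identity flows (added example; constructed data, not Commerce Server code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WindowsIdentity:
    name: str  # e.g. "App\\StsUser" or "Data\\CsDataUser"


@dataclass
class ClaimsIdentity:
    name: str
    claims: set = field(default_factory=set)  # set of (claim_type, value) tuples


# Constructed stand-in for the AzMan policy store: Windows identity -> claims.
AZMAN_CLAIMS = {
    "App\\StsUser": {("role", "ClaimsReader")},
    "Data\\CsDataUser": {("role", "SiteTrustedSubsystem")},
}

# Constructed stand-in for the CommerceClaim entities the operation service
# returns per business user (what the STS places in the security token).
USER_COMMERCE_CLAIMS = {
    "CORP\\alice": {("role", "CatalogEditor")},
}

# Constructed authorization rules: (operation, entity, property) -> roles allowed.
# Mirrors the page's example: descriptions may be updated, prices may not.
AUTHZ_RULES = {
    ("CommerceUpdateOperation", "Product", "Description"): {"CatalogEditor", "SiteTrustedSubsystem"},
    ("CommerceUpdateOperation", "Product", "ListPrice"): {"PricingManager", "SiteTrustedSubsystem"},
    ("CommerceQueryOperation", "CommerceClaim", "*"): {"ClaimsReader"},
}


def principal_creator(identity):
    """Principal Creator: a Windows identity becomes a ClaimsIdentity with claims
    loaded from AzMan; an incoming ClaimsIdentity is returned unchanged."""
    if isinstance(identity, ClaimsIdentity):
        return identity
    return ClaimsIdentity(identity.name, set(AZMAN_CLAIMS.get(identity.name, ())))


def is_authorized(principal, operation, entity, prop):
    """Authorization rule check: any role claim matching the rule allows the operation."""
    roles = {value for claim_type, value in principal.claims if claim_type == "role"}
    allowed = AUTHZ_RULES.get((operation, entity, prop)) or AUTHZ_RULES.get((operation, entity, "*"), set())
    return bool(roles & allowed)


def operation_service(identity, operation, entity, prop):
    """Operation service entry point: build the security context, then authorize."""
    principal = principal_creator(identity)
    return is_authorized(principal, operation, entity, prop)


def sts_logon(user_name):
    """Flow three: the STS, running as App\\StsUser, queries CommerceClaim entities
    for the user and issues a token carrying them as claims."""
    sts_identity = WindowsIdentity("App\\StsUser")
    if not operation_service(sts_identity, "CommerceQueryOperation", "CommerceClaim", "*"):
        raise PermissionError("STS identity is not authorized to read CommerceClaim entities")
    return ClaimsIdentity(user_name, set(USER_COMMERCE_CLAIMS.get(user_name, ())))


def silverlight_update(token, prop):
    """Flow one: delegated security; the routing service forwards the user's
    ClaimsIdentity, so the check runs against the user's own claims."""
    return operation_service(token, "CommerceUpdateOperation", "Product", prop)


def web_app_update(prop):
    """Flow two: trusted subsystem; the web application calls as Data\\CsDataUser,
    so the check runs against the web application's claims, not the user's."""
    return operation_service(WindowsIdentity("Data\\CsDataUser"), "CommerceUpdateOperation", "Product", prop)


if __name__ == "__main__":
    token = sts_logon("CORP\\alice")
    print("RIA update Description:", silverlight_update(token, "Description"))
    print("RIA update ListPrice:  ", silverlight_update(token, "ListPrice"))
    print("Web app update ListPrice:", web_app_update("ListPrice"))
```

The contrast between the last two calls is the point a practitioner should take from the page: in the delegated model the operation service can refuse the price update because it sees the business user's claims, whereas in the trusted-subsystem model it sees only Data\CsDataUser, whose claims cover everything the site needs, so any per-user restriction has to be enforced before the request reaches the operation service.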

See Also

Other Resources

Understanding Claims-Based Identity

Managing Authentication

Managing Authorization

Understanding User Recognition

About the Commerce Server Claims Provider

Understanding the Flow of Identity