Using SAML 1.x or SAML 2.0 to authenticate Sharepoint users
By Bert Van Beeck on Dec 10, 2008
I came across a question regarding Sharepoint and SAML 1.1.
A partner wanted to connect Microsoft Sharepoint with a SAML 1.1 Identity Provider (in this case the Belgian Federal Authentication Service - FAS).
The main problem is that Sharepoint does not speak SAML 1.1, nor does the Windows platform it is running on.
The solution via Sun's OpenSSO is simple, as it supports loads of federation protocols!
- First set up SAML 1 single sign-on between the SAML 1 IDP and OpenSSO acting as a SAML 1 SP
- Then set up WS-Federation SSO between OpenSSO acting as an IDP and Microsoft Sharepoint as a Service Provider (SP)
- Start SAML 1 SSO from the SAML 1 IDP with the final redirect URL set to the OpenSSO WS-Federation SSO initialization point (for example http:// : / /WSFederationServlet/metaAlias/ ?goto= )
- In this case, the SAML 1 IDP will start an IDP-initiated SSO and post the Assertion to the OpenSSO server instance
- The OpenSSO server will then process the SAML 1 protocol accordingly and redirect to the WS-Federation SSO initiation URL
- On completion, OpenSSO will start the WS-Federation protocol and send the assertion to Microsoft Sharepoint to complete WS-Federation SSO
One thing to note: Sharepoint will need an 'SP' instance of AD-FS to communicate with OpenSSO, as Sharepoint itself does not speak WS-Federation.
So the protocol chain looks like this:
SAML 1 IdP -- SAML1 --> OpenSSO -- WS-Fed --> AD-FS --> Sharepoint
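To make the middle hop of that chain concrete, here is a small added example (my own toy model, not OpenSSO, AD-FS or Sharepoint code) of what OpenSSO does between the two arrows: it validates the inbound SAML 1.1 assertion (trusted issuer, validity window, audience), checks that the goto= target on the WSFederationServlet URL is a configured relying party, and then builds the WS-Federation passive sign-in POST (wa=wsignin1.0 plus a wresult RequestSecurityTokenResponse) for the AD-FS 'SP' instance. All host names, realms, the metaAlias value "wsfedidp", the assertion IDs and the sample assertion are constructed; XML signature verification of the inbound assertion and signing of the outbound token are assumed to be done by the product around these checks.

```python
"""Toy model of the SAML 1.1 -> WS-Federation hop described above.

Added example, not OpenSSO, AD-FS or Sharepoint code. Models the checks a
bridging SP should make on the inbound SAML 1.1 assertion and the shape of
the WS-Federation sign-in response it then POSTs to the next hop. Inbound
signature verification and outbound token signing are assumed, not shown.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust"   # WS-Trust namespace used by WS-Fed 1.x

# Constructed configuration; every value below is hypothetical.
TRUSTED_SAML1_ISSUER = "https://fas.example.be/idp"          # the SAML 1.1 IdP
BRIDGE_ENTITY = "https://opensso.example.com/opensso"        # OpenSSO: SAML 1 SP and WS-Fed IdP
ADFS_REALM = "urn:federation:adfs-sp.example.com"            # realm of the AD-FS 'SP' instance
ADFS_ENDPOINT = "https://adfs-sp.example.com/adfs/ls/"       # where the WS-Fed POST lands
ALLOWED_GOTO = {ADFS_ENDPOINT}                               # relying parties in the chain

# Constructed inbound assertion (what the SAML 1.1 IdP posts to OpenSSO) and the
# final-redirect URL the IdP was configured with, carrying the goto= parameter.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="{TRUSTED_SAML1_ISSUER}" IssueInstant="2008-12-10T10:00:00Z">
  <saml:Conditions NotBefore="2008-12-10T09:59:00Z" NotOnOrAfter="2008-12-10T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{BRIDGE_ENTITY}</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2008-12-10T09:59:30Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
SAMPLE_INIT_URL = f"{BRIDGE_ENTITY}/WSFederationServlet/metaAlias/wsfedidp?goto={quote(ADFS_ENDPOINT, safe='')}"


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def fmt_ts(value: datetime) -> str:
    return value.strftime("%Y-%m-%dT%H:%M:%SZ")

SAMPLE_NOW = parse_ts("2008-12-10T10:00:30Z")   # constructed clock inside the validity window


def validate_saml1_assertion(xml_text: str, now: datetime) -> str:
    """Return the subject NameIdentifier if the assertion is acceptable, else raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") != TRUSTED_SAML1_ISSUER:          # only the configured IdP may assert
        raise ValueError("untrusted issuer")
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside validity window")
    if BRIDGE_ENTITY not in {a.text for a in cond.iter(f"{{{SAML1_NS}}}Audience")}:
        raise ValueError("assertion not addressed to this SP")   # token meant for another SP
    name_id = root.find(f".//{{{SAML1_NS}}}Subject/{{{SAML1_NS}}}NameIdentifier")
    if name_id is None or not name_id.text:
        raise ValueError("no subject")
    return name_id.text


def resolve_goto(wsfed_init_url: str) -> str:
    """The goto= target on the WS-Fed servlet URL must be a relying party in the chain."""
    goto = parse_qs(urlsplit(wsfed_init_url).query).get("goto", [""])[0]
    if goto not in ALLOWED_GOTO:
        raise ValueError("goto target is not a configured relying party")
    return goto


def issue_wsfed_response(subject: str, now: datetime) -> dict:
    """Form fields of the WS-Federation passive sign-in response POSTed to AD-FS:
    wa=wsignin1.0 plus wresult, a RequestSecurityTokenResponse wrapping a fresh
    SAML 1.1 assertion issued by the bridge with the AD-FS realm as audience."""
    ET.register_namespace("saml", SAML1_NS)
    ET.register_namespace("t", WST_NS)
    rstr = ET.Element(f"{{{WST_NS}}}RequestSecurityTokenResponse")
    token = ET.SubElement(rstr, f"{{{WST_NS}}}RequestedSecurityToken")
    assertion = ET.SubElement(token, f"{{{SAML1_NS}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": "_bridge-1",
        "Issuer": BRIDGE_ENTITY, "IssueInstant": fmt_ts(now)})
    cond = ET.SubElement(assertion, f"{{{SAML1_NS}}}Conditions", {
        "NotBefore": fmt_ts(now), "NotOnOrAfter": fmt_ts(now + timedelta(minutes=5))})
    arc = ET.SubElement(cond, f"{{{SAML1_NS}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML1_NS}}}Audience").text = ADFS_REALM
    stmt = ET.SubElement(assertion, f"{{{SAML1_NS}}}AuthenticationStatement", {
        "AuthenticationInstant": fmt_ts(now),
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:unspecified"})
    subj = ET.SubElement(stmt, f"{{{SAML1_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML1_NS}}}NameIdentifier").text = subject
    return {"wa": "wsignin1.0", "wresult": ET.tostring(rstr, encoding="unicode")}


def bridge(assertion_xml: str, wsfed_init_url: str, now: datetime) -> dict:
    """One pass through the hub: accept the SAML 1.1 assertion, emit the WS-Fed POST."""
    subject = validate_saml1_assertion(assertion_xml, now)
    return {"action": resolve_goto(wsfed_init_url), "fields": issue_wsfed_response(subject, now)}


def rejection_reason(assertion_xml: str, wsfed_init_url: str, now: datetime):
    """None if the hop would succeed, else the reason it was refused (handy for logging)."""
    try:
        bridge(assertion_xml, wsfed_init_url, now)
    except ValueError as exc:
        return str(exc)
    return None
```

Running `bridge(SAMPLE_ASSERTION, SAMPLE_INIT_URL, SAMPLE_NOW)` returns the AD-FS endpoint as the form action and the wa/wresult fields to POST there. The points worth keeping from this model are the audience check (an assertion addressed to some other SP must not be accepted by the hub) and the goto allowlist (the hub should only forward to relying parties it has been configured with, never to an arbitrary URL taken from the request).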
Thank you Pat Patterson and Qingwen Cheng for helping me solve the question.
A similar use case using SAML 2 instead of SAML 1 is even easier, thanks to OpenSSO's multi-federation Protocol Hub.