Wednesday Dec 10, 2008

Using SAML 1.x or SAML 2.0 to authenticate Sharepoint users

I came across a question regarding Sharepoint and SAML1.1.
A partner wanted to connect Microsoft Sharepoint with a SAML 1.1 Identity Provider (in this case the Belgian Federal Authentication Service - FAS).
The main problem is that Sharepoint does not speak SAML 1.1, nor does the Windows platform it is running on.

The solution via Sun's OpenSSO is simple, as it supports a wide range of federation protocols!

  1. First set up SAML 1 single sign-on between the SAML 1 IDP and OpenSSO acting as the SAML 1 SP

  2. Then set up WS-Federation SSO between OpenSSO acting as an IDP and Microsoft Sharepoint as a Service Provider (SP)

  3. Initiate SAML 1 SSO from the SAML 1 IDP with the final redirect URL set to the OpenSSO WS-Federation SSO initialization point (for example http://://WSFederationServlet/metaAlias/?goto= )

  4. In this case, the SAML 1 IDP will start an IDP-initiated SSO and post the Assertion to the OpenSSO server instance

  5. The OpenSSO server will then process the SAML 1 protocol accordingly and redirect to the WS-Federation SSO initiation URL

  6. After completion, OpenSSO will start the WS-Federation protocol and send the assertion to Microsoft Sharepoint to complete the WS-Federation exchange.

One thing to note - Sharepoint will need an 'SP' instance of AD-FS to communicate with OpenSSO as Sharepoint itself does not speak WS-Federation.

So the protocol connection would look like:
SAML 1 IdP -- SAML 1 --> OpenSSO -- WS-Fed --> AD-FS --> Sharepoint
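As an added example (not OpenSSO's own code), the checks the hub must perform on the inbound SAML 1 assertion in steps 4 and 5 before it starts WS-Federation SSO, modelled in Python. The hub entity URL, the clock value and the sample assertion are constructed for the example.

```python
# Added example (not OpenSSO code): what the hub must verify on the inbound
# SAML 1.1 assertion before it turns the login into a WS-Federation SSO.
# The audience URL, clock and sample assertion below are constructed.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
HUB_AUDIENCE = "https://opensso.example.com/opensso"   # constructed: OpenSSO as SAML 1 SP

class BridgeRejected(ValueError):
    """Raised for an assertion the hub must not bridge on to WS-Federation."""

def _ts(value):
    # SAML 1.x timestamps are UTC ISO 8601 with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_saml1_assertion(xml_text, now):
    """Return the NameIdentifier if the assertion is within its validity window
    and addressed to this hub; otherwise raise BridgeRejected.
    XML signature verification is not modelled here; a real hub checks it first."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise BridgeRejected("missing Conditions or validity window")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise BridgeRejected("assertion outside its validity window")
    audiences = {a.text for a in cond.iter(f"{{{SAML1_NS}}}Audience")}
    if HUB_AUDIENCE not in audiences:
        raise BridgeRejected("assertion not addressed to this hub")
    name = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    if name is None or not name.text:
        raise BridgeRejected("no subject NameIdentifier")
    return name.text

def bridge_result(xml_text, now):
    """Convenience wrapper: (subject, None) on success, (None, reason) on rejection."""
    try:
        return validate_saml1_assertion(xml_text, now), None
    except BridgeRejected as err:
        return None, str(err)

def sample_assertion(audience, not_before="2008-12-10T10:00:00Z",
                     not_on_or_after="2008-12-10T10:05:00Z"):
    """Constructed SAML 1.1 assertion, shaped like what a SAML 1 IdP would POST."""
    return f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestrictionCondition><saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AuthenticationStatement><saml:Subject>
    <saml:NameIdentifier>alice@example.org</saml:NameIdentifier>
  </saml:Subject></saml:AuthenticationStatement></saml:Assertion>"""

NOW = datetime(2008, 12, 10, 10, 2, tzinfo=timezone.utc)   # constructed clock value
```

Only an assertion that passes all three checks should reach the WS-Federation initiation URL of step 5; a stale assertion or one meant for a different SP is dropped at the hub.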

Thank you Pat Patterson and Qingwen Cheng for helping me solve the question.

A similar use case using SAML2 instead of SAML1 is even easier, thanks to OpenSSO's multi-federation Protocol Hub.

Friday Nov 14, 2008

Microsoft meets SAML2

In the world of federation, there are a few standards available to allow human2application single sign-on. The open standards include SAML2 and ID-FF (now part of SAML2), and Microsoft's WS-Federation.
As SAML2 and WS-Federation are mutually incompatible, it has been a challenge to connect WS-Federation platforms with those supporting SAML2.

Fortunately, Microsoft announced in the last few weeks that their new server platform "Geneva" will support SAML2 as a federation protocol. This basically means that Geneva servers can start playing the role of IDP or SP in a federated environment. Federating a .NET platform with OpenSSO via SAML2 will become easy, and the reverse should also be possible.

Good job, Microsoft, on embracing the open standard SAML2!!! I'm looking forward to the future circles of trust that will be created as a result of this.

More information : http://www.kuppingercole.com/articles/fg_micro_gen_271008


About

Bert Van Beeck is a Senior Software Architect at Sun Microsystems, specialized in Sun's Identity Management portfolio. He's part of the Northern European pre-sales software team.
