SharePoint Claims Based Authentication – Windows Identity Foundation

With Windows Identity Foundation (WIF), the STS issues tokens that carry a rich set of claims. The identity selector lets the user choose which token will be presented. This makes the tokens easier to accept and to consume, so developers have an easier time building applications that are user friendly.

Windows Identity Foundation verifies a token's signature before it extracts the claims from it. Each claim is then exposed individually, which gives developers one consistent way of working with the information in a token, wherever it came from.

The Claim class has several properties worth understanding. The first is the claim type, which tells you what kind of claim it is: some claims carry a user name, others a role, and there are many other kinds. Claim types are identified by strings in the form of URIs.

The value is the actual content of the claim. It is often the user's name, but it doesn't have to be. The issuer identifies the identity provider that issued the claim and is vouching for it being true.

Windows Identity Foundation is also designed to support building a customized STS. You won't necessarily need one, but there are times when having one in place is a good idea. Explore everything WIF offers for Windows applications first, and then decide whether building your own STS is something you need to take on.



SharePoint Claims Based Authentication – CardSpace Geneva

As I mentioned, CardSpace Geneva is an upgrade of the CardSpace that Microsoft had previously offered. The upgrade keeps what was good and makes it even better. Information cards are a big part of this new approach.

Each user is represented in the system by an information card. Each time the user selects a card, a token is requested from the STS of the identity provider that issued that card. This connection is complex but workable: the card and the identity provider are linked by the STS recorded on the information card.

To clarify, an information card is simply an XML file. Each one represents a relationship with an identity provider, and that relationship lets the user obtain tokens from the provider for applications designed to accept them.

The information card stores the details needed to locate the right STS at the right identity provider, so that the token is requested from the right provider as well. The cards themselves carry no claims; they only link to the identity provider, which supplies the claims in the token.

An information card exists to hold the information needed to find and request tokens. It can sound confusing, but it is easier if you remember that tokens and information cards are two distinct items.

Each of the different identities a user can use has its own information card. The identity information itself comes from the STS at token request time, so there is no confidential information on an information card, and no passwords either.

Geneva Server, or any other STS, can issue an information card onto a user's machine. It is harder, though, for users who work on a laptop as well as a desktop computer: they need the same digital identity on both machines.

CardSpace Geneva makes this possible through its card export feature. Information cards can be copied to external storage such as a USB key and then imported on a laptop, so that security tokens are obtained there exactly as they would be on a desktop computer.

The exported cards are encrypted, which reduces the risk of an attacker getting at that information. If a USB key is lost or stolen, whoever ends up with it cannot use the cards on it to their own benefit.

Another idea Microsoft is considering is letting users store their information cards on an internet-accessible server. That would make moving identities from one computer to another much easier, and a huge benefit for the many people who use them at home, at work, and on the go.

Of course, there will be times when a user's access through CardSpace Geneva needs to be terminated. The identity provider can be told to stop issuing security tokens for that card, which is very easy to set in motion. Doing the same with the information card itself is harder.

Assigning a PIN that must be entered whenever the information card is used may help. A user whose access has been terminated then cannot get at the information, and neither can someone who breaks into a business or home and uses the computer there, or who steals a laptop.

It is important for users to be able to tell when a site accepts information cards for logging in. A site can display an icon that signals card-based logins are accepted there. The Information Card Foundation is doing all it can to make this technology user friendly. Its board includes members from a variety of top organizations, including Google, Microsoft, PayPal, and more. It is also working with the Liberty Alliance to ensure that claims-based identities can work in the business world as we know it.



SharePoint Claims Based Authentication – Active Directory Federation Services v2

AD FS v2 has its own STS and also supports the functions of the AD FS that preceded it. This lets it provide identity federation for the variety of scenarios we discussed previously. It also supports the SAML 2.0 protocol, the one the Liberty Alliance uses.

This setup also lets AD FS v2 work with an array of other products, and lets trust be established even with other STSs.

This is the same type of federation situation described before. The application in enterprise Y trusts tokens issued by its own STS. Clients in enterprise X must first get a token from their own STS and then use it to request a token from the STS of enterprise Y.

Several things must be in place for that to succeed. The STS of enterprise Y, which acts as the federation provider, must be able to tell that the token it receives was issued by the STS of enterprise X.

This works because the token is signed by the identity provider with a securely held signing key. So that the federation provider can verify the signature, the identity provider sends a certificate containing the corresponding public key.

The federation provider accepts those tokens according to the transformation policy the administrator has approved. That policy has to list all the types of claims that may come through.

The identity provider issues the token for the federation provider. To keep attackers from reading it, the token is encrypted, which is why the federation provider has to send a certificate containing its encryption key. The identity provider encrypts with that public key so that only the federation provider's STS can read the contents.
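As an added example (not code from this page or from Microsoft), here is how a federation provider built on WIF could enforce the kind of transformation policy described above, using the ClaimType, Value and Issuer properties from the Windows Identity Foundation section. It assumes the WIF 3.5 SDK (Microsoft.IdentityModel namespaces) and hypothetical issuer names for enterprise X and enterprise Y.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

// Enterprise Y side: a WIF ClaimsAuthenticationManager that applies the
// administrator-approved transformation policy to an incoming token. By the time
// it runs, WIF has verified the token signature against enterprise X's certificate
// and set each Claim.Issuer to the name registered for that certificate.
public class EnterpriseYTransformer : ClaimsAuthenticationManager
{
    // Hypothetical issuer names; real ones come from the issuerNameRegistry config.
    private const string PartnerIssuer = "http://sts.enterprise-x.example/";
    private const string LocalIssuer = "http://fp.enterprise-y.example/";

    // The policy: every claim type enterprise X is allowed to assert. Anything else is dropped.
    private static readonly HashSet<string> AllowedClaimTypes =
        new HashSet<string>(StringComparer.Ordinal) { ClaimTypes.Name, ClaimTypes.Email, ClaimTypes.Role };

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        var incoming = (IClaimsIdentity)incomingPrincipal.Identity;
        var accepted = new List<Claim>();

        foreach (Claim c in incoming.Claims)
        {
            // Issuer: who vouched for this claim. Only the partner STS is trusted here.
            if (!string.Equals(c.Issuer, PartnerIssuer, StringComparison.Ordinal))
                continue;

            // ClaimType: the URI that says what kind of claim it is (name, role, ...).
            if (!AllowedClaimTypes.Contains(c.ClaimType))
                continue;

            // Value: the content of the claim. Re-issue it under the local issuer but keep
            // the partner as OriginalIssuer so the chain of trust remains visible.
            accepted.Add(new Claim(c.ClaimType, c.Value, c.ValueType, LocalIssuer, c.Issuer));
        }

        // A token with no acceptable claims yields an unauthenticated principal rather
        // than letting the incoming claims pass through untouched.
        if (accepted.Count == 0)
            return new ClaimsPrincipal(new ClaimsIdentity());

        return new ClaimsPrincipal(new ClaimsIdentity(accepted, "Federation"));
    }
}
```

The class is wired in through the claimsAuthenticationManager element under microsoft.identityModel/service in web.config; in .NET 4.5 and later the same types live in System.Security.Claims.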

AD FS v2 makes this process easier by automating more of it. Before a certificate expires, it creates a new key pair and a new certificate and sends them to the partner STS. There is also more support for storing identity information.

Account information such as user names and passwords is stored in a separate place; it isn't lumped in with the attribute store. Microsoft is also going to support several stores when the final release ships, including AD DS, AD LDS, and SQL. Those are the ones included in the first testing phases, with more to be added later.
