What is Claims-based Authentication in SharePoint 2010?

Claims-based authentication (CBA) is built on a concept of identity that works with any identity system. An identity is represented by a security token, and that token is presented to the application the user is trying to access. CBA establishes a trust relationship between applications and a centralized provider that issues the tokens: the application trusts the user because it trusts the provider. Besides providing a single sign-on environment, this removes the need for each application to authenticate the user individually.

CBA also answers two important questions:

  1. How will users gain access to the enterprise's applications regardless of their location?
    • Claims-based identity provides a common way for applications to acquire identity information about users, whether they are inside the organization, in another organization, or on the internet.
  2. How will applications retrieve the different kinds of user information they need in order to carry out their functions?
    • Identity information is stored in the token. A token may contain one or more claims (pieces of identity information) about the user. A claim can be thought of as metadata about the user that travels with the token.

Implementing claims-based identity generally requires understanding and using a set of core technologies:

  1. Windows Identity Foundation (WIF):
    • WIF is a set of application programming interfaces (APIs) for building custom applications that consume claims and can federate with other systems.
  2. Active Directory Federation Services 2.0:
    • ADFS 2.0 is a security token service (STS) responsible for issuing tokens. ADFS provides both identity federation and single sign-on services.
  3. Windows CardSpace 2.0:
    • CardSpace stores users' digital identities and presents the identity information as visual Information Cards. Users can exchange these cards between systems much like real business cards.
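As an added illustration of the token flow described in the two sections above (this is example code written for this post, not code from SharePoint, WIF or ADFS), the block below models a minimal security token service that issues a signed token carrying claims, and a relying application that accepts the token only because it trusts the issuer, then makes an authorization decision from the claims alone. The issuer and application names (`urn:demo:adfs`, `urn:demo:sharepoint`), the shared HMAC key and the claim values are all constructed for the example; a real STS signs with a certificate and the token is SAML rather than this compact JSON form.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the token issuer and the application.
# A real STS such as ADFS 2.0 signs with its private key and the relying
# application verifies with the STS certificate; a shared HMAC key is used
# here only so the example runs offline without any certificate handling.
ISSUER_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, audience, claims, key, lifetime=3600, now=None):
    """STS side: wrap claims about the user in a signed token.

    The token records who issued it (iss), which application it is meant
    for (aud), when it expires (exp) and the claims themselves.
    """
    now = time.time() if now is None else now
    payload = {"iss": issuer, "aud": audience, "exp": now + lifetime, "claims": claims}
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    signature = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(signature)


class RelyingParty:
    """The application that receives the token; it never sees a password."""

    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        # issuer name -> verification key; only these issuers are trusted
        self.trusted_issuers = trusted_issuers

    def validate(self, token, now=None):
        """Return the claims if the token is acceptable, else raise ValueError."""
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body = _unb64(body_b64)
            signature = _unb64(sig_b64)
            payload = json.loads(body)
        except ValueError:  # bad split, bad base64 and bad JSON all land here
            raise ValueError("malformed token") from None
        if not isinstance(payload, dict):
            raise ValueError("malformed token")
        # Trust decision: the application trusts the user because it trusts the issuer.
        key = self.trusted_issuers.get(payload.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            raise ValueError("bad signature")
        if payload.get("aud") != self.audience:
            raise ValueError("token not issued for this application")
        if payload.get("exp", 0) < now:
            raise ValueError("token expired")
        return payload.get("claims", {})

    def authorize(self, token, required_role, now=None):
        """Authorization made purely from the claims carried in the token."""
        claims = self.validate(token, now=now)
        return required_role in claims.get("roles", [])


def rejection_reason(party, token, now=None):
    """None if the party accepts the token, otherwise the reason it was rejected."""
    try:
        party.validate(token, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    sts = "urn:demo:adfs"          # constructed issuer name
    app = "urn:demo:sharepoint"    # constructed application (audience) name
    token = issue_token(sts, app, {"name": "alice", "roles": ["Readers"]}, ISSUER_KEY)
    portal = RelyingParty(app, {sts: ISSUER_KEY})
    print("claims:", portal.validate(token))
    print("can read:", portal.authorize(token, "Readers"))
    print("can own:", portal.authorize(token, "Owners"))
```

The order of checks in `validate` is the part worth keeping in mind: the issuer is looked up before the signature is verified (an unknown issuer is rejected even if its token is well-formed and self-consistently signed), the audience check stops a token issued for one application from being replayed at another, and the expiry check bounds how long a stolen token stays useful.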

Here is a good diagram that shows how it works:

Reference: Garrett’s Tech Musings

SharePoint 2010 Authentication Options:

There are two options:

  1. Classic Mode:
    • This refers to the Integrated Windows authentication model supported in SharePoint 2007. Classic mode does not use any of the claims infrastructure, so none of the claims features are available.
  2. Claims-Based:
    • CBA supports three different authentication providers out of the box:
      • Windows Authentication: includes all the same authentication methods as Classic Mode.
      • Forms-Based Authentication: includes LDAP, database, or custom membership and/or role providers.
      • SAML Token-Based Authentication: includes ADFS 2.0, Windows Live ID, and third-party providers.

Note: If you plan to use forms-based authentication, you have to use claims-based authentication.
