Chapter 4 – SharePoint 2010 Security Under the Hood – Claims-Based Authentication

Wrox Real World SharePoint 2010 (Page 105)

Kerberos uses secret-key cryptography to provide strong authentication over a network. A key distribution center (KDC) safeguards the keys and brokers ticket issuance, so the client and the service never have to share a secret directly.

In a digital context, bundled identity information is called a TOKEN; the token is digitally signed by whoever issued it. Each property inside it (name, e-mail address, group membership) is a claim, and the signed statement that carries those claims is the assertion.

Security Token Service (STS) —
Every token in a claims-based environment is generated by an STS.

User browser → SharePoint
SharePoint → STS, to ask for a token on the user's behalf
STS → account store, to authenticate the user and look up their attributes
STS generates the signed token → SharePoint

**** Important definitions —
The STS is owned and operated by an Identity Provider (IdP), which is also known as the Issuer.
The consumer, Sharepoint, acting on behalf of the user, is also known as the Relying Party (RP).

An IdP-STS is the STS that authenticates the user against an account store (AD DS, a membership provider) and issues the identity claims. An RP-STS sits on the relying party's side: it trusts one or more IdP-STSs, validates their tokens and re-issues a token in the form the application consumes. The distinction is the role the STS plays, not where it is hosted.
SharePoint ships with its own STS, configured for AD DS out of the box. It acts as the IdP-STS for Windows and forms-based accounts, and as an RP-STS when the farm trusts an external issuer such as AD FS.

The STS converts the authenticated identity (Windows, forms-based, or an incoming token from a trusted issuer) into a SAML token.
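The flow above and the IdP-STS / RP-STS roles, as an added runnable sketch (this is not code from the book or from SharePoint): an IdP-STS authenticates a user against a constructed account store and issues a signed token of claims; a relying-party STS, playing the SharePoint STS role, validates that token, maps the incoming claim types to the claim type URIs WIF and SharePoint use, and re-issues a token for the web application; finally the relying party checks signature, issuer, audience and expiry before trusting the claims. HMAC with a shared key stands in for the X.509 signature a real STS puts on its SAML token, and the token encoding, issuer names, audiences, keys and account data are all hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed account store behind the IdP-STS (hypothetical user, not real data).
ACCOUNT_STORE = {
    "alice": {
        "password_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "email": "alice@contoso.example",
        "groups": ["Finance", "Readers"],
    },
}

# Real claim type URIs used by WIF/SharePoint; which incoming claims map to them is an assumption.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityTokenService:
    """Minimal STS: wraps claims in a signed token bound to an issuer and an audience."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self._key = signing_key  # stands in for the STS signing certificate's private key

    def issue(self, claims: dict, audience: str, lifetime_s: int = 300) -> str:
        body = {"iss": self.issuer, "aud": audience,
                "exp": int(time.time()) + lifetime_s, "claims": claims}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        sig = hmac.new(self._key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64(sig)


def verify_token(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Relying-party check: signature first, then issuer, audience and expiry. Returns the claims."""
    payload, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    body = json.loads(_unb64(payload))
    if body["iss"] != issuer:
        raise ValueError("unexpected issuer")
    if body["aud"] != audience:  # a token issued for another relying party must not be accepted
        raise ValueError("token not issued for this relying party")
    if time.time() >= body["exp"]:
        raise ValueError("token expired")
    return body["claims"]


class IdentityProviderSts(SecurityTokenService):
    """IdP-STS: authenticates against the account store, then issues identity claims."""

    def __init__(self, issuer, key, account_store):
        super().__init__(issuer, key)
        self.accounts = account_store

    def authenticate_and_issue(self, username: str, password: str, audience: str) -> str:
        acct = self.accounts.get(username)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if acct is None or not hmac.compare_digest(acct["password_sha256"], digest):
            raise PermissionError("authentication failed")
        return self.issue({"name": username, "email": acct["email"], "groups": acct["groups"]}, audience)


class RelyingPartySts(SecurityTokenService):
    """RP-STS (the SharePoint STS role): trusts an IdP-STS, maps claim types, re-issues a local token."""

    def __init__(self, issuer, key, trusted_issuer, trusted_key, claim_map):
        super().__init__(issuer, key)
        self.trusted_issuer, self.trusted_key, self.claim_map = trusted_issuer, trusted_key, claim_map

    def exchange(self, idp_token: str, app_audience: str) -> str:
        incoming = verify_token(idp_token, self.trusted_key, self.trusted_issuer, self.issuer)
        mapped = {local: incoming[remote] for remote, local in self.claim_map.items() if remote in incoming}
        return self.issue(mapped, app_audience)


IDP_KEY, SP_KEY = b"idp-signing-key", b"sharepoint-sts-key"  # hypothetical keys
idp = IdentityProviderSts("urn:contoso:adfs", IDP_KEY, ACCOUNT_STORE)
sp_sts = RelyingPartySts("urn:sharepoint:sts", SP_KEY, "urn:contoso:adfs", IDP_KEY,
                         {"email": EMAIL_CLAIM, "groups": ROLE_CLAIM})


def sign_in(username: str, password: str) -> dict:
    """Whole flow: browser -> SharePoint -> STS -> account store -> token -> SharePoint."""
    idp_token = idp.authenticate_and_issue(username, password, audience="urn:sharepoint:sts")
    sp_token = sp_sts.exchange(idp_token, app_audience="urn:sharepoint:intranet")
    return verify_token(sp_token, SP_KEY, "urn:sharepoint:sts", "urn:sharepoint:intranet")


if __name__ == "__main__":
    print(sign_in("alice", "correct horse"))
```

Two checks in `verify_token` are the ones practitioners most often get wrong: the audience check stops a token minted for some other relying party from being replayed against SharePoint, and the signature is verified before any field of the payload is read.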

When a user holds more than one identity, the STS cannot tell which one to issue a token for, so a separate component, the identity component (compare the identity selector under CardSpace below), is introduced to make that choice.

ADFS (Active Directory Federation Services) —
The central component in a claims-based environment is the STS, and AD FS 2.0 is Microsoft's platform for it. It supports both active clients (WS-Trust) and passive, browser-based clients (WS-Federation).

WIF (Windows Identity Foundation) —
A .NET framework that lets applications externalize user authentication and access decisions through claims.

CardSpace —
Microsoft's identity selector; each information card is an XML file.

SharePoint 2010 includes a trusted STS, referred to as the Security Token Service
web application. It runs inside the SharePoint Web Services site in IIS as SecurityTokenService.
