

SharePoint 2007 Authentication and SSO

Q: Does WSS v3 support authentication using non-Active Directory directory sources or is MOSS required?  I received this question based on a previous blog.  The specific customer is using Sun 1 LDAP store for a SharePoint 2007 extranet scenario.

This is a really good question because the devil is in the details, as they say.  WSS v3 is SharePoint's foundation, and since it is integrated with ASP.NET v2 it can use ASP.NET's authentication provider model.  Therefore, both WSS v3 and MOSS support pluggable authentication.  The key difference is that MOSS provides an out-of-the-box (OOTB) LDAP provider and WSS v3 does not.  So for a WSS v3-only scenario, you would have to develop your own.

Q: Does MOSS's authentication extensibility include pluggable SSO providers?  Of course, but this is a much tougher road.  I have 2 customers looking at 3rd party SSO and SharePoint.  For those interested in creating a custom SSO provider, you can check out this article:

Walkthrough: Implementing a Pluggable SSO Provider

Keep in mind that this is NOT a Web SSO.  This is a service for storage and mapping of credentials for use in connecting currently authenticated users with another system.

Q: How do I integrate SharePoint with a WebSSO provider?  There is an excellent blog by Daniel discussing the integration of ASP.NET and SiteMinder.  Daniel mentions that this was not that tough and "the only thing that must be done (beside the installation and configuration of the Web Agent, Policy Server, etc, of course) is to extract the SiteMinder HTTP headers from the Web request and construct a GenericPrincipal object which holds the identity of the authenticated user"... easy for him to say.  This is definitely worth the read but not for the faint of heart.  To extend this to SharePoint, I'm guessing you would need to write an ASP.NET HttpModule to intercept the request, redirect the user to the WebSSO login server, manage the session cookie, and set the user identity for SharePoint to consume.  A pretty tall order.  I have not done this yet but it's on the horizon.  Let me know if you have ventured down this road.
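The header-to-principal step that Daniel's quote describes can be sketched as an ASP.NET 2.0 HttpModule. This is an added example, not code from this post or from Daniel's blog: the class name is hypothetical, and it assumes the Web Agent is configured to pass the user name in the `SM_USER` header. It covers only the plain ASP.NET step, not the SharePoint sign-in.

```csharp
using System;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical module name; register it under <httpModules> in web.config.
public class SiteMinderHeaderModule : IHttpModule
{
    // Assumption: the Web Agent passes the user name in the SM_USER header.
    private const string UserHeader = "SM_USER";

    // Accept only plain account names; any other value is rejected.
    private static readonly Regex ValidName =
        new Regex(@"^[A-Za-z0-9._\-@\\]{1,128}$", RegexOptions.Compiled);

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string user = ctx.Request.Headers[UserHeader];

        // Fail closed: without a well-formed header there is no evidence the
        // request passed the agent's authenticated path, so refuse it.
        if (string.IsNullOrEmpty(user) || !ValidName.IsMatch(user))
        {
            ctx.Response.StatusCode = 401;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        // The header is the only evidence of identity. It can be trusted only
        // if the Web Agent fronts every route to this site and replaces any
        // SM_USER value sent by the client; otherwise anyone can claim a name.
        GenericIdentity identity = new GenericIdentity(user, "SiteMinder");
        ctx.User = new GenericPrincipal(identity, new string[0]);
    }

    public void Dispose() { }
}
```

Because the module trusts a request header, the site should not be reachable on any binding or port that bypasses the Web Agent.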

Keep the questions coming, .....

</steve>

Comments

  • Anonymous
    April 20, 2007
    "I'm guessing you would need to write an ASP.NET HttpModule to intercept the request, redirect the user to the WebSSO login server, manage the session cookie, and set the user identity for SharePoint to consume." We are attempting to work this out with SharePoint 2007 and SiteMinder.  We have the SharePoint app protected by SiteMinder so a user is now prompted for their login by SiteMinder then they are taken to a SharePoint 2007 page and prompted AGAIN.  The SiteMinder headers, cookies and session details are already there so we don't have to worry about creating them - they exist since the site is protected by SiteMinder.  The problem is SharePoint doesn't know about it.  I've written an HTTPModule that grabs the User Name from the SiteMinder header - my question is how do I "set the user identity for SharePoint to consume"???  Basically I know that JSmith is authenticated because he got here through SiteMinder, but how do I automatically log JSmith into SharePoint 2007 (which is currently using the LDAP Provider which is also used in SiteMinder)?   Thanks for any ideas that may point me in the right direction.

  • Anonymous
    April 24, 2007
    We finally got it working, with SiteMinder and SharePoint 2007.  The solution seems so simple now that I can't believe we missed it.   I posted the solution here: http://www.huffs.us/blog/blogger.html

  • Anonymous
    February 06, 2010
    Hi Steve, On February 5, 2010 CA announced the availability of CA SiteMinder Agent for SharePoint. I'd like your readers to be aware of this new support for integrating CA SiteMinder and MOSS/WSS. The new product supports Windows impersonation for AD users and client integration for non-AD users. We have also included a SiteMinder membership and role provider to support the selection of users and groups from non-AD user directories in the people picker. The providers make calls through the SiteMinder agent tunnel which is already talking on an encrypted channel through open firewall ports and leverages the SiteMinder load balancing and failover mechanism. See http://www.ca.com/us/products/product.aspx?ID=8374 for more information. Jim Thorstad Principal Product Manager CA SiteMinder

  • Anonymous
    September 19, 2010
    Hi Shuff, I am unable to view your solution on the following link: www.huffs.us/.../blogger.html Please let me know if there is any way I can access the same :) Regards, Satya