Partager via


SharePoint Claims Auth Without SSL

Someone asked me the other day whether we could use claims auth in SharePoint 2010 with ADFS v2 as the identity provider STS (STS-IP), but NOT use SSL on the SharePoint site.  In working through it, I found that there are some inherent limitations in making this happen, but not on the SharePoint side.  In ADFS when you define the relying party (SharePoint 2010 in this case), you have to define a WS-Fed endpoint.  When you do that, ADFS requires that the endpoint be SSL secured.  The endpoint when SharePoint 2010 is the relying part is protocol://siteUrl/_trust/.  In this case, since ADFS requires SSL for the WS-Fed endpoint, the protocol portion of the Url must be SSL.

So the short answer is, to use claims auth in SharePoint with ADFS, you must use SSL.  Other STS-IP implementations may not have this requirement, but ADFS v2 does.

Comments

  • Anonymous
    January 01, 2003
    thanks

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    June 03, 2010
    I am facing the same issue with Live ID STS as well. This is itself a serious limitation to force SSL for claims whether it is problem with SharePoint or IP-STS. Hope this gets resolved soon, so claims authentication can be used on non SSL

  • Anonymous
    June 08, 2010
    Do you see any issues where you have your SP 2010 WFE boxes behind a hardware load balancer and the HLB is taking care of the SSL but the connection from the HLB to the WFE is over port 80? Hence when you define the WS-Fed endpoint it would be https://siteUrl/_trust where the siteUrl is pointed to the HLB. Thanks E.R.

  • Anonymous
    June 17, 2010
    @Eric we have implemented this aswell where the VIP port 80 and 443 both point to a single sharepoint port and with a bit of alternate access mapping this works fine for now. But i would be interested to know if this is a valid solution from a Microsoft rep. What we found though is even if you started on port 443 after redirection you ended up in port 80 however after authentication u can still go to port 443 and things would show fine

  • Anonymous
    September 18, 2014
    The comment has been removed