Federated Access to Microsoft's SharePoint Services

This is a space for information about providing federated access to SharePoint services, both WSS and MOSS-based. SharePoint, as a collaboration service, will be a Service Provider endpoint, so in particular we are interested in how to accept authentication and attribute assertions from a variety of identity providers and use those to authorize access to collaboration resources managed by a SharePoint instance. Certainly an initial focus is on InCommon, Shibboleth (or other SAML-supporting software), and the web browser.

What is SharePoint?

SharePoint is Microsoft's collaboration environment, providing a place for teams to coordinate schedules, organize documents, and participate in discussions, both within the organization and over the extranet. It allows for authoring and managing documents, provides communication features, offers tools like blogs and wikis, and integrates with the Microsoft Office suite. You can read more about SharePoint on Microsoft's TechNet.

Use Cases and Plans

We are interested in how you are using SharePoint now, how you plan to use SharePoint in the future, and how you might use federated SharePoint. Please share your information by visiting (and editing) one of the informational pages linked below.  

Federated Use Cases 

Go to the federated use case page to see basic descriptions of how various institutions plan to use SharePoint to support collaboration. Add your own use case by editing the use case page.

  • The National Institutes of Health (NIH) is preparing to roll out a federated SharePoint service. Information will be posted here.
  • The Committee for Institutional Cooperation (CIC) has some information on the use case page and will be adding more as they roll out a SharePoint service provider service.

Internal Use Cases

We are interested in how campuses are using SharePoint now -- without federating. Developing such use cases will help collect information about best practices and assist institutions when it comes time to federate SharePoint. Please share your uses of SharePoint at the Internal Use Case page.

Possibilities for Federation

Have an idea how you might use a federated SharePoint instance? Or maybe plans in the offing? Please share your information on the Possibilities for Federation page.

Recipes to Federation

We are interested in methods that IdPs and SPs are considering for federated use of SharePoint. Please share your thoughts/plans on the Recipes to Federation page.

Authentication 

Microsoft has a web page summarizing authentication methods currently supported for SharePoint.

ADFS

There is an extension for the 1.3.x Shibboleth Identity Provider (IdP) which allows the IdP to interact with ADFS (Microsoft's Active Directory Federation Service). ADFS can be used to control access to SharePoint (at least some aspects of it). So the Shib/ADFS bridge support should be one method of providing federated access to SharePoint. However, not many institutions appear to have explored ADFS much yet, let alone Shibboleth to ADFS interoperability. One institution that is known to have done this is the University of Missouri, and they have presented on their work. See the following blog post for a reference to a slide deck from one of their presentations:

The 2.0 SP also includes ADFS support. The IdP does not yet support it. The community needs to either contribute the necessary plugin or identify it as a priority for core team work.

SharePoint services support for forms authentication

Microsoft has a web page providing details on SharePoint's support for forms authentication. MSDN's Channel 9 Forums also has a video on configuring "Anonymous Access and Forms Authentication with WSS 3.0". There are several products which support federated access to SharePoint using the "forms authentication" method.

  • 9Star Research, Inc. has two products, ActiveShareFS 2003 (for SharePoint 2003) and ActiveShareFS 2007 (for SharePoint 2007). The latter is currently in a beta release. Both are Windows applications (based on ASP.NET 2.0) that support federated identity and access management from Shib IdPs to SharePoint. You install their software along with the following (for SharePoint 2007):
    • Microsoft Win2K3 Server
    • Microsoft IIS 6.0 Server
    • ASP.NET 2.0+
    • Microsoft SharePoint 2007 Server
    • Shibboleth SP Server v1.3+
  • The CIC is beginning to explore providing federated access to a collaboration service based on Windows SharePoint Services (WSS) using the ActiveShareFS 2007 software. The possible unknown is using WSS versus a full-fledged SharePoint Server (MOSS). An interesting question if institutions begin to federate access to MOSS-based services is what that potentially means in terms of client-based licenses (CALs). WSS-based services don't incur that possible issue, so that is at least one reason why we'd like to stick with WSS for now.
  • The National Institutes of Health (NIH) has federated support for SharePoint implemented using their CA Siteminder product. The CA (eTrust) Siteminder product has a web agent for IIS which can function as a SAML Service Provider, and it supports authentication to SharePoint through forms authentication.

Issues

  • Licensing: The full-fledged SharePoint Server (MOSS) requires, at least to my understanding, per-seat licensing with per-device Client Access Licenses (CALs). So if one begins to provide federated access to a MOSS-based collaboration service, what does that mean for licensing?

Future Conference Call Topics

  • NIH SharePoint federation effort with various InCommon members
  • University of Missouri work with ADFS and Shib and SharePoint
  • CIC exploration of federating SharePoint (when we have something concrete to say) with ActiveShareFS
  • How much work would it be to build a "forms authentication" plugin for SharePoint that provides the integration to a Shib SP and that can be distributed as a free extension to Shibboleth?
  • Licensing, CALs, and federation?

Conference Call Minutes

June 16, 2008
June 2, 2008
May 5, 2008

Resources of interest

 
