Federating access to Microsoft's Sharepoint
Space to collect information related to providing federated access to Sharepoint services, both WSS and MOSS-based. Sharepoint, as a collaboration service, will be a Service Provider endpoint, so in particular we are interested in how to accept authentication and attribute assertions from a variety of identity providers and use those to authorize access to collaboration resources managed by a Sharepoint instance. Certainly an initial focus is on InCommon, Shibboleth (or other SAML-supporting software), and the web browser.
Some possible methods/strategies
- There is an extension for the 1.3.x Shibboleth Identity Provider (IdP) which allows the IdP to interact with ADFS (Microsoft's Active Directory Federation Service). ADFS can be used to control access to Sharepoint (at least some aspects of it), so the Shib/ADFS bridge should be one method of providing federated access to Sharepoint. However, not many institutions appear to have explored ADFS much yet, let alone Shibboleth-to-ADFS interoperability. One institution known to have done this is the University of Missouri, and they have presented on their work. See the following blog post for a reference to a slide deck from one of their presentations:
- ADFS and Shibboleth System 1.3c Interoperability
One unknown is how that approach translates into Shibboleth 2.0 – i.e. does Shib 2.0 interoperate with ADFS?