
Federated access to Microsoft's Sharepoint services

Space to collect information related to providing federated access to Sharepoint services, both WSS and MOSS-based. Sharepoint, as a collaboration service, will be a Service Provider endpoint, so in particular we are interested in how to accept authentication and attribute assertions from a variety of identity providers and use those to authorize access to collaboration resources managed by a Sharepoint instance. Certainly an initial focus is on InCommon, Shibboleth (or other SAML-supporting software), and the web browser.

Some possible methods/strategies

Microsoft has a web page summarizing authentication methods currently supported for Sharepoint.

ADFS

There is an extension for the 1.3.x Shibboleth Identity Provider (IdP) which allows the IdP to interact with ADFS (Microsoft's Active Directory Federation Service). ADFS can be used to control access to Sharepoint (at least some aspects of it). So the Shib/ADFS bridge support should be one method of providing federated access to Sharepoint. However, not many institutions appear to have explored ADFS much yet, let alone Shibboleth to ADFS interoperability. One institution that is known to have done this is the University of Missouri, and they have presented on their work. See the following blog post for a reference to a slide deck from one of their presentations:

Sharepoint services support for forms authentication

Microsoft has a web page providing details on Sharepoint's support for forms authentication. MSDN's Channel 9 Forums also has a video on configuring "Anonymous Access and Forms Authentication with WSS 3.0". There are several products which support federated access to Sharepoint using the "forms authentication" method.

  • 9Star Research, Inc. has two products, ActiveShareFS 2003 (for Sharepoint 2003) and ActiveShareFS 2007 (for Sharepoint 2007). The latter is currently in a beta release. Both are Windows applications (based on ASP.NET 2.0) that support federated identity and access management from Shib IdPs to Sharepoint. You install their software along with the following (for Sharepoint 2007):
    • Microsoft Win2K3 Server
    • Microsoft IIS 6.0 Server
    • ASP.NET 2.0+
    • Microsoft Sharepoint 2007 Server
    • Shibboleth SP Server v1.3+
  • The CIC is beginning to explore providing federated access to a collaboration service based on Windows Sharepoint Services (WSS) using the ActiveShareFS 2007 software. One open question is whether to use WSS or a full-fledged Sharepoint Server (MOSS). An interesting question, if institutions begin to federate access to MOSS-based services, is what that potentially means in terms of Client Access Licenses (CALs). WSS-based services don't incur that possible issue, so that is at least one reason why we'd like to stick with WSS for now.
  • The National Institutes of Health (NIH) has federated support for Sharepoint implemented using their CA Siteminder product. The CA (eTrust) Siteminder product has a web agent for IIS which can function as a SAML Service Provider, and it supports authentication to Sharepoint through forms authentication.

Licensing

The full-fledged Sharepoint Server (MOSS) requires, at least to my understanding, per-seat licensing with per-device Client Access Licenses (CALs). So if one begins to provide federated access to a MOSS-based collaboration service, what does that mean for licensing?

Possible topics for conference calls and/or "demos"

  • NIH Sharepoint federation with various InCommon members
  • University of Missouri work with ADFS and Shib and Sharepoint
  • CIC exploration of federating Sharepoint (when we have something concrete to say) with ActiveShareFS
  • How much work would it be to build a "forms authentication" plugin for Sharepoint that provides the integration to a Shib SP and that can be distributed as a free extension to Shibboleth?