SharePoint 2013 Authentication – SAML Based

Sharepoint 2013

March 30, 2016 / Kannan / 0 Comments

SharePoint 2013 – SAML Based Authentication

The following is the interaction between

  1. Client Computer
  2. SharePoint Server
  3. Active Directory Federation Service (AD FS)
  4. Active Directory Domain Service (AD DS)

Notes:

  1. AD FS & SAML Claims are not required if AD DS is the provider in which the forest and domains trust each other
  2. AD FS must trust the AD DS for which the AD FS is issuing the SAML security tokens
  3. Here the trust might be implicit as the AD FS is the member of AD DS domain and hence trusts the domain controllers
  4. AD FS must also trust the SharePoint locations
  5. Hence AD FS is configured with SharePoint’s web application URLs as relying parties
  6. SharePoint server also must trust the AD FS’s SAML token.
  7. This trust is obtained via a signed certificate which the AD FS has and it signs the tokens with this certificate
  8. The SharePoint server is also configured with the public portion of the above mentioned signed certificate which AD FS uses and SharePoint trust those signed tokens using this public portion

The SAML Based Authentication Process

  1. User does anonymous request to secured SharePoint Webpage
  2. SharePoint redirects the user to AD FS’s login page for user to enter credentials
  3. User types in the credentials and sends back to AD FS using the client computer
  4. The AD FS server then validates the credentials with AD DS
  5. Once user is validated, the AD FS then creates a SAML token, signs and send it back to client computer
  6. The client computer now sends a new request to SharePoint server now with SAML token provided by AD FS
  7. SharePoint then creates a claims based security token using Security Token Service and this claims is based on the claims which it found in SAML token which the AD FS has sent to client computer
  8. Then SharePoint stores this security token with Distributed Cache Service on the farm
  9. SharePoint server then generates and send the federated auth cookie back to client computer
  10. The fed auth cookie has encryped key or index to security token
  11. This fed auth cookie is used by the computer for subsequent requests

The following Video will explain the Forms based authentication in SharePoint 2013. This video is part of the Authentication overview for SharePoint 2013 article located at https://technet.microsoft.com/en-us/library/jj219571.aspx

For more information on SharePoint Claims check out more articles at http://social.technet.microsoft.com/wiki/contents/articles/14214.sharepoint-2013-claims-based-authentication.aspx