What are the limitations and challenges of SAML Authentication?

  • Question

  • Hello,

    Our organization is looking at migrating from Claims-based Windows Authentication to Claims-based SAML Authentication. We will be using ADFS and ADDS.

    Windows Authentication has worked fine for us until we realized it didn't allow for SSO between multiple web apps on unmanaged machines. We like to keep the number of authentication providers to a minimum - ideally we would like to implement only SAML Authentication for both internal and external access to the SharePoint.

    I spent hours looking on the Internet for limitations and "gotchas" of SAML Authentication but couldn't find anything useful. I found some info at the bottom of this Technet article (is this relevant to SP 2013?):

    http://technet.microsoft.com/en-us/library/hh706161.aspx

    So, I'd like to ask the experts - from your experience, are there any limitations/challenges that I will encounter with SAML authentication? Are there any Service Applications (e.g. BDC or SSS) that simply do not work with SAML?

    Appreciate any help.

    Thank you.

    Thursday, March 13, 2014 7:29 PM

Answers

All replies

  • Hosted Apps are the last remaining hurdle that I'm aware of.

    See http://blogs.technet.com/b/speschka/archive/2012/12/07/using-sharepoint-apps-with-saml-and-fba-sites-in-sharepoint-2013.aspx.

    However, for SSO, take a look at the Web Application Proxy role in Server 2012 R2 combined with ADFS 3.0.

    http://thesharepointfarm.com/2014/02/sharepoint-and-the-web-application-proxy-role/


    Trevor Seward


    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by Robert S. B Friday, March 14, 2014 6:46 PM
    Thursday, March 13, 2014 7:35 PM
  • Thanks Trevor. I don't think we'll ever have a use case for Hosted Apps but I'll keep that in my notes just in case.

    In my research, I learned that SSS is a claims-aware service BUT at the same time, I also learned that BCS supports Anonymous, Basic, Windows, and Custom authentication to OData services when it is used with SSS - nothing about SAML. This seems to line up with the TechNet article I posted (however, it is speaking to SP 2010, not SP 2013) - it states:

    "When you are using the Secure Store Service, SAML claims are not translated to Windows tokens, so other services will not detect the SAML identity; the identity will be the service account, an anonymous account, or an unattended account."

    My concern is that if we implement BCS in the future, a user wouldn't be able to surface data from external systems because her SAML identity can't be used to identify her to the external system. Is there a workaround, or does this issue not apply to SP 2013?

    Thanks

    Friday, March 14, 2014 2:31 PM
  • I believe that reference for the Secure Store is to client applications (e.g. Report Builder, SQL Data Tools, and so forth), rather than web pages.

    Trevor Seward


    • Marked as answer by Robert S. B Friday, March 14, 2014 6:46 PM
    Friday, March 14, 2014 4:02 PM
  • You're right. After more research, I was finally led to a document you posted in another thread. It was really helpful:

    http://download.microsoft.com/download/D/2/0/D20E1C5F-72EA-4505-9F26-FEF9550EFD44/MSFTBIAuthOverview.docx

    Thanks for your help.

    Friday, March 14, 2014 6:46 PM
  • Trevor,

    You mentioned that hosted apps were a hurdle for SAML. Apps that are installed from MS's SharePoint Store - are these considered "hosted apps"?

    If that's the case, how would I get apps bought from the SharePoint Store working in a SAML environment? Host the app outside the farm (use a provider-hosted solution)?

    Thanks.

    • Edited by Robert S. B Wednesday, March 26, 2014 5:10 PM
    Wednesday, March 26, 2014 5:02 PM