FIM 2010, SharePoint and ADFS

    Hello Gurus,

    Firstly, apologies for the long post, but I am at the end of my knowledge in figuring out the following.

    I am having problems with the following solution. I am a newbie to all the technologies and am having no luck in finding the right approach.

    I have an existing ADFS installation which works as an SSO solution for O365 and Azure.

    I want to host a link on SharePoint, which is internet facing. Users who are internal to the domain click on it and get redirected to a site which needs login. However, because these users are already logged in, they are allowed straight through. Users who are external to the domain also come to the SharePoint site, where they are prompted for login. The external users have accounts created in AD and will log in with those credentials. When the external users go to the link and click, they are redirected to the same site as internal users. The idea is to allow those users to log in to the site without being prompted a second time. A separate Forefront Identity Manager Sync service and SSPR will be installed to manage the user passwords. So far what I have gathered is this:

    1) The SharePoint site needs to be configured to use claims-based authentication, so that users are assigned a unique token upon login to the SharePoint server, which can then be used to identify them at the third-party site. Is this true? If SharePoint is configured with claims-based authentication, what sort of claims need to be created? SAML-based?

    I will need the FIM Sync service to synchronize account details from the customer AD to a web server at the third-party website, and the SSPR to manage the passwords for both internal and external users. The plan is to install them on two separate servers. IMHO, the Microsoft documentation on FIM is hopelessly inadequate and talks about a solution that is very far from any real-life scenario. Hence the following questions:

    • I haven't been able to find anywhere whether the FIM Synchronization Service can synchronize with a web service through a proxy. The customer allows all their web traffic to go through a proxy. Can the FIM Sync Service communicate over a proxy? If so, how will this be configured? That is, will the FIM sync server inherit the IE settings to communicate? Can we explicitly tell the FIM server about the proxy so that it tells the proxy to forward the traffic appropriately?
    • The Microsoft documentation mentions the integration of FIM SSPR with SharePoint Services 3.0 but not with SharePoint Server 2010. What are the configuration requirements? They will be different, and so will the prerequisites.
    • For FIM SSPR and the Sync service, it is a requirement to install the Microsoft Exchange Server 2010 Management Console. But if the SSPR and the Sync service are installed on two separate systems, should the Management Console be installed on one, or both?
    • For SSPR, for external users coming to the portal, is a third-party certificate required? Because FIM
    • Do we need to create a mailbox for sending the email if the mail relay does not need authentication? That is, on the install screen of SSPR, to configure the FIM service account, can I just specify an email address without actually creating the corresponding mailbox in the Exchange server?
    • There is a section which talks about configuring IIS to use Kerberos ticket decryption. Performing this step breaks IIS. Is this a mandatory requirement, or can this step be skipped?
    • Can I synchronize only particular users using FIM Sync? The "special" users will have owner data in their title attribute in AD and will be in OUs with other users.

    Any help will be greatly appreciated.

    Thanks in advance.

    Friday, December 6, 2013 5:56 AM