Microsoft FIM, Sharepoint and Single Sign on

  • Question

  • Hi Gurus

    I wanted to ask you a few questions about a solution I am working on at the moment. I would appreciate any assistance in this regard. The solution is based around SharePoint 2010 and FIM 2010.

    A brief synopsis of the solution:

    The customer has a working ADFS solution in place. They have a SharePoint site where users will come, click on a URL and get redirected to a partner portal, where they will be logged in without being prompted for their credentials. At the moment the customer has no way of identifying users in the SharePoint site. We are working closely with the partner to integrate their portal in the customer environment. Their portal is Single Sign on and Security Assertion Markup Language (SAML) aware. Insight will also be delivering a FIM infrastructure with the Synchronization and Password Reset Portal services enabled. The plan is to have the FIM sync the account details from the customer’s AD, and submit it to the partner portal’s web service. The Partner will not be providing access to their LDAP directory to CUSTOMER. Rather they will be providing a web service (a Clearview web server) for FIM server to send the AD account info to. The partner will manage the data from their end to keep their LDAP directory in sync with the customer AD. The single sign on solution of the partner works on the assumption that the users need to be authenticated when they click on the URL so that their session information can be passed to the partner portal. 

    The questions I have are as follows: 

    SharePoint questions –

    • To authenticate external/internal users to the Sharepoint site, should claims based authentication be used in SharePoint? Do you believe that there are any other options than Claims based authentication?
      • Can SharePoint leverage the existing ADFS implementation or will the claims based authentication mandate users to login again using their credentials when they arrive at the SharePoint site?
    • If we wanted to notify the users, can the users be reminded/notified about the impending expiry of their password? Can that be done natively through SharePoint, or does this need to be done at the AD level? That is, to inform the users of password expiry, can there be a SharePoint page, or can they be informed by AD?

    FIM questions -

    • If the notification can be configured, then in the notification, can the URL for the Password Reset Portal be included? That is, if it is a SharePoint page then it needs to display the URL of the password portal. The same for the email notification.
      • Alternatively if the password has already expired can the users be redirected to the portal instead of telling them that the password has expired?
    • Will we be able to manually trigger sending a password reset link to an email address not tied to the user’s AD account? This is for first time external users who will not have an email account in the customer’s environment.
    • Considering the situation where FIM Synchronization service is sending the account information to a web service, the question is can FIM Directory Sync do that out of the box? Partner has indicated that no customization will be needed on the FIM, but I wanted to confirm.
      • For the FIM server to work with the web service, does it need to communicate over a VPN tunnel, or can normal HTTPS traffic over port 443 work as well? What is the supported and suggested method to do this?

    Please let me know what you think. Thanks in advance

    Thursday, November 21, 2013 6:06 AM

All replies

  • There are a lot of details we don't get here, so the answers might not be very specific, but:

    Sharepoint:

    - you need claims based auth and sites to support this scenario (if I understand it right) or you need something like UAG from Microsoft (newest version of server 2012R2 brings simple replacement for UAG in some cases - Web Application Proxy). UAG can transfer from claims based auth to Kerberos and then you can publish standard, windows auth based sites through it. 

    - yes, your sharepoint can use existing ADFS. The rest is configuration between your customer and their partner.

    - Password expiration notification will have to be implemented separately, as SharePoint will not have a notion of password expiration if it uses claims based auth (the authentication part is being done somewhere else, at the IdP). You can always issue a claim with this information from your ADFS and then present some information on your sites based on this claim value - just one of the possible solutions.

    FIM part:

    - yes, you can include a link to some site in the notification. The notification is just an e-mail template and it can contain links.

    - if the password is expired for a user, the user will not be able to log on without changing it, so it is hard to redirect a user in that case. You can utilize FIM SSPR in this case and provide users with a link to self-service password reset in case they cannot log on.

    - yes, this is not a problem as long as you can capture this e-mail in user on-boarding process.

    - I don't know the nature of this web service; however, FIM requires a management agent to talk to the data source. If this data source is covered by out of the box management agents, you will be able to use it without customization. However, here we are talking about a web service, and I don't know the nature and interface of this service. There is a FIM connector for Web Services - http://blog.msresource.net/2012/06/14/forefront-identity-manager-connector-for-web-services-released/ - if you are able to use it, that is fine. If not, and it is not covered by the standard MAs, you may need to write your own one (or at least cover it with PowerShell and a PowerShell MA, which you can find on the internet).

    Now - stating that there will be no customization needed might be a bit simplistic. I don't know the exact setup and interfaces, but at least you need to provision these accounts to your partner. In that case you need either sync rules or code which will do this.

    - A FIM MA can connect to a data source over a network in whatever way is supported by the given data source. If this web service is exposed on port 443 on the public internet, you can connect to it. If it is on a private network, you will have to use a VPN. This, however, is not related to FIM but to the infrastructure environment itself.

    If you have more questions about it, you may want to provide us with more details - drop them here on the forum or in private.


    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Sunday, November 24, 2013 12:21 AM
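One concrete form of the claim-based approach Tomek describes above, as an added example that is not from this thread or from either product's documentation: an ADFS issuance rule that passes the account's pwdLastSet value to SharePoint as a custom claim, and the SharePoint side registering that claim type so a page or web part can compute and display the expiry date. The relying party name "SharePoint 2010", the trusted identity provider name "ADFS" and the custom claim type URI are assumptions.

```powershell
# Added example (not from the thread). Assumptions: the SharePoint relying party
# trust in ADFS is named "SharePoint 2010", SharePoint's trusted identity provider
# is named "ADFS", and the custom claim type URI below is one we choose ourselves.

# --- ADFS side (run on the ADFS server; on ADFS 2.0 the snap-in must be loaded) ---
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$pwdClaim = "http://schemas.example.com/claims/pwdlastset"   # assumed custom claim type

# Issuance rule: query pwdLastSet from the AD attribute store for the authenticated
# Windows account and issue it as a claim. pwdLastSet is a FILETIME (100 ns ticks
# since 1601-01-01); the site adds the domain's maximum password age to it to get
# the expiry date. Only the expiry-related attribute is released, not the password.
$rules = @"
@RuleName = "Issue pwdLastSet for password expiry banner"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$pwdClaim"), query = ";pwdLastSet;{0}", param = c.Value);
"@

# Append to the relying party's existing transform rules instead of replacing them.
$rp = Get-AdfsRelyingPartyTrust -Name "SharePoint 2010"
Set-AdfsRelyingPartyTrust -TargetName "SharePoint 2010" `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $rules)

# --- SharePoint side (run in the SharePoint 2010 Management Shell) ---
# SharePoint drops incoming claim types it does not know, so register the new one
# on the trusted identity token issuer and map it through unchanged.
$sts = Get-SPTrustedIdentityTokenIssuer "ADFS"
$sts.ClaimTypes.Add($pwdClaim)
$sts.Update()
$map = New-SPClaimTypeMapping -IncomingClaimType $pwdClaim `
    -IncomingClaimTypeDisplayName "pwdLastSet" -SameAsIncoming
Add-SPClaimTypeMapping -Identity $map -TrustedIdentityTokenIssuer $sts

# In site code the value is then read from the claims identity, e.g.
# [DateTime]::FromFileTimeUtc([long]$claimValue) + maxPasswordAge, and compared
# with the current date to decide whether to show the SSPR link.
```

The expiry banner itself (the SharePoint page or web part that reads the claim and links to the SSPR portal) is site code and is not shown here.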
  • Hi Tomasz

    Firstly, a big thank you for your post. Apologies for not explaining the solution in greater detail. So here are additional details. The complexity here is that the customer wants users coming from domains which are not part of the ADFS environment as well. Thus I am not sure how the SharePoint claims-authenticated user can be passed on to a third-party application outside of the environment without having to re-authenticate with that application separately. So the scenario is that when a user authenticates to SharePoint, they will be issued with a session token. But how will the token be trusted by the application? If the customer wants both internal and external users to come and authenticate themselves, wouldn't the token assigned be different for these two types of users?

    Thanks again for your questions. I would please like to clarify a few of your answers.

     - yes, your sharepoint can use existing ADFS. The rest is configuration between your customer and their partner. - Can the existing ADFS installation be used to authenticate users both from inside and outside the organization? For external users, will their accounts have to be created in the AD forest of the customer?

    FIM part:

    - if the password is expired for a user, the user will not be able to log on without changing it, so it is hard to redirect a user in that case. You can utilize FIM SSPR in this case and provide users with a link to self-service password reset in case they cannot log on - So by link do you mean that this is the URL of the SSPR site? What I am trying to understand is that if the users have lost/passed the expiry time of their passwords, will the IT department have to provide them with the link, or can there be a process whereby every time the users click "forgot password", for example, they will be redirected to the SSPR site?

    - yes, this is not a problem as long as you can capture this e-mail in user on-boarding process. - Do you mean to include the private email in the user information in the AD?

    - I don't know the nature of this web service; however, FIM requires a management agent to talk to the data source. If this data source is covered by out of the box management agents, you will be able to use it without customization. However, here we are talking about a web service, and I don't know the nature and interface of this service. There is a FIM connector for Web Services - http://blog.msresource.net/2012/06/14/forefront-identity-manager-connector-for-web-services-released/ - if you are able to use it, that is fine. If not, and it is not covered by the standard MAs, you may need to write your own one (or at least cover it with PowerShell and a PowerShell MA, which you can find on the internet) - By data source do you mean the customer AD or the web service? In my mind the data source is the AD where all the updates are made. These are then synced with the web service, so I would think that the web service is the destination. Thanks for the link, I shall go through the document and let you know if I have any questions.

    Thanks again for your answers, your help is very much appreciated.

    Regards

    Monday, November 25, 2013 11:51 PM
  • Hi Tomasz

    Any updates?

    Regards,

    Dipan

    Friday, December 6, 2013 4:01 AM