During several of our engagements within the education industry, we have found that there can be issues with Shibboleth authentication and SharePoint 2010. From those experiences, we wanted to share a recent example of how we were able to work around this while maintaining a high level of security and an easy user sign-in process.
One of the challenges that we faced at a southern Florida university when deploying Microsoft SharePoint 2010 was the inability to properly authenticate users from a different system to the SharePoint application. All user accounts resided in a UNIX/Linux LDAP based system where authentication to various applications was provided by Shibboleth.
Because Shibboleth, a third-party federated identity provider, only supported claims-based authentication, while SharePoint 2010 security was implemented using standard Active Directory groups, it was necessary to convert claims into security tokens that could be used with Windows authentication.
In order to overcome this limitation, B2B Technologies developed a solution that included Forefront Unified Access Gateway (UAG) and ADFS 2.0, a security product and an authentication platform from Microsoft, to facilitate single sign-on with Kerberos authentication to the SharePoint application.
A proof-of-concept system was implemented and included the following components: one ADFS server running on an Active Directory domain controller, one SharePoint 2010 standalone server and one Shibboleth server. All servers were running Windows Server 2008 R2, with the Shibboleth identity store created in ADAM (Active Directory Application Mode).
The ADFS server was configured as an authentication provider for a UAG HTTPS trunk, and Shibboleth was configured as an identity provider (claims provider) for ADFS. SharePoint was added as an application to the HTTPS trunk previously created in UAG. The UAG, ADFS and SharePoint servers were members of the same Active Directory domain, which is required for the Kerberos delegation process to work.
As a result, users were able to authenticate to Shibboleth through the UAG server, which cached their security token, performed protocol transition to Kerberos and authenticated the users to the SharePoint application without requiring them to re-authenticate, thus providing a single sign-on experience.
The UAG server performed an important role in this solution, as it was able to transition user authentication from claims-based authentication to Windows-based Kerberos authentication against the SharePoint 2010 server. Kerberos authentication was a requirement from the customer.
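The protocol transition described above depends on one Active Directory configuration the post does not spell out: the UAG server's computer account must be allowed to obtain a Kerberos service ticket for SharePoint on behalf of a user who never presented a TGT (Kerberos constrained delegation with "use any authentication protocol"). The following PowerShell is an added example, not B2B Technologies' or the customer's configuration; it assumes the ActiveDirectory RSAT module on a domain-joined admin workstation, and the account and host names (UAG01, svc-sp-apppool, sharepoint.example.edu) are placeholders. It deliberately uses constrained delegation scoped to the SharePoint HTTP SPNs rather than unconstrained delegation, and finishes with a read-back so the result can be reviewed.

```powershell
# Added example (not from the original post): Kerberos constrained delegation with
# protocol transition for a UAG server fronting SharePoint 2010.
# Requires the ActiveDirectory module and rights to modify the accounts involved.
Import-Module ActiveDirectory

$uagComputer   = 'UAG01'                   # placeholder: UAG server computer account (sAMAccountName without $)
$spAppPoolAcct = 'svc-sp-apppool'          # placeholder: account the SharePoint web application pool runs as
$spFqdn        = 'sharepoint.example.edu'  # placeholder: host name users type for the SharePoint site
$spSpns        = @("HTTP/$spFqdn", "HTTP/$($spFqdn.Split('.')[0])")

# 1. Register the HTTP SPNs on the application pool account. setspn -S checks for
#    duplicates first; a duplicate SPN silently breaks Kerberos for the site.
foreach ($spn in $spSpns) {
    setspn -S $spn $spAppPoolAcct
}

# 2. Allow the UAG computer account to delegate ONLY to the SharePoint SPNs.
#    msDS-AllowedToDelegateTo is the constrained-delegation target list; the account is
#    NOT marked TrustedForDelegation (unconstrained), so it cannot impersonate users to
#    arbitrary services if the gateway is compromised.
Set-ADComputer -Identity $uagComputer -Add @{ 'msDS-AllowedToDelegateTo' = $spSpns }

# 3. Enable protocol transition ("use any authentication protocol"). This sets the
#    TRUSTED_TO_AUTH_FOR_DELEGATION flag, which UAG needs because the user arrived with a
#    SAML claim from Shibboleth/ADFS, not with a Kerberos ticket of their own.
Set-ADAccountControl -Identity "$uagComputer`$" -TrustedToAuthForDelegation $true

# 4. Read back the result. Decode userAccountControl bits directly so the check does not
#    depend on extended property names:
#      0x80000   TRUSTED_FOR_DELEGATION       (unconstrained, should stay False)
#      0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition, should be True)
$acct = Get-ADComputer -Identity $uagComputer -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
[PSCustomObject]@{
    Account                    = $acct.SamAccountName
    UnconstrainedDelegation    = [bool]($acct.userAccountControl -band 0x80000)
    ProtocolTransitionEnabled  = [bool]($acct.userAccountControl -band 0x1000000)
    AllowedToDelegateTo        = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
}
```

When reviewing the output, UnconstrainedDelegation should be False and AllowedToDelegateTo should list only the SharePoint SPNs; the same SPN (HTTP/sharepoint.example.edu in this example) is what the UAG application's Kerberos constrained delegation setting and the SharePoint web application's Negotiate (Kerberos) authentication must agree on. Keeping the delegation target list this narrow is what makes the gateway-held cached token acceptable from a security standpoint: a single gateway account that could delegate to any service would be a far more valuable target than one constrained to a single web application.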