we have to create SharePoint extranet sites by using SharePoint foundation 2010 for clients.we have to use Claims based authentication.So which one is better FBA or SAML authentication.
please tell me which one is better what are the advantages and disadvantages are there for both.
I am not too familiar with SAML but from what I can tell, you would need an authentication provider to use SAML. FBA is based on the user providing a username and password which requires no infrastructure. It is always nicer for the end user if they don't have to bother with providing credentials, but what are the requirements that you have, and do you have the ability to use an authentication provider?
Related
I have been working on the development of a portal for a long time and one of the important modules of this portal is that it can login to 3rd party systems without asking username/password. It can be called a simple SSO.
At this point, I am trying to do this for Microsoft Teams :) I have user management authority in Azure AD, so I developed it with the ROPC user flow. I successefully get token, but I could not find any document on how to redirect the user to Microsoft Teams page. Is it possible to do this or not?
Thank you in advance for your help.
ROPC only supports a sign in flow. ROPC flow using on other flows(Microsoft teams) there won't be Single sign on, you will be just using the token endpoint. We would recommend you to use other flows if there are any specific requirements with the teams use Microsoft Graph API. And W.r.t Native app SSO using ROPC will not exhibit SSO across apps. Native App SSO using MSAL or any library that can allow cookie sharing across Apps will support SSO.
Microsoft recommends you do not use the ROPC flow. In most scenarios,
more secure alternatives are available and recommended. This flow
requires a very high degree of trust in the application, and carries
risks which are not present in other flows. You should only use this
flow when other more secure flows can't be used.
ROPC involves a user credentials while client creds are application credentials. More damage can be done if a user identity get stolen. app identity gets stolen you can't easily exploit it the same way as a user.
Please refer this doc if you are looking to Develop SSO Microsoft teams tab
We've got a few apps that authenticate with the traditional username/password or email/password approach using forms authentication. We would like to slowly migrate these accounts to Windows Identity Foundation (WIF).
Mixing forms authentication with WIF is (for what I've seen) not easy. Basically it comes down to creating an STS to supply claims from the built in database.
If we chose to build another STS for hosting the accounts, are there ways to "merge" accounts from different authentication providers? (i.e. someone is already logged on and wants to merge an additional account from a different authentication provider.)
The idea is that we let customers merge accounts and after that slowly remove the old account database.
Mixing forms and WIF is not too hard:
http://leastprivilege.com/2012/02/02/mixing-forms-and-token-authentication-in-a-single-asp-net-application/
http://leastprivilege.com/2012/02/02/mixing-forms-and-token-authentication-in-a-single-asp-net-application-the-details/
We have to HNSC https://division1.corp.com https://division2.corp.com on the same SPWebApplication using Claims and Forms Authentication. When logging in to https://division1.corp.com we should have access to https://division2.corp, but we get the logon dialog box again. The UserInformationList are synchronized between this HNSC. By looking at the cookie, they are different.
How shall we solve this?
SharePoint 2010 out of the box does not provide a way to share authentication between its own web applications. This is primarily because each application authenticates users independently and the cookies that it issues are marked with the HTTP Only flag. This means the cookie cannot be accessed by other applications on different DNS names (even if they are part of the same SharePoint farm).
The most common resolution to this is to set up an external federated trusted identity provider (such as ADFS) and have each of your web applications trust it. Then you can configure your federated identity provider to authenticate against your forms provider.
Here's some more detailed info about how the authentication structure in SharePoint works and how you can develop against it: http://msdn.microsoft.com/en-us/library/gg430136.aspx
is it possible to configure federated trust without using ADFS. This article "Claims-Based Single Sign-On for Microsoft SharePoint 2010" link walks you through an example of integrating two web applications into a sso environment for intranet and extranet web users. The article describes how to configure a New-SPTrustedIdentityTokenIssuer where you can add ProviderRealms to SPTrustedIdentityTokenIssuer. In our scenario we set -SignInUrl https://division.corp.com/_layouts/fba/fbalogin.aspx. But I cant find out how to configure the section federatedAuthentication.
how can I let non-domain users username/password login my sharepoint site (is on internet)? I am using Sharepoint 2010 foundation. can I authentic them via Active Directory?
If you want to continue to use Active Directory, you will need to give an AD account to these users. Otherwise, SharePoint also supports Forms Based Authentication and SAML token-based authentication.
Note that these authentication methods are not mutually exclusive. You can use any combination of authentication methods supported by the authentication mode of the Web Application (SAML token-based authentication is only supported when your Web Application is in Claims Based mode).
For more information, see Plan authentication methods.
You can use Form Base Authentication.
Reference: http://blog.morg.nl/2011/08/step-by-step-forms-based-authentication-fba-on-sharepoint-2010/
Is it possible to authenticate a user in SharePoint 2010 using a SAML Token provided by third-party?
Most of the examples of SSO configuration for SP2010 assume that you are going to use Active Directory as your user repository. I do not want to setup ADFS, since all of my users are actually out on a SAML compatible Jasig CAS server.
Any ideas?
Thanks for the help!
You would need to implement a custom authentication provider to make this work without ADFS. See http://www.rightpointconsulting.com/community/blogs/viewpoint/archive/2010/09/02/configuring-custom-providers-using-sharepoint-2010-claims-based-authentication.aspx