SAML-based Authentication in SharePoint 2013

Overview

In SAML claims mode, SharePoint 2013 accepts SAML tokens from a trusted external Security Token Service Provider (STS).

A user who tries to access a secured web page is redirected to the external login page of the STS. The STS is responsible for authenticating the user and producing the SAML token; SharePoint accepts and processes that SAML token and creates a claims-based security token of its own.

SAML mode is commonly used with SSO (Single Sign-On).

SAML-based claims authentication process

SAML-based claims authentication is an interaction between a 'Client Computer', a 'SharePoint Server', an 'Identity Federation Server (AD FS)', and an 'AD DS domain controller'.

The following trust relationships must be in place:

  • The Identity Federation Server (AD FS) must trust the authentication provider (AD DS).
  • The Identity Federation Server (AD FS) must trust token requests from the SharePoint server.
  • The SharePoint server must trust the AD FS server. AD FS uses a signing certificate to sign the SAML security tokens it issues; to validate the digital signature on a token issued by AD FS, you configure the SharePoint farm with the public portion of that certificate.

  1. An anonymous user initiates a request to a secured SharePoint page.
  2. The SharePoint server redirects the user to the AD FS server to obtain a SAML-based login page for the user's credentials.
  3. The user types the credentials, and the client computer sends them to the AD FS server with a request for a SAML security token.
  4. The AD FS server validates the user's credentials against the identity provider (AD DS).
  5. The AD FS server constructs the SAML security token, signs it, and sends it to the client computer.
  6. The client computer sends a new request for the web page, this time including the SAML token.
  7. The Security Token Service on the SharePoint server creates a claims-based security token and stores it with the Distributed Cache service on the SharePoint farm. The claims in this security token are based on the claims in the SAML security token from AD FS. The SharePoint server then creates and sends a federated authentication cookie to the client computer; this cookie contains an encrypted key to the security token. If analysis of the claims in the security token shows that the user is authorized to access the requested web page, SharePoint sends the content of the page.
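The third trust relationship listed above (SharePoint trusting the AD FS token-signing certificate) is what the following PowerShell sets up from the SharePoint 2013 Management Shell. This is an added example, not code from the original post or from Microsoft's documentation; the certificate path, realm, sign-in URL, web application URL and the two claim mappings are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): register AD FS as a trusted identity
# provider so the SharePoint STS can validate the signature on incoming SAML tokens.
# Placeholders: certificate path, realm, AD FS sign-in URL, web application URL.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Load the PUBLIC portion of the AD FS token-signing certificate (a .cer export, no private key).
$certPath = "C:\certs\adfs-token-signing.cer"   # placeholder path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.HasPrivateKey) {
    throw "Only the public certificate belongs on the SharePoint farm; do not import the private key."
}

# Register it as a trusted root so tokens signed with this key are accepted.
New-SPTrustedRootAuthority -Name "AD FS Token Signing" -Certificate $cert | Out-Null

# 2. Map the claims carried in the SAML token to the claim types SharePoint will use (step 7 above).
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Create the trusted identity token issuer. The realm must match the relying party
#    identifier configured on AD FS; the sign-in URL is where step 2 above redirects users.
$realm  = "urn:sharepoint:intranet"                 # placeholder
$signIn = "https://adfs.contoso.example/adfs/ls/"   # placeholder
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "AD FS SAML provider" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap -SignInUrl $signIn `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Attach the provider to the Default zone of the web application.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity "https://intranet.contoso.example" -Zone Default -AuthenticationProvider $provider

# Show what the farm now trusts, so the signing certificate thumbprint can be compared with AD FS.
Get-SPTrustedIdentityTokenIssuer | Format-List Name, SignInUrl, IdentifierClaim
```

When AD FS rolls its token-signing certificate, the trusted root authority and the issuer's certificate have to be updated in the same way, otherwise step 7 above fails signature validation for every user.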

For more info about other authentication types, check my other posts.

happy coding…

diagrams source: Microsoft Technet

Forms-based Authentication in SharePoint 2013

Overview

Forms-based authentication is a claims-based identity management system that is based on ASP.NET membership and role provider authentication.

Forms-based authentication can be used against the following authentication providers:

  • AD DS
  • A membership database, such as a SQL Server database
  • A Lightweight Directory Access Protocol (LDAP) directory

Forms-based claims authentication process

Forms-based claims authentication is an interaction between a 'Client Computer', a 'SharePoint Server', and a 'Membership and Role Provider'.

  1. An anonymous user initiates a request to a secured SharePoint page.
  2. SharePoint responds with a forms-based login page for the user to enter credentials.
  3. The user on the client computer types the credentials, and the client computer sends them to SharePoint.
  4. SharePoint validates the credentials against the membership provider.
  5. The SharePoint server queries the role provider for the roles associated with the user's credentials.
  6. The Security Token Service on the SharePoint server creates a claims-based security token and stores it with the Distributed Cache service on the SharePoint farm. The SharePoint server then creates and sends a federated authentication cookie to the client computer; this cookie contains an encrypted key to the security token. If analysis of the claims in the security token shows that the user is authorized to access the requested web page, SharePoint sends the content of the page.

For detailed information on how to configure FBA on SharePoint 2013, here is a very good article by Sean Earp: Configuring SharePoint 2013 Forms-Based Authentication with SQLMembershipProvider.

For more info about other authentication types, check my other posts.
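As an added example (not code from the original post or from the linked article), here is the PowerShell that tells a web application to validate credentials against an ASP.NET membership provider (step 4) and to query a role provider (step 5). The provider names "SQLMembershipProvider" and "SQLRoleProvider" and the web application URL are placeholders; the providers themselves still have to be declared in the web.config of the web application, of Central Administration and of the SecurityTokenServiceApplication, which is the part the linked article walks through.

```powershell
# Added example (not from the original post): enable forms-based claims authentication
# on the Default zone of an existing web application. Provider names and URL are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://extranet.contoso.example"   # placeholder

# Provider descriptor naming the ASP.NET membership provider (credential validation)
# and role provider (role lookup) that SharePoint will call.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "SQLMembershipProvider" `
                                    -ASPNETRoleProviderName "SQLRoleProvider"

# Keep Windows authentication on the same zone so farm administrators are not locked out
# if the membership database is unavailable.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $fba, $win

# Verify which claims providers the zone now has.
$wa   = Get-SPWebApplication $webAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa.IisSettings[$zone].ClaimsAuthenticationProviders | Format-List DisplayName, ClaimProviderName
```

Because the login form in step 2 carries the password in the request body, the zone should be served over HTTPS; otherwise the credentials that step 3 sends to SharePoint travel in clear text.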

Happy coding…

diagrams source: Microsoft Technet

Windows Authentication in SharePoint 2013

Overview

Windows authentication type takes advantage of your existing Windows authentication provider (AD DS) and the authentication protocols that a Windows domain environment uses to validate the credentials of connecting clients.

Windows authentication can be used by both claims-based authentication and classic mode.

Windows Claims Authentication Process 

Windows claims authentication is an interaction between a 'Client Computer', a 'SharePoint Server', and an 'AD DS domain controller'.

  1. An anonymous user initiates a request to a secured SharePoint page.
  2. SharePoint responds by asking for Windows user credentials, which can be sent using NTLM or Kerberos.
  3. The client computer sends the Windows credentials, or the user is prompted to enter them.
  4. SharePoint validates the Windows credentials against the AD DS domain controller, which responds with a Windows security token.
  5. The SharePoint server queries the domain controller for the list of security groups of which the user is a member.
  6. The Security Token Service on the SharePoint server creates a claims-based security token and stores it with the Distributed Cache service on the SharePoint farm. The IIS web server on the SharePoint server then sends an authorization code to the client computer. If analysis of the claims in the security token shows that the user is authorized to access the requested web page, SharePoint sends the content of the page.

For more info about other authentication types, check my other posts.

happy coding…

diagrams source: Microsoft Technet

Anonymous Authentication in SharePoint 2013

Overview

SharePoint 2013 supports anonymous authentication: users can access SharePoint content without validating their credentials. You use anonymous authentication when you use SharePoint 2013 to publish content that is available to all users, such as a public internet website.

Anonymous authentication is disabled by default. You can enable it, but you will also need to configure anonymous access on sites and site resources.

To enable anonymous access:

  1. Go to Central Administration and, under the Application Management section, click the "Manage web applications" link.
  2. Select the web application you want to enable anonymous access on, then click the "Authentication Providers" button in the Ribbon.
  3. In the modal, click the "Default" zone, and when the "Edit Authentication" modal shows, check "Enable Anonymous Access".
  4. Navigate to one of the site collections you created under the web application, go to Site Settings, and click "Site Permissions".
  5. Click "Anonymous Access" in the Ribbon, then, when the modal shows, select "Entire Web Site".

Now anonymous access is enabled on the Web Application and the Site collection.
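Since anonymous access has to be switched on at two levels (the web application zone in steps 1 to 3 and the site in steps 4 and 5), it is easy to lose track of where it is enabled. The following PowerShell audit is an added example, not from the original post: it lists every web application zone with "Enable Anonymous Access" checked and every site whose anonymous state is not Disabled. It assumes nothing about your URLs; the mapping of the "Entire Web Site" option to the AnonymousState value On is my reading of the SPWeb.AnonymousState enum.

```powershell
# Added example (not from the original post): report where anonymous access is enabled
# in the farm, at web application zone level and at site level.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Web application level: the "Enable Anonymous Access" checkbox per zone.
foreach ($wa in Get-SPWebApplication) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $settings = $wa.IisSettings[$zone]
        [pscustomobject]@{
            Level     = "WebApplication"
            Name      = $wa.DisplayName
            Zone      = $zone
            Anonymous = $settings.AllowAnonymous
        }
    }
}

# 2. Site level: "Entire Web Site" corresponds to AnonymousState On; Disabled means off.
foreach ($wa in Get-SPWebApplication) {
    foreach ($site in $wa.Sites) {
        try {
            foreach ($web in $site.AllWebs) {
                if ($web.AnonymousState -ne "Disabled") {
                    [pscustomobject]@{
                        Level     = "Web"
                        Name      = $web.Url
                        Zone      = ""
                        Anonymous = $web.AnonymousState
                    }
                }
                $web.Dispose()   # SPWeb/SPSite hold unmanaged resources; release them
            }
        }
        finally {
            $site.Dispose()
        }
    }
}
```

Run it before and after enabling anonymous access on a public site to confirm that only the intended web application and site collection show up, and that internal web applications sharing the farm remain at Disabled.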

For more info about other authentication types, check my other posts.

happy coding…

Authentication Methods in SharePoint 2013

Overview

In this series I'm going to talk about the authentication methods and authentication types in SharePoint 2013, and about the authentication process of each type.

In this post I will cover some definitions and talk about authentication methods in SharePoint (claims-based authentication and classic mode authentication).

In the next posts I will cover the authentication types in SharePoint 2013 (Windows authentication, forms-based authentication, and SAML-based authentication).

What is Authentication?

Authentication is the process of validating a user's identity against an authentication provider, which holds the user's credentials and can confirm that the user submitted them correctly.

What is an Authentication Method?

An authentication method is how the user's credentials, and other information that confirms the user's identity, are exchanged.

The result of the authentication method is a token that contains claims stating that an authentication provider has authenticated the user.

What is an Authentication Type?

An authentication type is a way of validating a user's credentials against one or more authentication providers.

Authentication providers can be ASP.NET membership and role providers, Active Directory Domain Services (AD DS), etc.

An authentication type can use multiple authentication methods.

Authentication Methods in SharePoint 

1- Claims-based authentication

Claims-based identity simplifies authentication logic: it separates that logic from the application itself by moving it to an identity provider.

All of the claims for a particular user are contained in a security token, which is the complete set of claims information in digital form that is associated with that user.

How does claims-based authentication work?

  1. The user requests access to the application or service.
  2. The application or service sends a request to the STS for a token for that user.
  3. The STS authenticates the user (for example, via a password, smart card or biometric scan).
  4. The STS generates the token.
  5. The STS digitally signs the token, and the digital signature becomes part of the token.
  6. The STS returns the token to the application or service that requested it.
  7. The application verifies that the digital signature is valid and that it came from an STS that the application trusts (each application has a list of trusted STSs).
  8. The application processes the claims information to determine whether to allow the user to access the service or application, and what level of access the user will have.

For more info about claims-based authentication, here are some resources:

2- Classic Mode authentication

Classic mode authentication ONLY supports Windows authentication; you cannot use forms-based or SAML-based authentication with classic mode.

It uses the Windows user account to authenticate the user directly for access to SharePoint resources.

Classic mode authentication (also known as Windows classic authentication) is discouraged in SharePoint 2013, and you can only create or configure web applications for classic mode authentication with Windows PowerShell.
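The following PowerShell is an added example (not from the original posts or from Microsoft's documentation) that serves both the Windows authentication post above and this classic mode section: it creates one web application in claims mode with Windows authentication, one in classic mode, which as stated here is only possible from PowerShell, and then shows the conversion from classic to claims. The URLs, host headers, application pool names and the managed account are placeholders.

```powershell
# Added example (not from the original posts): claims-based Windows authentication versus
# classic mode, and the one-way conversion between them. All names and URLs are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPoolAccount = Get-SPManagedAccount "CONTOSO\spAppPool"   # placeholder managed account

# Claims-based + Windows authentication. Without -DisableKerberos the zone offers
# Negotiate (Kerberos), so clients are not forced down to NTLM.
$winClaims = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
New-SPWebApplication -Name "Intranet (claims)" `
    -Url "http://intranet.contoso.example" -HostHeader "intranet.contoso.example" -Port 80 `
    -ApplicationPool "IntranetAppPool" -ApplicationPoolAccount $appPoolAccount `
    -DatabaseName "WSS_Content_Intranet" `
    -AuthenticationProvider $winClaims | Out-Null

# Classic mode: omit -AuthenticationProvider and pass -AuthenticationMethod instead.
# This is the discouraged path; Central Administration cannot create such a web application.
New-SPWebApplication -Name "Legacy (classic)" `
    -Url "http://legacy.contoso.example" -HostHeader "legacy.contoso.example" -Port 80 `
    -ApplicationPool "LegacyAppPool" -ApplicationPoolAccount $appPoolAccount `
    -DatabaseName "WSS_Content_Legacy" `
    -AuthenticationMethod NTLM | Out-Null

# Report the mode of every web application before deciding what to migrate.
Get-SPWebApplication | Format-Table DisplayName, Url, UseClaimsAuthentication -AutoSize

# Convert the classic web application to claims and re-map existing permissions to claims identities.
# There is no supported conversion back, so try this on a test farm first.
Convert-SPWebApplication -Identity "http://legacy.contoso.example" -To Claims -RetainPermissions
```

The UseClaimsAuthentication column is the quickest way to spot classic mode web applications that a farm inherited from an upgrade.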

We are done for now. In the next posts I'm going to talk about the authentication types in SharePoint 2013 listed below and the authentication process of each type:

  1. Anonymous Authentication in SharePoint 2013
  2. Windows Authentication in SharePoint 2013
  3. Forms-based Authentication in SharePoint 2013
  4. SAML-based Authentication in SharePoint 2013

Diagrams source: Microsoft Technet, Pluralsight

State Service Configuration in Microsoft SharePoint Server 2013

After installing SharePoint Server 2013, I created a site collection; when I tried to perform a simple approval workflow I got the error below:

The form cannot be rendered. This may be due to a misconfiguration of the Microsoft SharePoint Server State Service. For more information, contact your server administrator


I checked the database and there was no State Service DB, which means that we need to enable the "State Service" in the farm.

From Central Administration, on the left click Configuration Wizards, then Launch Farm Configuration Wizard.

Click Start the Wizard.

When the wizard starts, scroll down and check the State Service check box.

Click Next, then wait for the wizard to finish.

Check the SQL databases after it's done and you will find that the State Service database is now added.

Re-run the approval workflow now and it will work just fine.
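The Farm Configuration Wizard enables several services at once, and some administrators prefer to create only the State Service. As an added example (not from the original post), the following PowerShell creates the State Service application, its database and its proxy from the SharePoint 2013 Management Shell, and then lists the result so you can confirm the database the post mentions now exists. The names are placeholders.

```powershell
# Added example (not from the original post): create the State Service without the
# Farm Configuration Wizard. Service, database and proxy names are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Skip creation if the farm already has a State Service application.
if (Get-SPStateServiceApplication -ErrorAction SilentlyContinue) {
    Write-Host "State Service is already configured."
}
else {
    # Service application that the workflow/InfoPath forms rely on.
    $stateApp = New-SPStateServiceApplication -Name "State Service"

    # The database whose absence caused the rendering error in the post.
    New-SPStateServiceDatabase -Name "StateService_DB" -ServiceApplication $stateApp | Out-Null

    # Proxy added to the default proxy group so web applications pick it up automatically.
    New-SPStateServiceApplicationProxy -Name "State Service Proxy" `
        -ServiceApplication $stateApp -DefaultProxyGroup | Out-Null
}

# Confirm the service application and its database.
Get-SPStateServiceApplication | Format-List DisplayName, Status
Get-SPStateServiceDatabase    | Format-List Name, Server
```

After this, the approval workflow form should render without re-running the wizard, and the remaining services the wizard would have created stay untouched.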

Create the Configuration Database for Standalone Installation with a Local Account – SharePoint Server 2013

After I was done installing SharePoint Server 2013 on Windows Server 2012 R2, I ran the configuration wizard to finalize and configure the installation.

At the step "Specify Configuration Database Setting" I chose to use my local machine as my database server (because it is a development machine) and I left the default database name unchanged.

At the "Specify Database Access Account" section I typed my current local account, as I'm working on my local home development machine and I'm not connected to a domain, as follows:


I got this error after clicking Next:

Apparently SharePoint doesn't allow creating the configuration database with a local user account.

The good news is that there is a workaround: all you need to do is create the database manually using the SharePoint 2013 Management Shell.

Open the SharePoint 2013 Management Shell and type the following command:

New-SPConfigurationDatabase

Hit Enter and it will ask for the following:

  • Database Name
  • Database Server
  • FarmCredential
  • PassPhrase

Type the required info, then hit Enter again.

This will create all the necessary databases; you can then re-run the Configuration Wizard and select the option "Connect to an existing farm".
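The four prompts above map to parameters of New-SPConfigurationDatabase, so the same step can be run non-interactively. This is an added example, not from the original post; the database names and server are placeholders, the account is whatever you enter at the Get-Credential prompt (the local account in the post's case), and the passphrase is read as a SecureString so it is never written in plain text in a script or transcript.

```powershell
# Added example (not from the original post): New-SPConfigurationDatabase with its
# parameters supplied up front. Database names and server are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm account = the "Database Access Account" the wizard refused for a local user.
$farmAccount = Get-Credential -Message "Farm (database access) account, e.g. MACHINE\user"

# Passphrase is needed later to join more servers to this farm; read it securely.
$passphrase = Read-Host -Prompt "Farm passphrase" -AsSecureString

New-SPConfigurationDatabase -DatabaseName "SharePoint_Config" `
                            -DatabaseServer "localhost" `
                            -AdministrationContentDatabaseName "SharePoint_AdminContent" `
                            -FarmCredentials $farmAccount `
                            -Passphrase $passphrase

# Confirm the farm exists before returning to the wizard's "Connect to an existing farm" option.
Get-SPFarm | Format-List Name, BuildVersion, Status
```

Store the passphrase somewhere you would trust with farm membership: anyone who has it and network access to the configuration database can join a server to the farm.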


Extra note: 

I'm using SQL Server 2008 R2; when I first tried to create the configuration databases I got this error:

SharePoint 2013 supports SQL Server 2008 R2 Service Pack 1 and higher versions, so the error went away when I installed SP2.


Hope that will help :)