SOLVED

Claims Authentication - STS

Hello Everyone,

I need some clarification with respect to claims authentication in SharePoint. I have been doing some reading around this topic and have come across a Stack Overflow thread. The "answer" says that the SharePoint STS is an RP-STS.

From what I understand, this is contextual. If we use Windows-based claims authentication or forms-based claims authentication with, say, AD and ASP.NET role membership (SQL Server) being used as identity providers, then the SharePoint STS is the one that issues tokens and plays the role of an IP-STS. Is my understanding correct?

Also, say we integrate "Facebook login" with SharePoint. Do we have to use AD FS or any other federation service at all? Can we configure SharePoint to directly trust Facebook and use the SP STS to issue a token to the client and thereby act as an IP-STS? TIA!

1 Reply
best response confirmed by Kunal Kankariya (Copper Contributor)
Solution

If you use Windows-based claims auth, the IP (Identity Provider) is Active Directory. If you use forms-based auth, the IP is the forms auth provider. (Don't use .NET Membership, use ASP.NET Identity.) In both scenarios, the token consumed by SharePoint is from the SharePoint Claims Issuer.

SharePoint requires a SAML token. Last I checked, Facebook did not issue SAML tokens, so you need something in between that will do that. You can get SAML tokens from ADFS, Ping and a few others.

However, if you use an identity provider that is not Active Directory, you will have issues with the people picker in SharePoint. I've written about that here: SharePoint People Picker in Claims-mode Web Applications
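The "something in between" described in the answer is a SAML IP-STS such as AD FS that SharePoint is configured to trust; the federation with an external login provider happens inside that STS, not in SharePoint. The following is an added example (not code from the thread or its author) of registering AD FS as a trusted identity token issuer with the SharePoint Management Shell. The AD FS host name, realm, web application URL and certificate path are placeholders.

```powershell
# Added example: make SharePoint trust AD FS as its SAML token issuer.
# All host names, the realm and the certificate path are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$adfsHost = "adfs.example.com"                  # placeholder AD FS farm name
$realm    = "urn:sharepoint:intranet"           # placeholder; must equal the relying party identifier configured in AD FS
$certPath = "C:\certs\adfs-token-signing.cer"   # placeholder; AD FS token-signing certificate, public key only
$webAppUrl = "https://intranet.example.com"     # placeholder SharePoint web application

# The AD FS token-signing certificate is the trust anchor: SharePoint accepts
# only SAML tokens whose signature verifies against this certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "AD FS Token Signing" -Certificate $cert | Out-Null

# Claims SharePoint should accept from AD FS; e-mail address is the identifier
# claim that uniquely names the user in SharePoint.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name "AD FS" `
    -Description "AD FS acting as SAML IP-STS for SharePoint" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://$adfsHost/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

# Enable the trusted issuer on the web application alongside Windows claims,
# so existing AD users keep working while federated users sign in via AD FS.
$adfsProvider    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $webAppUrl -Zone Default `
    -AuthenticationProvider $adfsProvider, $windowsProvider

# Verification: confirm the issuer, its identifier claim and the signing
# certificate thumbprint match what AD FS publishes before going live.
Get-SPTrustedIdentityTokenIssuer -Identity "AD FS" |
    Select-Object Name, IdentifierClaim, @{ n = "Thumbprint"; e = { $_.SigningCertificate.Thumbprint } }
```

When AD FS rotates its token-signing certificate, the trusted root authority and the issuer's certificate must be updated too, otherwise SharePoint rejects every token from that point on.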
