Microsoft switching SharePoint to claims-based authentication

Claims-based model linked to Microsoft’s Identity Metasystem moving from concept to application layer with SharePoint as the proof point

SharePoint will lose the rigid authentication system it has today in favor of using claims about a user, such as age or group membership, that are passed to obtain access to the SharePoint environment and to systems integrated with that environment.

Claims could be built dynamically, picking up information about users and validating existing claims via a trusted source as the user traverses a SharePoint environment.

A diagram of the move for SharePoint

“We don’t want to come up with another, or the next, authentication system for SharePoint,” says Venkey Veeraraghavan, senior program manager lead for Office SharePoint Server.

Veeraraghavan said Microsoft settled on a claims-based system because it is flexible and designed for heterogeneous identity environments. “It allowed us to invest in one place [SharePoint] and know that we can credibly say we work with multiple systems, especially as they are woven into what we’re calling a Metasystem. We want to continue to work on making SharePoint useful to our customers, not spend a lot of time integrating with each and every identity system one-by-one, or worse, not do it because of resource concerns.”

Veeraraghavan provided a glimpse of Microsoft’s work during a panel session at last month’s Digital ID World conference. Claims are a set of statements that identify a user and provide specific information. The claims are used by systems to make such decisions as who gets access, who can retrieve content or who can complete transactions, according to Microsoft officials.

In the real world, a claim may be as simple as a credit card presented to show the bearer has the privileges needed to complete a transaction, with the merchant still holding the right to accept or reject the claim.

The claims architecture, part of Microsoft’s Metasystem model for a distributed identity architecture, is based on such protocols as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML). The Metasystem includes an emerging technology Microsoft developed called Security Token Service (STS), which handles the exchange of claims.

Also, existing technologies such as directories, Kerberos, metadirectories and certificate authorities can serve as “claims transformers,” adding data to a claim or validating existing claim information.

Microsoft hopes the claims architecture, which can be built on technologies available today, will replace identity systems that are based on a single point of truth, typically a directory of user information.

Veeraraghavan said Microsoft is “deep into the engineering process” for switching to a claims-based model in SharePoint. However, he said features of the next release of SharePoint are not being revealed so he could not say when the claims model might show up in the software.

Kim Cameron, Microsoft’s identity architect who helped develop the Metasystem concept and introduced the claims model in April, said at the time he believes an industry transformation to claims-based identity is 18 to 24 months away.

That time frame coincides with the traditional release cycle of the Office family of products that includes SharePoint Server. Office 2007 and the SharePoint Server were released late last year to corporate users.

The claims-based model has three components: the relying party, which needs the claim in order to decide what it is going to do; the identity provider, which provides the claim; and the user, who decides what information, if any, he wants to provide.

Claims can contain static information such as birth date, relationship-based information such as group membership or derived claims that make general assertions such as the user is over 21 years of age. There are also metaclaims about how information was verified, such as in-person registration, or how it was issued.

Veeraraghavan says SharePoint will use claims in three ways: to securely transmit the requesting user’s identity across machines within SharePoint and systems that interoperate with SharePoint; to provide application-specific concepts, such as roles, in SharePoint security so applications can augment claims about the user and allow SharePoint to reason about those claims in the context of authorization decisions; and to interoperate with multiple authentication providers in a consistent manner.
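The three-party model, the claim kinds (static, relationship-based, derived, plus a metaclaim) and the application-side role augmentation described above can be shown end to end in a small script. The following is an added illustration and is not Microsoft’s or SharePoint’s code: the issuer name, the user record, the HMAC-signed token format and the policy table are all constructed for the demo, and a real Security Token Service would sign with an asymmetric key and speak SAML or WS-Trust rather than this toy format.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key shared by the identity provider and the relying party.
# A real STS signs with an asymmetric key and publishes the verification key.
IDP_KEY = b"constructed-demo-key-not-for-production"
IDP_NAME = "idp.example.test"            # hypothetical identity provider name
TRUSTED_ISSUERS = {IDP_NAME}

# Constructed user record in the identity provider's directory:
# a static claim (birthdate) and a relationship-based claim (groups).
DIRECTORY = {
    "alice": {"birthdate": "1980-05-20", "groups": ["finance", "staff"]},
}

# What each protected operation at the relying party demands (constructed policy).
POLICY = {
    "approve-invoice": {"roles": {"approver"}, "over21": True},
    "read-intranet":   {"roles": {"member"},   "over21": False},
}


def derive_over21(claims: dict, today_iso: str) -> dict:
    """Claims transformer: derive 'over21' from the static birthdate and attach
    a metaclaim recording how the derived value was produced."""
    born = date.fromisoformat(claims["birthdate"])
    today = date.fromisoformat(today_iso)
    # Whole years; the tuple comparison subtracts one year if the birthday
    # has not yet occurred this year.
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return {**claims, "over21": age >= 21, "over21_method": "derived-from-birthdate"}


def user_releases(claims: dict, consented: set) -> dict:
    """User veto: only the claims the user agrees to disclose leave the provider."""
    return {k: v for k, v in claims.items() if k in consented}


def issue_token(subject: str, claims: dict, key: bytes = IDP_KEY) -> str:
    """Identity provider: bind the released claims to a subject and sign them.
    Constructed token format: base64url(JSON payload) + '.' + HMAC-SHA256 hex."""
    if subject not in DIRECTORY:
        raise PermissionError("identity provider refuses unknown subject")  # provider veto
    payload = {"iss": IDP_NAME, "sub": subject, "claims": claims}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def verify_token(token: str, key: bytes = IDP_KEY) -> dict:
    """Relying party: check signature and issuer before trusting any claim."""
    body_b64, _, sig = token.rpartition(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("token signature invalid")
    payload = json.loads(body)
    if payload.get("iss") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    return payload


def is_valid_token(token: str) -> bool:
    """Convenience wrapper: True only if the token verifies."""
    try:
        verify_token(token)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def augment_with_roles(claims: dict) -> dict:
    """Application-specific augmentation: map group-membership claims onto the
    roles the application reasons about, without altering the signed token."""
    roles = {"member"}
    if "finance" in claims.get("groups", []):
        roles.add("approver")
    return {**claims, "roles": roles}


def authorize(token: str, operation: str) -> bool:
    """Relying-party decision: verified claims plus app roles, checked against POLICY."""
    claims = augment_with_roles(verify_token(token)["claims"])
    rule = POLICY[operation]
    if rule["over21"] and not claims.get("over21", False):
        return False
    return bool(rule["roles"] & claims["roles"])


def login_and_check(subject: str, consented: set, operation: str, today_iso: str) -> bool:
    """End-to-end flow: directory -> transformer -> user consent -> STS -> relying party."""
    full = derive_over21(DIRECTORY[subject], today_iso)
    token = issue_token(subject, user_releases(full, consented))
    return authorize(token, operation)


if __name__ == "__main__":
    # Alice releases the derived claim and her groups but withholds her raw birthdate.
    print(login_and_check("alice", {"over21", "over21_method", "groups"},
                          "approve-invoice", "2007-10-01"))
```

The point worth noticing is that the relying party never sees the birthdate: the transformer turns it into the derived claim, the user releases only that claim, and authorization still succeeds. Withholding the groups claim removes the application-derived role and the same request is refused, while a token whose signature has been altered fails verification before any claim is read.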

Today, SharePoint Server 2007 uses a native Active Directory-based authentication between machines and systems. The current SharePoint identity system does not allow applications to inject extra claims into the user’s profile.

While the claims-based system does offer a measure of flexibility over developing and maintaining an authoritative source of user data, it also requires a more sophisticated trust model.

Experts say the transformation from a single security perimeter and authoritative source of user data to a model of distributed claims, used to identify a user, verify payment or access, or personalize services, means companies will face challenges in establishing levels of trust among themselves and among claims providers, and in managing the risk inherent in those relationships.

Microsoft envisions that its Identity Metasystem architecture will allow claims to be fetched dynamically using the Lightweight Directory Access Protocol or some Web services equivalent, or pushed out using standard protocols such as WS-Federation and SAML.

Today, applications typically pull user access data from the directory to determine access rights to network services.

The push model, Microsoft says, not only provides claims that are usable in many different places, it affords network efficiencies, more easily ties identity into application development, puts less stress on the directory, provides more flexibility in defining a user and their rights, and gives the ability to federate identity with those outside the corporate network.

Microsoft’s Cameron says the claims architecture provides a way to transfer claims, but says nothing about truth. He says the model’s veto power, where either the user or the identity provider can reject the exchange of claims to a relying party, plays a major role in the security of the system.

Copyright © 2007 IDG Communications, Inc.
