Tuesday, September 11, 2012
Authentication Model in SharePoint 2013
New Authentication Model in SharePoint 2013
The SharePoint 2013 Preview has been available for a few weeks now, and I am sure many of you have tried it by installing it on a standalone box/VM or by getting an account on SharePoint Online. When you log into SharePoint for the first time it looks as if nothing has really changed in terms of authentication, but when you dig deeper you find that Microsoft has made changes to the authentication model of SharePoint 2013.
In SharePoint 2013, claims-based authentication is the default authentication mode for web applications, and SharePoint can now also leverage OAuth and Server-to-Server (S2S) authentication.
Background of Authentication in SharePoint from 2007 to 2013
MOSS 2007 relied on the capabilities of IIS to provide authentication, which we call Classic Authentication Mode. Classic Auth supports Basic and Forms authentication as well as NTLM or Kerberos, but only a single authentication mechanism was supported on a MOSS web application at a time.
SharePoint 2010 introduced a new authentication mode, claims-based authentication. Claims supports FBA and Basic, but Classic was still the default auth mode for SP 2010 web apps.
Claims-based auth uses “tokens” that identify the user and carry specific, customizable attributes about the user (username, email, full name, etc.). Each attribute is known as a claim.
In the SharePoint 2013 Preview, Classic Auth is no longer offered in the UI, but you can still create a classic-mode web application using PowerShell.
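Because classic-mode web applications can still be created from PowerShell, it is worth checking which mode each web application in a farm actually uses. The following script is an added example, not from the original post; it uses the standard SharePoint 2013 cmdlets (`Get-SPWebApplication`, `Convert-SPWebApplication`) and the `UseClaimsAuthentication` property of a web application, and assumes it is run from the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example (not from the original post): list the authentication mode of every
# web application in a SharePoint 2013 farm, then show how a classic-mode web app
# would be converted to claims. Run from the SharePoint 2013 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebAppAuthMode {
    # UseClaimsAuthentication is $true for claims-mode web apps, $false for classic.
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        [PSCustomObject]@{
            Name     = $_.DisplayName
            Url      = $_.Url
            AuthMode = if ($_.UseClaimsAuthentication) { 'Claims' } else { 'Classic' }
        }
    }
}

$modes = Get-WebAppAuthMode
$modes | Format-Table -AutoSize

# The 2013 app model (OAuth / S2S) requires claims-mode web applications, so any
# classic-mode web app found here cannot take part in it until it is converted.
$classic = $modes | Where-Object { $_.AuthMode -eq 'Classic' }
foreach ($wa in $classic) {
    Write-Host "Classic-mode web application: $($wa.Url)"
    # The conversion is one-way; back up the content databases first, then uncomment.
    # -RetainPermissions migrates existing users and groups to their claims identities.
    # Convert-SPWebApplication -Identity $wa.Url -To Claims -RetainPermissions -Force
}
```

The conversion line is left commented out on purpose: listing is harmless, but converting a web application to claims changes how every existing user identity is stored, so it should be a deliberate step after the audit rather than part of it.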
Server to Server (S2S) Authentication and OAuth for SP 2013 Apps
Server-to-Server (S2S) authentication is another change in the auth area in SharePoint 2013; the new server products, including SharePoint 2013, Exchange 2013 and Lync 2013, use S2S. It is similar to OAuth for apps, but it works for an entire server and actually delegates the user’s identity to the remote server.
S2S relies on claims behind the scenes to delegate the user’s identity. Where it differs from straight claims is that the delegation is automatic and doesn’t have to be initiated by the user.
OAuth is something that has been around for a while now; the current version, I believe, is OAuth 2. It is widely used on the web these days, especially by social networking apps, including OpenSocial and others.
In SharePoint 2013, OAuth provides authorization for apps to access specific user resources without the user needing to provide credentials to the app. The idea is to establish a trust between the app server and SharePoint, regardless of where the app is actually hosted (on-premise or in the cloud), allowing the app access to the resources it has requested.
In the case of an on-premise app, everything is negotiated between the server and SharePoint and an implicit trust exists; this comes from the app being hosted on SharePoint. For cloud-based apps, SharePoint trusts the Azure Access Control Service (ACS).
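Both S2S and OAuth in SharePoint 2013 rest on a small set of farm-level trust settings: the authentication realm that identifies the farm in tokens, the list of token issuers whose signed tokens SharePoint accepts, the root authorities their certificates chain to, and whether OAuth tokens may be sent over plain HTTP. The script below is an added example, not from the original post; it only reads these settings, using the real cmdlets `Get-SPAuthenticationRealm`, `Get-SPTrustedSecurityTokenIssuer`, `Get-SPTrustedRootAuthority` and `Get-SPSecurityTokenServiceConfig`, and assumes it is run from the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example (not from the original post): inspect the trust configuration that
# S2S and OAuth tokens depend on in a SharePoint 2013 farm. Read-only.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The realm is the farm/tenant identifier that appears in every OAuth and S2S token;
# an issuer name is registered as <issuer-id>@<realm>.
$realm = Get-SPAuthenticationRealm
Write-Host "Farm authentication realm: $realm"

# Every trusted security token issuer is a party whose signed tokens SharePoint will
# accept as a user or app identity. Review this list: an unexpected entry here means
# someone else can mint identities for this farm. IsSelfIssuer marks the farm's own STS.
Write-Host "`nTrusted security token issuers:"
Get-SPTrustedSecurityTokenIssuer |
    Select-Object Name, RegisteredIssuerName, IsSelfIssuer, MetadataEndPoint |
    Format-Table -AutoSize

# Root authorities that issuer signing certificates must chain to (on-premise S2S
# trusts with Exchange or Lync are typically anchored here).
Write-Host "Trusted root authorities:"
Get-SPTrustedRootAuthority |
    Select-Object Name, @{ Name = 'Subject'; Expression = { $_.Certificate.Subject } },
                        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# OAuth bearer tokens should only travel over HTTPS. AllowOAuthOverHttp is a lab
# convenience; in production it should be $false.
$sts = Get-SPSecurityTokenServiceConfig
Write-Host "AllowOAuthOverHttp: $($sts.AllowOAuthOverHttp)"
if ($sts.AllowOAuthOverHttp) {
    Write-Warning "OAuth over HTTP is enabled; app tokens can be sent in clear text."
}
```

Running this after registering an on-premise S2S trust (or after connecting a farm to ACS for cloud-hosted apps) shows exactly which issuers the farm will believe, which is the practical meaning of the "trust" the post describes.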