Saturday, December 5, 2009

Claims-based Identity in SharePoint 2010

SharePoint 2010 introduces claims-based identity as its new identity management framework. A trusted identity authority issues security tokens, and SharePoint 2010 consumes those tokens. It does not replace the classic Windows integrated authentication or forms-based authentication (FBA) known from SharePoint 2007; rather, it is a new framework under which Windows integrated authentication and FBA can be used alongside other authentication methods, such as external SAML token issuers.

First, here are some key concepts in claims-based identity:

  • Identity: a set of information about an entity, such as a user
  • Claim: a piece of information about an identity, such as the user's name, e-mail address or role
  • Security token: a set of claims, digitally signed by an identity authority so that the recipient can verify who issued it and that it has not been altered
  • STS (Security Token Service): a trusted identity authority that validates claims about identities and issues security tokens. The protocol for requesting and issuing tokens is based on WS-Trust. Trust relationships can be established between STSs
  • Identity Provider STS (IP-STS): authenticates the client and issues a SAML token containing claims about it
  • Relying Party STS (RP-STS): does not authenticate the client itself; it relies on a SAML token issued by an IP-STS that it trusts, transforms the claims according to its rules and policies, and issues a new token
  • SAML (Security Assertion Markup Language): a standard security token format

Note that claims-based identity is not a proprietary Microsoft technology; it is based on standards such as SAML, WS-Trust and WS-Federation. For example, Novell Access Manager can serve as an STS on a non-Windows platform.


Here are some benefits of using claims-based identity:
  • It enables a federated identity architecture, which is easier to administer and potentially more secure, because credentials are verified by the identity authority rather than by each application.
  • A unified authentication model makes the developer's life easier.
  • The application offloads complex authentication and identity management to a third-party identity authority (the STS).
  • The application receives richer identity information (claims) about the entity than just a user ID.
  • The application can request exactly the claims it needs by defining a policy.

Claims-based Identity in SharePoint 2010

SharePoint 2010 has a built-in STS (called SP-STS). When claims-based authentication is turned on for a web application, SharePoint 2010 accepts only security tokens issued by SP-STS. SP-STS can act either as an IP-STS or as an RP-STS.

When SP-STS acts as IP-STS, the browser or client authenticates to SP-STS with either Windows authentication or forms-based authentication (i.e. ASP.NET membership and role providers). SP-STS then issues a security token, which is passed to SharePoint 2010 to log the user in. See the diagram below.
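The IP-STS case in practice, as an added example that is not part of the original post: the PowerShell below creates a claims-mode web application whose users are authenticated by SP-STS with Windows authentication, checks that the web application really is in claims mode, and shows how a Windows account is represented once it has become a claim. The web application name, URL, application pool and account names are assumptions for illustration.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell
# (or any PowerShell session with the SharePoint snap-in) on a farm server.
# Names, URL and accounts are assumptions; adjust for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# SP-STS acts as IP-STS: the user is authenticated with Windows (NTLM) authentication,
# and SP-STS issues the token that SharePoint consumes.
$provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

$webApp = New-SPWebApplication -Name "Claims Portal" `
    -Url "https://portal.contoso.local" -Port 443 -SecureSocketsLayer `
    -ApplicationPool "ClaimsPortalAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\spAppPool") `
    -AuthenticationProvider $provider

# Check: without claims mode, SP-STS is not involved at all and the web application
# is in classic mode, where tokens from any STS are meaningless to SharePoint.
if (-not $webApp.UseClaimsAuthentication) {
    throw "Web application is not in claims mode; SP-STS will not issue tokens for it."
}

# In claims mode a Windows user is no longer identified by the raw account name but by
# an encoded claim: the encoded string starts with the "i:0#.w|" prefix, which marks an
# identity claim of type Windows SAM account name. This matters when scripting
# permissions, because the encoded form is what must be granted, not the plain account.
$claim = New-SPClaimsPrincipal -Identity "CONTOSO\alice" -IdentityType WindowsSamAccountName
$encoded = $claim.ToEncodedString()
Write-Host "Claims-encoded identity for CONTOSO\alice: $encoded"
```

If an existing classic-mode web application has to be moved to claims mode instead, `UseClaimsAuthentication` is set on the web application object and `MigrateUsers($true)` converts the stored account names to their encoded claim form; creating the web application in claims mode from the start avoids that migration.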

When SP-STS acts as RP-STS, the browser or client authenticates to a different IP-STS, which need not be a Windows identity provider. This IP-STS is trusted by SP-STS: the trust is established by registering the IP-STS and its token-signing certificate with SharePoint, and SP-STS verifies the signature of every incoming token against that certificate. The client presents the security token issued by the IP-STS to SP-STS, and SP-STS then issues a new token, carrying only the mapped claims, that SharePoint 2010 accepts.
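The RP-STS case in practice, and the claim transformation described for RP-STS in the concept list above, as an added example that is not part of the original post: the PowerShell below registers an external IP-STS (an AD FS 2.0 instance is assumed) so that SP-STS acts as RP-STS for it, trusts its token-signing certificate, and declares which incoming claims are carried into the token SP-STS issues to SharePoint. The host names, certificate path, realm and the particular claim types are assumptions for illustration.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010 Management Shell.
# Host names, certificate path, realm and claim types are assumptions; adjust for your farm
# and for the relying-party configuration on the IP-STS side.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the IP-STS token-signing certificate (public key only, exported from the IP-STS).
#    SP-STS validates the signature of every incoming SAML token against this certificate;
#    a token signed by any other key is rejected, so guard this file like a trust anchor.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList "C:\certs\adfs-token-signing.cer"
New-SPTrustedRootAuthority -Name "AD FS Token Signing" -Certificate $cert

# 2. Claim mappings: only claims listed here are copied from the incoming token into the
#    token SP-STS issues. Everything else is dropped, which is the RP-STS "transform" step.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the IP-STS as a trusted identity token issuer.
#    Realm: the relying-party identifier the IP-STS puts in the token audience; it must
#           match the relying party configured on the IP-STS or the token is rejected.
#    SignInUrl: where the browser is redirected to authenticate (WS-Federation passive).
#    IdentifierClaim: the claim SharePoint treats as the user's identity, so it must be
#           unique and stable per user (e-mail address is assumed here).
$issuer = New-SPTrustedIdentityTokenIssuer -Name "AD FS" `
    -Description "External IP-STS trusted by SP-STS" `
    -Realm "urn:sharepoint:portal" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://adfs.contoso.local/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Verify what SP-STS now trusts before attaching the provider to a web application
#    (New-SPWebApplication -AuthenticationProvider $issuer, or Central Administration).
Get-SPTrustedIdentityTokenIssuer "AD FS" |
    Select-Object Name, IdentityClaimTypeInformation, ClaimTypeInformation
Get-SPTrustedRootAuthority "AD FS Token Signing" |
    Select-Object Name, Certificate
```

Two things worth checking after this runs: the IP-STS must actually issue the identifier claim for every user (a user whose token lacks it cannot be logged in), and the token-signing certificate must be replaced here whenever the IP-STS rolls its key, otherwise every login fails with a signature validation error at SP-STS.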
