Questions & Answers on SharePoint Authentication and Authorization

Liam Cleary is an internationally recognised speaker who will be presenting a session at ESPC 2014 on “Think You Can Hack SharePoint?”. As part of European SharePoint Training Week Liam presented a session on “SharePoint Authentication and Authorization”. Here are the questions of attendees and Liam’s responses.

Q: We’ve tried Azure ACS. Google and Yahoo IDs work fine, but Live ID email addresses aren’t passed through! Is there an easy solution to this? (with SharePoint 2013 on premises)
Live ID uses the core User Principal Name (UPN), which is actually mapped to Name Identifier; you should be using that as the unique identifier for authentication. Windows Live also only supports two claims: http://msdn.microsoft.com/en-us/library/gg185944.aspx. You could achieve this, though, by writing a custom Identity Provider and using the API call for this instead of ACS, or, even better, creating the custom Identity Provider and adding it to ACS.

Q: In order to use or set up a SharePoint resource, are you required to have an Active Directory background, or to need Active Directory?
No, you do not need Active Directory; a little knowledge does help, though, simply for creating accounts etc.

Q: Hi Liam. I’m keen to understand the implications of enabling constrained delegation on the service account used for Excel Services when it’s one of many service apps under a single application pool, and the testing needed to ensure nothing untoward has happened.
There should be no implications if you need to use constrained delegation on the account. If services that are using that account need it, then it will need to be configured for that; other than that, it will only be used in the “delegated” process when needed.
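
The following is an added example, not code from the original Q&A: it configures constrained delegation on a SharePoint service account with the ActiveDirectory module and then audits the result, so that the "testing needed to ensure nothing untoward has happened" is a repeatable check rather than a manual look at the account properties. The account name, the target SQL SPN and the domain are assumptions; the point to verify is that the account is limited to the listed SPNs, is not trusted for unconstrained delegation, and does not have protocol transition enabled unless the service actually requires it (a shared application pool means every service running as this identity inherits whatever delegation rights it is given).

```powershell
# Added example: configure and audit Kerberos constrained delegation for a
# SharePoint service account. Names below are assumptions for illustration.
Import-Module ActiveDirectory

$SamAccountName = 'svc_excel'                              # assumed app pool account
$ExpectedSpns   = @('MSSQLSvc/sql01.contoso.com:1433')     # assumed back-end data source SPN

# 1. Constrained delegation: the account may request tickets only for these SPNs.
#    -Add appends to the multi-valued msDS-AllowedToDelegateTo attribute.
Set-ADUser -Identity $SamAccountName -Add @{ 'msDS-AllowedToDelegateTo' = $ExpectedSpns }

# 2. Protocol transition ("use any authentication protocol") lets the account delegate
#    for users who did not arrive with a Kerberos ticket. Keep it off unless the
#    service genuinely needs it; it widens what a compromised account could do.
Set-ADAccountControl -Identity $SamAccountName -TrustedToAuthForDelegation $false

# 3. Audit: report the delegation settings that matter for this account.
function Get-DelegationReport {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation, servicePrincipalName
    [pscustomobject]@{
        Account                 = $u.SamAccountName
        UnconstrainedDelegation = [bool]$u.TrustedForDelegation       # must be False
        ProtocolTransition      = [bool]$u.TrustedToAuthForDelegation
        AllowedToDelegateTo     = @($u.'msDS-AllowedToDelegateTo')
        OwnSpns                 = @($u.servicePrincipalName)
    }
}

# 4. Check that the delegation list contains exactly the SPNs we intended and
#    that nothing else (for example a leftover unconstrained flag) is set.
function Test-DelegationScope {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$Expected
    )
    $report = Get-DelegationReport -Identity $Identity
    $extra   = $report.AllowedToDelegateTo | Where-Object { $Expected -notcontains $_ }
    $missing = $Expected | Where-Object { $report.AllowedToDelegateTo -notcontains $_ }
    [pscustomobject]@{
        Account       = $report.Account
        Ok            = (-not $extra) -and (-not $missing) -and (-not $report.UnconstrainedDelegation)
        UnexpectedSpn = @($extra)
        MissingSpn    = @($missing)
        Unconstrained = $report.UnconstrainedDelegation
    }
}

Get-DelegationReport -Identity $SamAccountName | Format-List
Test-DelegationScope -Identity $SamAccountName -Expected $ExpectedSpns | Format-List
```

Run the audit functions again after any change to the application pool identity; because several service applications share the pool, a delegation right added for Excel Services is available to all of them, so the expected SPN list should be the union of what every service in that pool legitimately needs and nothing more.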

Q: Hello, I’m Nizar from Tunisia. I have a SharePoint farm under claims authentication using ADFS; I’m creating a custom connector to connect SharePoint to an external data source. The connection is made using a SOAP web service, and this web service uses the SAML token to authenticate the user.
My question is: how can I extract the SAML token of the connected user on SharePoint to send it through the web service?
There are some third-party libraries you could use for that, or the real way of doing it is to write the web service as a WCF endpoint and enable it for use with ADFS. You can secure web services this way too.

Q: Please let me know the MS product for achieving role-based access control for SharePoint, and the key challenges.
Really, ADFS is the core Microsoft platform for this, unless you are looking at a Microsoft-based platform such as Site Minder. All of these technologies have challenges when implementing them into an organization. Most of the issues are really around understanding how the process works and the impacts on application access.

Q: Please suggest an easy solution to manage access control for a user moving from role A to role B.
Active Directory security groups are great for this. You define the permissions to the application, such as SharePoint, using the security groups. If an individual who is a member of group A moves to group B, then removing the user from group A in AD and adding them to group B will resolve this. The same is true if you are using SharePoint security groups: adding/removing users will change the permission set.
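
The following is an added example, not code from the original Q&A: it performs the group move described above with the ActiveDirectory module and verifies the resulting membership, and it shows the one check a SharePoint administrator usually wants next, because a claims-authenticated user keeps the cached group claims in their SharePoint token until it expires. The user and group names are assumptions; the SharePoint part only runs where the SharePoint PowerShell snap-in is registered.

```powershell
# Added example: move a user from role group A to role group B in Active Directory
# and verify it. User and group names are assumptions for illustration.
Import-Module ActiveDirectory

function Move-UserBetweenRoleGroups {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$FromGroup,
        [Parameter(Mandatory)][string]$ToGroup
    )
    # Add to the new role first, then remove the old one, so a failure half way
    # leaves the user with too much access (visible, fixable) rather than none.
    Add-ADGroupMember    -Identity $ToGroup   -Members $User
    Remove-ADGroupMember -Identity $FromGroup -Members $User -Confirm:$false

    # Verify direct group membership as AD now reports it.
    $groups = Get-ADPrincipalGroupMembership -Identity $User | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        User        = $User
        InFromGroup = ($groups -contains $FromGroup)   # expect False
        InToGroup   = ($groups -contains $ToGroup)     # expect True
    }
}

Move-UserBetweenRoleGroups -User 'jdoe' -FromGroup 'SP-Finance-Readers' -ToGroup 'SP-Finance-Contributors' |
    Format-List

# On a SharePoint 2013 farm the user keeps the group claims cached in their logon
# token until it expires or they sign in again, so the permission change is not
# immediate. These two STS settings control that window (defaults: 10 hours and
# 10 minutes). This part is skipped on machines without the SharePoint snap-in.
if (Get-PSSnapin -Registered -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    Get-SPSecurityTokenServiceConfig |
        Select-Object WindowsTokenLifetime, LogonTokenCacheExpirationWindow |
        Format-List
}
```

The same pattern applies to SharePoint security groups, with the difference that a change made through the site's group membership takes effect on the next request because no AD-side claim has to expire.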

Q: The home page needs to be displayed based on the country the authenticated user belongs to. How can I achieve this in Office 365?
This is really where the out-of-the-box feature set is the only option without writing custom code or generating claims for the users: http://office.microsoft.com/en-us/office365-sharepoint-online-enterprise-help/create-a-multi-language-website-HA102886546.aspx
