Saturday, January 31, 2009

Claims-based authentication in next SharePoint

Microsoft is replacing the authentication system for SharePoint Server and will instead rely on a new claims-based identity model.

The goal is to have SharePoint incorporate an authentication model that works with any corporate identity system, including Active Directory, LDAPv3-based directories, application-specific databases, new user-centric identity models (LiveID, OpenID) and InfoCard systems (Microsoft’s CardSpace and Novell’s Digital Me).

SharePoint will lose the current authentication system, criticised for its rigidity, in favor of using claims about a user, such as age or group membership, that are passed to obtain access to the SharePoint environment and to systems accessed from SharePoint applications.

The claims architecture, part of Microsoft’s Metasystem model for a distributed identity architecture, is based on such protocols as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML). The Metasystem includes an emerging technology Microsoft developed called Security Token Service (STS), which handles the exchange of claims.

Claims could be built dynamically, picking up information about users and validating existing claims via a trusted source. The advantage of a claims-based system is that it is flexible and designed for heterogeneous identity environments.
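To make the "validated via a trusted source" point concrete, here is an added example (not SharePoint's code, nor anything from the original post): a relying party accepts claims only from issuers it trusts, checks integrity and expiry, and then authorizes on claim values such as age and group membership regardless of which identity system produced them. The issuer names, keys and token format are constructed stand-ins for a real STS trust relationship and WS-Trust/SAML tokens.

```python
import hashlib
import hmac
import json
import time

# Constructed example: per-issuer shared secrets stand in for the trust a
# relying party has with each Security Token Service. A real deployment would
# pin the issuers' signing certificates instead; the names are illustrative.
TRUSTED_ISSUERS = {
    "urn:example:corp-ad-sts": b"corp-secret-key",
    "urn:example:openid-bridge-sts": b"openid-bridge-key",
}

def sign_token(issuer, claims, expires_at, key):
    """Build a minimal signed claims token (illustrative, not WS-Trust or SAML)."""
    body = json.dumps({"iss": issuer, "exp": expires_at, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def validate_token(token, now=None):
    """Return the claims if the token is from a trusted issuer, intact and unexpired; else None."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(".")
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return None  # untrusted source: its claims carry no weight
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered token or wrong issuer key
    if payload.get("exp", 0) <= now:
        return None  # stale claims must not grant access
    return payload["claims"]

def may_access_site(token, min_age=18, required_group="Finance", now=None):
    """Authorize on claim values, independent of which identity system issued them."""
    claims = validate_token(token, now)
    if claims is None:
        return False
    return claims.get("age", 0) >= min_age and required_group in claims.get("groups", [])
```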

From a strategic point of view, the interesting thing is that Microsoft hopes that the claims architecture, which can be built on technologies available today, will replace identity systems that are based on a single point of truth, typically a directory of user information. Most of today's identity management systems are based on the single-point-of-truth policy.

© Copyright 2009, Tomas Elfving
