I was thinking of collecting all the relevant details on how Claims Based Authentication comes into SharePoint 2010. It will be very difficult to cover in a single post.
I will try to cover as much as I can and will cover the rest in the next updates.
I have taken reference from some books to understand this, and I am using some of their content in brief to explain it further.
Major points, as I see them:
1) How the need for claims based authentication arose.
2) What services help it work.
3) How the package is prepared and brought to the forefront in SharePoint 2010.
How the need for claims based authentication arose.
The root of this need comes from MOSS 2007 itself, or even before. Hats off to Microsoft!
We know how to configure the MOSS environment for access over the Internet:
a) Using SSL.
b) Using MS-ISA Servers as application proxy.
But what about partners and other users outside your organization? If there is a need to give them limited access to your SharePoint server, it can be done! Before you do this, you must understand how SharePoint controls what a user can do through its access control feature.
If you want to allow access to a user outside your organization, it must be possible to authenticate that user. In other words, the external user needs to log on, and this is a problem with external users because they don't have a user account in your network. One simple way to resolve this is to create a local user account for each of these external users. You can assign the user membership in any SharePoint group you like, and you can create rules in the MS ISA server to control exactly which parts of SharePoint they can access. The external user must remember to log on with the local account you created. This was never a perfect solution, only a workaround. Let's understand why.
Cons of this solution
It works, this is true, but what happens if this external person moves to another company? For example, suppose that Mr. A works for the company ABC. A is involved in a project in your organization, XYZ, and needs access to the SharePoint site where all the project information is stored. You create a local user account for A, grant him the proper access, and tell him the URL for the project site and that his logon name is XYZ(Domain)\A. He starts working on the project, and everything works as expected. One month later, A leaves ABC and starts working for its competitor, GDC. You don't have an agreement with GDC, so its employees are not allowed access to your project site. You need to disable the account XYZ\A. But how will you know that A has left his old company, ABC? There is no automatic process that will inform you about this. Hopefully, someone at ABC tells you, or somebody in the project team gets this information and tells you. Clearly, this situation will be very hard to handle if you have 10 or more external partners. But at the moment, this is how things work.
A new feature in MOSS 2007 called Forms Based Authentication lets external users log in with accounts that are stored in a SQL Server database instead of Active Directory.
This can be the solution in MOSS 2007, but we are still short of perfect.
Here comes the foundation for Claims Based Authentication.
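To make the Forms Based Authentication point concrete, here is the kind of ASP.NET membership configuration a MOSS 2007 web application uses to keep those external accounts in SQL Server. This is an added example, not configuration from the original post or from any specific environment; the connection string, database name, server name and provider names (FbaMembershipDb, FbaMembership, FbaRoles) are placeholders you would replace with your own.

```xml
<!-- Added example (not from the original post). Placeholder names throughout.
     The membership database is the standard ASP.NET schema created with
     aspnet_regsql.exe; SharePoint itself never stores these passwords. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder: points at the ASP.NET membership database, not at SharePoint's own databases -->
    <add name="FbaMembershipDb"
         connectionString="Data Source=SQLSERVER01;Initial Catalog=FbaAccounts;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- External users authenticate against this provider instead of Active Directory -->
    <membership defaultProvider="FbaMembership">
      <providers>
        <add name="FbaMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- Optional: SQL-backed roles so external users can be grouped without AD groups -->
    <roleManager enabled="true" defaultProvider="FbaRoles">
      <providers>
        <add name="FbaRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

With a provider configured like this, the external account is granted permissions in SharePoint as FbaMembership:username rather than as a domain account, and the password is kept hashed (passwordFormat="Hashed") with a lockout after a handful of failed attempts. Notice, though, that this only moves where the account lives: the de-provisioning problem from the ABC/GDC story above is unchanged, because nobody outside your organization can tell the SQL database that the user has left. That gap is exactly what the next step, claims based authentication, is meant to close.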
I will come with the next two major points in the next blog very soon.
Feel free to rate and provide feedback if you find this post useful.
Hope this helps.