Microsoft is replacing the authentication system for SharePoint Server and plans to make the collaboration platform one of the first of the company's marquee applications to rely on a new claims-based identity model.
The goal is to have SharePoint incorporate an authentication model that works with any corporate identity system, including Active Directory, LDAPv3-based directories, application-specific databases and new user-centric identity models, such as LiveID, OpenID and InfoCard systems, including Microsoft's CardSpace and Novell's Digital Me.
SharePoint will lose the rigid authentication system it has today in favor of using claims about a user, such as age or group membership, that are passed to obtain access to the SharePoint environment and to systems integrated with that environment.
Claims could be built dynamically, picking up information about users and validating existing claims via a trusted source as the user traverses a SharePoint environment.
"We don't want to come up with another, or the next, authentication system for SharePoint," says Venkey Veeraraghavan, senior program manager lead for Office SharePoint Server.
Veeraraghavan said Microsoft settled on a claims-based system because it is flexible and designed for heterogeneous identity environments. "It allowed us to invest in one place [SharePoint] and know that we can credibly say we work with multiple systems, especially as they are woven into what we're calling a Metasystem. We want to continue to work on making SharePoint useful to our customers, not spend a lot of time integrating with each and every identity system one-by-one, or worse, not do it because of resource concerns."
Veeraraghavan provided a glimpse of Microsoft's work during a panel session at last month's Digital ID World conference. Claims are a set of statements that identify a user and provide specific information.The claims are used by systems to make such decisions as who gets access, who can retrieve content or who can complete transactions, according to Microsoft officials.
In the real world, a claim may be as simple as a credit card presented to show the bearer has privileges to secure a transaction with the merchant still holding the right to accept or reject the claim.
The claims architecture, part of Microsoft's Metasystem model for a distributed identity architecture, is based on such protocols as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML). The Metasystem includes an emerging technology Microsoft developed called Security Token Service (STS), which handles the exchange of claims.