Relationships of Trust
Novell Access Manager: Simplifying Multi-Community Access to SharePoint
Written by Ken Baker
In 2006 Novell and Microsoft announced a set of broad business and technical collaboration initiatives to build, market and support a series of offerings that would make Novell and Microsoft products work better together (Visit www.moreinterop.com). While many of these efforts have focused on interoperability and manageability between Windows and Linux, a recent joint project has simplified administration and security of customers’ SharePoint implementations by using Novell Access Manager to provide multi-community access to SharePoint services.
If you use SharePoint for collaboration and data sharing, you might have encountered difficulties managing access from your various identity stores. While SharePoint supports standard LDAP identity stores, using anything other than Active Directory (AD) for access to SharePoint can create administrative complexity. (See Figure 1.) Even if you’re just using AD, management can be difficult when you have multiple AD identity stores. The identity and access management becomes even more complex if you want to give your partners and customers access to your SharePoint resources, as these communities are often managed in separate identity stores.
To deal with the need to provide SharePoint access to different user communities—inside and outside of your organization—organizations typically have to either supplement their existing identity infrastructures with additional provisioning products to synchronize their different identity stores, or they have to employ manual registration and management processes. In either case, the result is increased complexity and management overhead. But all the complexity and administrative overhead caused by the need for multi-community access to SharePoint can virtually disappear by introducing Novell Access Manager into the mix.
Many customers use Novell Access Manager for its access management capabilities in providing secure access to their Web servers. (See Out-of-the-Box Access Management.) It also has the inherent ability to facilitate the management of user authentication and authorization within organizations that have multiple identity stores of different types. Additionally, a Novell Access Manager identity server can provide authentication for provider and consumer services for various identity federation standards. As a result, Novell Access Manager can be used as an authentication server for Microsoft SharePoint to help administrators overcome the challenges of managing multi-community access to SharePoint.
To simplify the management of multi-community access to SharePoint, Novell Access Manager uses identity federation to represent users from multiple identity stores. (See Federation Simplified.) Although the term federation sometimes suggests added complexity, that need not be the case here. Identity federation is simply a process for securely exchanging identity information between or across organizational boundaries. For SharePoint, Novell Access Manager hides the underlying complexity, simplifying the implementation and management of this identity exchange, or federation, process.
Novell Access Manager supports a variety of identity federation standards, including Security Assertion Markup Language (SAML), Liberty Alliance and Web Services Federation (WS-Federation). Likewise, Microsoft SharePoint supports Active Directory Federation Services (ADFS), which is based on the WS-Federation standard. Using the common ground provided by the WS-Federation standard, Novell and Microsoft worked together to allow you to use the out-of-the-box capabilities of Novell Access Manager to act as the authentication point for all user access requests to SharePoint. (See Interop Collaboration.)
Key to making it all work is that Novell Access Manager acts as an identity provider with the ability to configure various authentication contracts. These contracts specify how you want your users to be authenticated, such as by user name and password or by some biometric method, as well as which identity stores users are validated against.
Another key component is the trusted connection between Novell Access Manager and SharePoint. This trusted connection relies on a communication interface established between an identity server on the Novell Access Manager side and an ADFS server on the SharePoint side. Through this trusted interface, the two systems exchange metadata that contains information about each service, including URL endpoints and certificate information.
The third and final aspect of the Novell Access Manager and Microsoft SharePoint relationship consists of the mapping of ADFS-based authentication claims. Your SharePoint administrator will define how the identity information within the authentication claims sent from Novell Access Manager will map to specific SharePoint groups, which in turn ultimately govern access control.
The different technologies work together to simplify access management to SharePoint in a way that eliminates the need to manage individual identities in a single Active Directory identity store. (See Figure 2.) The basic process, which completes almost instantaneously, flows as follows:
- When users request access to SharePoint, the requests get passed to an ADFS server.
- The ADFS server redirects the request to the Novell Access Manager identity server acting as the identity provider.
- The identity server validates those users and their credentials against their identity information contained in the appropriate identity store.
- Once validated, the identity server transforms the user identity into a set of ADFS claims (a collection of specially formatted user authentication information, such as name, identity, key, group, privilege, etc.).
- The identity server sends the ADFS claims back to the ADFS server, which interprets those claims based on a preconfigured mapping between ADFS claims and SharePoint groups.
- Based on the interpretation of those claims, users will be granted the appropriate access to SharePoint.
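The following toy model, added here and not code from Novell or Microsoft, walks the flow above end to end: credentials are validated against one of several identity stores, the identity server issues signed claims, and the relying party verifies the trust relationship before mapping claims to SharePoint groups. The identity stores, users, provider ID, claim names and group mapping are all constructed, and an HMAC key stands in for the signing certificate exchanged in metadata.

```python
"""Toy model of the WS-Federation claims flow described above.
Constructed example; stores, users, endpoints and mappings are made up."""
import hashlib
import hmac
import json

# Constructed identity stores, one per user community.
IDENTITY_STORES = {
    "eDirectory": {"alice": {"password": "pw-alice", "groups": ["employees"]}},
    "ActiveDirectory": {"bob": {"password": "pw-bob", "groups": ["contractors"]}},
    "SunONE": {"carol": {"password": "pw-carol", "groups": ["partners"]}},
}

# Stand-in for the identity provider's signing certificate (assumed key).
IDP_SIGNING_KEY = b"constructed-demo-key"
IDP_PROVIDER_ID = "https://idp.example.test/nidp/wsfed"  # assumed provider ID

# Claim-to-group mapping, as the SharePoint administrator would define it.
CLAIM_GROUP_MAP = {"employees": "SharePoint Members", "partners": "SharePoint Visitors"}


def authenticate(store, user, password):
    """Identity server: validate credentials against the chosen identity store
    and, on success, return signed claims describing the user."""
    rec = IDENTITY_STORES.get(store, {}).get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    claims = {"issuer": IDP_PROVIDER_ID, "name": user, "groups": rec["groups"]}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"claims": body, "signature": sig}


def resolve_access(token, trusted_issuer=IDP_PROVIDER_ID, key=IDP_SIGNING_KEY):
    """Relying party (ADFS/SharePoint side): verify the signature and issuer,
    then map group claims to SharePoint groups. Unmapped claims grant nothing."""
    expected = hmac.new(key, token["claims"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return []  # tampered, or signed by a party we do not trust
    claims = json.loads(token["claims"])
    if claims.get("issuer") != trusted_issuer:
        return []  # only the configured identity provider is trusted
    return sorted({CLAIM_GROUP_MAP[g] for g in claims["groups"] if g in CLAIM_GROUP_MAP})
```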
To create the trusted Novell Access Manager and Microsoft SharePoint relationship, you first need to set up Novell Access Manager as an authentication service for SharePoint by doing the following:
- Install a Novell Access Manager identity server.
- Edit the Identity Server configuration from the Novell Access Manager administration console.
- In the Enabled Protocols section under the General tab, select the STS and WS Federation protocols.
- On the Identity Servers page, create and enable an attribute set for WS Federation.
- To establish a trusted relationship with the ADFS server, create a new service provider on the Identity Server page, specifying the name of the service provider (for example, TreyResearch, which is the default name for the ADFS resource server), the provider ID of the ADFS server, the sign-on URL, the logout URL and the path to the signing certificate for the ADFS server.
Once you have a Novell Access Manager identity server set up as an authentication service for WS-Federation/ADFS, your SharePoint administrator will then need to configure SharePoint’s ADFS server to accept that identity server as a trusted identity provider. The final step is to have your SharePoint administrator define the appropriate mappings for the authentication claims.
Simple, Secured Trust
A key advantage of having Novell Access Manager authenticate users for SharePoint is that Novell Access Manager supports multiple identity stores out of the box, including Novell eDirectory, Microsoft Active Directory and Sun ONE Directory Server. (See Figure 3.) It can also be customized to support additional LDAP identity stores. As a result, Novell Access Manager lets you preserve the identity stores that already exist within your organization. You don’t have to move them to AD or consolidate them into a single identity store just to facilitate management of your SharePoint environment. It also lets you give your customers and partners access to SharePoint without having to replicate their identity stores.
As mentioned earlier, Novell Access Manager also supports other federation specifications, making it easy to manage all of your user access and trusted identity relationships from a single source. Since support for all these identity stores and federation standards is native to Novell Access Manager, you don’t need additional components to simplify and extend your user authentication and authorization capabilities.
To learn more about how Novell Access Manager can simplify management of your SharePoint environment, watch the Novell webinar on simplified SharePoint administration or visit the Novell Access Manager page.