Relationships of Trust
Novell Access Manager: Simplifying Multi-Community Access to SharePoint
Written by Ken Baker
In 2006 Novell and Microsoft announced a set of broad business and technical collaboration initiatives to build, market and support a series of offerings that would make Novell and Microsoft products work better together (Visit www.moreinterop.com). While many of these efforts have focused on interoperability and manageability between Windows and Linux, a recent joint project has simplified administration and security of customers’ SharePoint implementations by using Novell Access Manager to provide multi-community access to SharePoint services.
If you use SharePoint for collaboration and data sharing, you might have encountered difficulties managing access from your various identity stores. While SharePoint supports standard LDAP identity stores, using anything other than Active Directory (AD) for access to SharePoint can create administrative complexity. (See Figure 1.) Even if you’re just using AD, management can be difficult when you have multiple AD identity stores. The identity and access management becomes even more complex if you want to give your partners and customers access to your SharePoint resources, as these communities are often managed in separate identity stores.
To deal with the need to provide SharePoint access to different user communities—inside and outside of your organization—organizations typically have to either supplement their existing identity infrastructures with additional provisioning products to synchronize their different identity stores, or they have to employ manual registration and management processes. In either case, the result is increased complexity and management overhead. But all the complexity and administrative overhead caused by the need for multi-community access to SharePoint can virtually disappear by introducing Novell Access Manager into the mix.
Many customers use Novell Access Manager for its access management capabilities in providing secure access to their Web servers. (See Out-of-the-Box Access Management.) It also has the inherent ability to facilitate the management of user authentication and authorization within organizations that have multiple identity stores of different types. Additionally, a Novell Access Manager identity server can provide authentication for provider and consumer services for various identity federation standards. As a result, Novell Access Manager can be used as an authentication server for Microsoft SharePoint to help administrators overcome the challenges of managing multi-community access to SharePoint.
To simplify the management of multi-community access to SharePoint, Novell Access Manager uses identity federation to represent users from multiple identity stores. (See Federation Simplified.) Although the term federation sometimes conjures up images of added complexity, that need not be the case here. Identity federation is simply a process for securely exchanging identity information between or across organizational boundaries. And for SharePoint, Novell Access Manager hides the underlying complexity, simplifying the implementation and management of this identity exchange, or federation, process.
Novell Access Manager supports a variety of identity federation standards, including Security Assertion Markup Language (SAML), Liberty Alliance and Web Services Federation (WS-Federation). Likewise, Microsoft SharePoint supports Active Directory Federation Services (ADFS), which is based on the WS-Federation standard. Using the common ground provided by the WS-Federation standard, Novell and Microsoft worked together to allow you to use the out-of-the-box capabilities of Novell Access Manager to act as the authentication point for all user access requests to SharePoint. (See Interop Collaboration.)
Key to making it all work is that Novell Access Manager acts as an identity provider with the ability to configure various authentication contracts. These contracts specify how your users are to be authenticated, such as by user name/password or by some biometric method, and which identity stores those users are validated against.
A key advantage of having Novell Access Manager authenticate users for SharePoint is that Novell Access Manager supports multiple identity stores out of the box, including Novell eDirectory, Microsoft Active Directory and Sun ONE Directory Server.
Another key component is the trusted connection between Novell Access Manager and SharePoint. This trusted connection relies on a communication interface established between an identity server on the Novell Access Manager side and an ADFS server on the SharePoint side. Through this trusted interface, the two systems exchange metadata that contains information about each service, including URL endpoints and certificate information.
The third and final aspect of the Novell Access Manager and Microsoft SharePoint relationship consists of the mapping of ADFS-based authentication claims. Your SharePoint administrator will define how the identity information within the authentication claims sent from Novell Access Manager will map to specific SharePoint groups, which in turn ultimately govern access control.
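The following is an added illustration of the relying-party side of that relationship, not code from Novell, Microsoft or the article: it takes a simplified SAML 1.1 assertion of the kind carried in a WS-Federation sign-in, accepts it only if the issuer matches the partner recorded from the metadata exchange and the audience is this portal, and maps the group claims to SharePoint groups. The issuer and audience URNs, the sample assertion, the claim-to-group table and the function name are all constructed assumptions; signature verification is assumed to have happened upstream.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"   # SAML 1.1 assertion namespace

# Constructed trust record standing in for what the metadata exchange between the
# identity server and ADFS establishes. Both values are placeholders.
TRUSTED_ISSUER = "urn:example:nam-identity-server"
EXPECTED_AUDIENCE = "urn:example:sharepoint-portal"

# Hypothetical mapping an administrator would maintain: an incoming
# (attribute namespace, name, value) claim -> SharePoint group governing access.
CLAIM_TO_GROUP = {
    ("http://schemas.xmlsoap.org/claims", "Group", "partners"): "Partner Readers",
    ("http://schemas.xmlsoap.org/claims", "Group", "employees"): "Portal Members",
}

# Constructed, simplified assertion; the signature element is omitted and is
# assumed to have been verified before this mapping step runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    Issuer="urn:example:nam-identity-server">
  <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>urn:example:sharepoint-portal</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>partners</saml:AttributeValue>
      <saml:AttributeValue>contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def map_claims_to_groups(assertion_xml, trusted_issuer=TRUSTED_ISSUER,
                         expected_audience=EXPECTED_AUDIENCE):
    """Return the SharePoint groups a token grants; empty if the token is not
    from the trusted partner or is not addressed to this portal."""
    root = ET.fromstring(assertion_xml)
    # Trust check: only the issuer named in the exchanged metadata is accepted.
    if root.get("Issuer") != trusted_issuer:
        return set()
    # Audience check: a token issued for another relying party grants nothing.
    audiences = {a.text for a in root.iter(SAML + "Audience")}
    if expected_audience not in audiences:
        return set()
    groups = set()
    for attr in root.iter(SAML + "Attribute"):
        key_prefix = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
        for value in attr.iter(SAML + "AttributeValue"):
            # Claim values with no mapping (here "contractors") confer no group.
            group = CLAIM_TO_GROUP.get(key_prefix + (value.text,))
            if group:
                groups.add(group)
    return groups
```

Because group membership is derived only from mapped claims of a trusted issuer, an unexpected claim value or a token meant for another relying party yields no access rather than default access.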