Case Study: Single Sign-On (SSO) Solution Between SharePoint and Silverlight RIA Application

Highlight

  • SharePoint Single Sign-On
  • Active Directory Federation Services v2
  • Silverlight Windows Authentication
  • SharePoint 2010 Secure Store Services

Abstract

A Canadian company developed a Silverlight GIS application that was to be integrated with a SharePoint portal. Because both the Silverlight application and the SharePoint portal use Active Directory and Windows Authentication, end users had to log in twice with the same account and password. This is inconvenient, so a Single Sign-On (SSO) solution was needed to remove the double login.

Goals

  1. Embed the Silverlight application in the SharePoint portal. The Silverlight application needed to be integrated into SharePoint as a web part.
  2. Implement single sign-on between multiple ASP.NET web applications and SharePoint's web application, based on Windows authentication.
  3. Besides the Silverlight application, the solution should support single sign-on (SSO) into other applications as well.
  4. The solution needs to be secure end-to-end.

Solution

Technology Required

  • Authorization in Silverlight

Silverlight ships with a rich framework, so it is surprising that an essential part seems to be missing: authentication and authorization. When you look at the Silverlight Core CLR, there is not much there on this subject, although it is a no-brainer for business and enterprise applications: you need to make sure certain parts of your application are only available to users who are authenticated or hold a specific role. Sure, you can use the hosting web page and ASP.NET authentication to ensure only authenticated users can reach your Silverlight application, but there is no out-of-the-box way to allow or block a user from navigating to a specific view inside your application.

In Silverlight 4, a new interface was introduced: INavigationContentLoader. Together with it, the navigation Frame was given a ContentLoader property, which can be set to any class implementing that interface. As the name implies, the content loader is responsible for (asynchronously) loading the content associated with the target URI. This opens up a whole range of possibilities (I have seen the content loader used, for example, to load content from a different XAP), one of which is authorized navigation.
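To make authorized navigation concrete, the following is an added example, not code from the original case study or from the project it describes. It implements INavigationContentLoader by wrapping Silverlight's own PageResourceContentLoader and deciding, before a view is loaded, whether the current user may see it; unauthenticated users are redirected to a login view and authenticated users lacking the required role to an access-denied view. The ICurrentUser interface, the view paths, the role name "GisAdmins" and the login/denied pages are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Windows.Navigation;

// Hypothetical abstraction over the signed-in user. In practice it would be filled
// from the hosting page's Windows-authenticated session (for example through a
// WCF RIA Services authentication call); it is assumed here, not a Silverlight type.
public interface ICurrentUser
{
    bool IsAuthenticated { get; }
    bool IsInRole(string role);
}

// Deny-by-default content loader: every view needs an authenticated user unless it
// is listed as public, and views in the role table additionally need that role.
// Actual page loading is delegated to Silverlight's PageResourceContentLoader.
public sealed class AuthorizedContentLoader : INavigationContentLoader
{
    private readonly INavigationContentLoader _inner = new PageResourceContentLoader();
    private readonly ICurrentUser _user;
    private readonly Uri _loginUri;
    private readonly Uri _deniedUri;
    private readonly HashSet<string> _publicViews;
    private readonly Dictionary<string, string> _requiredRole;

    public AuthorizedContentLoader(ICurrentUser user, Uri loginUri, Uri deniedUri,
                                   IEnumerable<string> publicViews,
                                   IDictionary<string, string> requiredRole)
    {
        _user = user;
        _loginUri = loginUri;
        _deniedUri = deniedUri;
        // The login and denied views must themselves be public, or redirecting to
        // them would loop forever.
        _publicViews = new HashSet<string>(publicViews, StringComparer.OrdinalIgnoreCase);
        _publicViews.Add(loginUri.OriginalString);
        _publicViews.Add(deniedUri.OriginalString);
        _requiredRole = new Dictionary<string, string>(requiredRole, StringComparer.OrdinalIgnoreCase);
    }

    // Returns null when navigation is allowed, otherwise the URI to redirect to.
    // Matching is done on the view URI the Frame hands to the loader.
    public Uri Check(Uri targetUri)
    {
        string view = targetUri.OriginalString;
        if (_publicViews.Contains(view)) return null;
        if (!_user.IsAuthenticated) return _loginUri;
        string role;
        if (_requiredRole.TryGetValue(view, out role) && !_user.IsInRole(role)) return _deniedUri;
        return null;
    }

    public bool CanLoad(Uri targetUri, Uri currentUri)
    {
        return _inner.CanLoad(targetUri, currentUri);
    }

    public IAsyncResult BeginLoad(Uri targetUri, Uri currentUri, AsyncCallback userCallback, object asyncState)
    {
        Uri redirect = Check(targetUri);
        if (redirect == null)
            return _inner.BeginLoad(targetUri, currentUri, userCallback, asyncState);

        // Not allowed: complete synchronously with a marker result that EndLoad turns
        // into a redirect, so the Frame's address and browser history reflect it.
        var result = new RedirectResult(redirect, asyncState);
        if (userCallback != null) userCallback(result);
        return result;
    }

    public LoadResult EndLoad(IAsyncResult asyncResult)
    {
        var redirect = asyncResult as RedirectResult;
        if (redirect != null) return new LoadResult(redirect.RedirectUri);
        return _inner.EndLoad(asyncResult);
    }

    public void CancelLoad(IAsyncResult asyncResult)
    {
        if (!(asyncResult is RedirectResult)) _inner.CancelLoad(asyncResult);
    }

    // Already-completed IAsyncResult carrying the redirect target.
    private sealed class RedirectResult : IAsyncResult
    {
        public readonly Uri RedirectUri;
        private readonly object _state;
        public RedirectResult(Uri redirectUri, object state) { RedirectUri = redirectUri; _state = state; }
        public object AsyncState { get { return _state; } }
        public WaitHandle AsyncWaitHandle { get { return new ManualResetEvent(true); } }
        public bool CompletedSynchronously { get { return true; } }
        public bool IsCompleted { get { return true; } }
    }
}

// Wiring in the root page's code-behind (all paths and the role are assumed):
//   ContentFrame.ContentLoader = new AuthorizedContentLoader(currentUser,
//       new Uri("/Views/Login.xaml", UriKind.Relative),
//       new Uri("/Views/AccessDenied.xaml", UriKind.Relative),
//       new[] { "/Views/Home.xaml" },
//       new Dictionary<string, string> { { "/Views/Admin.xaml", "GisAdmins" } });
```

Check() is kept separate from the loader plumbing so the policy table can be unit-tested without a Frame. The loader is deliberately deny-by-default: a view that is not listed as public requires authentication, so forgetting to register a new view fails closed rather than open. Because the XAP runs on the client, this gate only controls what the user is shown; the GIS data services the views call must enforce the same authentication and role checks on the server.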

[Figure: Silverlight authentication]

  • SharePoint 2010 Secure Store Services

Secure Store is a SharePoint service that stores credentials in a Target Application Profile. These profiles help avoid double-hop authentication situations and give control over who has access to which data for a given Target Application Profile. In SharePoint Server 2007, this service was known as the Single Sign-On service, or SSO.

[Figure: SharePoint 2010 Secure Store Services]

  • A quick recap on the AD FS 2.0 Claims pipeline and engine

As previously described, an AD FS 2.0 federation service is a Security Token Service (STS) that relies on a claims-based model. In this model, the claims pipeline represents the path that claims must follow through the federation service before they can be issued as part of a SAML token.

The federation service manages the entire end-to-end process of flowing claims through the various stages of the claims pipeline, which also includes the processing of different claim rule sets by the claim rule-based engine.

[Figure: AD FS 2.0 claims pipeline]

  • AD FS 2.0 Endpoints

AD FS 2.0 endpoints provide clients with access to federated solutions and applications. After successful client authentication, an endpoint issues a SAML token to the client. Endpoints are hosted on the federation server(s) (farm) of the AD FS 2.0 federation service, and each can be managed, secured and published individually through a (load-balanced) AD FS 2.0 federation server proxy.

The AD FS 2.0 federation server proxy is a deployment mode of AD FS 2.0 designed specifically to provide remote access to the internally hosted AD FS 2.0 service.

[Figure: AD FS 2.0 endpoints]

Benefits to the Client

  • Increases productivity. An apparent benefit of SSO is that a user can move easily and without interruption between services, without having to supply credentials every time. SSO efficiently joins individual services and removes service boundaries. This makes switching from one task to another much simpler and thus increases productivity.
  • Benefits web developers. SSO also benefits IT administrators, who save both resources and time by using a central web management service. Web and application developers get a complete authentication and authorization framework that they can use to build customized, secure services.
  • Better management. SSO provides a single method of managing user information, since there is one password and thus a fixed set of rules. It also offers the capability of enforcing authorization policies throughout the enterprise.