search

AnantLabs / google-enterprise-connector-sharepoint

Automatically exported from code.google.com/p/google-enterprise-connector-sharepoint
0 stars 0 forks source link

Connector AnthN and AuthZ fails when ADFS user #150

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
ADFS is described at:
http://blog.fpweb.net/federated-identity-and-microsoft-adfs-illustrated/

A custom SAML bridge is used to support ADFS AuthN

a) The Gsa has to search sharepoint documents accessed by user of several
domains where the authz rules are defined by groups.

These groups are in the saml authn token. Every application that have to
use these groups have to discover them from the token (only local user groups
can be discover by SPUtility.ResolveWindowsPrincipal).

b) The system uses ADFS that uses SAML as authN protocol but signs the
artifactResolve.

To solve the problem b) authentication part of saml bridge can be 
configured to use an external http module disabling the integrated windows
authN (we have to authenticate user of
multiple domains using SAML).

The authentication process is successful using this configuration.

For the point a) Use the AuthZ module of Google *Services for
SharePoint" but look at the code we discover that:

1) The gsa connector call the AuthZ module passing only the username and not
all the SAML token (with groups information).

2) The AuthZ module tryes to discover the user groups using "
SPUtility.ResolveWindowsPrincipal", this function is able to give us the
groups of the windows user but not the other because they are in the SAML
token and windows does'nt know them.

3) If the AuthZ module does'nt know the user group and it'sn able to give
the visibility info at the GSA.

It seems to us that this scenario (where the user profiling is distribuited
and the info are sended throught the SAML token) could be quite usual in a
distribuited environment

This is related to Case 00630384.

Original issue reported on code.google.com by j.dars...@gmail.com on 24 Apr 2010 at 12:54

GoogleCodeExporter commented 9 years ago

Original comment by j.dars...@gmail.com on 24 Apr 2010 at 12:54

GoogleCodeExporter commented 9 years ago 
This issue is filed as Google issue #6513768

Original comment by tdnguyen@google.com on 18 May 2012 at 12:20