Saturday, August 11, 2007

Limitations of Office Integration in a Federated SharePoint Configuration

For the past year, I've worked on a few ADFS projects that have incorporated SharePoint 2007 and the number one issue that seems to always come up are the limitations in Office integration. This isn't something new; we actually experienced it in ADFSv1 and there is even a KB Article which describes which features are lost.

KB 912492 - Windows SharePoint Services and SharePoint Portal Server 2003 Support boundaries for Active Directory Federation Services

With ADFSv2, yes this KB article still applies; however you still get many of the features which operate exclusively through a web browser. Users can still download and upload files, search, and view or edit lists, etc. The problem is not within ADFS nor SharePoint; it's within the Office client which cannot process authentication cookies.

I guess the point I'm trying to make is, you have to re-evaluate the original initiative for exposing SharePoint 2007 as an Internet facing application; partner/customer integration.

From a business perspective, federating applications is much cheaper than managing VPN connections or external (partners) users not even under your domain. In many aspects, it can also be more secure. I mean, all the traffic is being communicated over SSL, right. In my experience, many ADFS customers are able to utilize SharePoint effectively just using the browser with Web SSO.

Believe it or not, this does provide benefits. First of all, IT is able to maintain strict control over what parts of their network can be accessed by partners, therefore eliminating significant problems caused by common practices of managing local accounts/passwords for partners within the DMZ. Just that reason alone reduces the attack surface for Internet facing applications. More reasons would be to,

  • Reduce or prevent IT overhead for password management of external users/partners.
  • To prevent a bad user experience when they forget their password and call their local helpdesk for help instead of the partner site they are trying to access.
  • Prevent the loss of user productivity when they have to request and wait for remote accounts to be created before they can start working with a federated partner.
  • Severe security vulnerabilities when external users are terminated by their enterprise/organization and partners do not receive notification to remove their accounts.

At the end of the day, Information Security must measure what options are readily available to keep their customers productive while still honoring security.

2 comments:

Anonymous said...

Hey Chris, I have not heard from you for some time, but you helped me again :) - this was an issue we were facing and I found a help on your site. Does this also apply to Foms authenticatin applied to MOSS 2007?
- Karel from Prague

- said...

Hi Karel,

How are you? I hope all is well and you are not working too hard…:-), please give everyone my regards. ADFS does support Forms-based authentication when applied with MOSS 2007. Below are some reference configurations I’m pretty sure you already know; however hopefully they help.

http://blogs.msdn.com/harsh/archive/2007/01/10/forms-based-authentication-in-moss.aspx

My blog post is regarding the limitations when using the full Office client to connect to an SharePoint 2007 site using ADFS. The reason that Office clients are not supported in conjunction with SharePoint and ADFS is that Office clients do not consistently work with protocols like WS-Federation passive and most of the SAML protocols that are targeted for browser clients.

Hopefully, in upcoming revisions this will be resolved; however at this time it’s not. If you have any other questions, feel free to ping me. Take care!

Chris