Issue with IP authentication using claims-based authentication

  • Question

  • We have configured the web application in SPS 2010 for claims-based authentication. We are using forms-based and Windows authentication for claims. We are able to successfully log in the user using both Windows and forms-based authentication. In the case of forms-based authentication we have used our own custom membership provider.

    However, now we need to authenticate the FBA users by their IP address and not by their username and password. For this requirement,

    1. We have created a new HTTP module for IP authentication and hooked a handler to the FormBasedAuthentication.Authenticate event.

    2. In the handler method, we get hold of our custom provider and call its method to validate the user by IP address.

    3. If the provider validates the user and returns true, we put the cookie (with the forms-based authentication token) in the response object, so that next time it recognizes the user and won't ask for login.

    Problem and Cause:

    The application is not redirecting to the default page with the user logged in.

    We tried to use the same HTTP module and our custom provider in a simple ASP.NET application, and there it properly authenticates the user using the IP address and redirects the user to the secure page (where login is required).

    Our understanding of this is: in ASP.NET, the application just looks for the forms-based authentication token in the cookie. However, SharePoint 2010 only understands the claims provided by the STS (Security Token Service). So even though the IP authentication module validates the user using the provider and puts the cookie in the response object, the token doesn't get passed to the STS properly, and hence SharePoint doesn't recognize the user and redirects it to the login page.

    Findings

    We have come across a method which takes the username and password for FBA and converts them into a claims-based identity. Following is the method.

    SPClaimsUtility.AuthenticateFormsUser(e.Context.Request.Url, "pointbridge", "password");

    However, we cannot use this method in the case of IP authentication, as we will not get a username and password from the FBA identity.

    Friday, July 16, 2010 2:52 PM

Answers

  • Why not write an IP-STS that validates using the IP address and creates a claim to that effect? Configure SharePoint to use claims-based authentication with the IP-STS and grant the claim access to the site.

    When a user tries to access the SharePoint site they will be directed to the Sign In page to select the IP. You could bypass this page by customising the login page or removing Windows and FBA from the site.

    Tuesday, July 20, 2010 11:56 AM
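The IP-STS the answer proposes, sketched as an added example that is not part of this thread or of any Microsoft sample: a WIF 3.5 (Microsoft.IdentityModel) SecurityTokenService subclass that maps the request's source address to a user and issues the claims SharePoint consumes. The address table, the relying-party URL, the claim types and the custom source-IP claim are assumptions; the STS site is assumed to run with anonymous access so no username/password challenge ever occurs.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Minimal passive IP-STS: the only "credential" is the source address of the request.
public class IpSecurityTokenService : SecurityTokenService
{
    // Constructed sample mapping (hypothetical): in a real deployment this would come from
    // the same store the custom membership provider in the question already uses.
    static readonly Dictionary<string, string[]> UsersByAddress = new Dictionary<string, string[]>
    {
        { "10.20.30.40", new[] { "alice@example.local", "Kiosk" } },
        { "10.20.30.41", new[] { "bob@example.local",   "Kiosk" } },
    };
    const string RelyingParty = "https://sharepoint.example.local/";   // assumed SharePoint web app URL

    public IpSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    // Only issue tokens for the relying party we know about (the SharePoint web application).
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        string rp = request.AppliesTo.Uri.OriginalString;
        if (!rp.StartsWith(RelyingParty, StringComparison.OrdinalIgnoreCase))
            throw new InvalidRequestException("Unknown relying party: " + rp);
        Scope scope = new Scope(rp, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false;   // SharePoint 2010 trusted-provider tokens are signed, not encrypted
        scope.ReplyToAddress = rp;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
                                                               RequestSecurityToken request, Scope scope)
    {
        // UserHostAddress is the TCP peer as seen by IIS. X-Forwarded-For is deliberately not
        // consulted: the client controls that header, so it is not evidence of anything.
        string peer = HttpContext.Current.Request.UserHostAddress;
        IPAddress parsed;
        string[] user;
        if (!IPAddress.TryParse(peer, out parsed) || !UsersByAddress.TryGetValue(parsed.ToString(), out user))
            throw new InvalidRequestException("No user is mapped to address " + peer);

        IClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Email, user[0]));     // identity claim SharePoint is configured to use
        identity.Claims.Add(new Claim(ClaimTypes.Role, user[1]));
        identity.Claims.Add(new Claim("urn:example:source-ip", peer));  // records which address was trusted
        return identity;
    }
}
```

SharePoint is pointed at this STS with New-SPTrustedIdentityTokenIssuer, registering the STS signing certificate and mapping the email claim type as the identity claim.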