As part of some claims-based authentication work I've been doing recently, I've come across two very important constraints. They are manageable constraints, but they are things you need to know about before you set up and configure your claims infrastructure in SharePoint 2010. The big items to be aware of:
** UPDATE **
There have been some scripts that, in some cases, have appeared to update the list of claim mappings associated with the SPTrustedIdentityTokenIssuer after the fact. After discussing this with some folks on the claims test team, the advice is not to use those: you should consider the claim mappings immutable with the RTM release of the product. That may change in the future, but for the RTM release this is how we're going to address it.
So, these are important constraints to be aware of, but they can definitely be managed without too much fuss as long as you are aware of them up front.
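Because the mappings are fixed once the issuer exists, the practical consequence is to declare every claim type you will ever need at creation time. The following PowerShell is an added example, not a script from the original post; the certificate path, realm, sign-in URL and issuer name are placeholders, and the three claim types are assumptions chosen only to illustrate declaring several mappings up front.

```powershell
# Added example (not from the original post): create an SPTrustedIdentityTokenIssuer
# with every claim mapping declared up front, since on the RTM release the mappings
# cannot be changed afterwards. Run from the SharePoint 2010 Management Shell on a
# farm server as a farm administrator.
# Placeholders: adjust these to your environment.
$certPath   = "C:\certs\idp-signing.cer"        # placeholder: IdP token-signing certificate (public key only)
$realm      = "urn:sharepoint:contoso"          # placeholder: realm/audience the IdP issues tokens for
$signInUrl  = "https://sts.example.test/wsfed"  # placeholder: passive sign-in endpoint of the IdP
$issuerName = "Contoso IdP"                     # placeholder: display name of the trusted issuer

# Load the IdP signing certificate so SharePoint can validate token signatures.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Declare every claim type the farm will consume from this IdP. The set is assumed;
# -SameAsIncoming keeps the outgoing claim type identical to the incoming one.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$upnMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# The identifier claim is also fixed at creation time, so choose it deliberately.
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "Trusted IdP with all claim mappings declared at creation" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap, $upnMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# Verify what was recorded before wiring the issuer to a web application:
# this is the mapping set the farm will keep for the life of the issuer.
Get-SPTrustedIdentityTokenIssuer -Identity $issuerName |
    Select-Object Name, IdentifierClaim,
        @{ Name = "Mappings"; Expression = { ($_.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }) -join "; " } }
```

The verification step matters more here than in most provisioning scripts: if a mapping is missing from the output, the supported remedy on RTM is to remove the issuer and recreate it with the complete set, so it is cheaper to catch the omission before any web application depends on the issuer.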
I like your posts on claims, very informative.
One thing I have discovered with claims and BCS is that the certificate used to sign the claim in the OOB installation, i.e. "SharePoint Security Token Service", is not compatible with Java's Metro web services; Metro requires the cert to be a CA. I wonder if you have come across a way of changing the signing cert. I have tried creating a new cert and calling this command: Set-SPSecurityTokenServiceConfig -SigningCertificateThumbprint "413cdbb21c861fcb19c1ee71b9ed2cae748ae10f" which works, but then the entire trust for SP is blown out the window. I imagine there are more steps to be performed but I can't find any documentation.
FYI I am using TAP builds
Great article, and extremely useful! By the way, do you know if there is any LiveID provider for Claims-Based authentication to be used on SharePoint 2010? I've seen we can still use classic mode and 2007 developments to achieve this, but I wonder if there is any improvement in this area.
Check the following link if you are looking for an OpenID or Live ID provider for SharePoint 2010 with Claims Based Authentication
Is there a way to implement claims-based auth in MOSS 2007? Can we get it customised?
Any help is appreciated.
Thanks In Advance.
Should the immutable nature of claims mappings be taken into account when choosing hub vs direct for multiple Partner IdPs/STSes? Hub model implies that you could not change claims mappings for any IdP without deleting and recreating the Hub SPTrustedIdentityTokenIssuer - which could be epic. With direct you would only affect the individual IdP/Partner. I guess you could handle it all with transformations at Hub STS, but only if there were sufficient existing mappings defined for the Hub STS. Seems to indicate careful consideration of claims mappings would be sensible when using Hub model.
Is this still true for SP2013 RTM? I found this article which seems to work fine... sharepintblog.com/.../adding-additional-claims-to-a-trusted-identity-token-issuer