Channel: SharePoint 2010 - Setup, Upgrade, Administration and Operations forum

SharePoint Claims based authentication and Single Sign on


Hi Gurus

I wanted to ask you a few questions about a solution I am working on at the moment. I shall appreciate any assistance in this regard. 

A brief synopsis of the solution:

The customer has a working ADFS solution in place. They have a SharePoint site where users will come, click on a URL and get redirected to a partner portal, where they will be logged in without being prompted for their credentials. At the moment the customer has no way of identifying users in the SharePoint site. We are working closely with the partner to integrate their portal in the customer environment. Their portal is Single Sign on and Security Assertion Markup Language (SAML) aware. Insight will also be delivering a FIM infrastructure with the Synchronization and Password Reset Portal services enabled. The plan is to have the FIM sync the account details from the customer's AD, and submit it to the partner portal's web service. The Partner will not be providing access to their LDAP directory to CUSTOMER. Rather they will be providing a web service (a Clearview web server) for the FIM server to send the AD account info to. The partner will manage the data from their end to keep their LDAP directory in sync with the customer AD. The single sign on solution of the partner works on the assumption that the users need to be authenticated when they click on the URL so that their session information can be passed to the partner portal.

The questions I have are as follows: 

SharePoint questions

  • To authenticate external/internal users to the SharePoint site, should claims based authentication be used in SharePoint? Do you believe that there are any other options than Claims based authentication?
    • Can SharePoint leverage the existing ADFS implementation or will the claims based authentication mandate users to login again using their credentials when they arrive at the SharePoint site?
  • If we wanted to notify the users, can the users be reminded/notified about the impending expiry of their password? Can that be done natively through SharePoint, or does this need to be done at the AD level? That is, to inform the users of password expiry, can there be a SharePoint page, or can they be informed by AD?

FIM questions

  • If the notification can be configured, then in the notification, can the URL for the Password Reset Portal be included? That is, if it is a SharePoint page then it needs to display the URL of the password portal. The same for the email notification.
    • Alternatively if the password has already expired can the users be redirected to the portal instead of telling them that the password has expired?
  • Will we be able to manually trigger sending a password reset link to an email address not tied to the user’s AD account? This is for first time external users who will not have an email account in the customer’s environment.
  • Considering the situation where FIM Synchronization service is sending the account information to a web service, the question is can FIM Directory Sync do that out of the box? Partner has indicated that no customization will be needed on the FIM, but I wanted to confirm.
    • For the FIM server to work with the web service, does it need to communicate over a VPN tunnel, or can normal HTTPS traffic over port 443 work as well? What is the supported and suggested method to do this?

Please let me know what you think. Thanks in advance
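The first SharePoint question above (whether SharePoint can leverage the existing ADFS so users are not prompted again) is answered in practice by registering ADFS as a trusted identity provider in SharePoint 2010. The following is an added example, not code from the original post or from Microsoft; the certificate path, ADFS host name, realm and web application URL are placeholders that would be replaced with the customer's own values.

```powershell
# Added example: register an existing AD FS instance as a SAML trusted identity
# provider in SharePoint 2010 so a user already signed in at AD FS is not
# prompted again at the SharePoint site.
# Assumptions (placeholders, not values from the post):
#   - AD FS token-signing certificate exported (public key only) to C:\certs\adfs-signing.cer
#   - AD FS passive endpoint https://adfs.contoso.example/adfs/ls/
#   - realm urn:sharepoint:portal registered as a relying party trust in AD FS
#   - SharePoint web application https://portal.contoso.example
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath = "C:\certs\adfs-signing.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# SharePoint only accepts SAML assertions signed by a certificate it trusts,
# so the AD FS token-signing certificate is added as a trusted root authority first.
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# Claim mappings: which incoming SAML claims SharePoint will recognise.
# The e-mail address is used as the identifier claim (must be unique per user).
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$realm     = "urn:sharepoint:portal"                 # must match the relying party identifier in AD FS
$signInUrl = "https://adfs.contoso.example/adfs/ls/" # AD FS WS-Federation passive endpoint

New-SPTrustedIdentityTokenIssuer -Name "Contoso ADFS" `
    -Description "Existing AD FS used as the SAML identity provider" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# Check: the provider is registered. It still has to be enabled on the web
# application (Central Administration > Authentication Providers) before users
# are redirected to AD FS on sign-in.
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, IdentifierClaim
```

On the AD FS side the matching relying party trust needs the SharePoint passive endpoint (https://portal.contoso.example/_trust/ in this example) and the same identifier as `$realm`, with claim rules that issue the e-mail and role claims mapped above; the certificate imported here is the public token-signing certificate only, never the AD FS private key.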

