I’d an interesting question from a customer the other day – they wanted Forms Authentication on extranet access to SharePoint, but using two factor authentication. The product mentioned was RSA SecurID, and this means that to authenticate yourself you need:
- Your Username
- A hardware device that shows a pseudo-randomly generated PIN number which changes every minute or so.
‘Cos the PIN is a pseudo-random sequence, if the token and a server are in sync, you can validate that someone has read that token inside the last minute. It’s an expensive technology – but neat!
The idea is the same as, say, a credit card. More than just saying who I am and that I have some piece of knowledge (e.g. my PIN number), I also have to have a physical object which is hard to duplicate (my credit card). This should make my identity more certain.
Anyway, how does this fit with SharePoint?
The short answer is, it doesn’t. This technology works with and ISA server/Firewall, which is well in front of any SharePoint system. Obviously, this doesn’t stop you using it, but it does mean that you have to log in twice – once to get past the RSA security on the firewall or ISA server, and then once to log in to SharePoint – though this second part is almost more so that SharePoint knows who you are.
Still, it’s easy to imagine that single sign-on would be desirable – is it possible? Well, I found these excellent posts by Pranab Paul:
- SharePoint 2007 (MOSS/WSS) FBA and RSA – Unanswered Questions
- Using HTTP Module for SharePoint 2007 (MOSS/WSS) site using FBA And RSA
(Note: this is backwards – it makes more sense this way around!)
The short “in-case-his-blog-vanishes” description is that the RSA system adds an RSA cookie to the HTTP Request after the user has been authenticated. Pranab had a database of SQL database of the external users with the same name as sent by the RSA system, so he picked up the username from the RSA cookie, and logged the user in!
Now, this did slightly nerf log-out (which would automatically log the user back in), and ‘sign on as a different user’, so his second post details an HTTP module to handle this (i.e. remove the RSA cookie for the signout/access denied pages).
Very cool. Unfortunately, I’m not convinced the customer will go for this when they realise that it means that external users will need some hardware token to gain access. Yeah, I know, that’s the point, but you can see the ‘but I want access and I left my token at work/home/in the car/bath, etc.’ calls coming in – and their admins don’t want that.
Finally, some more links:
- Walk-through for RSA SecurID Authentication for ISA Server 2006 Part 1
- Walk-through for RSA SecurID Authentication for ISA Server 2006 Part 2