I’d an interesting question from a customer the other day – they wanted Forms Authentication on extranet access to SharePoint, but using two factor authentication. The product mentioned was RSA SecurID, and this means that to authenticate yourself you need:
- Your Username
- A hardware device that shows a pseudo-randomly generated PIN number which changes every minute or so.
‘Cos the PIN is a pseudo-random sequence, if the token and a server are in sync, you can validate that someone has read that token inside the last minute. It’s an expensive technology – but neat!
The idea is the same as, say, a credit card. More than just saying who I am and that I have some piece of knowledge (e.g. my PIN number), I also have to have a physical object which is hard to duplicate (my credit card). This should make my identity more certain.
Anyway, how does this fit with SharePoint?
The short answer is, it doesn’t. This technology works with and ISA server/Firewall, which is well in front of any SharePoint system. Obviously, this doesn’t stop you using it, but it does mean that you have to log in twice – once to get past the RSA security on the firewall or ISA server, and then once to log in to SharePoint – though this second part is almost more so that SharePoint knows who you are.
Still, it’s easy to imagine that single sign-on would be desirable – is it possible? Well, I found these excellent posts by Pranab Paul:
- SharePoint 2007 (MOSS/WSS) FBA and RSA – Unanswered Questions
- Using HTTP Module for SharePoint 2007 (MOSS/WSS) site using FBA And RSA
(Note: this is backwards – it makes more sense this way around!)
The short “in-case-his-blog-vanishes” description is that the RSA system adds an RSA cookie to the HTTP Request after the user has been authenticated. Pranab had a database of SQL database of the external users with the same name as sent by the RSA system, so he picked up the username from the RSA cookie, and logged the user in!
Now, this did slightly nerf log-out (which would automatically log the user back in), and ‘sign on as a different user’, so his second post details an HTTP module to handle this (i.e. remove the RSA cookie for the signout/access denied pages).
Very cool. Unfortunately, I’m not convinced the customer will go for this when they realise that it means that external users will need some hardware token to gain access. Yeah, I know, that’s the point, but you can see the ‘but I want access and I left my token at work/home/in the car/bath, etc.’ calls coming in – and their admins don’t want that.
Finally, some more links:
Andy Burns' Blog 
I Andy, this article has been posted a long time ago but still very interesting…
I have quite the same RSA/SharePoint integration to do and I have a small question…
My rsa server is not using active directory to store user name, we use the rsa internal database.
Users use their rsa pin and token code to login.
I would like to have users connecting SharePoint 2010 using the rsa key.
What about the password to log the user in? I don’t have a fixed password as the rsa code is changing all the time.
Is this possible to create a user session in SP2010 with the user name only (from the cookie) with FBA?
Of course usernames are the same both in SP and RSA database.
thank you for your help.
Regards
Um… pass. I’m not sure. It’s a long time since I looked at this stuff (SharePoint 2007!) and I’d wonder if there wasn’t something that you could achieve using claims auth. I mean, isn’t that all about pluggable identity providers?