The IT Leader's Guide to Multicloud Readiness
This guide provides practical key insights and important factors to consider to make informed decisions in your multicloud journey.
Welcome to the final part of my series on the Claims Infrastructure in SharePoint 2013. In the previous parts, I spoke on Distributed Cache Service and how it’s improved the authentication model in SharePoint 2013. Then I looked at OAuth and SharePoint Apps in relation to their use of claims through the OAuth model. Finally, we looked at Search and Claims, specifically changes to Business Connectivity Services (BCS) that allow claims to be surfaced into the index for better security trimming. In this post, we’re going to focus on Server to Server (S2S) Authentication and the capabilities it provides to pull data from SharePoint 2013, Exchange 2013, Lync 2013, Office Web Apps 2013, and Office 365.
S2S works by sharing certificates between one of the above servers (even if they’re the same type and/or in the cloud) to allow direct reference into the server using the current user’s identity. Once a certificate from each server is deposited in the trust center for the other server, claims can flow across that link. If you remember, in SharePoint 2010, you could publish shared service applications (SSAs) from farm to farm. S2S is a similar concept, but supports crossing into Lync, Exchange, and the cloud. In addition, S2S is an extensible model that other vendors can build into their system (it requires claims and sharing certificates).
The major example of this concept in SharePoint 2013 is the “My Tasks” functionality that’s been added to My Sites. When you click on My Tasks, SharePoint is using Search behind the scenes to find all Tasks assigned to you from everywhere within SharePoint. While that’s cool in and of itself, it would be really cool if My Tasks could also pull Tasks you’ve set in Outlook that are synced in Exchange. Especially since Exchange 2013 uses the same Search engine behind the scenes (yes, FAST is now built into Exchange too). With S2S, this functionality exists out of the box and Search is able to cross the boundary between Exchange and SharePoint to pull the Tasks you’ve set up in Exchange and surface them on your My Tasks list in SharePoint.
The largest example, however, is with Office Web Apps (OWA), which is now its own server application that runs separate of SharePoint and works with Exchange, Lync, and Office 365. OWA supports S2S to get documents out of these other server applications and surface them in the respective web app. You probably didn’t realize that this is what’s going on behind the scenes, but given how powerful S2S is, the sky is the limit. All of this is made possible because each of the server applications understand claims and communicate on the same wavelength thanks to S2S Authentication.
I hope that this post and its three siblings show you that claims is not something to be scared of but instead provides a great amount of flexibility and power that we didn’t have before. Still, there’s a lot of room open to creativity by leveraging the OAuth and S2S functionality that exists inside of SharePoint (and the other Office server applications). Where would you like to see Microsoft take claims next?