
How Does Beowulf Work?

There are several components in Beowulf, and each one works a bit differently. Combined together they provide a significantly improved experience for logging into SharePoint sites.

Security Token / Authentication Service

Beowulf STS sits in front of SharePoint and depending on your specific needs it can work alongside SharePoint's native STS, or can completely replace it. It provides SharePoint supported claims based on multiple possible sources. For internal users, Active Directory logins can be used and both NTLM/Kerberos and forms based logins are possible. For external users, SQL based membership database, LDAP, and a variety of OAuth 2.0 or OpenID Connect compatible authentication providers are supported. Examples include Azure Active Directory, Facebook, Google, OpenID.net, Twitter, Windows Live ID, Yahoo, and Yammer.

People Picker - Profile Claim Provider

The purpose of the claim provider is to allow easy search and selection of claims based users within SharePoint. SharePoint's out of the box claim provider allows administrators to grant access to claims based users based on matching user-id, email, or role claims. However, the UI provided to accomplish this in SharePoint isn't very intuitive, and users don't appear in the People Picker under their real names, which makes this a poor option for site owners and end-users who also rely on it when completing everyday tasks.

The Beowulf Claim Provider and People Picker solve this problem by allowing claims to be created based on data stored in SharePoint's user profile database or user list (for sites that don't use profiles). This greatly improves the user experience and makes claims authentication manageable for everyday use, regardless of what system does the authentication.

Claims to Profiles Conversion Module

Of course, finding a user by their profile data only makes sense if you have profile data for the users in the first place. It is also often true that SharePoint fails to synchronize user data stored in sites with user profiles, leading to much confusion. Beowulf solves this problem by copying claims data from well-known sources like AD or Google into the user's profile automatically. If any needed information is missing from the user's profile, they can be redirected to complete their profile manually. As a final step, Beowulf also checks the user's information on the site to make sure it matches what is stored in the profile, and resolves any differences.

Sign-out Assistant for SharePoint 2010

Claims based authentication in SharePoint can often break the out of the box sign out pages, especially in older versions of SharePoint. The main reason for this is that they are not aware of the need to notify upstream claims providers when a logout has taken place. As a result, users who log out or try to log in as another user will be directed to the claim provider, recognized as having already logged in, re-authenticated, and then redirected to SharePoint where they are logged back into the site.

This is a frustrating problem that Beowulf solves by replacing the standard sign-out page with one that respects the claims authentication process and provides sign-out notification and authentication cookie destruction as needed to complete the sign out.

Automated Realm Discovery - Assisted Sign-in

SharePoint STS includes a realm picker which allows users to choose between Windows Authentication and forms/claim authentication. This process is called realm discovery. However, this dropdown screen is not very intelligent and will typically prompt the user every time they log in to SharePoint. If you configure an upstream claims provider, such as Beowulf or ADFS, then this will also have a realm discovery screen. The effect on the user is a double-dropdown, which is not ideal.

Beowulf solves this problem by replacing SharePoint's realm discovery page with its own more intelligent version. Realms can be automatically determined by the user's IP address or other rules, thus eliminating the extra choice screen while allowing SharePoint Windows Authentication to coexist peacefully with claims authentication.

Of course, since our People Picker can be deployed to work in a single web application for all types of users (both claims and Windows), regardless of individual authentication providers, most of our clients find that they don't need this service to support Windows users on the back-end. In such cases, it is typically sufficient to enable Windows Authentication in only the extended web application zone, and use only claims authentication for the public facing zone, thus eliminating SharePoint's realm discovery page entirely.

Multi-factor Authentication Module

With any modern web site accessible from the Internet, it has rapidly become necessary to have additional security on top of a username and password. Advanced single-sign-on solutions or application aware firewalls are one option to provide this extra security, but for many users of SharePoint they can be cost prohibitive and are often too complex to be a realistic option.

Beowulf provides added security through the use of multi-factor authentication which can be delivered in a number of ways. One-time-use codes can be transmitted at login via a secondary email address or SMS text message to the user's mobile phone. This system also supports software based token systems (HOTP/TOTP) - a cheaper option than hardware tokens from RSA or Symantec. Users can be prompted for the one-time code at every login, or only when they access the system from a new computer or network address.
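The software token option mentioned above (HOTP/TOTP) is a standard algorithm rather than anything specific to Beowulf, so the example below is an added illustration, not Beowulf's code: an RFC 4226 HOTP / RFC 6238 TOTP generator and a verifier that tolerates a small clock-drift window and refuses to accept a counter value that has already been used (replay protection). The secret is the ASCII key from the RFC test vectors, embedded here only so the output can be checked against published values; the Base32 helper reflects how authenticator apps are normally provisioned.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Key from the RFC 4226 / RFC 6238 test vectors, embedded for checkable output.
RFC_SECRET = b"12345678901234567890"
# The same key as an authenticator app would receive it (Base32, no padding).
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text: str) -> bytes:
    """Decode a provisioning secret; tolerates lower case and missing padding."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current time step and +/- `window` steps.

    Returns (accepted, counter_used). The caller must persist counter_used and
    pass it back as last_counter on the next attempt: any counter at or below
    it is rejected, so a captured code cannot be replayed inside the window.
    Comparison is constant-time to avoid leaking matching digits.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False, None
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, None


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 the 8-digit SHA-1 code is 94287082.
    print(totp(RFC_SECRET, 59, digits=8))
    ok, used = verify_totp(RFC_SECRET, "94287082", 59, digits=8)
    print(ok, used)                                   # accepted, counter 1
    # Same code presented again with the stored counter: rejected as a replay.
    print(verify_totp(RFC_SECRET, "94287082", 59, digits=8, last_counter=used))
```

The window should stay small (one step either side is typical); widening it to paper over badly skewed clocks multiplies the number of codes an attacker could guess in one step. Storing the last accepted counter per user is what turns "one-time" from a description into an enforced property.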

While Beowulf multi-factor authentication was originally designed to be provided as part of the Security Token Service, our solution can also provide enhanced security for Windows Authentication based users who are not logged into the system through the Beowulf STS, but instead use SharePoint native Windows logins. Beowulf can also secure many other web applications that are based on ASP.NET or support SAML SSO authentication, making it an ideal choice if you need to roll out MFA across more than just your SharePoint farm.

Session Sidecar Sign-out Enforcement Module

SharePoint provides options for session and cookie based claims authentication. However, session authentication requires users to log in multiple times whenever they open documents in Microsoft Office applications such as Word or Excel. This is a less than ideal user experience, leading many SharePoint implementers to compromise on security.

Beowulf solves this problem by riding shotgun alongside SharePoint's cookie based authentication, enforcing user sign out after a specified time period of inactivity, and/or when the user's browser session has been closed.