SharePoint People Picker in Claims-mode Web Applications

The SharePoint People Picker control is used when granting permissions to securable objects for users and groups. As the name implies, the control facilitates the picking of these user and group accounts. (Under the covers, the unique identifier of the account is stored. But in most scenarios, the SharePoint user does not know the unique identifier of users and groups.)

Searching for Users and Groups

In order for the People Picker to find and display user and group accounts, it must access the source of those accounts. In MOSS 2007/WSS3, accounts were provided by two identity providers: Active Directory (AD) and the .Net Membership Provider interface (FBA, which stands for Forms-Based Authentication).

To implement the search capability of the People Picker, Microsoft wrote code to query the AD service or the FBA provider. Both of these providers have a well-defined method for searching the corpus of user/group accounts.

SharePoint 2010 Trusted Identity Provider (aka Claims-mode)

In SharePoint 2010, identity providers other than AD and FBA can be configured. The most popular of these is Active Directory Federation Services (AD FS). However, any provider that implements the web standards SAML 1.1 and WS-F RP (WS-Federation Passive Requestor Profile) can be configured.[^1] These web standards provide for the sharing of identity information (unique identifiers as well as attributes such as names and group membership) between systems. However, the standards do not provide any way to enumerate or search for identities other than the currently authenticated user.

When the People Picker runs in a web application for which an identity provider other than AD or FBA is enabled, the control cannot perform the search function. The implemented behavior as described by Microsoft:

   …all queries entered in the text box are automatically displayed as if they had been resolved, regardless of whether they are valid users or groups.[^2]

Searching for Users and Groups via custom code

While it would be impractical for Microsoft to write code for the People Picker control to query every identity provider for every SharePoint implementation, they did include the necessary integration methods in the developer's application programming interface (API). This interface is called a SharePoint Claim provider.[^3]

A Claim provider can use any necessary algorithm for querying a list of user and group accounts. Also, the claim provider can specify components of the People Picker interface. This combination of capabilities allows developers to build a familiar user interface (e.g. using corporate nomenclature, or presenting a hierarchy of groups or attributes) for SharePoint users.

How it works - Active Directory, AD FS and LDAP

The following steps list the process and components involved in searching and selecting a user or group account in the People Picker. Both classic-mode (AD, FBA) and claims-mode (SAML) providers are listed.

Classic-mode provider (Authenticated by Active Directory)

  1. User enters value in the "Find" box of the People Picker control and clicks the search button (magnifying glass icon)

  2. People Picker prepares a native DirectorySearcher object, incorporating any configuration settings (OrgUnit restrictions, etc.)

  3. People Picker executes search

  4. People Picker renders results

Claims-mode provider (Authenticated by AD FS)

  1. User enters value in the "Find" box of the People Picker control and clicks the search button (magnifying glass icon)

  2. People Picker forwards the value to the configured Claim Provider

  3. Claim Provider prepares an LDAP request, incorporating any environmental constraints and implementing domain-specific logic

  4. Claim Provider invokes LDAP request to the LDAP provider

  5. LDAP provider queries the same user storage medium as AD FS

  6. Claim Provider receives results from LDAP services and passes them to People Picker

  7. People Picker renders results
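The following is an added example (not code from the post or from SharePoint) that models steps 3 through 6 of the claims-mode flow in plain Python: it escapes the "Find" text before building the LDAP filter, restricts the filter to user objects, and maps each LDAP entry to the claim the People Picker would store. It assumes AD FS issues the e-mail address (LDAP "mail" attribute) as the identity claim, and the in-memory directory is constructed sample data standing in for the LDAP service.

```python
# Added example (not from the post): models steps 3 to 6 of the claims-mode flow above.
# Assumptions: AD FS issues the e-mail address (LDAP "mail") as the identity claim,
# and the directory below is constructed sample data standing in for the LDAP service.
from dataclasses import dataclass

IDENTITY_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_ATTRIBUTE = "mail"  # LDAP attribute AD FS maps to the identity claim (assumption)
SEARCH_ATTRIBUTES = ("displayName", "mail", "sAMAccountName")

def escape_ldap_value(value):
    """Escape an assertion value per RFC 4515 so 'Find' text cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_search_filter(search_text):
    """Step 3: prefix-match filter, restricted to user objects (an environmental constraint)."""
    term = escape_ldap_value(search_text.strip())
    alternatives = "".join("(%s=%s*)" % (attr, term) for attr in SEARCH_ATTRIBUTES)
    return "(&(objectCategory=person)(objectClass=user)(|%s))" % alternatives

@dataclass
class PickerEntity:  # the fields a claim provider fills on SharePoint's PickerEntity
    display_text: str
    description: str
    claim_type: str
    claim_value: str
    is_resolved: bool = True

def entry_to_picker_entity(entry):
    """Step 6: map one LDAP entry to the claim SharePoint stores as the permission principal."""
    value = entry.get(CLAIM_ATTRIBUTE)
    if not value:
        return None  # AD FS could never issue this claim, so a grant to it would never match
    return PickerEntity(entry.get("displayName", value), entry.get("sAMAccountName", ""), IDENTITY_CLAIM_TYPE, value)

# Constructed stand-in for the LDAP directory (step 5); the second entry has no mail attribute.
SAMPLE_DIRECTORY = [
    {"displayName": "Ann Smith (Contractor)", "mail": "ann.smith@example.com", "sAMAccountName": "asmith"},
    {"displayName": "Build Service", "sAMAccountName": "svc-build"},
]

def search(search_text, directory=SAMPLE_DIRECTORY):
    """Steps 3 to 6 end to end, evaluating the same prefix match the filter expresses."""
    term = search_text.strip().lower()
    hits = []
    for entry in directory:
        if any(str(entry.get(a, "")).lower().startswith(term) for a in SEARCH_ATTRIBUTES):
            entity = entry_to_picker_entity(entry)
            if entity is not None:
                hits.append(entity)
    return hits
```

The point of dropping entries without the claim attribute is that the value the provider returns must be exactly the value AD FS issues at sign-in; otherwise the permission grant is stored against a principal that never authenticates.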

I attempted to represent this program flow in a diagram. I was inspired by a graphic in the SharePoint appendix in A Guide to Claims-Based Identity and Access Control (2nd Edition) by Microsoft's patterns & practices group. But my graphic skills are severely deficient. :(

[^1] Plan Authentication Methods (SharePoint Server 2010)

[^2] People Picker Overview (SharePoint Server 2010)

[^3] Custom claims providers for People Picker (SharePoint Server 2010)