Question

Our SharePoint farm consists of multiple web applications - we would like to provide an SSO experience for our employees whether they are working from an unmanaged machine (ex: home PC) or a managed machine (ex: work PC).

We would accomplish this using SAML authentication (via ADFS) for unmanaged machines and Windows Authentication for managed machines. If we were to implement this, does that mean we would have to apply permissions twice for each user. Example: for Employee A to access Site A, would we have to apply the identifier claim (which would be Employee A's email in our case) and the SAMAccountName for Windows authentication as permissions on Site A?

Would it be better to just provide a single path for authentication - SAML authentication for both unmanaged and managed PCs? How do other companies deal with this challenge?

Thank you.


Solution

The best approach is SAML for all users. With ADFS & IE setup correctly, the managed PC log-in experience can be seamless (Integrated NTLM), which is likely what you are looking for.

OTHER TIPS

You should understand the concept of Authentication Providers in SharePoint, which makes use of claims-based authentication. For your requirement you need to implement SSO for your application, which would be done by the STS in SharePoint 2010. You need to implement and get the SAML 2.0 token from the Identity Provider (that is where your employees log in externally) and convert it (email/roles/other claims) to a SAML 1.1 token, because SharePoint does not understand SAML 2.0. So you need to write code for this conversion. Then run the PowerShell scripts so that your web application can trust the claims. http://technet.microsoft.com/en-us/library/ff607753.aspx

For internal users use Windows authentication (working URL). No need to have 2 permissions.

Refer: Active Directory Federation Services and SharePoint
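The trust-setup step the answer above refers to, as an added example that is not part of either answer or of the linked TechNet article: it registers an AD FS 2.0 trust in SharePoint 2010 with the user's e-mail address as the identifier claim, which is the value that then appears in site permissions for externally authenticated users. Assumed placeholders: the token-signing certificate exported from AD FS at C:\certs\adfs-token-signing.cer, the realm urn:sharepoint:intranet (it must match the relying party identifier configured in AD FS), the AD FS passive endpoint https://adfs.example.com/adfs/ls/, and a web application at https://intranet.example.com that already has an Extranet zone.

```powershell
# Added example (not the original answers' code). Run in the SharePoint 2010
# Management Shell as a farm administrator. All URLs, paths and names below are
# placeholders and must be replaced for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = 'C:\certs\adfs-token-signing.cer'    # placeholder: AD FS token-signing cert (public key only)
$realm     = 'urn:sharepoint:intranet'             # placeholder: relying party identifier in AD FS
$signInUrl = 'https://adfs.example.com/adfs/ls/'   # placeholder: AD FS passive sign-in endpoint
$webAppUrl = 'https://intranet.example.com'        # placeholder: existing claims-based web application

# SharePoint rejects any token not signed by a certificate in its trusted root
# store, so the AD FS signing certificate is registered first. When AD FS rolls
# its token-signing certificate over, this entry has to be updated too, or
# sign-in for external users silently stops working.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name 'AD FS 2.0 Token Signing' -Certificate $cert

# Map the incoming claim types. Only mapped claims are available to SharePoint;
# everything else in the token is discarded.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# The identifier claim is the e-mail address, as in the question. This is the
# identity SharePoint stores in permissions for users who arrive via AD FS; it is
# a different principal from the Windows account used on the internal zone.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' `
    -Description 'AD FS 2.0 SAML 1.1 trusted identity provider' `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Attach the provider to the Extranet zone only. The Default zone keeps Windows
# authentication for managed PCs, matching the split the answers recommend.
Set-SPWebApplication -Identity $webAppUrl -Zone Extranet -AuthenticationProvider $issuer
```

Grant permissions on the e-mail identifier claim for external access and on the Windows account for the internal zone; the two are separate principals, which is why the question's "permissions twice" concern only disappears if a single provider is used everywhere.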

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange