A high-trust app (provider-hosted app) in SharePoint 2013

A high-trust app in SharePoint 2013 is a specific type of provider-hosted deployment in which both the SharePoint farm and the remote web site sit behind the same firewall. This is an entirely on-premises scenario. In a high-trust app, the remote web application itself creates and signs the access tokens used to reach SharePoint resources, using a certificate that the farm has been told to trust. Because SharePoint accepts whatever user identity the remote site puts into such a token, the remote site can impersonate any valid user when it connects to SharePoint. That is why these apps are referred to as high-trust: the farm is trusting the remote site, not a third-party broker, to vouch for who the user is.

A high-trust app requires special configuration to function within a farm. In general, the prerequisites and steps to set up a high-trust app are as follows:

1. Both the server farm and the remote site must be deployed on-premises, not in the cloud.

2. An application certificate (a public/private key pair) is created to identify the app. The remote web keeps the private key and uses it to sign tokens; SharePoint only needs the public certificate.

3. The public certificate is registered in SharePoint as a trusted root authority and as a trusted security token issuer, so that SharePoint will accept user identities issued under it.

4. SharePoint's own security token service (STS) is used for authorization, with the registered certificate acting as the trust broker. This is necessary because the Windows Azure Access Control Service (ACS) serves only cloud-based (low-trust) apps and plays no part in a high-trust deployment.
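The farm-side part of steps 2 through 4, as an added example that is not part of the original article. It uses the standard SharePoint 2013 Management Shell cmdlets for registering a high-trust issuer; the certificate path, the issuer name and the issuer GUID are placeholders that you would replace with your own values. The GUID must be lowercase, and the same value must be configured in the remote web's `web.config` (the `IssuerId` setting used by the app's token-generation code) so that the tokens it signs name this issuer.

```powershell
# Added example: register a high-trust app certificate with a SharePoint 2013 farm.
# Run from the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 2 (assumption): the public .cer exported from the app's certificate.
# Only the public half goes onto the SharePoint servers; the .pfx with the
# private key stays on the remote web server, because whoever holds that key
# can mint a token for any user in the farm.
$certPath   = "C:\Certs\HighTrustSampleCert.cer"   # placeholder path
$issuerName = "HighTrustSampleCert"                # placeholder display name
$issuerId   = "11111111-1111-1111-1111-111111111111" # placeholder GUID, lowercase

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Step 3: SharePoint must trust the certificate chain before it will trust
# tokens signed with it.
New-SPTrustedRootAuthority -Name $issuerName -Certificate $certificate

# Step 4: the issuer name that will appear in the tokens is "<issuerId>@<realm>".
# The realm is the farm's authentication realm, not a value you choose.
$realm = Get-SPAuthenticationRealm
$fullIssuerIdentifier = "$issuerId@$realm"

# -IsTrustBroker lets one certificate vouch for any number of high-trust apps
# in the farm, which is what the article means by "configured once per farm".
New-SPTrustedSecurityTokenIssuer -Name $issuerName `
                                 -Certificate $certificate `
                                 -RegisteredIssuerName $fullIssuerIdentifier `
                                 -IsTrustBroker

# The issuer is cached; recycle IIS so the STS picks it up without waiting.
iisreset

# Verification: the issuer should now be listed with the expected name.
Get-SPTrustedSecurityTokenIssuer |
    Where-Object { $_.RegisteredIssuerName -eq $fullIssuerIdentifier } |
    Select-Object Name, RegisteredIssuerName, IsSelfIssuer

# Development-only shortcut: allow OAuth tokens over plain HTTP. Leave this
# at its default ($false) on any farm that matters; tokens sent over HTTP can
# be captured and replayed as the user they name.
# $serviceConfig = Get-SPSecurityTokenServiceConfig
# $serviceConfig.AllowOAuthOverHttp = $true
# $serviceConfig.Update()
```

If the verification query returns nothing, the most common causes are a GUID that contains uppercase letters (the comparison is case-sensitive) or a realm that was read from a different web application than the one the app will be installed into.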

A high-trust app is not the same as a full-trust solution in SharePoint. A full-trust (farm) solution runs inside the SharePoint process and can perform any action within the farm simply by calling an API to elevate its own privileges. A high-trust app runs outside SharePoint and can only act with the permissions already assigned to a given user, by placing that user's identity in the token it signs; the app's own requested permissions still apply on top of that, so the effective rights are never more than the user already has. The remote app is responsible for determining the correct user to impersonate. This may be as simple as reusing the Windows identity of the user that SharePoint forwarded in the original request, which is what the template code in the SharePoint 2013 provider-hosted app project does.

While the setup and security considerations of a high-trust app may seem daunting, many of these configurations only have to be performed once for each SharePoint farm. A high-trust app can be thought of as any provider-hosted app where both the SharePoint app web and the remote web reside inside the organization’s firewall.

