Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
How Claims is Changin...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
About Protiviti
INDIA (3)
Protiviti (www.protiviti...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
• Introduction to the Concept of Claims
– Types of...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
• User attributes
• Metadata about a user
• AD att...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Trust!
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
What is a Claim?
Claims are trusted assertions I m...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
• Name Antonio Maio
• Email antonio.maio@protiviti...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Authentication
The process of determining that som...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Configuring Claims Based Authentication
• Central ...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Configuring Claims Based Authentication
PowerShell...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Types of Claims Retrieved
• Standard Claims
– Only...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
How do I know which claims were
retrieved?
• Use t...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Authorization
Determining what resources users are...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Simple Permission Examples
Users and Groups
• Fina...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Permission Examples: Claims
• Remember: Claims are...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
People Picker
1. Type the value of the claim in th...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
People Picker and Assigning Permission
• Once the ...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Enabling Claims Based Authorization
 Planning Req...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Enabling Claims Based Authorization
 High Level S...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Relying
Party (RP)
Trusted Identity Provider (IP)
...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Relying
Party (RP)
Trusted Identity Provider (IP)
...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
• Select a Standards-based Identity Provider (SAML...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Augmenting Claims - Custom Claim Providers
• Used ...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Custom Claim Provider Deployment
• Deployed as a F...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Common Customer Needs
• How do I secure access to ...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
What Types of Claims are Useful?
• Military, Intel...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Intelligence Military Examples
Classification
Cave...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Commercial Example
• Claim: Employee Status
• Docu...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Government Example
• Claim: Client Case Numbers
• ...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
Summary
• Claims Based Authentication/Authorizatio...
© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
• 7th Annual Conference
• 6 SharePoint MVPs presen...
Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Thank You!
Email: Ant...
Upcoming SlideShare
Loading in...5
×

How Claims is Changing the Way We Authenticate and Authorize in SharePoint

931

Published on

How Claims is Changing the Way We Authenticate and Authorize in SharePoint

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
931
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
26
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

How Claims is Changing the Way We Authenticate and Authorize in SharePoint

  1. 1. Antonio Maio Protiviti, Senior SharePoint Architect & Senior Manager Microsoft SharePoint Server MVP How Claims is Changing the Way We Authenticate and Authorize in SharePoint Email: Antonio.maio@protiviti.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2
  2. 2. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. About Protiviti INDIA (3) Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. • 2,500+ professionals • 1,000+ clients • 70+ offices • Over 20 countries in the Americas, Europe and Asia-Pacific Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011.
  3. 3. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • Introduction to the Concept of Claims – Types of Claims Retrieved – How do I know which ones? • Authentication vs Authorization – Claims Based Authentication – Using Claims for Authorization – Permissions – People Picker • Architecture and Trusted Identity Providers – Enabling Claims Based Authorization with Trusted Identity Providers – Customizing Claims Authentication Process – Augmenting Claims with Custom Claim Providers • Common Customer Needs and Scenarios Agenda
  4. 4. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • User attributes • Metadata about a user • AD attributes/LDAP attributes What is a Claim? What’s Missing?
  5. 5. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Trust!
  6. 6. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. What is a Claim? Claims are trusted assertions I make about myself – Identity attributes retrieved from a trusted identity provider – Digitally signed so that I can verify the identity provider – Packaged and signed in a standards-based way (ex. SAML) (SAML = Security Assertion Markup Language) Allow me to take my identity across network boundaries in a trusted and secure way!
  7. 7. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • Name Antonio Maio • Email antonio.maio@protiviti.com • Company, Department Protiviti, SharePoint Practice • Security Clearance Secret (Canada) • Military Rank <none> • Employment Status FTE • Over 18 Years Old Yes • Valid Driver’s License Yes • Country of Birth Canada • Citizenship Canadian, Italian • Residence Dallas, Texas, USA Consider, why do you trust them? Claims About Me
  8. 8. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Authentication The process of determining that someone is who they say they are • Typically done today through username/password SharePoint 2013 – Claims Based Authentication is the default Auth’n method • New Web Applications are Claims Enabled • Classic Mode authentication has been deprecated - Only thru PowerShell How do Claims all us to go beyond classic authentication?  Single Sign-On across systems in different domains  Federate between SharePoint On Premise and O365  Verify additional info about a user during the authentication process  Required for new SharePoint 2013 features like Server-server Auth, App Authentication
  9. 9. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Configuring Claims Based Authentication • Central Admin > Manage Web Applications > New Web Application • By default claims enabled • SSL is required for most scenarios • Trusted identity providers • Server to Server Authentication • App Authentication • Select your Authentication Protocol • Windows Auth: NTLM or Kerberos • Forms Based • Trusted Identity Provider (SAML) or some combination…
  10. 10. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Configuring Claims Based Authentication PowerShell • Ensure you have the correct permissions (securityadmin and dbowner on DB, part of administrators group on server) • Sample: $ap = New-SPAuthenticationProvider New-SPWebApplication -Name "Contoso Internet Site" -Port 443 -HostHeader sharepoint.contoso.com - URL "https://www.contoso.com" -ApplicationPool "ContosoAppPool" -ApplicationPoolAccount (Get- SPManagedAccount "DOMAINjdoe") -AuthenticationProvider $ap -SecureSocketsLayer New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -URL <URL> -Port <Port> -AuthenticationProvider $ap Where: <Name> is the name of the new web application that uses claims-based authentication. <ApplicationPool> is the name of the application pool. <ApplicationPoolAccount> is the user account that this application pool will run as. <URL> is the public URL for this web application. <Port> is the port on which the web application will be created in IIS.
  11. 11. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Types of Claims Retrieved • Standard Claims – Only claims retrieved when using NTLM/Kerberos – Only claims supported through Office 365/SharePoint Online • Custom Claims – Trusted Identity Provider required: ADFS, Ping Federate, Thinktecture, etc. Name identifier Primary SID Primary Group SID UPN User Logon Name User ID Name Identity Provider Name Issuer Is Authenticated Farm ID Role Group SID
  12. 12. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. How do I know which claims were retrieved? • Use the SharePoint Claims Web Part developed by Steve Peschka Download and Configuration instructions available here: http://www.trustsharepoint.com/2013/04/how-do-i-know-which-claims-were.html
  13. 13. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Authorization Determining what resources users are permitted to access and what actions they’re permitted to perform • Typically through permissions in SharePoint • How do claims allow us to go beyond simple Permissions?  Be specific to the user  Be done without knowing who the user is  Be dynamic – ex. changes in a user’s security clearance are reflected  Include environmental attributes (current time, GEO location, connection type, etc.)  Be an alternative to security groups – Groups do not scale  Example: user must be part of GroupA and GroupB and GroupC to access a resources
  14. 14. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Simple Permission Examples Users and Groups • Finance AD Group has Full Control on Library A • ProjectXContractor SP Group has Read access on site B • Antonio.Maio AD user has Contribute access on Document C Principle (user or group) Permission Level (collection of permissions) Information Object (item or container)
  15. 15. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Permission Examples: Claims • Remember: Claims are trusted attributes about a user • May assign a Claim as part of a permission to an object or container (just like a user or group) • ‘SecurityClearance=Secret’ has Full Control access on Document X • ‘ITARCleared=True’ has Read access on Library Y • ‘EmploymentStatus=FTE’ has Contribute access on Site Z Principle (a claim in this case) Permission Level (collection of permissions) Information Object (item or container)
  16. 16. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. People Picker 1. Type the value of the claim in the Find field (Top Secret in our example) Note: people picker cannot resolve values. Typos will appear here as if they are valid values. It will display multiple valid selections for your value, one for each claim type available. 2. Next, you select the attribute type in the All Search Results list on the left side – in our case we select Clearance. 3. The list on the right side will then reduce the view to one selection for the attribute type selected. Select that attribute type in the right list now. 4. Click the Add button, and then click OK
  17. 17. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. People Picker and Assigning Permission • Once the claim is selected it can be assigned as a permission with a permission level to some securable object
  18. 18. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Enabling Claims Based Authorization  Planning Required  Driven by a need to secure information at more granular level  Standard Claims Typically are Not Sufficient  Determining policies, claims, getting stakeholders to agree, etc.  Which trusted identity provider? Which attribute store?  Infrastructure Required  Storing, managing, retrieving, transforming, trusting claims  Configuration Required  Deploying Identity Provider, Connecting it to SharePoint, Configuring Trust, Sign-in, Claims Rules
  19. 19. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Enabling Claims Based Authorization  High Level Steps 1. Create the SharePoint 2013 Web Application 2. Install and Configure an STS Server (Secure Token Server) • Ex. Deploy ADFS, Domain Joined Server (possibly a farm) 3. Configure STS with the SharePoint web application as a Relying Party • Configuration within ADFS 4. Configure SharePoint 2013 to trust STS as an Identity Provider • Import ADFS Token Signing Certificate into IIS on SharePoint • Use PowerShell to configure ADFS as Trusted Provider 5. Configure SharePoint Web Application to use Claims Based Authentication and STS as the Trusted Identity Provider • Within Central Admin
  20. 20. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Relying Party (RP) Trusted Identity Provider (IP) SharePoint 2013 Client System Ex. web browser Secure Token Server (STS) EX. Active Directory Federation Services (ADFS) Identity Store, Attribute Store, (AD, Database or Directory) 3. Authenticate User, Get info (claims) about user Token with Claims Format: SAML/WS-Fed 4. Authenticated user, attributes retrieved & STS creates token 1. Sign In Page 5. User is authenticated and SharePoint 2010 now has user’s claims & knows it can trust them Claims Based Auth’n/Auth’r Architecture 2. Requests authentication (thru username/password) and a token Browser Redirect
  21. 21. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Relying Party (RP) Trusted Identity Provider (IP) SharePoint 2013 Client System Ex. web browser Secure Token Server (STS) EX. Active Directory Federation Services (ADFS) Identity Store, Attribute Store, (AD, Database or Directory) 3. Authenticate User, Get info (claims) about user Token with Claims Format: SAML/WS-Fed 4. Authenticated user, attributes retrieved & STS creates token 1. Sign In Page 5. User is authenticated and SharePoint 2010 now has user’s claims & knows it can trust them Customizing Claims Authentication Process 2. Requests authentication (thru username/password) and a token Browser Redirect Custom Claim Provider Custom Claim Provider … Claim Rule Claim Rule … SQL DB, LDAP, PKI etc… iAttributeStore …
  22. 22. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • Select a Standards-based Identity Provider (SAML) – Active Directory Federation Services 2.0 or later • Supports full SAML 1.1 and 2.0 Tokens and Protocol • Supports WS-Federation Tokens and Protocol • SharePoint 2010/2013 use SAML 1.1 tokens and SAML 2.0 protocol • Must authenticate against Active Directory – Ping Federate (Commercial) – Thinktecture (Open Source) Trusted Identity Providers Trusted Identity Provider (IP) Secure Token Server (STS) EX. Active Directory Federation Services (ADFS) Identity Store, Attribute Store, (AD, Database or Directory) 3. Authenticate User, Get info (claims) about user Token with Claims Format: SAML/WS-Fed 4. Authenticated user, attributes retrieved & STS creates token
  23. 23. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Augmenting Claims - Custom Claim Providers • Used to Augment User Claims and Customize People Picker • SharePoint farm level feature • Can deploy more than one • Called after user is authenticated …and after Trusted Identity Provider has already returned claims – Built on top of WIF (Windows Identity Framework) – Used to augment claims or transform claims – Used to customize the People Picker (ex. resolving claims through user search)
  24. 24. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Custom Claim Provider Deployment • Deployed as a Farm Level Feature Receiver – requires more code – Must inherit from SPClaimProviderFeatureReceiver (lots of examples) • Can deploy multiple claim providers – Called in order of deployment • Once deployed - Available in every web app, in very zone – Can cause performance issues – When user logs in, all Custom Claim Providers deployed get called • Set IsUsedByDefault property in Feature Receiver Def'n to False • Turn it on manually for required web apps
  25. 25. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Common Customer Needs • How do I secure access to sensitive information just to certain people and only under certain conditions? – (More) Fine Grained Access Control – Sensitive content sitting beside non-sensitive content • I have compliance requirements about who can access certain types of data and when – How do I enforce that without stopping business?
  26. 26. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. What Types of Claims are Useful? • Military, Intelligence, Government Defense – Security Clearance, Caveats, Communities of Interest – Need to Know • Commercial – Department, Team or Role – Current Date/Time, Current Device (BYOD) – Group Membership with multiple groups – Partner ID or Business ID (in partner extranet scenarios) • Aerospace/Defense Contracting – Nationality + Current Location • Homeland Security – Agency (law enforcement, emergency response, public health…) – Scope or Level (local, state, federal), Current Threat Level
  27. 27. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Intelligence Military Examples Classification Caveats Need to Know Security Clearance Caveats Groups Has All Has All Has Minimum Classification Topics Restrictions Communities Security Clearance Topics Restrictions Communities Has Minimum Has Any Not Have Any Has All
  28. 28. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Commercial Example • Claim: Employee Status • Document Metadata: Classification (HBI, MBI, LBI) If employee.status = FTE and document.classification = HBI Then permit access to document If employee.status = Contract and document.classification = HBI Then deny access to document
  29. 29. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Government Example • Claim: Client Case Numbers • Document Metadata: Document Case Number If document.case=X AND client.casenumbers includes X Then permit access to document If document.case=X AND client.casenumbers DOES NOT includes X Then deny access to document
  30. 30. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Summary • Claims Based Authentication/Authorization still a new topic for many people – Allows us to take our identities across network boundaries in a trusted and secure – Enabling our move to the cloud – required for Identity Federation • Claims Based Authentication is Default in SharePoint 2013 – Classic Mode is Deprecated (Still there in 2013 but will likely go away next version) • Claims are great tool for Enterprise-Grade Authentication and Authorization – Infrastructure and Planning Required to take advantage of it – Leading SharePoint deployments in businesses, government and military to more fine grained authorization
  31. 31. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • 7th Annual Conference • 6 SharePoint MVPs presenting • Full-Day Training Workshops pre and post conference • Separate tracks for Business Users, Technical Users & UX Professionals • Government, Association, Nonprofit & Group Discounts Available Get 15% off! Use: PRO15 when registering Learn More & Register at SharePointConference.org Dallas, TX October 20, 2014
  32. 32. Antonio Maio Protiviti, Senior SharePoint Architect & Senior Manager Microsoft SharePoint Server MVP Thank You! Email: Antonio.maio@protiviti.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2
  1. ¿Le ha llamado la atención una diapositiva en particular?

    Recortar diapositivas es una manera útil de recopilar información importante para consultarla más tarde.

×