Authentication, Authorization, and Identity – More than meets the eye…
In today’s complex marketplace of corporate partnerships and relationships, sharing information is pertinent to ensuring that business operations are conducted in a secure computing environment, with trusted entities being provided access to protected information.

In this session, Dan and Scott will discuss the basics of authentication and authorization in relation to the SharePoint platform. Further, we will be discussing the technical underpinnings of the SharePoint platform’s processing of a user’s identity, dependent on the identity provider and authorization settings.

As a part of this session we will demonstrate different authentication and authorization configurations that are commonplace in today’s business settings, including when to use:
* Integrated Windows Authentication
* Forms Based Authentication using SQL Server
* ADFS as a Trusted Identity Provider
* Threat Management Gateway with Kerberos Constrained Delegation using client certs

After attending this session, attendees will have a better grasp of the configuration complexities involved with each scenario as well as the user experience impacts based on the path taken.

Speaker notes (presenter annotations attached to individual slides):
  • Danger: waterfall ahead
  • Scott (meeting notes, 7/23/12 23:35): Thinking about administrators for SharePoint - what access do they have?
  • Scott: Standards based: wide support. Easy to configure? Multiple Web Config changes, Web Application changes and then of course the actual configuration of your identity provider.
  • Dan: Curious how to manage Windows Azure Active Directory through PowerShell? http://technet.microsoft.com/en-us/library/jj151815.aspx
  • Scott: Different security boundaries and the permissions that can be applied to them.

    1. AUTHENTICATION, AUTHORIZATION AND IDENTITY… IT’S MORE THAN MEETS THE EYE
       Scott Hoag and Dan Usher
    2. PRINCETON SHAREPOINT USER GROUP
       • Different SharePoint discussions each month on various topics. Announced on meetup.com
       • Meets 4th Wednesday of every month
       • 6pm – 8pm
       • Infragistics Office, 2 Commerce Drive, Cranbury, NJ
       • http://www.meetup.com/princetonSUG
       • http://www.princetonsug.com
    3. THANK YOU EVENT SPONSORS
       • Platinum & Gold sponsors have tables here in the Fireside Lounge
       • Please visit them and inquire about their products & services
       • To be eligible for prizes make sure your bingo card is signed by all Platinum/Gold
    4. WHO ARE WE?
       • Scott Hoag, @ciphertxt, Applied Information Sciences, Infrastructure Consultant, scott.hoag@appliedis.com
       • Dan Usher, @binarybrewery, Booz Allen Hamilton Incorporated, Lead Associate, usher_daniel@bah.com
    5. HOUSEKEEPING
       • Phones silenced, phasers set to stun
       • Ask questions
       • Please remember to turn in your filled out bingo cards and event evaluations for prizes.
       • Follow SharePoint Saturday New Jersey on Twitter @spsnj and hashtag #spsnj
       • Do not feed Scott donuts…
    6. THINGS TO COVER
    7. THINGS WE WON’T BE COVERING
       • http://go.spdan.com/kerberos2010
       • http://go.spdan.com/kerberos2013
       • http://go.spdan.com/multihopwinrm
    8. SECURITY
    9. SPOILER ALERT!!! http://xkcd.com/1240/
    10. SECURITY IN GENERAL
    11. SECURITY IN GENERAL
    12. SECURITY CONCERNS IN TODAY’S WORLD
    13. IDENTIFICATION – WHAT IS?
    14. IDENTIFICATION – TYPES OF…
    15. HOW DO WE PROTECT IDENTITY?
    16. AUTHENTICATION – WHAT IS?
    17. AUTHORIZATION – WHAT IS?
       • The act of authorizing.
       • Permission or power granted by an authority; sanction.
       • To give authority or official power to.
       • To give authority for; formally sanction (an act or proceeding).
       • To establish by authority or usage.
       • Sometimes we call it AuthZ.
    18. SECURITY WITH SHAREPOINT
    19. SECURITY WITH SHAREPOINT
    20. AUTHN – TYPES OF…
       • Windows
         • NTLM/Kerberos
         • Basic
         • Anonymous
         • Digest
         • Client Certificate
       • Forms-based Authentication
         • Lightweight Directory Access Protocol (LDAP)
         • Microsoft SQL Server
         • ASP.NET Membership and Role Providers
    21. AUTHN – STILL MORE TYPES OF…
       • SAML Token-based Authentication
         • Active Directory Federated Services
         • 3rd Party Identity Provider
         • Lightweight Directory Access Protocol (LDAP)
    22. AUTHENTICATION VS. AUTHORIZATION
    23. AUTHN VS. AUTHZ (CONTINUED)
    24. AUTHENTICATION – CLAIM TERMINOLOGY
       • Identity
         • Info about a Person or Object (AD, Google, Windows Live, Facebook etc.)
       • Claim
         • Attributes of the Identity (User ID, Email, Age etc.)
       • Token
         • Binary Representation of Identity
         • Set of Claims and the Signature
       • Relying Party (aka RP)
         • Consumes the user’s Token
       • Secure Token Service (STS)
         • Issuer of Tokens for Users
       • SharePoint 2010 Introduced Claims Authentication
         • What is this? http://go.spdan.com/cba
    25. AUTHENTICATION - CLAIMS
    26. AUTHENTICATION - CLAIMS
    27. WHAT ABOUT CLAIMS IN WINDOWS?
    28. WHAT DOES CLAIMS ENCODING LOOK LIKE? http://go.spdan.com/claimsencoding
    29. WHAT DOES CLAIMS ENCODING LOOK LIKE? http://go.spdan.com/claimsencoding
    30. BASICS OF SHAREPOINT CLASSIC AUTHN
       Source: http://go.spdan.com/iisauth (ASP.NET Authentication)
    31. BASICS OF SHAREPOINT CLAIMS AUTHN
       Actors: Identity Provider Security Token Service (aka IP-STS); SharePoint 2010 (aka RP)
       1. Resource Requested
       2. AuthN Request / Redirect
       3. AuthN Request
       4. Security Token
       5. Security Token Request
       6. Service Token
       7. Resource Request w/Service Token
       8. Resource Sent
    32. SIDE STORY
    33. A SHAREPOINT CONSULTANT ENTERS A BAR…
    34. AUTHN - MEMBERSHIP & ROLE PROVIDERS
    35. AUTHN - MEMBERSHIP & ROLE PROVIDERS
    36. AUTHN – CUSTOM IDENTITY PROVIDER
    37. AUTHN – CUSTOM IDENTITY PROVIDER
    38. AUTHN - PROXY SERVER
    39. AUTHN - DIRECT ACCESS
    40. WINDOWS AZURE ACTIVE DIRECTORY
    41. WINDOWS AZURE ACTIVE DIRECTORY
    42. IDENTITY PROVIDERS https://sts.domain.com
    43. AUTHZ
    44. SHAREPOINT AUTHZ (diagram labels)
       • Decision path: Anonymous? → Authentication → Is In Site Group? → Does user have claim attribute?
       • Layers: Web Application / Site Collection; Secured Site / Site Collection / Content; Content Repository; Content
    45. AUTHZ - LIMITING ACCESS CONTROL
    46. AUTHZ - OFFICE 365 AND EXTERNAL USERS
    47. AUTHZ - OFFICE 365 AND EXTERNAL USERS
    48. EXPECT THE UNEXPECTED
    49. REAL WORLD
    50. WHAT DO I DO WHERE?
    51. SECURITY IN THE REAL WORLD
       • Expect the unexpected
       • People will find a way to circumvent your security
       • Give users minimal permission
         • Starting with less is good
         • Add functionality through permission as needed
       • Be prepared to secure at all levels
         • Web Application
         • Site Collection
         • Site
         • List or Library
         • Item
       • Use roles from Provider
         • Active Directory Groups
         • Membership and Role Provider Roles
         • Claims
    52. QUESTIONS
    53. CATCH UP WITH US…
       • Usher_Daniel@bah.com, @binarybrewery, www.sharepointdan.com
       • Scott.hoag@appliedis.com, @ciphertxt, http://psconfig.com
    54. THANK YOU EVENT SPONSORS
       • Platinum & Gold sponsors have tables here in the Fireside Lounge
       • Please visit them and inquire about their products & services
       • To be eligible for prizes make sure your bingo card is signed by all Platinum/Gold
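As an added example that is not part of the deck, this is the SharePoint (RP) side of the IP-STS trust sketched on slide 31, registered from the SharePoint Management Shell with ADFS as the trusted identity provider (slide 21) and the sts.domain.com endpoint from slide 42. The certificate path, realm, web application URL and the two claim types are assumptions chosen for illustration.

```powershell
# Added example: register ADFS as a SharePoint trusted identity provider (relying-party side of the trust).
# Run in the SharePoint Management Shell on a farm server. Paths, realm and URLs below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$signingCertPath = "C:\certs\adfs-token-signing.cer"   # ADFS token-signing certificate, public key only
$realm           = "urn:sharepoint:portal"              # must match the relying party identifier set in ADFS
$signInUrl       = "https://sts.domain.com/adfs/ls/"    # passive sign-in endpoint of the IP-STS (slide 42)
$webAppUrl       = "https://portal.domain.com"          # web application that will accept the tokens

# 1. Trust the IP-STS signing certificate so the RP can validate the signature on each token it receives.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# 2. Map incoming claims. The identifier claim must be unique and stable per user; e-mail is used here.
#    A role claim is passed through so AD group membership can drive authorization (slide 51).
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Create the trusted identity token issuer: realm, signing cert, claim mappings and sign-in URL.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS as trusted identity provider" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $signInUrl -IdentifierClaim $emailClaim.InputClaimType

# 4. Enable it on the Default zone next to Windows (NTLM/Kerberos) so farm administrators keep a
#    Windows sign-in path and are not locked out if the federation trust breaks.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trustedProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windowsProvider, $trustedProvider

# 5. Verify the registered trust: expected signing certificate and claim mappings, nothing extra.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" |
    Select-Object Name, SigningCertificate, ClaimTypeInformation, ProviderRealms
```

The relying party identifier, claim rules and token-signing certificate must be configured on the ADFS side to match; rotating the ADFS signing certificate requires updating the issuer here as well, or token validation will fail.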