SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud

Presentation given at SharePoint Saturday Cincinnati October 27, 2012

Published in: Technology
  • This is all admin/IT pro stuff…
  • Liam Cleary makes a good point about how anonymous access is one case where Authorization precedes Authentication.
  • Liam Cleary’s analogy of drivers licenses and vehicle registrations; police officers. HTTP 302 redirects. Can verify this with Fiddler.
  • Claims opens up all the doors to you…FBA, Trusted Identity Providers (external-outside world)
  • Can always go from Classic to Claims, can’t go back!!!
  • Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
  • This is all admin/IT pro stuff…
  • Here is where the devs get to do cool stuff!
  • SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud

Slide 1
  • Authentication vs. Authorization
  • Claims Authentication in SharePoint 2010
  • Integrating Facebook from scratch
    ▪ New SharePoint 2010 web application
    ▪ Adding an Azure Access Control Service (ACS) Trusted Identity Provider (Facebook)
    ▪ Going “beyond authentication” to surface Facebook data in SharePoint and vice versa

Slide 2
  • How many of you are…
    ▪ Developers?
    ▪ System administrators?
    ▪ IT professionals?
    ▪ Others?
  • Integrating SharePoint 2010 with an identity provider such as Facebook will present different challenges for each role

Slide 3
  • Authentication (AuthN) is the process of validating a user’s identity
  • SharePoint never performs authentication
  • If the login prompt keeps appearing, think authentication issue!
    ▪ Unless it’s the dreaded loopback check!

Slide 4
  • Authorization (AuthZ) is the process of determining the resources, features, etc. to which an authenticated user has access
  • If you see “Access Denied” errors, think authorization issue!

Slide 5
  • What is a claim?
  • A piece of information describing a user
    ▪ Name
    ▪ Email Address
    ▪ Role/Group membership
    ▪ Age
    ▪ Hire Date
  • Whose claims do I trust, and which claims affect authorization decisions I make?

Slide 6
  • Token: serialized set of claims about an authenticated user, digitally signed by the token’s issuer
  • Identity Provider (IP): validates user credentials
  • Security Token Service (STS): builds, signs, and issues tokens containing claims
  • Relying Party (RP): application that makes authorization decisions based on claims (SharePoint 2010)

Slide 7
  • Decoupling of authentication logic from authorization and personalization logic
  • Applications no longer need to determine who the user is; they receive claims identifying the user
  • Great for developers who rarely want to work with identity!
  • Provides a common way for applications to acquire the identity information they need about users

Slide 8
  1. “I’d like to access this protected resource.”
  2. “I don’t know who you are. Identity provider, authenticate him.”
  3. “My user ID is Danny and my password is BaCoNbAcOn!!1.”
  4. “Hi, Danny. Here is a token you can use containing attributes about you.”
  5. “I’d like to access this resource; hopefully it has the proof you need to authorize me!”
  (Diagram label: SharePoint 2010, the relying party)

Slide 9
  • Claims Based Authentication (Tokens)
    ▪ Windows Authentication: NTLM/Kerberos, Basic
    ▪ Forms-Based Authentication (ASP.NET Membership provider and Role manager)
    ▪ Other Trusted Identity Providers (like Facebook!)
  • Classic Mode Authentication (“Old School”)
    ▪ Windows Authentication (NTLM/Kerberos) only
  • Both map authenticated users to SPUser objects (security principals)

Slide 10
  • The single biggest decision of your life!
  • Updated TechNet guidance: “For new implementations of SharePoint Server 2010, we recommend claims-based authentication.” (the earlier wording was “you should consider”)
    ▪ http://technet.microsoft.com/en-us/library/cc262350.aspx

Slide 11
  • Allows users to choose how to authenticate when multiple providers are configured (Mixed Authentication)
  • /_login/default.aspx
  • Custom code opportunity
    ▪ http://bit.ly/IR0eRR

Slide 12
  • Code behind:

    IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
    GridView1.DataSource = claimsIdentity.Claims;
    Page.DataBind();

  • http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32

Slide 13
  • Demo #1
Slide 14
  • Cloud-based service that provides an easy way of authenticating and authorizing users to gain access to web applications
  • Includes support for Windows Live ID, Google, Yahoo, and Facebook
  • Also includes support for Active Directory Federation Services (AD FS) 2.0
  • Simple browser-based management portal
  • $1.99 per 100k transactions (free until Nov. 30!)

Slide 15
  • Three things must be done to add support for users to log in to SharePoint via Facebook:
    1. Create a Facebook application
       ▪ https://developers.facebook.com/apps
    2. Configure ACS for Facebook support
       ▪ Permissions you will request from Facebook users
       ▪ Relying Party application and Rule Group setup
    3. Configure ACS as a Trusted Identity Provider in SharePoint

Slide 16
  • No! You can integrate external identity providers with SharePoint without ACS
    ▪ You have no choice if you want to use identity providers not currently supported by ACS (such as LinkedIn or Twitter)
  • You will need to write your own code to:
    ▪ Ensure the user has logged in to the IP
    ▪ Obtain claim information from the IP
    ▪ Package and sign tokens (your own STS)

Slide 17
  • Demo #2

Slide 18
  • Click “Create New App”
  • Provide Display Name and Namespace
  • Note App ID and App Secret values
  • Provide Website URL to ACS

Slide 19
  • Demo #3

Slide 20
  • From the ACS management portal, add a new Identity Provider

Slide 21
  • Enter App ID and App Secret values from the Facebook application you created earlier
  • Enter a comma-delimited list of Application Permissions you want to request
    ▪ https://developers.facebook.com/docs/reference/api/permissions/
  • In our demo, we will request:
    ▪ email,user_location,user_hometown,user_website,user_work_history,publish_stream,user_birthday,friends_birthday,user_education_history,user_photos,user_about_me

Slide 22
  • Permissions you request will be displayed to the end user the first time they log in
  • Request the minimum subset of permissions you need
    ▪ Users are more likely to reject bigger requests

Slide 23
  • Generate Rule Group
    ▪ Named set of claim rules that define which identity claims are passed from identity providers to your relying party application
  • SharePoint will still need to be configured to make use of these claims

Slide 24
  • Configure Relying Party application
  • Provide Name, Realm, and Return URL
    ▪ Return URL: Realm + /_trust

Slide 25
  • Choose SAML 1.1 token format
  • Update Token lifetime to >600 seconds
  • Select Identity providers and Rule groups

Slide 26
  • Generate self-signed certificate

    C:\Program Files\Microsoft Office Servers\14.0\Tools>MakeCert.exe -r -pe -n "CN=dannyjessee.accesscontrol.windows.net" -sky exchange -ss my

    (Self-signed, exportable, subject key type “exchange,” store in “personal” certificate store)
  • Development only! Please use a legitimate certificate in production!

Slide 27
  • Upload this certificate (.pfx format) as the Token Signing Certificate in ACS

Slide 28
  • Demo #4

Slide 29
  • New-SPTrustedRootAuthority
    ▪ Name, Certificate (self-signed .cer made earlier)
  • New-SPClaimTypeMapping
    ▪ IncomingClaimType
    ▪ IncomingClaimTypeDisplayName
    ▪ LocalClaimType (or SameAsIncoming)
  • New-SPTrustedIdentityTokenIssuer
    ▪ Name, Realm, ImportTrustCertificate
    ▪ ClaimsMappings, SignInUrl, IdentifierClaim

Slide 30
  • Running this PowerShell script will add “Facebook” to the list of Trusted Identity Providers
  • Eligible to be added to Claims-based web applications in Central Administration

Slide 31
  • Before Facebook users will be authorized to access anything, we must grant them an appropriate level of permissions
  • Best to set a “Full Read” web application policy for users coming in from Facebook
    ▪ In a public-facing scenario, you likely won’t know specific user identities to set more granular permissions
    ▪ Not to mention the people picker issues!

Slide 32
  • Demo #5
Slide 33
  • All claims whose OriginalIssuer is TrustedProvider:Facebook
  • AccessToken is the key to all user data

Slide 34
  • Make calls to the Facebook Graph API
    ▪ https://developers.facebook.com/docs/reference/api/
  • Retrieve data about the user and his/her friends
  • Upload photos/videos, post status messages
  • Data returned from Facebook in JSON format
  • Requests to https://graph.facebook.com/...
    ▪ me/feed, me/friends, me/photos, me/videos

Slide 35
  • Demo #6

Slide 36
  • Code snippets in these slides are not complete
    ▪ Do not include proper error checking/handling
    ▪ Do not show proper impersonation of System Account where necessary
  • Please download the code
    ▪ http://facebookwebparts.codeplex.com
  • Examples use the Facebook C# SDK
    ▪ http://csharpsdk.org

Slide 37
  • Returned in a claim from Facebook
    ▪ A new AccessToken is issued each login
  • Our key to all of the data about the logged-in user
    ▪ Required for all calls to the Facebook Graph API
  • Two-hour lifetime by default
  • To leverage this token across the site, I store it in the SPWeb.AllProperties property bag
    ▪ web.AllProperties[“fbAccessToken_{loginname}”]
    ▪ AllProperties required for case sensitivity
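Added example (not code from the deck or its CodePlex project) tying slides 33 and 37 together: take the AccessToken only from claims whose OriginalIssuer is TrustedProvider:Facebook, then cache it in SPWeb.AllProperties under the per-user key. The access-token claim type URI and the elevated write are assumptions; confirm the claim type against the pass-through rule in your ACS rule group.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;   // WIF 3.5, the claims API SharePoint 2010 uses
using Microsoft.SharePoint;

// Hypothetical helper, added for illustration only.
public static class FacebookTokenHelper
{
    // Issuer SharePoint stamps on claims that arrived via the "Facebook" trusted identity provider
    private const string FacebookIssuer = "TrustedProvider:Facebook";

    // Assumption: the claim type your ACS rule group passes through for the Facebook access token
    private const string AccessTokenClaimType = "http://www.facebook.com/claims/AccessToken";

    // Returns the access token, or null when no claim from the expected issuer carries one.
    // Filtering on OriginalIssuer matters: a same-named claim minted by another provider must not be used.
    public static string GetAccessToken(IClaimsIdentity identity)
    {
        if (identity == null) return null;
        Claim tokenClaim = identity.Claims.FirstOrDefault(c =>
            string.Equals(c.OriginalIssuer, FacebookIssuer, StringComparison.OrdinalIgnoreCase) &&
            string.Equals(c.ClaimType, AccessTokenClaimType, StringComparison.OrdinalIgnoreCase));
        return (tokenClaim != null && !string.IsNullOrEmpty(tokenClaim.Value)) ? tokenClaim.Value : null;
    }

    // Stores the token in the web's property bag under the deck's per-user key.
    // Facebook users only hold Full Read, so the write runs elevated (assumption: acceptable for your site).
    public static void CacheAccessToken(SPWeb web, string loginName, string token)
    {
        string key = "fbAccessToken_" + loginName;
        Guid siteId = web.Site.ID;
        Guid webId = web.ID;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite elevatedSite = new SPSite(siteId))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb(webId))
            {
                elevatedWeb.AllowUnsafeUpdates = true;
                elevatedWeb.AllProperties[key] = token;   // AllProperties keeps the key's case
                elevatedWeb.Update();
                elevatedWeb.AllowUnsafeUpdates = false;
            }
        });
    }

    // Reads the cached token back; null means the user must log in again (two-hour lifetime).
    public static string ReadCachedAccessToken(SPWeb web, string loginName)
    {
        return web.AllProperties["fbAccessToken_" + loginName] as string;
    }
}
```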
Slide 38
  • Change to the initial display name for the SPUser, which is based on the specified IdentifierClaim
  • Make this friendlier – we know their name!

    if (SPContext.Current.Web.CurrentUser == null)
    {
        // Encoded claims login name for the trusted-provider user
        SPUser currentUser = web.EnsureUser("i:" + claimsIdentity.Name);
        currentUser.Name = givenName;
        currentUser.Update();
    }

Slide 39

    var client = new Facebook.FacebookClient(token);
    var me = (IDictionary<string, object>)client.Get("me");
    JsonObject location = me["location"] as JsonObject;
    myLocation = (string)location["name"];

  • myLocation is in City, State format
  • Parsed and sent to Weather Underground API
    ▪ http://api.wunderground.com/api/[key]/geolookup/conditions/forecast/q/[state]/[city].json

Slide 40

    var client = new Facebook.FacebookClient(token);
    var me = (IDictionary<string, object>)client.Get("me");
    SPList lstContacts = web.Lists["Contacts"];
    SPListItem item = lstContacts.Items.Add();
    item["First Name"] = (string)me["first_name"];
    item["Last Name"] = (string)me["last_name"];
    JsonArray work = me["work"] as JsonArray;
    // Most recent/current employer stored in work[0]
    JsonObject company = work[0] as JsonObject;
    JsonObject employer = company["employer"] as JsonObject;
    JsonObject position = company["position"] as JsonObject;
    item["Company"] = (string)employer["name"];
    item["Job Title"] = (string)position["name"];
    item.SystemUpdate();

Slide 41

    var client = new Facebook.FacebookClient(token);
    var me = (IDictionary<string, object>)client.Get("me/friends?fields=name,birthday");
    JsonArray friendData = me["data"] as JsonArray;
    foreach (JsonObject friend in friendData)
    {
        if (friend.ContainsKey("birthday"))
        {
            /* Some users share MM/DD of birthday, others share MM/DD/YYYY.
               We only care about MM/DD for our purposes, and Facebook always pads with leading zeros */
            string birthday = (string)friend["birthday"];
            birthMonth = int.Parse(birthday.Substring(0, 2));
            birthDate = int.Parse(birthday.Substring(3, 2));
            ...

Slide 42

    SPList lstCalendar = web.Lists["Calendar"];
    SPListItem birthdayItem = lstCalendar.Items.Add();
    birthdayItem["Title"] = name + (name.EndsWith("s") ? "' birthday" : "'s birthday");
    birthdayItem["EventDate"] = dtBirthday;
    birthdayItem[SPBuiltInFieldId.Duration] = 60 * 60 * 24;
    birthdayItem[SPBuiltInFieldId.EventType] = 1;
    birthdayItem[SPBuiltInFieldId.fRecurrence] = true;
    birthdayItem[SPBuiltInFieldId.fAllDayEvent] = true;
    // RecurrenceData is XML, so the attribute values must be quoted
    string recurrence =
        "<recurrence><rule><firstDayOfWeek>su</firstDayOfWeek>" +
        "<repeat><yearly yearFrequency='1' month='" + birthMonth.ToString() +
        "' day='" + birthDate.ToString() + "' /></repeat>" +
        "<windowEnd>2014-01-01T00:00:00Z</windowEnd></rule></recurrence>";
    birthdayItem["RecurrenceData"] = recurrence;
    birthdayItem.SystemUpdate();

Slide 43

    var client = new Facebook.FacebookClient(token);
    Dictionary<string, object> dict = new Dictionary<string, object>
    {
        { "title", "I know how to post videos to Facebook...from SharePoint!" },
        { "description", "See more at SPS Cincinnati October 27, 2012!" },
        { "vid1", new FacebookMediaObject { ContentType = "video/x-flv", FileName = "facebook.flv" }
                      .SetValue(File.ReadAllBytes(@"C:\facebook.flv")) }
    };
    client.PostAsync("me/videos", dict);

Slide 44

    var client = new Facebook.FacebookClient(token);
    Dictionary<string, object> dict = new Dictionary<string, object>();
    dict.Add("message", "Yay for Claims-Based Identity, Facebook, SharePoint, and Bacon!");
    dict.Add("link", "http://sharepointsaturday.org/cincinnati");
    dict.Add("picture", "http://www.sharepointsaturday.org/cincinnati/SiteImages/ScarePointSpookinnati.jpg");
    dict.Add("name", "SharePoint Saturday Cincinnati");
    dict.Add("caption", "October 27, 2012");
    dict.Add("description", "Come see my presentation about Claims-Based Identity in SharePoint 2010 at SPS Cincinnati!");
    client.PostAsync("me/feed", dict);

Slide 45
  • Ensure “Allow users to edit values for this property” flag is set

    SPServiceContext sc = SPServiceContext.GetContext(site);
    UserProfileManager userProfileManager = new UserProfileManager(sc);
    UserProfile profile = userProfileManager.GetUserProfile(true);
    profile[PropertyConstants.StatusNotes].Value = txtStatus.Text;
    profile.Commit();

Slide 46
  • Silverlight application courtesy MossLover
  • Interfaces with the user’s webcam, saves captured images to document library

Slide 47
  • Added event handler to upload to Facebook

    string contentType = "image/jpeg";
    var client = new Facebook.FacebookClient(fbAccessToken);
    Dictionary<string, object> dict = new Dictionary<string, object>
    {
        { "message", "Uploaded picture from Silverlight webcam image capture in SharePoint!" },
        { "pic1", new FacebookMediaObject { ContentType = contentType, FileName = properties.ListItem.File.Name }
                      .SetValue(properties.ListItem.File.OpenBinary()) }
    };
    client.PostAsync("me/photos", dict);