SharePoint Saturday Austin - SharePoint authentication and authorization
Transcript

  • 1. SharePoint Authentication and Authorization
      Liam Cleary, Solution Architect | SharePoint MVP
  • 2. Thank you for being a part of the first SharePoint Saturday Austin
      • Please turn off all electronic devices or set them to vibrate.
      • If you must take a phone call, please do so in the hall so as not to disturb others.
      • Open wireless access is available with no password.
      • Feel free to “tweet and blog” during the session.
      • Thanks to our Title Sponsors!
  • 3. About Me
      • Solution Architect @ SusQtech (Winchester, VA)
      • SharePoint MVP since 2007
      • Working with SharePoint since 2002
      • Worked on all kinds of projects
          • Internet
          • Intranet
          • Extranet
          • Anything SharePoint, really
      • Involved in Architecture, Deployment, Customization and Development of SharePoint
  • 4. You can teach a student a lesson for a day; but if you can teach him / her to learn by creating curiosity, they will continue the learning process as long as they live. Clay P. Bedford
  • 5. I am hoping for a different kind of Curiosity today 
  • 6. Agenda
      • Security in General
      • Security with SharePoint
      • Authentication
      • Authorization
      • Authentication vs. Authorization
      • Claims Authentication / Authorization
      • Options Available
          • Membership & Role Providers
          • Identity Provider
          • Cloud Based Services
      • Art of Authorization
      • Things to Remember
  • 7. Security in General
      Dictionary Definition:
      • Freedom from danger, risk, etc.; safety.
      • Freedom from care, anxiety, or doubt; well-founded confidence.
      • Something that secures or makes safe; protection; defense.
      • Freedom from financial cares or from want: "The insurance policy gave the family security."
      • Precautions taken to guard against crime, attack, sabotage, espionage.
  • 8. Security with SharePoint • Isn't this an oxymoron? Just kidding!!
  • 9. Security with SharePoint
      How does security come into play with SharePoint?
      • Same questions as for security in general: How, Who, When and often Why
      • Content-specific security
      • Role-based as well as individual security
      • Collaboration security
          • Cross Team
          • Cross Organizational
          • Cross Company
      • Specific permission sets for types of access and functionality
  • 10. Authentication – What is it?
      Dictionary Definition:
      • To establish as genuine.
      • To establish the authorship or origin of conclusively or unquestionably, chiefly by the techniques of scholarship: to authenticate a painting.
      • To make authoritative or valid.
  • 11. Authentication – Types
      • Windows
          • NTLM
          • Kerberos
          • Basic
          • Anonymous
          • Digest
      • Forms-based Authentication
          • Lightweight Directory Access Protocol (LDAP)
          • Microsoft SQL Server
          • ASP.NET Membership and Role Providers
      • SAML Token-based Authentication
          • Active Directory Federation Services
          • 3rd Party Identity Provider
          • Lightweight Directory Access Protocol (LDAP)
  • 12. Authorization – What is it?
      Dictionary Definition:
      • The act of authorizing.
      • Permission or power granted by an authority; sanction.
      • To give authority or official power to.
      • To give authority for; formally sanction (an act or proceeding).
      • To establish by authority or usage.
  • 13. Authentication vs. Authorization
      • Misunderstood Terminology (by Users, IT and Developers alike)
      • Authentication = Verification of a Claim ("I am Liam")
      • Authorization = Verification of Permission ("Liam has access to ...")
      • Authentication Precedes Authorization
          • Correct ID shown to the Bank Teller
          • You are asking to be Authenticated on the Account
          • Once accepted, you become Authorized on the Account
      • Exception to the rule
          • Anonymous Access can leave comments on a Blog site
          • Anonymous users are already Authorized but not Authenticated
      • Too often we focus on Authentication and not Authorization
          • We expect our users, clients etc. to just inherently know what they are to do
          • We often forget that Authentication can be broken, but Authorization is slightly more complicated
  • 14. Authentication – Claims
      SharePoint 2010 introduced Claims Authentication
  • 15. Authentication – Claims
      Why introduce Claims Authentication?
      • Wide Support
      • Standards Based
          • WS-Federation 1.1
          • WS-Trust 1.4
          • SAML Token 1.1 AuthN
      • Single Sign-On
      • Federation
          • Already many providers: Live, Google, Facebook etc.
      • Microsoft standard approach
          • Fed up with custom coding everything, every time
      • Gets round (some) Office Integration problems
      • Easy to configure with little effort
          • Multiple web.config changes, Web Application changes and then of course the actual configuration of your identity provider
  • 16. Authentication – Claim Terminology
      • Identity
          • Info about a Person or Object (AD, Google, Windows Live, Facebook etc.)
      • Claim
          • Attributes of the Identity (User ID, Email, Age etc.)
      • Token
          • Binary Representation of the Identity
          • Set of Claims and the Signature
      • Relying Party (aka RP)
          • The application that consumes the User's Token (SharePoint 2010 in the Sign-In Process on the next slide)
      • Security Token Service (STS)
          • Issuer of Tokens for Users
  • 17. Authentication – Sign-In Process
      Actors: Identity Provider Security Token Service (aka IP-STS) and SharePoint 2010 (aka RP)
      1. Resource Requested
      2. AuthN Request / Redirect
      3. AuthN Request
      4. Security Token
      5. Security Token Request
      6. Service Token
      7. Resource Request w/ Service Token
      8. Resource Sent
  • 18. DEMO Sign-In Process with Identity Provider
  • 19. Authentication – Membership & Role Providers
      • Classic .NET approach
      • Support Local Authentication Store
      • Support Remote Authentication Stores
          • Web Services, Remote Database Calls
      • No inherent Single Sign-On
          • Custom Code to achieve this, namely cookie based
      • Full support for base .NET Providers
          • Membership Provider – User Accounts and Authentication
          • Role Provider – Equivalent of Groups, the Authorization element
      • Specific Configuration needed for each Web Application
          • Central Administration
          • Secure Token Service
          • Web Application
      • Extensive “web.config” entries needed
      • Custom Components in SharePoint will be needed
          • Welcome Control, Login Control etc.
  • 20. Authentication – Custom Identity Provider
      • No need for Membership and Role Provider
          • Can still be used – NOTE: Membership User approach
      • Single Sign-On built in – Web Application needs to be set to require Authentication, not Anonymous
      • Centrally managed entry point for all Authentication
      • Support Local Authentication Store
      • Support Remote Authentication Stores
          • Web Services, Remote Database Calls
      • Utilizes Windows Identity Foundation
      • Can use .NET 3.5 / 4.0
      • PowerShell configuration to implement
      • Requires Trusted Certificate for Communication
      • Custom Components in SharePoint will be needed
          • Welcome Control, Login Control etc.
  • 21. Authentication – Azure Access Control Service
      • Microsoft ADFS-type Cloud Based Service
      • Central Point for offloading Authentication
      • Supports SAML 1.1 / SAML 2.0
      • Supports
          • Facebook
          • Google
          • Windows Live ID
          • Yahoo
          • Custom IdP
      • Integrate with Custom Identity Provider
          • OpenID-type authentication
      • Support for 3rd Party Integration
      • Claim Mapping through configuration
  • 22. DEMO Create Identity Provider
  • 23. Authentication – Identity Provider
      • Deployment into a separate Web Site
          • https://sts.company.com
      • Use SSL for all communication
      • Ensure SharePoint 2010 trusts the certificate being used by the Provider
      • Methods to override:
          • Authenticate User
          • GetClaimTypeForRole
          • GetOutputClaimsIdentity
      • Create User Class – methods to get values from the backend into claims
      • Create Claim Types class
      • Create custom login methods and validation
  • 24. Authorization
      • SharePoint does this after Authentication
          • Is the user a member of the group?
          • Is the user account added to the ACL of the object?
          • Does the user have the required attribute?
      • SharePoint only understands what it is told
          • e.g. just because a user has logged in does not mean they are authorized
      • Best Approach to Authorize
          • Active Directory Groups
          • Roles from Membership and Role Provider
          • Claims associated to the user
      • Don’t just add users to groups or individually – this can cause issues
      • SharePoint default is “DENY”
  • 25. SharePoint Authorization (diagram)
      Labels recoverable from the slide image, in order: Anonymous Authentication; Is In Site Group?; Does user have claim attribute?; Web Application / Site Collection; Secured Site / Site Collection / Content; Content Repository; Content
  • 26. Expect the Unexpected
  • 27. Security – Real World
      • Expect the unexpected
          • People will find a way to circumvent your security
      • Give users minimal permission
          • Starting with less is good
          • Add functionality through permission as needed
      • Be prepared to secure at all levels
          • Web Application
          • Site Collection
          • Site
          • List or Library
          • Item
      • Use roles from the Provider
          • Active Directory Groups
          • Membership and Role Provider Roles
          • Claims
  • 28. Thank You
      • Personal Email: liamcleary@msn.com
      • Work: http://www.susqtech.com
      • Twitter: @helloitsliam
      • Blog: www.helloitsliam.com
  • 29. Thanks to our Sponsors
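Added example, not from the presentation or its author: the PowerShell that registers a custom identity provider like the one on slide 23 as a trusted identity token issuer in SharePoint 2010 and enables it on a web application, which is the "trusted certificate" and "PowerShell configuration" work that slide 20 mentions. The sign-in URL https://sts.company.com comes from slide 23; the certificate path, realm, claim types, provider name and web application URL are assumed placeholders.

```powershell
# Added example (not the presenter's code). Registers a WS-Federation identity
# provider as a trusted identity token issuer in SharePoint 2010.
# Assumed values: certificate path, realm, provider name, web application URL.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the certificate the STS signs tokens with (slides 20/23).
#    Import the public key only; the private key must stay on the STS.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\sts-token-signing.cer")
New-SPTrustedRootAuthority -Name "Company STS Token Signing" -Certificate $signingCert

# 2. Map the incoming claims SharePoint should keep. The identifier claim must be
#    unique per user; role claims are what authorization (slide 24) can target.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the provider. The realm is the wtrealm SharePoint (the RP) sends in
#    step 2 of the sign-in process and the STS must check before issuing a token.
$realm = "urn:sharepoint:portal"          # assumed
$signInUrl = "https://sts.company.com/"   # from slide 23
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Company STS" `
    -Description "Custom identity provider (slide 23)" `
    -Realm $realm -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailClaim,$roleClaim `
    -SignInUrl $signInUrl -IdentifierClaim $emailClaim.InputClaimType

# 4. Enable it on the web application's Default zone next to Windows auth.
#    Slide 20: the web application must require authentication (no anonymous)
#    for the built-in single sign-on to apply.
$webAppUrl = "https://portal.company.com"  # assumed
$trustedProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windowsProvider,$trustedProvider

# Confirm what was registered (realm, sign-in URL, claim mappings).
Get-SPTrustedIdentityTokenIssuer -Identity "Company STS"
```

Run this once from the SharePoint 2010 Management Shell as a farm administrator. Keeping the STS on its own SSL site (slide 23) and importing only its public signing certificate means a compromise of the web front ends does not expose the key that mints tokens; rotating that certificate is then a matter of re-running steps 1 and 3.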
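Added example, not from the presentation or its author: a read-only PowerShell audit that walks a site collection and reports where permission inheritance is broken and which principals hold rights there, so the points on slides 24 and 27 (prefer groups, roles and claims over individually added users; least privilege; secure every level from web application down to item) can be checked against a real farm. The site collection URL is an assumed placeholder; the script changes nothing.

```powershell
# Added example (not the presenter's code). Reports unique permission scopes
# and who is granted what, for the practices on slides 24 and 27.
# Assumed value: the site collection URL. Written for the PowerShell 2.0
# shell that ships with SharePoint 2010.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-RoleAssignmentReport {
    # $Scope is any SPWeb or SPList (both implement ISecurableObject).
    param($Scope, [string]$ScopeUrl, [string]$Level)
    foreach ($ra in $Scope.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        # "Limited Access" is a side effect of a grant further down, not a grant itself.
        if ($roles -eq "" -or $roles -eq "Limited Access") { continue }
        New-Object PSObject -Property @{
            Level        = $Level
            Url          = $ScopeUrl
            Principal    = $ra.Member.Name
            IsDirectUser = ($ra.Member -is [Microsoft.SharePoint.SPUser])  # slide 24: avoid this
            Roles        = $roles
        }
    }
}

$site = Get-SPSite "https://portal.company.com"   # assumed
$report = @()
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Site level: only webs that stopped inheriting from their parent.
            if ($web.HasUniqueRoleAssignments) {
                $report += Get-RoleAssignmentReport -Scope $web -ScopeUrl $web.Url -Level "Site"
            }
            # List / library level (slide 27): same test per list.
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    $report += Get-RoleAssignmentReport -Scope $list -ScopeUrl $list.DefaultViewUrl -Level "List"
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

# Finding 1: users granted directly rather than through a group, role or claim.
"Direct user grants:"
$report | Where-Object { $_.IsDirectUser } | Format-Table Level, Url, Principal, Roles -AutoSize

# Finding 2: Full Control handed out below the site level, where least privilege
# (slide 27) usually calls for Contribute or Read.
"Full Control on lists:"
$report | Where-Object { $_.Level -eq "List" -and $_.Roles -match "Full Control" } | Format-Table Url, Principal -AutoSize

$report | Export-Csv -Path ".\permission-audit.csv" -NoTypeInformation
```

Item-level unique permissions are deliberately left out because enumerating every item is expensive on large libraries; if the list-level report is clean, extend the same `HasUniqueRoleAssignments` check to `$list.Items` for the lists that matter. Because SharePoint defaults to deny (slide 24), every row in this report is an explicit grant someone made, which is exactly the set worth reviewing.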