SharePoint Saturday The Conference DC - Are you who you say you are share point authentication and authorization
Are you who you say you are? SharePoint Authentication and Authorization
Liam Cleary, Solution Architect | SharePoint MVP

My name is Steve, honest.

About Me
• Solution Architect @ SusQtech (Winchester, VA)
• SharePoint MVP since 2007
• Working with SharePoint since 2002
• Worked on all kinds of projects
  • Internet
  • Intranet
  • Extranet
  • Anything SharePoint really
• Involved in architecture, deployment, customization and development of SharePoint

"You can teach a student a lesson for a day; but if you can teach him / her to learn by creating curiosity, they will continue the learning process as long as they live." (Clay P. Bedford)

I am hoping for a different kind of curiosity today.
Agenda
• Security in General
• Security with SharePoint
• Authentication
• Authorization
• Authentication vs. Authorization
• Claims Authentication / Authorization
• Real world approach

Security in General
Dictionary definition:
• Freedom from danger, risk, etc.; safety.
• Freedom from care, anxiety, or doubt; well-founded confidence.
• Something that secures or makes safe; protection; defense.
• Freedom from financial cares or from want: "The insurance policy gave the family security."
• Precautions taken to guard against crime, attack, sabotage, espionage.

Security with SharePoint
• Isn't this an oxymoron? Just kidding!!

Security with SharePoint
How does security come into play with SharePoint?
• Same questions as for security in general
  • How, who, when and often why
• Content-specific security
• Role-based as well as individual security
• Collaboration security
  • Cross team
  • Cross organizational
  • Cross company
• Specific permission sets for types of access and functionality

Authentication – What is?
Dictionary definition:
• To establish as genuine.
• To establish the authorship or origin of conclusively or unquestionably, chiefly by the techniques of scholarship: "to authenticate a painting."
• To make authoritative or valid.

Authentication – Types of?
• Windows
  • NTLM
  • Kerberos
  • Basic
  • Anonymous
  • Digest
• Forms-based Authentication
  • Lightweight Directory Access Protocol (LDAP)
  • Microsoft SQL Server
  • ASP.NET Membership and Role Providers
• SAML Token-based Authentication
  • Active Directory Federation Services
  • 3rd-party Identity Provider
  • Lightweight Directory Access Protocol (LDAP)

Authorization – What is?
Dictionary definition:
• The act of authorizing.
• Permission or power granted by an authority; sanction.
• To give authority or official power to.
• To give authority for; formally sanction (an act or proceeding).
• To establish by authority or usage.
Authentication vs. Authorization
• Misunderstood terminology
  • By users, IT and developers alike
• Authentication = verification of a claim ("I am Liam")
• Authorization = verification of a permission ("Liam has access to ...")
• Authentication precedes authorization
  • Correct ID shown to the bank teller
  • You are asking to be authenticated on the account
  • Once accepted you become authorized on the account
• Exception to the rule
  • Anonymous access can leave comments on a blog site
  • Anonymous users are already authorized but not authenticated
• Too often we focus on authentication and not authorization
• We expect our users, clients etc. to just inherently know what they are allowed to do
• We often forget that authentication can be broken; authorization is slightly more complicated to get right

Authentication – Claims
SharePoint 2010 introduced claims authentication.

Authentication – Claims
Why introduce claims authentication?
• Wide support
• Standards based
  • WS-Federation 1.1
  • WS-Trust 1.4
  • SAML 1.1 token for AuthN
• Single Sign-On
• Federation
  • Already many providers: Live, Google, Facebook etc.
• Microsoft's standard approach
  • Fed up with custom coding everything, every time
• Gets round (some) Office integration problems
• "Easy to configure with little effort"
  • Multiple web.config changes, web application changes, and then of course the actual configuration of your identity provider
Authentication – Claim Terminology
• Identity
  • Information about a person or object (AD, Google, Windows Live, Facebook etc.)
• Claim
  • An attribute of the identity (user ID, email, age etc.)
• Token
  • Binary representation of the identity
  • A set of claims plus the issuer's signature over them
• Relying Party (aka RP)
  • The application that consumes the user's token and trusts its issuer (here, SharePoint)
• Security Token Service (STS)
  • Issuer of tokens for users

Authentication – Sign In Process
Actors in the original diagram: Identity Provider (aka IP-STS), SharePoint 2010 (aka RP) and the SharePoint 2010 Security Token Service.
1. Resource requested (browser to SharePoint)
2. AuthN request / redirect (SharePoint sends the browser to the IP-STS)
3. AuthN request (browser authenticates at the IP-STS)
4. Security token (IP-STS returns a signed SAML token)
5. Security token request (browser presents the SAML token to the SharePoint STS)
6. Service token (SharePoint STS validates the IP-STS token and issues its own token)
7. Resource request with service token
8. Resource sent
The SharePoint STS only accepts step-5 tokens signed by an issuer it has been configured to trust; that trust relationship is what makes the IP-STS's signature meaningful to the relying party.
Sign-In Process with Identity Provider: DEMO

Authentication – Identity Provider
• No need for Membership and Role Providers
• Single Sign-On built in
• Centrally managed, single entry point for all authentication
• Utilizes Windows Identity Foundation (WIF)
How to build an Identity Provider
• Create a new ASP.NET Security Token Service Web Site
• Configure certificate settings and issuer name in <appSettings>
  • Check the issuer name against the certificate in the Certificates MMC
• Create a new claims-aware ASP.NET Web Site (for testing)
  • Add an STS reference to the claims-aware web site
  • Set claims
• Test
• The real world will need code changes:
  • Connect to the authentication system
  • Modify claims
  • Authentication logic

Create Identity Provider: DEMO

Authentication – Identity Provider
• Deploy into a separate web site
  • https://sts.company.com
• Use SSL for all communication
• Ensure SharePoint 2010 trusts the certificate used by the provider to sign tokens
• Methods to override:
  • Authenticate User
  • GetClaimTypeForRole
  • GetOutputClaimsIdentity
• Create a User class with methods to get values from the backend into claims
• Create a Claim Types class
• Create custom login methods and validation
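The identity-provider steps above (a new STS web site, the GetOutputClaimsIdentity override, connecting to your own authentication system and shaping the claims) as an added C# example; this is not code from the deck or from SusQtech. It targets WIF 1.0 (the Microsoft.IdentityModel assembly SharePoint 2010 uses), takes the issuer name https://sts.company.com from the deck, and assumes a hypothetical IMemberDirectory backend plus two assumed relying-party URLs. Who the user is has already been decided by the site's login page before the STS runs; the STS only turns that authenticated name into signed claims, and refuses to mint a token for any relying party it has not been told to trust.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Hypothetical backend (stands in for the "custom association management system"):
// the STS reads email and roles from it and turns them into claims.
public interface IMemberDirectory
{
    string GetEmail(string userName);
    IEnumerable<string> GetRoles(string userName);
}

public class AssociationStsConfiguration : SecurityTokenServiceConfiguration
{
    private readonly IMemberDirectory _directory;

    // Issuer name must match what SharePoint is told when the trusted provider is registered;
    // the signing certificate is the one SharePoint must trust (deck: "ensure SharePoint trusts the certificate").
    public AssociationStsConfiguration(X509Certificate2 signingCert, IMemberDirectory directory)
        : base("https://sts.company.com", new X509SigningCredentials(signingCert))
    {
        _directory = directory;
        SecurityTokenService = typeof(AssociationSts);
    }

    // WIF instantiates the STS through this factory; overriding it lets us pass the backend in.
    public override SecurityTokenService CreateSecurityTokenService()
    {
        return new AssociationSts(this, _directory);
    }
}

public class AssociationSts : SecurityTokenService
{
    // Assumed relying parties. Anything else asking for a token is refused, so a stolen
    // or forged request cannot obtain a token "AppliesTo" an attacker-controlled site.
    private static readonly HashSet<string> TrustedRelyingParties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://intranet.company.com/",
            "https://extranet.company.com/",
        };

    private readonly IMemberDirectory _directory;

    public AssociationSts(SecurityTokenServiceConfiguration config, IMemberDirectory directory)
        : base(config)
    {
        _directory = directory;
    }

    // Decides whom the token is for and how it is signed.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null ||
            !TrustedRelyingParties.Contains(request.AppliesTo.Uri.AbsoluteUri))
        {
            throw new InvalidRequestException("Token requested for an untrusted relying party.");
        }

        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri,
                              SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false; // SharePoint 2010 expects a signed, unencrypted SAML 1.1 token
        scope.ReplyToAddress = string.IsNullOrEmpty(request.ReplyTo)
            ? scope.AppliesToAddress
            : request.ReplyTo;
        return scope;
    }

    // Decides what the token says: the claims the relying party will see.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // The login page authenticated the caller; never issue claims for an anonymous principal.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            throw new InvalidRequestException("Caller is not authenticated.");
        }

        string userName = principal.Identity.Name;
        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, userName));
        identity.Claims.Add(new Claim(ClaimTypes.Email, _directory.GetEmail(userName)));
        foreach (string role in _directory.GetRoles(userName))
        {
            // Role claims are what SharePoint's authorization side will grant permissions to.
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));
        }
        return identity;
    }
}
```

The claim type chosen for ClaimTypes.Email (or whichever claim you pick) has to be the one SharePoint is configured to use as the identity claim when the trusted provider is registered; if the two disagree, users authenticate successfully at the STS and are still rejected by SharePoint.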
Security – Real World
• Expect the unexpected
• People will find a way to circumvent your security
• Give users minimal permissions
  • Starting with less is good
  • Add functionality through permissions as needed
• Be prepared to secure at all levels
  • Web Application
  • Site Collection
  • Site
  • List or Library
  • Item
• Use roles from the provider
  • Active Directory groups
  • Membership and Role Provider roles
  • Claims

Security – Real World

Authentication – Real World
Requirements
• Multiple web sites
  • Hundreds of thousands of users
  • No Active Directory
  • Custom association management system for subscribed users
• Single user profiles
  • Single entry point for profile updates etc.
• External authentication for SSO
  • Token-based authentication service for vendors if needed
• Cross web application authentication (internal SSO)
• Use identity normalization

Thank You
• Personal email: liamcleary@msn.com
• Work: http://www.susqtech.com
• Twitter: @helloitsliam
• Blog: www.helloitsliam.com
• Session: Fri-S4A-104
• Room: CN 117
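Three of the points above (minimal permissions, securing down to the item level, and using the provider's roles as claims) as an added C# example against the SharePoint 2010 server object model; it is not from the deck. It assumes a trusted identity provider registered in SharePoint under the hypothetical name "Company STS", the standard WS-2008 role claim type, and that the permission check runs in the context of the user being checked (not inside RunWithElevatedPrivileges).

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;

public static class ClaimsAuthorization
{
    // Assumed: the -Name given when the trusted identity token issuer was registered.
    private const string TrustedIssuerName = "Company STS";

    // Standard role claim type; it must match the claim type the STS puts in the token.
    private const string RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

    // Least privilege: a role claim from the trusted provider gets Read on ONE list,
    // not on the web or site collection, and the list stops inheriting its parent's assignments.
    public static void GrantRoleReadOnList(SPWeb web, string listTitle, string roleValue)
    {
        var roleClaim = new SPClaim(
            RoleClaimType,
            roleValue,
            "http://www.w3.org/2001/XMLSchema#string",
            SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, TrustedIssuerName));

        // SharePoint stores claims principals in encoded form (e.g. "c:0-.t|Company STS|Members").
        string encodedClaim = SPClaimProviderManager.Local.EncodeClaim(roleClaim);

        SPList list = web.Lists[listTitle];
        if (!list.HasUniqueRoleAssignments)
        {
            // false: do not copy the parent's role assignments; start from nothing and add only what is needed.
            list.BreakRoleInheritance(false);
        }

        SPPrincipal principal = web.EnsureUser(encodedClaim);
        var assignment = new SPRoleAssignment(principal);
        assignment.RoleDefinitionBindings.Add(web.RoleDefinitions.GetByType(SPRoleType.Reader));
        list.RoleAssignments.Add(assignment);
    }

    // Authorization at the item level. Being authenticated (having a token at all) is not enough;
    // the check is against the effective permissions of the current user on this specific item.
    public static bool CurrentUserCanEdit(SPListItem item)
    {
        return item.DoesUserHavePermissions(SPBasePermissions.EditListItems);
    }

    // Pattern for code paths that must later elevate: decide authorization first, as the user,
    // then do the privileged work. Checking after elevation would test the app pool account instead.
    public static void UpdateItemIfAuthorized(SPListItem item, string fieldName, object value)
    {
        if (!CurrentUserCanEdit(item))
        {
            throw new UnauthorizedAccessException("User is not authorized to edit this item.");
        }

        item[fieldName] = value;
        item.Update();
    }
}
```

Because the role assignment is keyed on the encoded claim, it only matches tokens whose role claim carries the same value and the same original issuer; a role of the same name from a different provider, or from forms-based authentication, gets nothing.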