Claim Based Authentication in SharePoint 2010 for Community Day 2011
  • Identities are basically pieces of information about a person or an object, for example a user. When an identity traverses the network it is represented by an array of bytes that is referred to as a token. In claims-based identity scenarios, the array of bytes carries claims about the person or object.
  • In claims-based identity scenarios a token carries pieces of information about the user (claims) together with a digital signature applied by the issuer (the token is digitally signed). The signature is used to verify the source of the token and to protect it from unauthorized changes. A claim can be many kinds of information; for example, the user's name, age, and location are all claims within the token.
  • Tokens are issued by Security Token Service (STS) software in response to an authentication request by the user through the browser, which results in a token request. The request is authenticated in a number of ways, such as with a Kerberos ticket or with the user providing a username and password. The browser makes the request on behalf of the user and asks the Security Token Service for a token containing claims for the user. [This request uses the standard WS-Trust protocol.] The Security Token Service requests information about the user from the attribute store; with that information the STS issues the token and returns it to the browser. In SharePoint Server 2010 the Windows Identity Foundation is the fundamental component behind the native Security Token Service. It is a set of .NET Framework classes that implement essential identity functions, including receipt of tokens, digital signature verification, and access to token claims; Windows Identity Foundation is also the foundation for ADFS 2.0, and it enables developers to write their own Security Token Services. SharePoint acts as an Identity Provider (Windows and FBA). The SharePoint STS is an implementation of WS-Trust.
  • Both SharePoint Foundation and SharePoint Server 2010 move to the claims-based security model. The SharePoint 2007 authentication model is now considered legacy (classic mode).
  • Using Microsoft.IdentityModel.Claims
  • In a claim-based identity scenario you will become familiar with seeing an encoded Id preceding usernames. This slide is intended to help you understand what the values in the encoded Id represent.
  • In SharePoint Server 2010 two modes of authentication are provided, Classic Mode and Claims Mode Authentication. Classic Mode Authentication is what is referred to as Integrated Windows authentication: Active Directory authenticates the user and provides a token that SharePoint uses to get the SPUser object. The SPUser object is what SharePoint uses to perform authorization within the system. In a Claims Mode Authentication scenario we add a second step: the existing tokens are converted into SAML tokens, treated as one unified system, and used within SharePoint as the SPUser object.
  • New claims scenarios will drive support for non-Integrated Windows authentication scenarios with the Office client. The Office client supports these scenarios when the following conditions are met:
      – Office 2007 with Service Pack 2 on Windows XP with Internet Explorer 8, Windows Vista with Service Pack 2 or optionally with Internet Explorer 8, and on Windows 7.
      – Office 2010 on Windows XP with Internet Explorer 8, Windows Vista with Service Pack 2 or optionally with Internet Explorer 8, and on Windows 7.
  • Find the <Configuration> <system.web> section and add the following (for the LDAP provider):

        <!-- The "&" inside the LDAP filters must be escaped as &amp; or the web.config is not well-formed XML. -->
        <!-- useSSL="false" on port 389 sends the LDAP binds in cleartext; this sample targets the redmond.corp.microsoft.com lab domain. -->
        <membership defaultProvider="AspNetSqlMembershipProvider">
          <providers>
            <add name="membership"
                 type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
                 server="redmond.corp.microsoft.com"
                 port="389"
                 useSSL="false"
                 userDNAttribute="distinguishedName"
                 userNameAttribute="sAMAccountName"
                 userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
                 userObjectClass="person"
                 userFilter="(&amp;(ObjectClass=person))"
                 scope="Subtree"
                 otherRequiredUserAttributes="sn,givenname,cn" />
          </providers>
        </membership>
        <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
          <providers>
            <add name="roleManager"
                 type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
                 server="redmond.corp.microsoft.com"
                 port="389"
                 useSSL="false"
                 groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
                 groupNameAttribute="cn"
                 groupNameAlternateSearchAttribute="samAccountName"
                 groupMemberAttribute="member"
                 userNameAttribute="sAMAccountName"
                 dnAttribute="distinguishedName"
                 groupFilter="(&amp;(ObjectClass=group))"
                 userFilter="(&amp;(ObjectClass=person))"
                 scope="Subtree" />
          </providers>
        </roleManager>

  • Open up a SharePoint 4.0 Management Console. Create a forms claims authentication provider:

        $ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"

    Create a web application:

        $wa = New-SPWebApplication -Name "Claims Windows Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "redmond\appool" -Url http://servername -Port 80 -AuthenticationProvider $ap

    *Note: the ApplicationPoolAccount needs to be a managed account on the farm. Modify all Web.config files (Central Admin, Security Token Service, Forms Web App).
  • When we explore the concept of claims providers we basically have two APIs. The first is augmentation. An example would be an application built on SharePoint that wants to expose claims: you can put that piece of code into SharePoint, for example a CRM system that authorizes on the Sales Manager role. In Office SharePoint Server 2007 you would commonly use Security Groups or write a synchronization engine that copies the roles into a SharePoint Group. New scenarios allow you to take roles directly into the security token, using a database for example. The more common scenario is searching and resolving claims, basically getting a user into SharePoint. We've made the People Picker more extensible as to what data it shows the user, so we can enumerate claims and allow people to select Sales Managers and apply it to an ACL.
  • These resources are provided to help you understand claims-based identity, providing additional reading and ways to participate in claims-based identity discussions.
  • Transcript

    • 1. Claim Based Authentication in SharePoint 2010 – A Developer's Perspective. Joris Poelmans, BIWUG, @jopxtwits, http://jopx.blogspot.com
    • 2. About Me
        • ECM Unit Manager @ RealDolmen
        • SharePoint Server MVP
        • Blog – http://jopx.blogspot.com
        • Twitter – @jopxtwits
        • Co-founder BIWUG – www.biwug.be
        • Co-author
            – Real World SharePoint 2010 (November 2010, Wrox)
            – Real World SharePoint 2007 (August 2007, Wrox)
            – SharePoint 2007, The Definitive Guide (September 2007, O'Reilly)
    • 3. Register today and save $500 before August 1st. Save the date: watch the live stream, join local events by MSDN Belux. Win a ticket today at Community Day!
        • Take a picture wearing the BUILD t-shirt.
        • Tweet or blog the picture, link to www.buildwindows.com, use tag #bldwin
        • Wear the t-shirt and be there for the closing prize draw
        http://www.buildwindows.com/
    • 4. Agenda
        • Introduction to Claims
        • Claims in SharePoint 2010
        • Configuring Claims in SharePoint 2010
        • Development tasks with Claims
        • Trusted Identity Providers
    • 5. Identity vs Claims
        • Identity – set of attributes to describe a user
        • Claim – information such as name, e-mail address, group membership, etc.
        • User identity as a set of claims
    • 6. Claims
        • Claims carry pieces of information about the user
        (Diagram: a token holding a Name Claim, an Age Claim and a Location Claim, plus the Claim Signature)
    • 7. Claim-based Terminology
        • Authentication: act of establishing or confirming something
        • Authorization: function of specifying access rights to resources
        • Claim: statement about an identity (attribute: Login Name, AD Group, etc.)
        • Identity: security principal (end user)
        • Identity Provider (IP): provides authentication for identities, confirms that claims in a token are valid and issues tokens. Can be accessed through an STS.
        • Issuer: trusted party that creates claims
        • Issuing Authority: issues security tokens knowing the claims desired by the target application
        • Security Token: serialized set of claims digitally signed by the issuing authority (Windows security token or SAML)
        • Security Token Service (STS): builds, signs and issues security tokens carrying claims that describe the caller
        • Relying Party (RP): application that makes authorization decisions based on claims
        • Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
        • Windows Identity Foundation (aka Geneva): framework for building claims-based applications and services and for implementing federated security scenarios
        • ADFS 2.0 (aka Geneva Server): enterprise Identity Provider that exposes a Security Token Service
    • 8. Underlying standards
        • WS-Federation 1.1 – provides the architecture for a clean separation between trust mechanisms, security token formats and the protocols for obtaining tokens
        • WS-Trust 1.4 – how to request and receive security tokens
        • SAML Token 1.1 – XML vocabulary used to represent claims in an interoperable way
    • 9. Why the move to claims?
        • It decouples SharePoint from the authentication provider
        • Applications can decide which claims are required and which Identity Provider to trust
        • Supports multiple authentication providers for one URL
        • Identity can be passed without Kerberos delegation
        • It enables federation between organizations
    • 10. Agenda
        • Introduction to Claims
        • Claims in SharePoint 2010
        • Configuring Claims in SharePoint 2010
        • Development tasks with claims
        • Trusted Identity Providers
    • 11. Demo: Claims Viewer Web Part; Multi-auth web applications
    • 12. Multi-auth web applications
    • 13. Claims Viewer Web Part
    • 14. Claims Viewer WebPart
        // Page.User is only an IClaimsPrincipal in claims mode; guard the cast so
        // a classic-mode or anonymous request does not throw a NullReferenceException.
        IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
        if (claimsPrincipal == null) return;
        IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
        GridView1.DataSource = claimsIdentity.Claims;
        GridView1.DataBind();
    • 15. Encoded Id
        Example: i:0#.w|contoso\wbaer
        – i = Identity Claim; all other claims use "c" as opposed to "i"
        – : = Colon
        – 0 = Reserved to support future claims
        – #/? = Claim Type encoded value. The out-of-the-box claim types have a hardcoded encoded value, which enables parity across farms.
            • Key: ? Value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
            • Key: # Value: http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
        – ./0 = Claim Value Type. The out-of-the-box claim value types have a hardcoded encoded value, which enables parity across farms.
            • Key: . Value: urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
            • Key: 0 Value: http://www.w3.org/2001/XMLSchema#string
        – w/m/r/t/p/s = Original Issuer Type: w = windows, m = membership, r = role, t = trusted STS, p = personal card, s = local STS claim
    • 16. Claims in SharePoint 2010 – Normalizing Identities (diagram: Classic vs Claims)
    • 17. Claims in SharePoint 2010
        • Two important scenarios
            – Incoming claims
            – Outgoing claims
        • How do incoming claims work?
            – Identity token created by external identity STS
            – SharePoint STS creates claims-based identity
            – SharePoint STS based on Claims Provider
            – Incoming claim identity is mapped to SPUser
            – Authorization of SPUser just like it is in SharePoint 2007
    • 18. Office Applications
        • Office client applications now support non-Integrated Windows Authentication
        • Office 2007 with Service Pack 2 on
            – Windows XP with Internet Explorer 8
            – Windows Vista with SP2 or optionally with Internet Explorer 8
            – Windows 7
        • Office 2010 on
            – Windows XP with Internet Explorer 8
            – Windows Vista with SP2 or optionally with Internet Explorer 8
            – Windows 7
    • 19. Claim Based Authorization
        • Use the claims-enabled People Picker to assign authorizations
        • Access claims via the IClaimsIdentity interface
        • Conditionally display information
            – based on presence of a claim
            – based on value of a claim
    • 20. Demo: Select claims in People Picker; Conditionally display information
    • 21. Conditionally display information
        IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
        IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
        string pmClaim = (from c in claimsIdentity.Claims
                          where c.ClaimType == CLAIM_TYPE
                          select c.Value).FirstOrDefault();
        // bool.Parse would throw when the claim is absent or not a boolean;
        // TryParse leaves authorized = false in both cases.
        bool authorized;
        bool.TryParse(pmClaim, out authorized);
    • 22. Outgoing Claims
        • What identity is used for code on the WFE?
            – By default, code has a claims-based identity
            – Legacy mode can be used for Windows identity
        • What are the scenarios?
            – WFE code calls to application services
            – WFE code calls to external LOB systems
            – WFE code calls to external SharePoint farms
    • 23. Outgoing Claims
    • 24. Accessing non-Claims Aware Systems
        • SQL Server 2008/2008 R2 – Denali is claims aware
        • Claims to Windows Token Service (C2WTS)
            – Converts claims back to a Windows identity
        (Diagram: SharePoint → LOB Application)
    • 25. C2WTS
        • Install on the server hosting the STS Service Application (part of WIF)
        • Runs as Local Service by default (also disabled by default)
            – Dependent on the Crypto Service (must start first – check out KB2512597)
        • Read the "Configure Kerberos Authentication for the C2WTS (SharePoint Server 2010)" whitepaper
    • 26. Agenda
        • Introduction to Claims
        • Claims in SharePoint 2010
        • Configuring Claims in SharePoint 2010
        • Development tasks with claims
        • Trusted Identity Providers
    • 27. Configure / Upgrade FBA sites
        • Setup FBA-Claims
            – Create authentication provider
            – Create or configure existing web app to use the authentication provider
            – Add membership / role provider entries to the different web.configs
        • Upgrade FBA web applications
            – User must update web.config(s)
            – Set the web app/zone to FBA-Claims to trigger user migration
    • 28. Why 3 web.config locations?
        • Central admin
            – Needs the references of all providers to enable picking of principals from any provider
        • STS web.config (Security Token Service app)
            – Needs the references of all providers in order to
                • Authenticate the user
                • Get roles of the user (which are converted to claims)
        • FBA Web application web.config
            – Needs the "system claims membership provider"
                • Automatically configured OOB during install
            – Customer-defined membership / role provider
                • To enable picking of FBA users & roles
    • 29. Web.config example
        <Configuration>
          <system.web>
            <membership defaultProvider="AspNetSqlMembershipProvider">
              <providers>
                <add name="membership" type="LdapMembershipProvider,…" server="redmond.corp.microsoft.com" port="389" … />
              </providers>
            </membership>
            <roleManager enabled="true" defaultProvider="MyRoleProv">
              <providers>
                <add name="roleManager" type="LdapRoleProvider,…" server="redmond.corp.microsoft.com" … />
              </providers>
            </roleManager>
    • 30. Upgrade FBA: PowerShell sample
        • $ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
        • $wa = New-SPWebApplication -Name "My Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "domain\appool" -Url http://servername -Port 80 -AuthenticationProvider $ap
        • *Note: the ApplicationPoolAccount needs to be a managed account on the farm
        • Modify the Web.config files (Central Admin, Security Token Service, Forms Web App)
    • 31. Agenda
        • Introduction to Claims
        • Claims in SharePoint 2010
        • Configuring Claims in SharePoint 2010
        • Development tasks with claims
        • Trusted Identity Providers
    • 32. Common CBA development task
        • Creating a claims provider
        • Claims providers have two roles
            – Augmentation
                • Add additional claims into the user token
                • SharePoint will authorize over these claims
            – Picking and resolving claims
                • Provides listing, resolve, search and friendly display of claims functionality in the People Picker
    • 33. Developing custom claims providers – Claims augmentation
        • Enables an application to augment additional claims into the user's token
        • Custom provider is implemented by inheriting
            – Microsoft.SharePoint.Administration.Claims.SPClaimProvider
            – Use the FillClaimsForEntity method
        • Deployment done by creating a feature and a feature receiver that derives from
            – the Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver class
        • MSDN article by Steve Peschka – http://msdn.microsoft.com/en-us/library/ff699494.aspx
    • 34. Developing custom claims providers – Claims picker
        • Provides listing, resolve, search and friendly display of claims in the People Picker
        • Custom provider is implemented by inheriting
            – Microsoft.SharePoint.Administration.Claims.SPClaimProvider
            – Use the FillHierarchy, FillResolve, FillSearch methods
        • Deployment done by creating a feature and a feature receiver that derives from
            – the Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver class
    • 35. Demo: Augment claims; Resolve claims in People Picker
    • 36. FillClaimsForEntity() method
        • Parameters
            – Context (URI)
            – Current user (userid claim)
            – Empty list to contain new claims
        • Called once per session
            – Token is passed as cookie once issued
    • 37. Entity Values
        • Domain user – 0#.w|domain\user
        • FBA user – 0#.f|mbrshipprovidername|user
        • Be sure to inspect the entity when filling claims
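Decoding the entity values above and the encoded Ids of slide 15, as an added example that is not part of the deck. It is written in Python rather than the deck's C# so it runs stand-alone; the key tables are those from slide 15 (plus "f" for forms from slide 37), and it assumes that every non-Windows issuer carries a provider segment before the value, as the FBA entry shows.

```python
# Added example (not from the slides): decode and re-encode SharePoint 2010 encoded
# claim ids such as "i:0#.w|contoso\wbaer" (slide 15) and "0#.f|provider|user" (slide 37).
from dataclasses import dataclass
from typing import Optional

# Claim-type characters from slide 15. Out-of-the-box types are hard-coded,
# so the encoding is identical across farms.
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "?": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
}
# Claim value-type characters from slide 15.
VALUE_TYPES = {
    ".": "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name",
    "0": "http://www.w3.org/2001/XMLSchema#string",
}
# Original-issuer characters from slide 15; "f" (forms) is taken from slide 37.
ISSUERS = {
    "w": "windows", "m": "membership", "r": "role", "t": "trusted STS",
    "p": "personal card", "s": "local STS claim", "f": "forms",
}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: Optional[bool]  # True for "i:", False for "c:", None when no prefix
    claim_type: str
    value_type: str
    issuer: str
    provider: Optional[str]      # provider name for non-Windows issuers, None for Windows
    value: str


def decode_claim(encoded: str) -> EncodedClaim:
    """Parse "[i:|c:]0<type><valuetype><issuer>|<payload>" into its parts."""
    is_identity: Optional[bool] = None
    if len(encoded) > 1 and encoded[1] == ":":
        if encoded[0] not in ("i", "c"):
            raise ValueError(f"unknown claim prefix in {encoded!r}")
        is_identity = encoded[0] == "i"
        encoded = encoded[2:]
    head, sep, payload = encoded.partition("|")
    # The head is exactly four characters: reserved "0", type, value type, issuer.
    if not sep or len(head) != 4 or head[0] != "0":
        raise ValueError(f"malformed encoded claim head: {head!r}")
    type_c, vtype_c, issuer_c = head[1], head[2], head[3]
    for char, table, what in ((type_c, CLAIM_TYPES, "claim type"),
                              (vtype_c, VALUE_TYPES, "value type"),
                              (issuer_c, ISSUERS, "issuer")):
        if char not in table:
            raise ValueError(f"unknown {what} character {char!r}")
    if issuer_c == "w":
        provider, value = None, payload  # Windows: the payload is domain\user
    else:
        # Assumption: every non-Windows issuer carries "<provider>|<value>",
        # as slide 37 shows for forms-based users.
        provider, sep2, value = payload.partition("|")
        if not sep2 or not provider:
            raise ValueError(f"missing provider segment in {payload!r}")
    return EncodedClaim(is_identity, CLAIM_TYPES[type_c], VALUE_TYPES[vtype_c],
                        ISSUERS[issuer_c], provider, value)


def encode_claim(claim: EncodedClaim) -> str:
    """Inverse of decode_claim: rebuild the encoded string from its parts."""
    def key_for(table: dict, uri: str) -> str:
        return next(k for k, v in table.items() if v == uri)
    prefix = "" if claim.is_identity is None else ("i:" if claim.is_identity else "c:")
    head = ("0" + key_for(CLAIM_TYPES, claim.claim_type)
            + key_for(VALUE_TYPES, claim.value_type) + key_for(ISSUERS, claim.issuer))
    payload = claim.value if claim.provider is None else f"{claim.provider}|{claim.value}"
    return f"{prefix}{head}|{payload}"
```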
    • 38. SPClaimProvider.CreateClaim()
        protected SPClaim CreateClaim(string claimType, string value, string valueType)
        – claimType (String): the type of claim. Examples of claim types include first name, role and email address. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI). For example, the e-mail address claim type is represented as http://schemas.microsoft.com/ws/2008/06/identity/claims/email.
        – value (String): the value of the claim. For example, if the claim type is role, a value might be contributor, and if the claim type is first name, a value might be Matt.
        – valueType (String): the type of value in the claim. These are all URIs that refer to a string.
    • 39. ClaimValueTypes
        – Base64Binary: http://www.w3.org/2001/XMLSchema#base64Binary
        – Boolean: http://www.w3.org/2001/XMLSchema#boolean
        – Date: http://www.w3.org/2001/XMLSchema#date
        – Datetime: http://www.w3.org/2001/XMLSchema#dateTime
        – DaytimeDuration: http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
        – String: http://www.w3.org/2001/XMLSchema#string
    • 40. Agenda
        • Introduction to Claims
        • Claims in SharePoint 2010
        • Configuring Claims in SharePoint 2010
        • Development tasks with claims
        • Trusted Identity Providers
    • 41. Trusted Identity Providers
        • Active Directory Federation Services (ADFS 2.0)
            – Enables identity across organizational boundaries
            – http://www.microsoft.com/adfs2
        • Windows Live ID
            – http://technet.microsoft.com/en-us/library/ff973117.aspx
    • 42. Trusted Identity Providers (Ctd)
        • OpenID
            – Must be "translated" into SAML claims
                • WIF code
                • Pioneering work
                    – http://blogs.southworks.net/mwoloski/2009/07/14/openid-ws-fed-protocol-transition-sts/ (Matias Woloski)
                    – https://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=34 (Travis Nielsen)
            – Many OpenID Providers
                • http://openid.net/get-an-openid/
    • 43. Summary
        • Claims are the way forward for authentication
        • Claims enable new scenarios for authentication and authorization
    • 44. Additional Resources
        • Recommended Reading
            – Read more on Claims-based Authentication in the SharePoint Server 2010 IT Professional Evaluation Guide
            – Plan Authentication Methods (SharePoint Server 2010) on TechNet
            – Read the article Configure Forms-based Authentication for a Claims-based Web Application on TechNet (this article also provides some good upgrade material)
            – Configure the Security Token Service on TechNet
            – SharePoint and Claims-based Identity on MSDN
            – A Guide to Claims-Based Identity and Access Control
            – Claims-Based Identity for Windows
            – Claims to Windows Token Service Overview (MSDN)
