Claims based authentication for mere mortals

Usage Rights: © All Rights Reserved
    Presentation Transcript

    • #SPSBE26 - Claims based authentication for mere mortals - Thomas Vochten
    • About me
    • A big thanks to our sponsors: Platinum Sponsors, Gold Premium Sponsors, Venue Sponsor, Gold Sponsors (logos)
    • Agenda
      • Claims Based Identity
      • Claims within SharePoint 2010
      • Claim Providers
      • Windows Claims
      • Trusted Provider claims
      • Federation & Single Sign On
      • Claims in the Real World
    • Claims based identity: who do you trust?
    • Claims based identity
      • Not a new concept
      • Claims provide abstraction
      • Authentication (AuthN) versus Authorization (AuthZ)
      • AuthZ decisions are based on claims
    • Setting the scene
      • Claim
      • Security Token
      • Identity Provider (IdP)
      • Relying Party (RP)
      • Security Token Service (STS)
      • Realm
    • (Diagram: a security token made up of a Name claim, an Age claim and a Location claim, plus a signature over the claims)
    • (Diagram: AuthN versus AuthZ)
    • Claims within SharePoint 2010
      • 3 types of claim providers: Windows, Trusted Provider, Forms Based AuthN
      • Multiple AuthN providers possible in the same zone
      • Be sure to be at Service Pack 1 with the June 2011 CU minimum
    • Multiple Authentication Providers (diagram comparing a mixed-authentication farm, where each zone of the web application carries one provider, e.g. Windows on the Default zone, FBA on the Extranet zone, SAML-based on the Intranet zone, with a multi-authentication farm, where several providers such as Windows, FBA and SAML-based authentication sit in the same zone)
    • Multiple Authentication Providers
    • Identity Normalization
    • Identity Claim Format
      • i:0#.t|federation|thomasvochten
      • i:0#.w|lab\thomasvochten
    • Claims Providers
      • Augmentation of claims
      • Resolution of claims
    • Windows Claims
      • NTLM or Kerberos
      • Automatic sign in
      • Used by SharePoint internally
      • Claims to Windows Token Service for outbound claims (c2wts)
      • Claims Provider Functions
        • Augmentation with Windows security groups
        • People picker does lookups in Active Directory
    • Migrating to Windows Claims
      • Planning is crucial
      • Classic to claims only
      • No way back
      • 2 step process: changing the web application to use claims, then migrating the user identities
    • Demo Exploring Windows Claims
    • Trusted Provider claims
      • SharePoint as relying party
      • Needs an external identity provider such as ADFS
      • Based on open standards (SAML, WS-*)
      • Logging in: just a bunch of redirects
      • Migration not out of the box (custom code needed)
      • Setup
        • Setup identity provider
        • Setup trust via PowerShell
      • Claims Provider functions
        • Nothing out of the box (custom code needed)
    • (Diagram: trusted provider sign-in flow. The SharePoint STS holds a trust with the identity provider's Security Token Service (IP-STS), which fronts stores such as Active Directory, a Membership provider, LiveID or a SAML-based provider. Numbered steps: 1 the client requests a resource from SharePoint; 2 SharePoint redirects the authentication request to the IP-STS; 3 authentication; 4 security token request; 5 service token request; 6 security token response; 7 the client requests the resource again with the service token, after which SharePoint authorizes it.)
    • Demo Exploring Trusted Provider Claims
    • Federation & Single Sign On
      • Chain of trusted/trusting identity providers
      • Multiple use cases: extranet access, mergers & acquisitions, cross-forest authentication
      • Single Sign On possibilities
      • Integration with other systems like FIM, UAG or ACS
    • Claims in the real world
      • When would you use claims based AuthN?
      • Integration with other applications like Office
      • Some stuff will break or doesn’t support claims!
      • Choose your unique ID wisely
      • You will probably need a custom claims provider
      • Home realm discovery
      • Learn to give up control
      • Test, test, test
    • Some last considerations…
      • Use SSL
      • Kerberos is not dead
      • Choose your unique ID wisely
      • Software prerequisites
      • Token cache settings
      • No 2-factor AuthN out of the box
      • Custom claims provider on app server
      • FAST document preview
      • Debatable workaround for c2wts
      • SQL, PowerPivot, PerfPoint, UPA, ...
      • SAML claims have the most functional issues
      • Next wave of MS products
    • RESOURCES
      • A guide to claims based identity and access control (2nd edition), MSDN
      • Implementing Claims-Based Authentication with SharePoint Server 2010, TechNet
      • Steve Peschka’s blog
      • Links & more resources available on my blog at http://thomasvochten.com
    • We need your feedback! Scan this QR code or visit http://svy.mk/sps2012be
      • Our sponsors (logos)
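The encoded identity strings on the Identity Claim Format slide above (i:0#.t|federation|thomasvochten for a trusted provider, i:0#.w|lab\thomasvochten for Windows) follow the SharePoint claims encoding scheme. The decoder below is an added example, not code from the presentation or from SharePoint; its claim type, value type and issuer tables are a partial mapping assumed from the publicly documented scheme, and the role claim c:0-.t|federation|admins mentioned in the comments is a constructed sample.

```python
from dataclasses import dataclass
from typing import Optional

# Partial lookup tables for the SharePoint 2010 claims encoding scheme
# (assumed from the documented scheme; only the codes needed here).
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "!": "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider",
}
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}
ISSUERS = {"w": "Windows", "s": "SecurityTokenService", "t": "TrustedProvider",
           "m": "Membership", "r": "RoleProvider", "c": "ClaimProvider"}
NAMED_ISSUERS = {"t", "m", "r", "c"}  # carry a provider name before the value


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool        # 'i' = identity claim, 'c' = any other claim
    claim_type: str
    value_type: str
    issuer: str
    provider: Optional[str]  # e.g. "federation" for a trusted provider
    value: str               # "thomasvochten", "lab\\thomasvochten", "admins"


def decode_claim(encoded: str) -> EncodedClaim:
    """Split e.g. 'i:0#.t|federation|thomasvochten' into its parts.
    Layout: [0] i/c, [1] ':', [2] '0' reserved, [3] claim type, [4] value
    type, [5] original issuer, [6] '|', then '<provider>|' for named
    issuers, then the claim value. Raises ValueError on malformed input."""
    if len(encoded) < 8 or encoded[1:3] != ":0" or encoded[6] != "|":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    kind, ctype, vtype, issuer = encoded[0], encoded[3], encoded[4], encoded[5]
    if kind not in ("i", "c") or issuer not in ISSUERS:
        raise ValueError(f"unknown claim kind or issuer: {encoded!r}")
    rest, provider = encoded[7:], None
    if issuer in NAMED_ISSUERS:
        provider, sep, rest = rest.partition("|")
        if not sep or not provider:
            raise ValueError(f"missing provider name: {encoded!r}")
    if not rest:
        raise ValueError(f"empty claim value: {encoded!r}")
    return EncodedClaim(kind == "i", CLAIM_TYPES.get(ctype, f"unknown({ctype})"),
                        VALUE_TYPES.get(vtype, f"unknown({vtype})"),
                        ISSUERS[issuer], provider, rest)
```

Decoding both identity strings from the slide shows the same person as two distinct principals (issuer Windows versus TrustedProvider), which is why permissions granted to one do not carry over to the other unless the identities are migrated, and why the slides stress choosing the unique ID wisely.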