Claims based authentication for mere mortals
  • 1. Claims based authentication for mere mortals (#SPSBE26, #SPSBE), Thomas Vochten
  • 2. About me
  • 3. A big thanks to our sponsors: Platinum Sponsors, Gold Premium Sponsors, Venue Sponsor, Gold Sponsors
  • 4. Agenda
    • Claims Based Identity
    • Claims within SharePoint 2010
    • Claim Providers
    • Windows Claims
    • Trusted Provider claims
    • Federation & Single Sign On
    • Claims in the Real World
  • 5. Claims based identity: who do you trust?
  • 6. Claims based identity
    • Not a new concept
    • Claims provide abstraction
    • Authentication (AuthN) versus Authorization (AuthZ)
    • AuthZ decisions are based on claims
  • 7. Setting the scene
    • Claim
    • Security Token
    • Identity Provider (IdP)
    • Relying Party (RP)
    • Security Token Service (STS)
    • Realm
  • 8. [Diagram: a security token carrying a Name claim, an Age claim and a Location claim, with a signature over the claims]
  • 9. [Diagram: AuthN versus AuthZ]
  • 10. Claims within SharePoint 2010
    • 3 types of claim providers: Windows, Trusted Provider, Forms Based AuthN
    • Multiple AuthN providers possible in the same zone
    • Be sure to be at Service Pack 1 with the June 2011 CU minimum
  • 11. Multiple Authentication Providers
    [Diagram comparing the two models on one SharePoint farm:]
    • Mixed authentication: one web application, one authentication provider per zone (for example Windows authentication in the Default zone, FBA in an extended Extranet zone, SAML-based authentication in another extended zone such as Intranet; Internet and Custom zones as needed)
    • Multi-authentication: one web application, several authentication providers in the same zone (for example Windows authentication and FBA together in the Default zone), with extended Extranet, Intranet, Internet and Custom zones as needed
  • 12. Multiple Authentication Providers
  • 13. Identity Normalization
  • 14. Identity Claim Format
    • i:0#.t|federation|thomasvochten
    • i:0#.w|lab\thomasvochten
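The two strings on the slide are what SharePoint actually stores as the user's identity, so it helps to be able to take them apart. The following is an added example, not code from the presentation: a PowerShell function that decodes a SharePoint 2010 encoded claim into its parts. The slide only shows the codes `#`, `.`, `w` and `t`; the other entries in the lookup tables (`5` e-mail address, `-` role, `+` group SID, `f` forms, `s` SharePoint) are the documented SharePoint encoding as recalled by the author of this example, and any code not in the tables is passed through as the raw character rather than guessed.

```powershell
# Added example (not from the slides): decode a SharePoint 2010 encoded claim.
# Layout: <i|c>:0<claimType><valueType><issuerType>|[<originalIssuer>|]<value>
#   i/c  = identity claim / other claim
#   0    = reserved
# Codes beyond '#', '.', 'w' and 't' are the documented encoding as recalled
# here; unknown codes are returned unchanged, never guessed.
function ConvertFrom-SPEncodedClaim {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Encoded)

    $m = [regex]::Match($Encoded, '^(?<kind>[ic]):0(?<type>.)(?<vtype>.)(?<issuer>.)\|(?<rest>.*)$')
    if (-not $m.Success) { throw "Not a SharePoint encoded claim: '$Encoded'" }

    $claimTypes = @{
        '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
        '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
        '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
        '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    }
    $valueTypes  = @{ '.' = 'http://www.w3.org/2001/XMLSchema#string' }
    $issuerTypes = @{ 'w' = 'Windows'; 't' = 'TrustedProvider'; 'f' = 'Forms'; 's' = 'SharePoint' }

    # Return the decoded name when the code is known, otherwise the raw code.
    function Resolve-Code([hashtable]$Table, [string]$Code) {
        if ($Table.ContainsKey($Code)) { $Table[$Code] } else { $Code }
    }

    $issuer = $m.Groups['issuer'].Value
    $rest   = $m.Groups['rest'].Value

    # Windows (w) claims carry only the value after '|'. Trusted-provider and
    # forms claims carry the provider name first, then a second '|', then the value.
    $originalIssuer = $null
    $value = $rest
    if ($issuer -ne 'w') {
        $idx = $rest.IndexOf('|')
        if ($idx -ge 0) {
            $originalIssuer = $rest.Substring(0, $idx)
            $value          = $rest.Substring($idx + 1)
        }
    }

    [pscustomobject]@{
        Encoded         = $Encoded
        IsIdentityClaim = ($m.Groups['kind'].Value -eq 'i')
        ClaimType       = Resolve-Code $claimTypes  $m.Groups['type'].Value
        ValueType       = Resolve-Code $valueTypes  $m.Groups['vtype'].Value
        IssuerType      = Resolve-Code $issuerTypes $issuer
        OriginalIssuer  = $originalIssuer
        Value           = $value
    }
}

# The two identities from the slide (constructed input, same person twice).
$viaAdfs    = ConvertFrom-SPEncodedClaim 'i:0#.t|federation|thomasvochten'
$viaWindows = ConvertFrom-SPEncodedClaim 'i:0#.w|lab\thomasvochten'
$viaAdfs, $viaWindows | Format-List

# SharePoint keys permissions, user profiles and people-picker results on the
# whole encoded string, so these two are different principals to SharePoint.
"Same SharePoint principal: $($viaAdfs.Encoded -eq $viaWindows.Encoded)"
```

The last line is the security-relevant point behind identity normalization: the issuer type is part of the identity. A user who first signed in with Windows authentication and later arrives through a trusted provider is a new principal with no permissions, which is why the deck later says trusted-provider migration is not out of the box and that the unique ID must be chosen with care.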
  • 15. Claims Providers
    • Augmentation of claims
    • Resolution of claims
  • 16. Windows Claims
    • NTLM or Kerberos
    • Automatic sign in
    • Used by SharePoint internally
    • Claims to Windows Token Service (c2wts) for outbound claims
    Claims Provider functions
    • Augmentation with Windows security groups
    • People picker does lookups in Active Directory
  • 17. Migrating to Windows Claims
    • Planning is crucial
    • Classic to claims only
    • No way back
    • 2 step process: 1. change the web application to use claims; 2. migrate the user identities
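The two-step migration on the slide, as an added PowerShell example that follows the TechNet procedure for SharePoint 2010 (this is not the presenter's script). The web application URL and the account name are placeholders for the lab in the slides. As the slide says there is no way back, so a content database backup comes first.

```powershell
# Added example (not from the slides): classic-mode to Windows-claims migration
# of a SharePoint 2010 web application. Placeholders: URL and account.
# One-way operation: back up the content databases before running this.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = 'http://intranet.lab.local'   # placeholder
$Account   = 'lab\spadmin'                 # placeholder: admin that must keep Full Control

# Step 1: switch the web application to claims authentication.
$wa = Get-SPWebApplication $WebAppUrl
if ($wa.UseClaimsAuthentication) {
    throw "$WebAppUrl already uses claims authentication; the conversion is one-way."
}
$wa.UseClaimsAuthentication = $true
$wa.Update()

# The admin account must be re-granted Full Control under its *claims*
# identity (i:0#.w|lab\spadmin); its classic policy entry no longer matches,
# and without this step the account locks itself out of the web application.
$claimsAccount = (New-SPClaimsPrincipal -Identity $Account -IdentityType WindowsSamAccountName).ToEncodedString()
$wa = Get-SPWebApplication $WebAppUrl          # re-read after the mode change
$zp = $wa.ZonePolicies('Default')
$p  = $zp.Add($claimsAccount, 'Claims migration full control')
$fc = $wa.PolicyRoles.GetSpecialRole('FullControl')
$p.PolicyRoleBindings.Add($fc)
$wa.Update()

# Step 2: rewrite every stored classic identity (lab\user) in the content
# databases to its Windows claims form (i:0#.w|lab\user), then re-provision.
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()

# Check: any user login not in encoded-claim form was not migrated.
Get-SPUser -Web $WebAppUrl -Limit All | Where-Object { $_.UserLogin -notlike 'i:0#.*' }
```

The check at the end is worth keeping: permissions that reference a login still in `domain\user` form will silently stop matching once the web application authenticates users as claims, which is what "some stuff will break" looks like in practice.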
  • 18. Demo Exploring Windows Claims
  • 19. Trusted Provider claims
    • SharePoint as relying party
    • Needs an external identity provider such as ADFS
    • Based on open standards (SAML, WS-*)
    • Logging in: just a bunch of redirects
    • Migration not out of the box (custom code needed)
    Setup
    • Set up the identity provider
    • Set up the trust via PowerShell
    Claims Provider functions
    • Nothing out of the box (custom code needed)
  • 20. [Diagram: trusted-provider sign-in flow between the SharePoint client, SharePoint (the relying party, with its own STS and claims providers) and the identity provider / security token service (IP-STS), which may be backed by Active Directory, a membership store, LiveID or another SAML issuer. SharePoint trusts the IP-STS. Numbered steps: 1 request resource; 2 authentication request / redirect; 3 and 4 authentication and security token request at the IP-STS; 5 service token request; 6 security token response; 7 request resource with the service token, after which authorization is evaluated.]
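"Set up the trust via PowerShell" on slide 19, as an added example that is not the presenter's script: registering ADFS as a trusted identity token issuer in SharePoint 2010 with the standard cmdlets. The certificate path, realm, sign-in URL and names are placeholders for the lab in the slides; the claim types are the standard e-mail and role URIs.

```powershell
# Added example (not from the slides): register an external identity provider
# (ADFS) as a SharePoint 2010 trusted identity token issuer.
# Placeholders: certificate path, realm, sign-in URL, names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SigningCertPath = 'C:\certs\adfs-token-signing.cer'   # placeholder: ADFS token-signing cert, public part only
$Realm           = 'urn:sharepoint:intranet'           # placeholder: must equal the relying party identifier in ADFS
$SignInUrl       = 'https://adfs.lab.local/adfs/ls/'   # placeholder: HTTPS only ("Use SSL")

# SharePoint validates the signature of every incoming SAML token against this
# certificate, so register exactly the provider's token-signing certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)
New-SPTrustedRootAuthority -Name 'ADFS token signing' -Certificate $cert

# Claim mappings: the incoming claim types SharePoint will accept. The
# identifier claim is the unique ID ("choose your unique ID wisely"); it
# becomes the i:05.t|ADFS|<email> identity and cannot be changed afterwards.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'ADFS in lab.local' `
    -Realm $Realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $SignInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Review what was registered before binding it to a web application zone
# (Central Administration > Authentication Providers, or
# Set-SPWebApplication -Zone Default -AuthenticationProvider ...).
Get-SPTrustedIdentityTokenIssuer -Identity 'ADFS' | Format-List
```

Two practical consequences follow from this script: the e-mail address chosen as identifier is what every permission in the farm will be keyed on, so a change of e-mail address in the identity provider creates a new SharePoint user; and when the token-signing certificate on the ADFS side rolls over, `New-SPTrustedRootAuthority` has to be repeated for the new certificate or every sign-in fails at signature validation.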
  • 21. Demo Exploring Trusted Provider Claims
  • 22. Federation & Single Sign On
    • Chain of trusted/trusting identity providers
    • Multiple use cases: extranet access, mergers & acquisitions, cross-forest authentication
    • Single Sign On possibilities
    • Integration with other systems like FIM, UAG or ACS
  • 23. Claims in the real world
    • When would you use claims based AuthN?
    • Integration with other applications like Office
    • Some stuff will break or doesn't support claims!
    • Choose your unique ID wisely
    • You will probably need a custom claims provider
    • Home realm discovery
    • Learn to give up control
    • Test, test, test
  • 24. Some last considerations...
    • Use SSL
    • Kerberos is not dead
    • Choose your unique ID wisely
    • Software prerequisites
    • Token cache settings
    • No 2-factor AuthN out of the box
    • Custom claims provider on the app server
    • FAST document preview
    • Debatable workaround for c2wts
    • SQL, PowerPivot, PerformancePoint, UPA, ...
    • SAML claims have the most functional issues
    • Next wave of MS products
  • 25. Resources
    • A Guide to Claims-Based Identity and Access Control (2nd edition), MSDN
    • Implementing Claims-Based Authentication with SharePoint Server 2010, TechNet
    • Steve Peschka's blog
    Links & more resources available on my blog at
  • 26. We need your feedback! Scan this QR code or visit Our sponsors: