In this session we will go through the basics of claims based authentication. What is it and what does it bring to the table? We will provide an overview of some basic and more advanced scenarios in which you would want to use claims based authentication. We will also touch upon related concepts like federated identity and single sign-on.
Furthermore, we will cover some real world implementation tips that might come in handy when considering claims based authentication before taking this route. There are some very common issues that you had better be aware of.
This session is primarily targeted at SharePoint administrators, so we won't go into details on development topics such as custom claims providers, although we will touch upon the subject.
3. A big thanks to our sponsors
4. Agenda
• Claims Based Identity
• Claims within SharePoint 2010
• Claim Providers
• Windows Claims
• Trusted Provider claims
• Federation & Single Sign On
• Claims in the Real World
6. Claims based identity
• Not a new concept
• Claims provide abstraction
• Authentication (AuthN) versus Authorization (AuthZ)
• AuthZ decisions are based on claims
7. Setting the scene
• Claim
• Security Token
• Identity Provider (IdP)
• Relying Party (RP)
• Security Token Service (STS)
• Realm
8. Security token (diagram): a set of claims (Name claim, Age claim, Location claim, ...) plus a signature
10. Claims within SharePoint 2010
3 types of claim providers
• Windows
• Trusted Provider
• Forms Based Authn
Multiple Authn providers possible in the same zone
Be sure to be on Service Pack 1 with the June 2011 CU at a minimum
11. Multiple Authentication Providers
Mixed Authentication (one provider per zone):
SharePoint Farm
• Web Application, Zone: Default - Windows Authentication
• Extended Web Application, Zone: Extranet - FBA Authentication
• Extended Web Application, Zone: Intranet - ...
• Extended Web Application, Zone: Internet - ...
• Extended Web Application, Zone: Custom - ...
Multi-Authentication (several providers in the same zone):
SharePoint Farm
• Web Application, Zone: Default - Windows Authentication, FBA Authentication, SAML Based Authentication
• Extended Web Application, Zone: Extranet - FBA Authentication
• Extended Web Application, Zone: Intranet - Windows Authentication
• Extended Web Application, Zone: Internet - ...
• Extended Web Application, Zone: Custom - ...
16. Windows Claims
• NTLM or Kerberos
• Automatic sign in
• Used by SharePoint internally
• Claims to Windows Token Service for outbound claims (c2wts)
Claims Provider Functions
• Augmentation with Windows security groups
• People picker does lookups in Active Directory
17. Migrating to Windows Claims
• Planning is crucial
• Classic to claims only
• No way back
• 2 step process:
Changing the web application to use claims
Migrating the user identities
19. Trusted Provider claims
• SharePoint as relying party
• Needs an external identity provider such as ADFS
• Based on open standards (SAML, WS-*)
• Logging in: just a bunch of redirects
• Migration not out of the box (custom code needed)
Setup
• Setup identity provider
• Setup trust via PowerShell
Claims Provider functions
• Nothing out of the box (custom code needed)
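As an added example (not from the deck), this is what "setup trust via PowerShell" looks like for an AD FS 2.0 IP-STS on SharePoint 2010: the certificate path, realm, sign-in URL and provider name are placeholders for your own environment.

```powershell
# Added example, not from the original slides. Registers an external IP-STS
# (AD FS 2.0) as a trusted identity provider. All values marked "placeholder"
# are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Token-signing certificate of the IdP (public key only, exported from AD FS).
$certPath = "C:\certs\adfs-token-signing.cer"   # placeholder
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# SharePoint only accepts tokens signed by a certificate whose chain is in the
# farm's trusted root authority list, so register the signing certificate
# (and the issuing CA certificate too if it is not self-signed).
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# 2. Claim mappings: which incoming SAML claim types SharePoint will accept.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Realm and sign-in URL. The realm must match the relying party identifier
#    configured on the IdP; the sign-in URL is the IdP's passive endpoint.
#    Use HTTPS ("Use SSL"): the token travels through the user's browser.
$realm     = "urn:sharepoint:intranet"               # placeholder
$signInUrl = "https://adfs.contoso.local/adfs/ls/"    # placeholder

# 4. Create the trust. -IdentifierClaim is the claim SharePoint uses as the
#    user's unique ID ("choose your unique ID wisely"): it cannot be changed
#    afterwards without migrating identities, so pick a stable, unique claim.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" `
    -Description "AD FS 2.0 IP-STS" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Check that the trust exists and which claim was registered as identifier.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" | Select-Object Name, IdentifierClaim
```

The provider is then attached to a web application zone with New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer (or through Central Administration); without a custom claims provider the people picker will accept any typed value for these claims, which is the "nothing out of the box" point above.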
20. Trust
Diagram: trust between the SharePoint STS and an external Identity Provider Security Token Service (IP-STS), which can sit on Active Directory, a Membership provider or LiveID. On the SharePoint side: ASP.net, the SharePoint STS, Claims Providers, and SAML based SharePoint Authorization. Flow:
1 Client requests a resource from SharePoint (ASP.net)
2 Authenticate request / redirect to the identity provider
3 Authentication request to the IP-STS
4 Security token issued to the client
5 Service token request to the SharePoint STS
6 Security token response
7 Request resource with service token
22. Federation & Single Sign On
• Chain of trusted/trusting identity providers
• Multiple use cases
extranet access
mergers & acquisitions
cross-forest authentication
• Single Sign On possibilities
• Integration with other systems like FIM, UAG or ACS
24. Claims in the real world
• When would you use claims based AuthN?
• Integration with other applications like Office
• Some things will break or don't support claims!
• Choose your unique ID wisely
• You will probably need a custom claims provider
• Home realm discovery
• Learn to give up control
• Test test test
25. Some last considerations…
• Use SSL
• Kerberos is not dead
• Choose your unique ID wisely
• Software prerequisites
• Token cache settings
• No 2 factor AuthN out of the box
• Custom claims provider on app server
• FAST document preview
• Debatable workaround for c2wts
• SQL, PowerPivot, PerfPoint, UPA,...
• SAML claims have the most functional issues
• Next wave of MS products
26. RESOURCES
• A guide to claims based identity and access control (2nd edition), MSDN
• Implementing Claims-Based Authentication with SharePoint Server 2010, TechNet
• Steve Peschka’s blog
Links & more resources available on my blog at http://thomasvochten.com
27. We need your feedback!
Scan this QR code or visit
http://svy.mk/sps2012be