Claims-Based Identity in SharePoint 2010


Published on

An overview of Claims-Based Identity in SharePoint 2010 with a discussion of issues encountered during a migration from MOSS and recommendations for new implementations. Presented by Danny Jessee at the SUGDC meeting during SPSTCDC on August 11, 2011.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Claims opens up all the doors to you…FBA, Trusted Identity Providers (external-outside world)
  • WS-Trust: how to request and receive security tokensWS-Federation: architecture for cleanseparation between trust mechanisms, security tokens formats, and the protocols for obtaining tokensSAML: XML vocabulary used to represent claims in an interoperable way
  • Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
  • Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
  • Configure TIP through PowerShell.
  • As you plan custom claims providers for use with People Picker in your SharePoint solution, consider the following questions:What will be the source of the values for the users and roles that will be displayed in People Picker query results?What claim data do you want to resolve in the Select People and Groups dialog box?You don’t necessarily need to go through the API or PowerShell, if you have a connection to an LDAP store or a BCS connection to your auth store. You can also map the properties yourself and leave it to the User Profile Synchronization service. That being said, if you’re dependent on BCS then you’ll also need to have SharePoint Enterprise Server license which isn’t available to all customers.Once you’re done you should be able to visit any of the users in your site collection and see their “Name” property set to something that is less likely to confuse your user base. Once the value is set, it helps to make sure that it doesn’t get stomped with any User Profile Synchronization (UPS) that may be in place in your farm.
  • And, of course, always test testtest…
  • Claims-Based Identity in SharePoint 2010

    1. 1. All It “Claims” to Be?<br />A real-world perspective on Claims-Based Identity in SharePoint 2010<br />Danny Jessee<br />SharePoint User Group of Washington, DC – August 11, 2011<br />
    2. 2. Who Am I?<br />SharePoint Evangelist at Circinus<br />Northern Virginia-based SDVOSB<br />Senior developer on SharePoint deployments for government and DoD customers since 2004<br />I get involved with administration when I have to…<br />MCTS – SharePoint 2010 Application Development<br />CloudShare Honorary MVP for 2011<br />Twitter: @dannyjessee<br />Blog:<br />
    3. 3. Agenda<br />Features of a Secure Application<br />SharePoint 2010 Authentication Options<br />Claims Terminology/Technology Overview<br />Demos<br />SharePoint 2010 Web Application with FBA<br />Adding Azure ACS-based Trusted Identity Providers<br />“Gotchas”<br />General issues for all Claims implementations<br />Migration issues from MOSS to SharePoint 2010<br />Claims Behaving Badly<br />Recommendations<br />
    4. 4. Features of aSecure Application<br />Authentication is the process of validating a user’s identity<br />SharePoint never performs authentication<br />If the login prompt keeps appearing, think authentication issue!<br />
    5. 5. Features of aSecure Application<br />Authorization is the process of determining the resources, features, etc. to which a user has access<br />SPUserobject – security principal<br />If you see “Access Denied” errors, think authorization issue!<br />
    6. 6. Authentication Options in SharePoint 2010<br />The single biggest decision of your life!<br />TechNet guidance:<br />“For new implementations of SharePoint Server 2010, you should consider claims-based authentication.”<br />
    7. 7. Authentication Options in SharePoint 2010<br />Claims Based Authentication (Tokens)<br />Windows Authentication: NTLM/Kerberos, Basic<br />Forms-Based Authentication (ASP.NET Membership provider and Role manager)<br />Trusted Identity providers<br />Custom sign-in page<br />Classic Mode Authentication (“Old School”)<br />Windows Authentication (NTLM/Kerberos) only<br />Both map authenticated users to SPUser objects (security principals)<br />
    8. 8. Claims-Based IdentityConcepts<br />What is a claim?<br />A piece of information describing a user<br />Name<br />Email Address<br />Role/Group membership<br />Age<br />Hire Date<br />Whose claims do I trust, and which claims affect authorization decisions I make?<br />
    9. 9. Claims-Based IdentityTerminology<br />Token<br />Serialized set of claims about an authenticated user, digitally signed by the token’s issuer<br />Identity Provider-Security Token Service (IP-STS)<br />Validates user credentials<br />Builds, signs, and issues tokens containing claims<br />Relying party (RP) <br />Applications that makes authorization decisions based on claims (SharePoint 2010)<br />
    10. 10. The Claims Paradigm<br />Decoupling of authentication logic from authorization and personalization logic<br />Applications no longer need to determine who the user is, they receive claims identifying the user<br />Great for developers who rarely want to work with identity!<br />Provides a common way for applications to acquire the identity information they need about users <br />
    11. 11. The Claims Paradigm<br />“I’d like to access the budget document.”<br />“Not until you can prove to me that you are in the Finance group.”<br />“Here is my user ID and password.”<br />“Hi, Danny. I see you are in the Finance group. Here is a token you can use.”<br />“I’d like to access the budget document,and here’s proof I have access to it!”<br />SharePoint 2010<br />
    12. 12. Claims-Based IdentityTechnologies<br />WS-Trust, WS-Federation, SAML<br />Requesting/receiving tokens<br />XML representation of claims<br />These emerging technologies have been around for awhile<br />Their use in Claims-Based Identity represents a new approach for handling identity in applications<br />Great potential in corporate environments<br />Active Directory Federation Services, external LDAP, etc.<br />Great potential as we move to the cloud<br />Azure ACS: Facebook, Google, Windows Live ID, etc.<br />
    13. 13. Almost Demo Time!<br />
    14. 14. Claims Viewer Web Part<br />Visual Web Part<br />Code behind:<br /><br />IClaimsPrincipalclaimsPrincipal = Page.UserasIClaimsPrincipal;<br />IClaimsIdentityclaimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity;<br />GridView1.DataSource = claimsIdentity.Claims;Page.DataBind();<br />
    15. 15. FBA in SharePoint 2010<br />Similar to FBA setup for MOSS, with some exceptions:<br />Authentication provider does not need to be mapped to a separate zone<br />One additional Web.config to modify:<br />C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions14WebServicesSecurityToken<br />Add entries for connection string, Membership provider, Role manager<br />Same modifications for Central Admin and web app<br />
    16. 16. Sign-In Page<br />Allows users to choose how to authenticate when multiple providers are configured(Mixed Authentication)<br />Custom code opportunity<br /><br />
    17. 17. New SharePoint 2010 Web Application with Claims/FBA<br />Demo #1<br />
    18. 18. Adding Facebook Support<br /><ul><li></li></ul>Create an account on AppFabric Labs<br /><br />Use the Facebook Developer application to create your own new application<br />
    19. 19. Adding Facebook Support<br />Note the App ID and App Secret values<br />Assign a “Privacy Policy” URL<br />Grant Permissions to generate Access Token<br />Choose “Web” in left navigation, enter values for Site URL and Site Domain<br />Based on your AppFabric Labs account<br />
    20. 20. Adding Facebook Support<br />Generate self-signed certificate<br />C:Program FilesMicrosoft Office Servers14.0Tools>MakeCert.exe -r -pe -n "" -sky exchange -ssmy<br />Development only! Do not do in production!<br />
    21. 21. Adding Facebook Support<br />Upload Token Signing Certificate<br />
    22. 22. Adding Facebook Support<br />From Azure ACS, choose Add Identity Provider, then choose Facebook application<br />Enter Application ID, Application secret, and Application permissions<br />
    23. 23. Adding Facebook Support<br />Configure Relying Party Application settings<br />
    24. 24. Adding Facebook Support<br />Configure Rule Groups<br />
    25. 25. Adding Azure ACSTrusted Identity Providers<br />Demo #2<br />
    26. 26. Adding Facebook Support<br />In case the Internet didn’t work:<br />
    27. 27. Adding Facebook Support<br />In case the Internet didn’t work:<br />
    28. 28. Adding Facebook Support<br />In case the Internet didn’t work:<br />
    29. 29. Claims “Gotchas”<br />
    30. 30. Claims “Gotchas”<br />General issues for all Claims implementations<br />Search crawler requires NTLM in the zone it uses<br />“People picker” is more of a Claims “expression editor”<br />Custom code opportunity (Custom Claims Provider)<br />User Profiles<br />LDAP or BCS connection to authentication store<br />Office client integration (2007 SP2+, 2010)<br />IE 8+: Trusted Sites<br />
    31. 31. Real-Life Testimonial<br />“After migrating to Claims in SharePoint 2010, most of our users were able to log in some of the time.”<br />—A less-than-thrilled system administrator<br />
    32. 32. Claims “Gotchas”<br />Migration from MOSS to SharePoint 2010<br />Migrate FBA Users<br />$wa = get-SPWebApplication $WebAppName<br />$wa.MigrateUsers($true)<br />Portalsuperuser and Portalsuperreader properties need to be updated to reflect Claims-encoded format<br />$wa.Properties["portalsuperuseraccount"] = "i:0#.w|domainapppool"<br />$wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domainapppool"<br />$wa.Update()<br />Must migrate all providers from MOSS to 2010<br />i.e., NTLM and FBA if both existed prior to migration<br />
    33. 33. Claims Behaving Badly<br />“Funky” display of usernames<br />i:0#.w|SHRPNTAdministrator<br />i:0#.f|CustomMembershipProvider|username<br />i:0#.t|selfsts|<br />i: Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider (Web.config)<br />Windows, Forms, Trusted Identity Provider<br />
    34. 34. Claims Behaving Badly<br />Set DisplayNameproperty of SPUser<br />$user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"<br />$user.DisplayName = "John Doe"<br />$user.Update()<br />
    35. 35. Claims Behaving Badly<br />Session expiration issues with SAML Claims<br />Users can come back to the page hours later without having to log in again<br />SharePoint creates a FedAuth cookie (written to disk) that is not a Session cookie by default<br />$sts = Get-SPSecurityTokenServiceConfig<br />$sts.UseSessionCookies= $true<br />$sts.Update()<br />Set/update TokenLifetimeproperty (minutes)<br />Set-ADFSRelyingPartyTrust -TargetName "SPS 2010 ADFS" -TokenLifetime 5<br />
    36. 36. Claims Behaving Badly<br />Continuous redirection to/from login page<br />This can happen when the TokenLifetimeis less than the LogonTokenCacheExpirationWindow<br />Default LogonTokenCacheExpirationWindowin SharePoint 2010 STS is 10 minutes<br />$sts = Get-SPSecurityTokenServiceConfig<br />$sts.LogonTokenCacheExpirationWindow =(New-TimeSpan -minutes 4)<br />$sts.Update()<br />
    37. 37. Claims Behaving Badly<br />Go to the login page, enter valid credentials, press the “Log In” button, and…get redirected back to the login page (once)<br />Check the ULS logs!<br />Could be token expiration timeout<br />Could be something else<br />
    38. 38. Claims Behaving Badly<br />SPSecurityTokenService.Issue() failed:System.Runtime.InteropServices.COMException (0x800703FA): Retrieving theCOM class factory for component with CLSID{BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.<br />GPEdit: Computer Configuration > Administrative Templates > System > User Profiles<br />Do not forcefully unload the users registry at user logoff > Set to “Enabled”<br />
    39. 39. Claims Recommendations<br />
    40. 40. Claims Recommendations<br />Stick with Classic Mode Authentication if you are deploying SharePoint into a “simple” Active Directory environment<br />Particularly if strict security controls are in place that are beyond your control<br />Especially if you are only migrating from Windows authentication in MOSS<br />Once you go to Claims, you can’t go back!<br />
    41. 41. Claims Recommendations<br />If you must use Claims for your Extranet,try to minimize the number of zones/host headers used<br />Default zone should be most secure<br />Have a good “troubleshooter’s toolbox”<br />ULS Log Viewer<br />Fiddler<br />Claims Viewer web part<br />
    42. 42. Thanks for your time!See me perform at “SharePoint Got Talent”tomorrow night at 8:30!<br />
    43. 43. References & Credits<br />Shane Young – my hero!<br /><br />Plan Authentication Methods(SharePoint Server 2010)<br /><br />A Guide to Claims-Based Identity and Access Control (Microsoft Patterns and Practices)<br /><br />
    44. 44. References & Credits (cont.)<br />Steve Peschka<br /><br /><br />Project Server Blog (GREAT tips for migrating to Claims here!!!)<br /><br />
    45. 45. References & Credits (cont.)<br />Azure ACS Integration<br /><br /><br />Robert Bogue<br /><br />
    46. 46. References & Credits (cont.)<br />SelfSTS and Vittorio Bertocci<br /><br /><br />Paul Schaeflein<br /><br />
    47. 47. References & Credits (cont.)<br />Claims Viewer web part<br /><br />Fiddler<br /><br />SharePoint ULS Log Viewers<br /><br /><br />
    48. 48. References & Credits (cont.)<br />Transparent Login with Mixed Authentication<br /><br />