Claims-Based Identity in SharePoint 2010


Published on

Danny Jessee's presentation on Claims-based identity in SharePoint 2010 for SharePoint Saturday Virginia Beach (SPSVB) January 7, 2012.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Claims opens up all the doors to you…FBA, Trusted Identity Providers (external-outside world)
  • WS-Trust: how to request and receive security tokensWS-Federation: architecture for cleanseparation between trust mechanisms, security tokens formats, and the protocols for obtaining tokensSAML: XML vocabulary used to represent claims in an interoperable way
  • Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
  • Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
  • Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
  • As you plan custom claims providers for use with People Picker in your SharePoint solution, consider the following questions:What will be the source of the values for the users and roles that will be displayed in People Picker query results?What claim data do you want to resolve in the Select People and Groups dialog box?You don’t necessarily need to go through the API or PowerShell, if you have a connection to an LDAP store or a BCS connection to your auth store. You can also map the properties yourself and leave it to the User Profile Synchronization service. That being said, if you’re dependent on BCS then you’ll also need to have SharePoint Enterprise Server license which isn’t available to all customers.Once you’re done you should be able to visit any of the users in your site collection and see their “Name” property set to something that is less likely to confuse your user base. Once the value is set, it helps to make sure that it doesn’t get stomped with any User Profile Synchronization (UPS) that may be in place in your farm.
  • So basically the ticket was issued by ACS/upstream identity provider for 10 minutes, SharePoint checks it a millisecond later and says, wall this ticket expires in less time that my expiration window, so go get a new ticket from ACS.
  • And, of course, always test testtest…
  • Claims-Based Identity in SharePoint 2010

    1. 1. A real-world perspective on Claims-Based Identity in SharePoint 2010
    2. 2.  SharePoint Evangelist at Circinus  Northern Virginia-based SDVOSB Senior developer on SharePoint deployments for government and DoD customers since 2004  I get involved with administration when I have to… MCPD – SharePoint Developer 2010 MCTS – SharePoint 2010 Configuration CloudShare Honorary MVP for 2011 Twitter: @dannyjessee Blog:
    3. 3.  Features of a Secure Application SharePoint 2010 Authentication Options Claims Terminology/Technology Overview Demos  New SharePoint 2010 Web Application  Azure AppFabric ACS Trusted Identity Provider – Facebook  Further integration of Facebook with SharePoint Claims “Gotchas”  General issues for all Claims implementations  Migration issues from MOSS to SharePoint 2010  Claims Behaving Badly Recommendations
    4. 4.  Authentication is the process of validating a user’s identity  SharePoint never performs authentication If the login prompt keeps appearing, think authentication issue!  Unless it’s the dreaded loopback check!
    5. 5.  Authorization is the process of determining the resources, features, etc. to which a user has access If you see “Access Denied” errors, think authorization issue!
    6. 6.  The single biggest decision of your life! TechNet guidance:  “For new implementations of SharePoint Server 2010, you should consider claims-based authentication.”
    7. 7.  Claims Based Authentication (Tokens)  Windows Authentication: NTLM/Kerberos, Basic  Forms-Based Authentication (ASP.NET Membership provider and Role manager)  Trusted Identity providers  Custom sign-in page Classic Mode Authentication (“Old School”)  Windows Authentication (NTLM/Kerberos) only Both map authenticated users to SPUser objects (security principals)
    8. 8.  What is a claim?  A piece of information describing a user ▪ Name ▪ Email Address ▪ Role/Group membership ▪ Age ▪ Hire Date Whose claims do I trust, and which claims affect authorization decisions I make?
    9. 9.  Token  Serialized set of claims about an authenticated user, digitally signed by the token’s issuer Identity Provider-Security Token Service (IP-STS)  Validates user credentials  Builds, signs, and issues tokens containing claims Relying party (RP)  Applications that makes authorization decisions based on claims (SharePoint 2010)
    10. 10.  Decoupling of authentication logic from authorization and personalization logic  Applications no longer need to determine who the user is, they receive claims identifying the user  Great for developers who rarely want to work with identity! Provides a common way for applications to acquire the identity information they need about users
    11. 11. 1. “I’d like to access the budget document.”2. “Not until you can prove to me that you are in the Finance group.”3. “Here is my user ID and password.”4. “Hi, Danny. I see you are in the Finance group. Here is a token you can use.”5. “I’d like to access the budget document, and here’s proof I have access to it!” SharePoint 2010
    12. 12.  WS-Trust, WS-Federation, SAML  Requesting/receiving tokens  XML representation of claims These emerging technologies have been around for awhile  Their use in Claims-Based Identity represents a new approach for handling identity in applications  Great potential in corporate environments ▪ Active Directory Federation Services, external LDAP, etc.  Great potential as we move to the cloud ▪ Azure ACS: Facebook, Google, Windows Live ID, etc.
    13. 13.  Visual Web Part Code behind:IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;IClaimsIdentity claimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity;GridView1.DataSource = claimsIdentity.Claims;Page.DataBind();
    14. 14.  Similar to FBA setup for MOSS, with some exceptions:  Authentication provider does not need to be mapped to a separate zone  One additional Web.config to modify: ▪ C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions14WebServicesSecurityToken ▪ Add entries for connection string, Membership provider, Role manager ▪ Same modifications for Central Admin and web app
    15. 15.  Allows users to choose how to authenticate when multiple providers are configured (Mixed Authentication) Custom code opportunity  sharepoint-2010-mixed-authentication-automatic- login.aspx
    16. 16. Demo #1
    17. 17.  Cloud-based service that provides an easy way of authenticating and authorizing users to gain access to web applications Includes support for Windows Live ID, Google, Yahoo, and Facebook Includes support for Active Directory Federation Services (AD FS) 2.0 Simple browser-based management portal $1.99/100k transactions (free until Nov. 30!)
    18. 18.  Three things must be done to add support for Facebook login to SharePoint:1. Create a Facebook application  Configure ACS for Facebook support  Permissions you will request from Facebook users  Relying Party application and Rule Group setup3. Configure ACS as a Trusted Identity Provider in SharePoint
    19. 19. Demo #2
    20. 20.  Click “Create New App” Provide Display Name and Namespace Note App ID and App Secret values Provide Website URL to ACS
    21. 21. Demo #3
    22. 22.  From the ACS management portal, add a new Identity Provider
    23. 23.  Enter App ID and App Secret values from Facebook application you created earlier Enter a comma-delimited list of Application Permissions you want to request  api/permissions/ In our demo, we will request:  email,user_location,user_hometown,user_website, user_work_history,publish_stream,user_birthday, friends_birthday
    24. 24.  Permissions you request will be displayed to the end user the first time they log in Request the minimum subset of permissions you will need  Users are more likely to reject bigger requests
    25. 25.  Generate Rule Group  Named set of claim rules that define which identity claims are passed from identity providers to your relying party application SharePoint will still need to be configured to make use of these claims
    26. 26.  Configure Relying Party application Provide Name, Realm, and Return URL  Return URL: Realm + /_trust
    27. 27.  Choose SAML 1.1 token format Update Token lifetime to >600 seconds Select Identity providers and Rule groups
    28. 28.  Generate self-signed certificate  C:Program FilesMicrosoft Office Servers14.0Tools>MakeCert.exe -r -pe -n "" -sky exchange -ss my  Self-signed, exportable, subject key type “exchange,” store in my personal certificate store Development only! Please use a legitimate certificate in production!
    29. 29.  Upload this certificate (.pfx format) as the Token Signing Certificate in ACS
    30. 30. Demo #4
    31. 31.  New-SPTrustedRootAuthority  Name, Certificate (self-signed .cer made earlier) New-SPClaimTypeMapping  IncomingClaimType  IncomingClaimTypeDisplayName  LocalClaimType (or SameAsIncoming) New-SPTrustedIdentityTokenIssuer  Name, Realm, ImportTrustCertificate  ClaimsMappings, SignInUrl, IdentifierClaim
    32. 32.  Running this PowerShell script will add “Azure ACS v2” to the list of Trusted Identity Providers Eligible to be added to Claims-based web applications in Central Administration
    33. 33. Demo #5
    34. 34.  All claims whose OriginalIssuer is TrustedProvider:Azure ACS v2 AccessToken is the key to all user data
    35. 35.  Encapsulates calls to the Facebook Graph API  api/  Retrieve data about the user and his/her friends  Upload photos/videos, post status messages  Data returned from Facebook in JSON format  Requests to ▪ me/feed, me/friends, me/photos, me/videos
    36. 36.  SharePoint maintains its own certificate store where separate trusts must be configured 12/required-trust-relationships-for-the- facebook-c-sdk-in-sharepoint-2010/ Need to upload two certificates into SharePoint (CA > Security > Manage Trust):  DigiCert High Assurance EV Root CA  DigiCert High Assurance CA-3
    37. 37. Demo #6
    38. 38.  Code snippets in these slides are not complete  Do not include proper error checking/handling  Do not include RunWithElevatedPrivileges() delegates where appropriate Please download the code  Do not copy and paste from these slides  I will Tweet the link and update this slide deck to include it
    39. 39.  Returned in a claim from Facebook  A new AccessToken is issued each login  Our key to all of the data about the logged in user  Required for all calls to the Facebook Graph API Two hour lifetime by default To leverage this token across the site, I store it in the SPWeb.AllProperties property bag  web.AllProperties[“fbAccessToken_{loginname}”]  AllProperties required for case sensitivity
    40. 40.  Changing to Initial display name for the SPUser is in Claims- encoded format (more on this later) Want to make this more user-friendlyif (SPContext.Current.Web.CurrentUser == null){ SPUser user = web.EnsureUser("i:" + claimsIdentity.Name); currentUser.Name = givenName; currentUser.Update();}
    41. 41. var client = new Facebook.FacebookClient(token);var me = (IDictionary<string, object>)client.Get("me");JsonObject location = me["location"] as JsonObject;myLocation = (string)location["name"]; myLocation is in City, State format Parsed and sent to Weather Underground API [key]/ geolookup/conditions/forecast/q/[state]/ [city].json
    42. 42. var client = new Facebook.FacebookClient(token);var me = (IDictionary<string, object>)client.Get("me");SPList lstContacts = web.Lists["Contacts"];SPListItem item = lstContacts.Items.Add();item["First Name"] = (string)me["first_name"];item["Last Name"] = (string)me["last_name"];JsonArray work = me["work"] as JsonArray;// Most recent/current employer stored in work[0]JsonObject company = work[0] as JsonObject;JsonObject employer = company["employer"] as JsonObject;JsonObject position = company["position"] as JsonObject;item["Company"] = (string)employer["name"];item["Job Title"] = (string)position["name"];item.SystemUpdate();
    43. 43. var client = new Facebook.FacebookClient(token);var me = (IDictionary<string, object>)client.Get("me/friends?fields=name,birthday");JsonArray friendData = me["data"] as JsonArray;foreach (JsonObject friend in friendData){ if (friend.ContainsKey("birthday")) { /* Some users share MM/DD of birthday, others share MM/DD/YYYY We only care about MM/DD for our purposes, and Facebook always pads with leading zeros */ string birthday = (string)friend["birthday"]; birthMonth = int.Parse(birthday.Substring(0, 2)); birthDate = int.Parse(birthday.Substring(3, 2)); ...
    44. 44. SPList lstCalendar = web.Lists["Calendar"];SPListItem birthdayItem = lstCalendar.Items.Add();birthdayItem["Title"] = name + (name.EndsWith("s") ? " birthday" :"s birthday");birthdayItem["EventDate"] = dtBirthday;birthdayItem[SPBuiltInFieldId.Duration] = 60 * 60 * 24;birthdayItem[SPBuiltInFieldId.EventType] = 1;birthdayItem[SPBuiltInFieldId.fRecurrence] = true;birthdayItem[SPBuiltInFieldId.fAllDayEvent] = true;string recurrence ="<recurrence><rule><firstDayOfWeek>su</firstDayOfWeek>" +"<repeat><yearly yearFrequency=1 month=" + birthMonth.ToString()+ " day=" + birthDate.ToString() + " /></repeat>" +"<windowEnd>2014-01-01T00:00:00Z</windowEnd></rule></recurrence>";birthdayItem["RecurrenceData"] = recurrence;birthdayItem.SystemUpdate();
    45. 45. var client = new Facebook.FacebookClient(token);Dictionary<string, object> dict = new Dictionary<string,object>();dict.Add("message", "I just posted this from SharePoint!");dict.Add("link","");dict.Add("picture","");dict.Add("name", "SharePoint Saturday Virginia Beach");dict.Add("caption", "January 7, 2012");dict.Add("description", "Come see my presentation aboutClaims-Based Identity in SharePoint 2010 at SPSVB!");client.PostAsync("me/feed", dict);
    46. 46. var client = new Facebook.FacebookClient(token);Dictionary<string, object> dict = new Dictionary<string,object> { { "title", "I know how to post videos toFacebook...from SharePoint!" }, { "description", "See more at SPSVB Saturday, January7, 2012!" }, { "vid1", new FacebookMediaObject { ContentType ="video/x-flv", FileName = "facebook.flv"}.SetValue(File.ReadAllBytes(@"C:facebook.flv")) }};client.PostAsync("me/videos", dict);
    47. 47.  Silverlight application courtesy MossLover Interfaces with the user’s webcam, saves captured images to document library
    48. 48.  Added event handler to upload to Facebookstring contentType = "image/jpeg";var client = new Facebook.FacebookClient(fbAccessToken);Dictionary<string, object> dict = new Dictionary<string,object> { { "message", "Uploaded picture from Silverlight webcamimage capture in SharePoint!" }, { "pic1", new FacebookMediaObject { ContentType =contentType, FileName = properties.ListItem.File.Name}.SetValue(properties.ListItem.File.OpenBinary()) }};client.PostAsync("me/photos", dict);
    49. 49.  General issues for all Claims implementations  Search crawler requires NTLM in the zone it uses  “People picker” is more of a Claims “expression editor” ▪ Custom code opportunity  User Profiles ▪ LDAP or BCS connection to authentication store  Office client integration (2007 SP2+, 2010) ▪ IE 8+: Trusted Sites  No document previews with FAST Search
    50. 50. “After migrating to Claims inSharePoint 2010, most of our userswere able to log in some of the time.” —A less-than-thrilled system administrator
    51. 51.  Migration from MOSS to SharePoint 2010  Migrate FBA Users ▪ $wa = get-SPWebApplication $WebAppName ▪ $wa.MigrateUsers($true)  Portalsuperuser and Portalsuperreader properties need to be updated to reflect Claims-encoded format ▪ $wa.Properties["portalsuperuseraccount"] = "i:0#.w|domainapppool" ▪ $wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domainapppool" ▪ $wa.Update()  Must migrate all providers from MOSS to 2010 ▪ i.e., NTLM and FBA if both existed prior to migration
    52. 52.  “Funky” display of usernames  i:0#.w|SHRPNTAdministrator  i:0#.f|CustomMembershipProvider|username  i:0#.t|selfsts| ▪ i: Microsoft.SharePoint.Administration.Claims. SPClaimsAuthMembershipProvider (Web.config) ▪ windows, forms, trusted Identity Provider
    53. 53.  Set DisplayName property of SPUser  $user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"  $user.DisplayName = "John Doe"  $user.Update() Can also be done via SharePoint object model
    54. 54.  Session expiration issues with SAML Claims  Users can come back to the page hours later without having to log in again  SharePoint creates a FedAuth cookie (written to disk) that is not a Session cookie by default ▪ $sts = Get-SPSecurityTokenServiceConfig ▪ $sts.UseSessionCookies = $true ▪ $sts.Update()
    55. 55.  Continuous redirection to/from login page  This can happen when the TokenLifetime is less than the LogonTokenCacheExpirationWindow ▪ Default LogonTokenCacheExpirationWindow in SharePoint 2010 STS is 10 minutes ▪ Default Token Lifetime in Azure ACS is also 10 minutes ▪ $sts = Get-SPSecurityTokenServiceConfig ▪ $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1) ▪ $sts.Update()
    56. 56.  Go to the login page, enter valid credentials, press the “Log In” button, and…get redirected back to the login page (once)  Check the ULS logs! ▪ Could be token expiration timeout ▪ Could be something else
    57. 57.  SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices. COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.  GPEdit: Computer Configuration > Administrative Templates > System > User Profiles ▪ Do not forcefully unload the users registry at user logoff > Set to “Enabled”
    58. 58.  Stick with Classic Mode Authentication if you are deploying SharePoint into a “simple” Active Directory environment  Particularly if strict security controls are in place that are beyond your control  Especially if you are only migrating from Windows authentication in MOSS  Once you go to Claims, you can’t go back!
    59. 59.  If you must use Claims for your Extranet, try to minimize the number of zones/host headers used  Default zone should be most secure Have a good “troubleshooter’s toolbox”  ULS Log Viewer  Fiddler  Claims Viewer web part
    60. 60.  Shane Young – my hero!  Plan Authentication Methods (SharePoint Server 2010)  us/library/cc262350.aspx A Guide to Claims-Based Identity and Access Control (Microsoft Patterns and Practices) 
    61. 61.  Writing Claims Providers for SharePoint 2010  us/library/ff699494.aspx Implementing Claims-Based Authentication with SharePoint Server 2010  spx?id=27569
    62. 62.  Transparent Login with Mixed Authentication  6/23/sharepoint-2010-mixed-authentication- automatic-login.aspx C# Facebook SDK  Azure ACS and Facebook  us/library/gg185967.aspx
    63. 63.  Steve Peschka  0/06/12/migrating-a-web-application-from- windows-classic-to-windows-claims-in- sharepoint-2010.aspx  us/library/hh147183.aspx Project Server Blog (GREAT tips for migrating to Claims here!!!) 
    64. 64.  SelfSTS and Vittorio Bertocci   8/23/selfsts-when-you-need-a-saml-token-now- right-now.aspx Paul Schaeflein  spx?ID=4
    65. 65.  Claims Viewer web part  /Pages/Post.aspx?_ID=32 Fiddler  SharePoint ULS Log Viewers  
    66. 66.  Azure ACS Integration  ve/2011/04/21/windows-azure-access-control- services-federation-with-facebook.aspx  1-07-29/20983.html Robert Bogue 