3. Features of a Secure Application
SharePoint 2010 Authentication Options
Claims Terminology/Technology Overview
Demos
New SharePoint 2010 Web Application
Azure AppFabric ACS Trusted Identity Provider –
Facebook
Further integration of Facebook with SharePoint
via the Facebook C# SDK (now deprecated)
4. Authentication is the process of validating a
user’s identity
SharePoint never performs authentication
If the login prompt keeps appearing, think
authentication issue!
Unless it’s the dreaded
loopback check!
5. Authorization is the process of determining
the resources, features, etc. to which a user
has access
If you see “Access Denied” errors, think
authorization issue!
6. The single biggest decision of your life!
TechNet guidance:
“For new implementations of SharePoint Server
2010, you should consider claims-based
authentication.”
7. Claims Based Authentication (Tokens)
Windows Authentication: NTLM/Kerberos, Basic
Forms-Based Authentication (ASP.NET
Membership provider and Role manager)
Trusted Identity providers
Custom sign-in page
Classic Mode Authentication (“Old School”)
Windows Authentication (NTLM/Kerberos) only
Both map authenticated users to SPUser
objects (security principals)
8. What is a claim?
A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date
Whose claims do I trust, and which claims
affect authorization decisions I make?
9. Token
Serialized set of claims about an authenticated user,
digitally signed by the token’s issuer
Identity Provider-Security Token Service (IP-STS)
Validates user credentials
Builds, signs, and issues tokens containing claims
Relying party (RP)
Application that makes authorization decisions based
on claims (SharePoint 2010)
10. Decoupling of authentication logic from
authorization and personalization logic
Applications no longer need to determine who the
user is, they receive claims identifying the user
Great for developers who rarely want to work
with identity!
Provides a common way for applications to
acquire the identity information they need
about users
11. 1. “I’d like to access the budget document.”
2. “Not until you can prove to me that you
are in the Finance group.”
3. “Here is my user ID and password.”
4. “Hi, Danny. I see you are in the Finance
group. Here is a token you can use.”
5. “I’d like to access the budget document,
and here’s proof I have access to it!”
SharePoint 2010
12. WS-Trust, WS-Federation, SAML
Requesting/receiving tokens
XML representation of claims
These "emerging" technologies have actually been around
for a while
Their use in Claims-Based Identity represents a new
approach for handling identity in applications
Great potential in corporate environments
▪ Active Directory Federation Services, external LDAP, etc.
Great potential as we move to the cloud
▪ Azure ACS: Facebook, Google, Windows Live ID, etc.
14. Visual Web Part
Code behind (IClaimsPrincipal/IClaimsIdentity come from Microsoft.IdentityModel.Claims, WIF 1.0):
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
if (claimsPrincipal != null)   // the cast yields null under Classic Mode authentication
{
    IClaimsIdentity claimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity;
    GridView1.DataSource = claimsIdentity.Claims;   // each Claim exposes ClaimType, Value, Issuer, OriginalIssuer
    Page.DataBind();
}
http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
15. Similar to FBA setup for MOSS, with some
exceptions:
Authentication provider does not need to be
mapped to a separate zone
One additional Web.config to modify:
▪ C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken
▪ Add entries for connection string, Membership provider,
Role manager
▪ Same modifications for Central Admin and web app
16. Allows users to choose how to authenticate
when multiple providers are configured
(Mixed Authentication)
Custom code opportunity
http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
19. Cloud-based service that provides an easy
way of authenticating and authorizing users
to gain access to web applications
Includes support for Windows Live ID,
Google, Yahoo, and Facebook
Includes support for Active Directory
Federation Services (AD FS) 2.0
Simple browser-based management portal
$1.99/100k transactions (free until Nov. 30!)
20. Three things must be done to add support for
Facebook login to SharePoint:
1. Create a Facebook application
https://developers.facebook.com/apps
2. Configure ACS for Facebook support
Permissions you will request from Facebook users
Relying Party application and Rule Group setup
3. Configure ACS as a Trusted Identity Provider
in SharePoint
24. From the ACS management portal, add a new
Identity Provider
25. Enter App ID and App Secret values from
Facebook application you created earlier
Enter a comma-delimited list of Application
Permissions you want to request
https://developers.facebook.com/docs/reference/api/permissions/
In our demo, we will request:
email,user_location,user_hometown,user_website,user_work_history,publish_stream,user_birthday,friends_birthday
26. Permissions you request will be displayed to
the end user the first time they log in
Request the minimum subset of permissions
you will need
Users are more likely to reject bigger requests
27. Generate Rule Group
Named set of claim rules that define which
identity claims are passed from identity providers
to your relying party application
SharePoint will still need to be configured to
make use of these claims
28. Configure Relying Party application
Provide Name, Realm, and Return URL
Return URL: Realm + /_trust
29. Choose SAML 1.1 token format
Update Token lifetime to >600 seconds
Select Identity providers and Rule groups
30. Generate self-signed certificate
C:\Program Files\Microsoft Office Servers\14.0\Tools>MakeCert.exe -r -pe -n "CN=dannyjessee.accesscontrol.windows.net" -sky exchange -ss my
Self-signed, exportable, subject key type
“exchange,” store in my personal certificate store
Development only! Please use a legitimate
certificate in production!
31. Upload this certificate (.pfx format) as the
Token Signing Certificate in ACS
34. Running this PowerShell script will add
“Azure ACS v2” to the list of Trusted Identity
Providers
Eligible to be added to Claims-based web
applications in Central Administration
36. All claims whose OriginalIssuer is
TrustedProvider:Azure ACS v2
AccessToken is the key to all user data
37. https://github.com/facebook/csharp-sdk
Encapsulates calls to the Facebook Graph API
https://developers.facebook.com/docs/reference/api/
Retrieve data about the user and his/her friends
Upload photos/videos, post status messages
Data returned from Facebook in JSON format
Requests to https://graph.facebook.com/...
▪ me/feed, me/friends, me/photos, me/videos
Deprecated, no longer supported
38. SharePoint maintains its own certificate store
where separate trusts must be configured
http://dannyjessee.com/blog/index.php/2011/12/required-trust-relationships-for-the-facebook-c-sdk-in-sharepoint-2010/
Need to upload two certificates into
SharePoint (CA > Security > Manage Trust):
DigiCert High Assurance EV Root CA
DigiCert High Assurance CA-3
40. Code snippets in these slides are not
complete
Do not include proper error checking/handling
Do not include RunWithElevatedPrivileges()
delegates where appropriate
Please download the code
Do not copy and paste from these slides
I will Tweet the link and update this slide deck to
include it
41. Returned in a claim from Facebook
A new AccessToken is issued each login
Our key to all of the data about the logged in user
Required for all calls to the Facebook Graph API
Two hour lifetime by default
To leverage this token across the site, I store
it in the SPWeb.AllProperties property bag
web.AllProperties["fbAccessToken_{loginname}"]
AllProperties (not Properties) is required because SPWeb.Properties
lowercases its keys, and the claims-encoded login name is case sensitive
42. Changing to
Initial display name for the SPUser is in Claims-
encoded format (more on this later)
Want to make this more user-friendly
// CurrentUser is null until the claims user has been added to the site's user list
if (SPContext.Current.Web.CurrentUser == null)
{
    // EnsureUser takes the claims-encoded login name
    SPUser user = web.EnsureUser("i:" + claimsIdentity.Name);
    user.Name = givenName;   // givenName read from the user's claims
    user.Update();
}
43. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
JsonObject location = me["location"] as JsonObject;
myLocation = (string)location["name"];
myLocation is in City, State format
Parsed and sent to Weather Underground API
http://api.wunderground.com/api/[key]/geolookup/conditions/forecast/q/[state]/[city].json
44. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
SPList lstContacts = web.Lists["Contacts"];
SPListItem item = lstContacts.Items.Add();
item["First Name"] = (string)me["first_name"];
item["Last Name"] = (string)me["last_name"];
JsonArray work = me["work"] as JsonArray;
// Most recent/current employer stored in work[0]
JsonObject company = work[0] as JsonObject;
JsonObject employer = company["employer"] as JsonObject;
JsonObject position = company["position"] as JsonObject;
item["Company"] = (string)employer["name"];
item["Job Title"] = (string)position["name"];
item.SystemUpdate();   // SystemUpdate keeps Modified/Modified By unchanged
45. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me/friends?fields=name,birthday");
JsonArray friendData = me["data"] as JsonArray;
foreach (JsonObject friend in friendData)
{
    if (friend.ContainsKey("birthday"))
    {
        /* Some users share MM/DD of birthday, others share MM/DD/YYYY.
           We only care about MM/DD for our purposes, and
           Facebook always pads with leading zeros */
        string birthday = (string)friend["birthday"];
        birthMonth = int.Parse(birthday.Substring(0, 2));
        birthDate = int.Parse(birthday.Substring(3, 2));
        ...
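Added example, not from the deck or its downloadable code: the location string used on slide 43 and the birthday string parsed on slide 45 are both free text supplied by the Facebook user, so this helper validates each before it is spliced into a URL path or read by fixed offsets. The class and method names, the sample inputs and the "KEY" API key are constructed for illustration; only the Weather Underground URL shape and the MM/DD vs. MM/DD/YYYY behaviour come from the slides.

```csharp
using System;
using System.Globalization;

// Added example (not the deck's code): validating user-controlled profile
// fields returned by the Facebook Graph API before using them.
public static class ProfileFieldParsing
{
    // Splits "City, State" on the LAST comma (city names may contain commas),
    // trims both halves, and fails rather than returning empty segments.
    public static bool TrySplitLocation(string location, out string city, out string state)
    {
        city = state = null;
        if (string.IsNullOrWhiteSpace(location)) return false;
        int idx = location.LastIndexOf(',');
        if (idx <= 0 || idx == location.Length - 1) return false;
        city = location.Substring(0, idx).Trim();
        state = location.Substring(idx + 1).Trim();
        return city.Length > 0 && state.Length > 0;
    }

    // Builds the geolookup URL from slide 43 with every path segment
    // percent-encoded, so a location containing "/" or "?" cannot change the
    // path or add query parameters. Returns null instead of a half-built URL.
    public static string BuildWeatherUrl(string apiKey, string location)
    {
        string city, state;
        if (!TrySplitLocation(location, out city, out state)) return null;
        return "http://api.wunderground.com/api/" + Uri.EscapeDataString(apiKey)
            + "/geolookup/conditions/forecast/q/" + Uri.EscapeDataString(state)
            + "/" + Uri.EscapeDataString(city) + ".json";
    }

    // Accepts the two shapes Facebook uses, "MM/DD" and "MM/DD/YYYY", and
    // validates the calendar date instead of trusting Substring offsets.
    // year is 0 when the user shares only month and day.
    public static bool TryParseBirthday(string birthday, out int month, out int day, out int year)
    {
        month = day = year = 0;
        if (string.IsNullOrEmpty(birthday)) return false;
        string[] parts = birthday.Split('/');
        if (parts.Length != 2 && parts.Length != 3) return false;
        NumberStyles digitsOnly = NumberStyles.None;   // no sign, no whitespace
        CultureInfo inv = CultureInfo.InvariantCulture;
        if (!int.TryParse(parts[0], digitsOnly, inv, out month)) return false;
        if (!int.TryParse(parts[1], digitsOnly, inv, out day)) return false;
        if (parts.Length == 3 && !int.TryParse(parts[2], digitsOnly, inv, out year)) return false;
        // With no year given, check against a leap year so "02/29" is accepted.
        int checkYear = parts.Length == 3 ? year : 2000;
        if (month < 1 || month > 12 || day < 1 || checkYear < 1 || checkYear > 9999) return false;
        return day <= DateTime.DaysInMonth(checkYear, month);
    }

    public static void Main()
    {
        // Constructed sample inputs
        Console.WriteLine(BuildWeatherUrl("KEY", "San Jose, CA"));      // .../q/CA/San%20Jose.json
        Console.WriteLine(BuildWeatherUrl("KEY", "../../evil?x=1"));    // no comma: prints empty (null)
        int m, d, y;
        Console.WriteLine(TryParseBirthday("02/29", out m, out d, out y) ? m + "/" + d : "invalid");
        Console.WriteLine(TryParseBirthday("13/01/1990", out m, out d, out y) ? "ok" : "invalid");
    }
}
```

The point of returning false/null instead of throwing is that the original loop on slide 45 runs over every friend; one malformed value should skip that friend, not abort the whole feature.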
47. var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string, object>();
dict.Add("message", "I just posted this from SharePoint!");
dict.Add("link", "http://sugdc.org/");
dict.Add("picture", "http://sugdc.org/Portals/0/sugdcTitle4.jpg");
dict.Add("name", "SUGDC Home Page");
dict.Add("caption", "February 9, 2012");
dict.Add("description", "Come see my presentation about Claims-Based Identity in SharePoint 2010 at SUGDC!");
client.PostAsync("me/feed", dict);
48. var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string, object> {
    { "title", "I know how to post videos to Facebook...from SharePoint!" },
    { "description", "See more at SUGDC Feb. 9, 2012!" },
    { "vid1", new FacebookMediaObject { ContentType = "video/x-flv", FileName = "facebook.flv" }
                  .SetValue(File.ReadAllBytes(@"C:\facebook.flv")) }
};
client.PostAsync("me/videos", dict);
49. Silverlight application courtesy MossLover
Interfaces with the user’s webcam, saves
captured images to document library
50. Added event handler to upload to Facebook
string contentType = "image/jpeg";
var client = new Facebook.FacebookClient(fbAccessToken);
Dictionary<string, object> dict = new Dictionary<string, object> {
    { "message", "Uploaded picture from Silverlight webcam image capture in SharePoint!" },
    { "pic1", new FacebookMediaObject { ContentType = contentType, FileName = properties.ListItem.File.Name }
                  .SetValue(properties.ListItem.File.OpenBinary()) }
};
client.PostAsync("me/photos", dict);
54. General issues for all Claims implementations
Search crawler requires NTLM in the zone it uses
“People picker” is more of a Claims “expression
editor”
▪ Custom code opportunity
User Profiles
▪ LDAP or BCS connection to authentication store
Office client integration (2007 SP2+, 2010)
▪ IE 8+: Trusted Sites
No document previews with FAST Search
55. “After migrating to Claims in
SharePoint 2010, most of our users
were able to log in some of the time.”
—A less-than-thrilled system administrator
56. Migration from MOSS to SharePoint 2010
Migrate FBA Users
▪ $wa = get-SPWebApplication $WebAppName
▪ $wa.MigrateUsers($true)
Portalsuperuser and Portalsuperreader properties
need to be updated to reflect Claims-encoded format
▪ $wa.Properties["portalsuperuseraccount"] = "i:0#.w|domain\apppool"
▪ $wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domain\apppool"
▪ $wa.Update()
Must migrate all providers from MOSS to 2010
▪ i.e., NTLM and FBA if both existed prior to migration
58. Set DisplayName property of SPUser
$user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"
$user.DisplayName = "John Doe"
$user.Update()
Can also be done via SharePoint object model
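Added example, not from the deck: a decoder for the claims-encoded login names that appear on the migration slide ("i:0#.w|domain\apppool") and the DisplayName slide ("i:0#.f|CustomMembershipProvider|username"). The layout it assumes, <i or c>:0<claim type char><value type char>.<issuer char>|[provider|]value, and the handful of type/issuer characters mapped below are the well-known SharePoint 2010 encoding; the deck itself only shows the Windows and forms examples, so treat the trusted-provider e-mail form ("i:05.t|...") and the role form as an assumption of this example. Class names, the "user@example.com" value and the "garbage" input are constructed.

```csharp
using System;
using System.Collections.Generic;

// Decoded view of one claims-encoded login name (added example, not the deck's code)
public sealed class EncodedClaim
{
    public bool IsIdentityClaim;   // 'i' = identity claim, 'c' = any other claim
    public string ClaimType;       // "logon name", "email", "role" or "unknown"
    public string Issuer;          // "windows", "forms", "trusted", ... or "unknown"
    public string Provider;        // empty for Windows, otherwise the provider name
    public string Value;           // DOMAIN\user, membership user name, e-mail, role name
}

public static class ClaimsEncoding
{
    // Claim-type characters: '#' logon name, '5' e-mail, '-' role (assumed mapping)
    static readonly Dictionary<char, string> ClaimTypes = new Dictionary<char, string> {
        { '#', "logon name" }, { '5', "email" }, { '-', "role" } };
    // Original-issuer characters (assumed mapping); 'w' and 'f' are the ones the deck shows
    static readonly Dictionary<char, string> Issuers = new Dictionary<char, string> {
        { 'w', "windows" }, { 'f', "forms" }, { 't', "trusted" },
        { 'm', "membership" }, { 'r', "role provider" } };

    public static bool TryDecode(string encoded, out EncodedClaim claim)
    {
        claim = null;
        // Header is 7 characters: i:0 <type> <valuetype> <issuer> |
        if (encoded == null || encoded.Length < 8) return false;
        if ((encoded[0] != 'i' && encoded[0] != 'c') || encoded[1] != ':'
            || encoded[2] != '0' || encoded[6] != '|') return false;

        EncodedClaim c = new EncodedClaim { IsIdentityClaim = encoded[0] == 'i' };
        string name;
        c.ClaimType = ClaimTypes.TryGetValue(encoded[3], out name) ? name : "unknown";
        c.Issuer = Issuers.TryGetValue(encoded[5], out name) ? name : "unknown";

        string rest = encoded.Substring(7);
        if (encoded[5] == 'w')
        {
            // Windows names carry no provider segment; the value is DOMAIN\user
            c.Provider = "";
            c.Value = rest;
        }
        else
        {
            // Every other issuer: <provider name>|<value>
            int bar = rest.IndexOf('|');
            if (bar <= 0 || bar == rest.Length - 1) return false;
            c.Provider = rest.Substring(0, bar);
            c.Value = rest.Substring(bar + 1);
        }
        if (c.Value.Length == 0) return false;
        claim = c;
        return true;
    }

    public static void Main()
    {
        string[] samples = {
            "i:0#.w|domain\\apppool",                    // from slide 56
            "i:0#.f|CustomMembershipProvider|username",  // from slide 58
            "i:05.t|Azure ACS v2|user@example.com",      // constructed trusted-provider form
            "garbage"                                    // constructed invalid input
        };
        EncodedClaim c;
        foreach (string s in samples)
            Console.WriteLine(ClaimsEncoding.TryDecode(s, out c)
                ? s + " -> " + c.ClaimType + " issued by " + c.Issuer
                    + (c.Provider.Length > 0 ? " (" + c.Provider + ")" : "") + " = " + c.Value
                : s + " -> not a claims-encoded name");
    }
}
```

The practical use while troubleshooting a migration is checking that the issuer character and provider name in an account string (the portalsuperuseraccount values, for instance) match the provider the zone actually uses; a display name such as "John Doe" is cosmetic, while this encoded string is what SharePoint treats as the principal.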
59. Session expiration issues with SAML Claims
Users can come back to the page hours later
without having to log in again
SharePoint creates a FedAuth cookie (written to
disk) that is not a Session cookie by default
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.UseSessionCookies = $true
▪ $sts.Update()
60. Continuous redirection to/from login page
This can happen when the TokenLifetime is less
than the LogonTokenCacheExpirationWindow
▪ Default LogonTokenCacheExpirationWindow in
SharePoint 2010 STS is 10 minutes
▪ Default Token Lifetime in Azure ACS is also 10 minutes
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.LogonTokenCacheExpirationWindow =
(New-TimeSpan -minutes 1)
▪ $sts.Update()
61. Go to the login page, enter valid credentials,
press the “Log In” button, and…get
redirected back to the login page (once)
Check the ULS logs!
▪ Could be token expiration timeout
▪ Could be something else
62. SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices.COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.
GPEdit: Computer Configuration > Administrative
Templates > System > User Profiles
▪ Do not forcefully unload the users registry at user logoff
> Set to “Enabled”
64. Stick with Classic Mode Authentication if you
are deploying SharePoint into a “simple”
Active Directory environment
Particularly if strict security controls are in place
that are beyond your control
Especially if you are only migrating from Windows
authentication in MOSS
Once you go to Claims, you can’t go back!
65. If you must use Claims for your Extranet,
try to minimize the number of zones/host
headers used
Default zone should be most secure
Have a good “troubleshooter’s toolbox”
ULS Log Viewer
Fiddler
Claims Viewer web part
67. Shane Young – my hero!
http://sharepoint911.com
Plan Authentication Methods
(SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/cc262350.aspx
A Guide to Claims-Based Identity and Access
Control (Microsoft Patterns and Practices)
http://claimsid.codeplex.com/
68. Writing Claims Providers for SharePoint 2010
http://msdn.microsoft.com/en-us/library/ff699494.aspx
Implementing Claims-Based Authentication
with SharePoint Server 2010
http://www.microsoft.com/download/en/details.aspx?id=27569
70. Steve Peschka
http://blogs.technet.com/b/speschka/archive/2010/06/12/migrating-a-web-application-from-windows-classic-to-windows-claims-in-sharepoint-2010.aspx
http://msdn.microsoft.com/en-us/library/hh147183.aspx
Project Server Blog (GREAT tips for migrating
to Claims here!!!)
http://nearbaseline.com.au/blog/tag/claims/
71. SelfSTS and Vittorio Bertocci
http://archive.msdn.microsoft.com/SelfSTS
http://blogs.msdn.com/b/vbertocci/archive/2010/08/23/selfsts-when-you-need-a-saml-token-now-right-now.aspx
Paul Schaeflein
http://www.schaeflein.net/blog/Lists/Posts/Post.aspx?ID=4
Claims opens up all the doors to you…FBA, Trusted Identity Providers (external-outside world)
WS-Trust: how to request and receive security tokens
WS-Federation: architecture for clean separation between trust mechanisms, security token formats, and the protocols for obtaining tokens
SAML: XML vocabulary used to represent claims in an interoperable way
Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
As you plan custom claims providers for use with People Picker in your SharePoint solution, consider the following questions:
What will be the source of the values for the users and roles that will be displayed in People Picker query results?
What claim data do you want to resolve in the Select People and Groups dialog box?
You don’t necessarily need to go through the API or PowerShell if you have a connection to an LDAP store or a BCS connection to your authentication store. You can also map the properties yourself and leave it to the User Profile Synchronization service. That being said, if you’re dependent on BCS then you’ll also need a SharePoint Server Enterprise license, which isn’t available to all customers.
Once you’re done, you should be able to visit any of the users in your site collection and see their “Name” property set to something that is less likely to confuse your user base. Once the value is set, make sure it doesn’t get stomped by any User Profile Synchronization (UPS) that may be in place in your farm.
So basically the ticket was issued by ACS (the upstream identity provider) for 10 minutes; SharePoint checks it a millisecond later and says, “well, this ticket expires in less time than my expiration window, so go get a new ticket from ACS.”