ESPC15 - Extending Authentication and Authorization
Nov. 21, 2015
My talk from European SharePoint Conference 2015 in Stockholm about how to extend SharePoint authentication and authorization using federated authentication and custom claim providers.
Edin Kapić
• SharePoint Senior Architect & Team Lead in Sogeti, Barcelona
• President of SharePoint User Group Catalonia (SUG.CAT)
• Writer at Pluralsight
• SharePoint Server / Office Servers and Services MVP
• Tinker & geek
Email: mail@edinkapic.com
Twitter: @ekapic
LinkedIn: edinkapic
SharePoint, Authentication & Authorization
(Diagram: Authentication Provider → SharePoint Web App → SPUser on the authentication side; Site Collection, Site and SPRoleAssignment on the authorization side)
SharePoint Authentication
• SharePoint doesn’t authenticate by itself
• It keeps user details in the user profile database and in the user information lists in each site collection
SharePoint 2013 Authentication Options
• “Classic” Windows
  • Deprecated
• Claims-based
  • Windows tokens
  • FBA
  • SAML 1.1
(Diagram: Windows NTLM Token, FBA User and SAML 1.1 Token → SAML Token → SPUser)
App Add-In Authentication
• Add-ins have identity and can be assigned permissions
• Add-ins are principals, together with users and groups
• Add-in identity vs User identity
• Add-ins use OAuth to authenticate
• Low-trust add-ins use 3-legged OAuth (with ACS broker)
• High-trust add-ins use self-signed tokens
Claims
• A claim is a piece of your identity, claimed by some authority
• Claims are received upon presenting credentials to a claims provider
• Claims providers are trusted
• Examples
  • Employee badge: name, department, clearance
  • Boarding pass: flight, seat, class, name
  • Paper wristband: ticket type, extra services
SharePoint Claims
• Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  Claim Value: demoekapic
  Issuer: SharePoint; Original Issuer: SharePoint
• Claim Type: http://schemas.xmlsoap.org/ws/2008/06/identity/claims/primarysid
  Claim Value: S-1-5-21-4067827123-213488314-8760374-513
  Issuer: SharePoint; Original Issuer: Windows
• Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  Claim Value: ekapic@demo.local
  Issuer: SharePoint; Original Issuer: Windows
• Claim Type: http://schemas.microsoft.com/sharepoint/2009/08/claims/userid
  Claim Value: 0#.w|demoekapic
  Issuer: SharePoint; Original Issuer: SecurityTokenService
Claims Authentication
• SharePoint augments and transforms the incoming claims into a normalized claims identity
• Can be done by more than one claims provider
• Decouples the authentication method from the user identity
• For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 that converts claims back into Windows identities
Claims Authorization
• Any claim can be used as a security principal in SharePoint
• Flexible alternative to security groups
• Claims can be surfaced in People Picker by the identity token service or by a custom claims provider
Claim Providers
• Augment and surface the claims for People Picker
• Can be generic or bound to a Trusted Identity Provider
• Inherits from SPClaimProvider abstract class
Claims Augmentation and Surfacing
Desired claim provider feature → members of SPClaimProvider to implement:
• Claims augmentation: FillClaimsForEntity, SupportsEntityInformation
• Claims surfacing in People Picker: FillSchema, FillClaimTypes, FillClaimValueTypes, FillEntityTypes
• Claims hierarchy in the People Picker left side: FillHierarchy, SupportsHierarchy
• Resolving typed claims in People Picker: FillResolve, SupportsResolve
• Searching for claims in People Picker: FillSearch, SupportsSearch
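As an added example (not code from the talk), the augmentation row of the table above as a C# class: a provider that adds a department claim to every signed-in user, which can then be granted permissions as a security principal. The claim type URI, the provider name and the login-to-department table are constructed placeholders standing in for a real directory lookup.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;
// Hypothetical augmentation-only claim provider (added example, not from the talk).
// It adds a department claim to each signed-in user so that claim can be used as a
// security principal; the claim type URI and lookup table are constructed placeholders.
public class DepartmentClaimProvider : SPClaimProvider
{
    public const string DepartmentClaimType = "http://schemas.example.com/claims/department";
    private const string StringValueType = "http://www.w3.org/2001/XMLSchema#string";
    private static readonly Dictionary<string, string> DepartmentByLogin =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"demo\ekapic", "IT" },        // constructed sample data, stands in for
            { @"demo\jdoe",   "Finance" }    // an HR directory or LDAP attribute query
        };

    public DepartmentClaimProvider(string displayName) : base(displayName) { }
    public override string Name { get { return "DepartmentClaimProvider"; } }
    // Only augmentation is switched on; People Picker hierarchy/resolve/search stay off.
    public override bool SupportsEntityInformation { get { return true; } }
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return false; } }
    public override bool SupportsSearch { get { return false; } }

    // SharePoint calls this at sign-in with the user's identity claim as 'entity'.
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
    {
        if (entity == null) return;
        // Windows users arrive as a logon name; decode first if an encoded claim ("i:0#.w|...") arrives.
        string login = SPClaimProviderManager.IsEncodedClaim(entity.Value)
            ? SPClaimProviderManager.Local.DecodeClaim(entity.Value).Value
            : entity.Value;
        string department;
        if (DepartmentByLogin.TryGetValue(login, out department))
            claims.Add(CreateClaim(DepartmentClaimType, department, StringValueType));
        // Unknown users get no department claim (fail closed) rather than a guessed default.
    }

    // Remaining abstract members: advertise the claim type; picker features are left empty.
    protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(DepartmentClaimType); }
    protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(StringValueType); }
    protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.FormsRole); }
    protected override void FillSchema(SPProviderSchema schema) { }
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
    protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved) { }
    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved) { }
    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, int maxCount, SPProviderHierarchyTree searchTree) { }
}
```

Registering the provider with the farm needs a farm-scoped feature whose receiver derives from SPClaimProviderFeatureReceiver; that deployment part is not shown here.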
Federated Authentication
• When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication
• A third-party Secure Token Service (STS) issues a security token with claims
• This token is trusted by “clients” (Relying Parties, RP) because the STS is trusted by them
• Tokens are digitally signed
Federated Identity Providers
• Microsoft Active Directory Federation Services (ADFS)
• Microsoft Azure Active Directory
• Thinktecture IdentityServer
• Shibboleth
• IBM Federated Identity Manager
• ...
Active Directory Federation Services (ADFS)
• Part of Windows Server features
• Can turn AD into a federated IdP
• Doesn’t manage users directly, but claims, identity providers and relying parties
Azure Active Directory (AAD)
• “AD and ADFS in the cloud”
• Part of the Azure / Office 365 offering
• Underpins most of the Office 365 / Azure hybrid architectures
Summary
• Claims-based identity and authorization are the only way forward, so make sure that you understand them well
• You can decouple user authentication from the user identity
• You can extend your user identity with additional claims
• You can get your user identity from somewhere else
Further Reading
• Steve Peschka’s blog https://samlman.wordpress.com
• Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/
• A Guide to Claims-Based Identity and Access Control https://msdn.microsoft.com/en-us/library/ff423674.aspx
In the two latest versions of SharePoint we have seen how claims-based authentication has taken over the traditional Windows and FBA authentication. Now we have federated identity with services such as Active Directory Federation Services (ADFS) and Azure Active Directory (AAD), and authorization in the app model is handled by OAuth. Still, the vast majority of deployments use plain vanilla AD or LDAP authentication, without exploiting its flexibility and adaptability to a variety of scenarios. In this session you will learn how to extend authentication and authorization with custom claim providers, claim augmentation and transformation.
In this session you will:
• Acquaint yourself with the authorization/authentication mechanism in SharePoint/Office 365
• Learn how to extend and adapt the authentication/authorization to fit your needs
• Get to know the benefits of using ADFS for identity federation