ESPC15 - Extending Authentication and Authorization
My talk from European SharePoint Conference 2015 in Stockholm about how to extend SharePoint authentication and authorization using federated authentication and custom claim providers.

1. Extending Authentication and Authorization
Edin Kapić
2. Edin Kapić
• SharePoint Senior Architect & Team Lead in Sogeti, Barcelona
• President of SharePoint User Group Catalonia (SUG.CAT)
• Writer at Pluralsight
• SharePoint Server / Office Servers and Services MVP
• Tinker & geek
Email: mail@edinkapic.com  Twitter: @ekapic  LinkedIn: edinkapic
3. Agenda
• SharePoint, Authentication and Authorization
• Claims
• Claims-based Authentication
• Claims-based Authorization
• Claims Augmentation and Transformation
• Claim Providers
• Federated Authentication
4. SharePoint, Authentication & Authorization
(Diagram. Authentication side: the Authentication Provider of the SharePoint Web App produces an SPUser. Authorization side: Site Collection, Site and SPRoleAssignment.)
5. SharePoint Authentication
• SharePoint doesn't authenticate by itself: an authentication provider (Windows, an ASP.NET membership provider for FBA, or a trusted token issuer) does, and SharePoint consumes the result
• SharePoint only keeps user details, in the user profile database and in the user information list of each site collection
6. SharePoint Authorization
• Associated with principals:
  • Authenticated users
  • Groups (SharePoint or AD)
  • Claims
  • App add-in identities
7. SharePoint 2013 Authentication Options
• "Classic" Windows (deprecated in SharePoint 2013)
• Claims-based:
  • Windows tokens (NTLM or Kerberos)
  • FBA
  • SAML 1.1
(Diagram: a Windows NTLM token, an FBA user and a SAML 1.1 token are each converted into a SAML token, from which the SPUser is created.)
8. App Add-In Authentication
• Add-ins have an identity and can be assigned permissions
• Add-ins are principals, together with users and groups
• Add-in identity vs. user identity
• Add-ins use OAuth to authenticate:
  • Low-trust add-ins use 3-legged OAuth, with Azure ACS as the broker (authorization server) between the add-in and SharePoint
  • High-trust (server-to-server) add-ins issue and sign their own access tokens with a certificate that SharePoint has been configured to trust; no ACS is involved
9. Claims
• A claim is a piece of your identity, claimed by some authority
• Claims are received upon presenting credentials to a claims provider
• Claims providers are trusted
• Examples:
  • Employee badge: name, department, clearance
  • Boarding pass: flight, seat, class, name
  • Paper wristband: ticket type, extra services
10. Real-world Claims
(Image slide with the labels "Identity Claims", "Specific Claims" and "Claims encoded and signed". Thanks to Spencer Harbar for the original idea.)
11. SharePoint Claims
Claims held for a Windows user. "Issuer" is who handed the claim to SharePoint, "Original Issuer" who asserted it in the first place.

Claim Type                                                            Claim Value                                 Issuer      Original Issuer
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier  demo\ekapic                                 SharePoint  SharePoint
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid    S-1-5-21-4067827123-213488314-8760374-513   SharePoint  Windows
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn             ekapic@demo.local                           SharePoint  Windows
http://schemas.microsoft.com/sharepoint/2009/08/claims/userid         0#.w|demo\ekapic                            SharePoint  SecurityTokenService
12. Claims Authentication
• SharePoint augments and transforms the incoming claims into a normalized claims identity
• This can be done by more than one claim provider
• Decouples the authentication method from the user identity
• For Windows incoming claims, the C2WTS (Claims to Windows Token Service) inside SharePoint 2013 converts claims back into a Windows identity, e.g. to reach a back-end service; it needs a UPN claim for the user and Kerberos constrained delegation with protocol transition configured for the C2WTS service account
13. Claims Authorization
• Any claim can be used as a security principal in SharePoint
• A flexible alternative to security groups
• Claims can be surfaced in the People Picker by the identity token service or by a custom claim provider
14. Claim Providers
• Augment claims and surface them in the People Picker
• Can be generic or bound to a Trusted Identity Provider
• Inherit from the SPClaimProvider abstract class
15. Claims Augmentation and Surfacing
Desired claim provider feature                   Implements (SPClaimProvider members)
Claims augmentation                              FillClaimsForEntity, SupportsEntityInformation
Claims surfacing in the People Picker            FillSchema, FillClaimTypes, FillClaimValueTypes, FillEntityTypes
Claims hierarchy in the People Picker left pane  FillHierarchy, SupportsHierarchy
Resolving typed claims in the People Picker      FillResolve, SupportsResolve
Searching for claims in the People Picker        FillSearch, SupportsSearch
Note: the Supports* properties gate the matching Fill* methods; unless the property returns true, SharePoint never calls the method.
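The encoded claim on slide 11 (0#.w|demo\ekapic), the normalization of incoming claims on slide 12 and the FillClaimsForEntity augmentation on slide 15, modelled in one added Python 3 example. This is not code from the deck or from SharePoint: the one-character code tables are reproduced from memory of the SharePoint claims encoding and should be checked against the product documentation, and the department claim type, the DeptProvider name and its directory entries are made up for the example.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional

# Encoded claim layout, e.g. "i:0#.w|demo\ekapic": "i" (identity) or "c" (other
# claim), ":", "0", claim type code, value type code ("." = string), original
# issuer code, "|", for named issuers the issuer name and a second "|", then
# the claim value. Code tables are assumed from memory; verify them.
CLAIM_TYPE_CODES: Dict[str, str] = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "+": "http://schemas.microsoft.com/sharepoint/2009/08/claims/groupsid",
    "!": "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider",
}
ISSUER_CODES = {"w": "Windows", "s": "SecurityTokenService", "f": "Forms", "t": "TrustedProvider", "c": "ClaimProvider"}
NAMELESS_ISSUERS = {"w", "s"}            # Windows and the local STS carry no issuer name
_custom_codes = itertools.count(0x01F5)  # custom claim types get codes from U+01F5 ("ǵ") upwards (assumed)

def register_claim_type(claim_type: str) -> str:
    """Return the code of a claim type, assigning a fresh one on first sight."""
    for code, known in CLAIM_TYPE_CODES.items():
        if known == claim_type:
            return code
    code = chr(next(_custom_codes))
    CLAIM_TYPE_CODES[code] = claim_type
    return code

@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str
    issuer_kind: str                   # key of ISSUER_CODES
    issuer_name: Optional[str] = None  # None for Windows and the local STS
    is_identity: bool = False

def decode_claim(encoded: str) -> Claim:
    """Parse "i:0#.w|demo\\ekapic"; the prefix-less form held in the userid claim on slide 11 is accepted too."""
    is_identity = encoded.startswith("i:")
    if encoded[:2] in ("i:", "c:"):
        encoded = encoded[2:]
    if len(encoded) < 5 or encoded[0] != "0" or encoded[4] != "|":
        raise ValueError(f"not an encoded SharePoint claim: {encoded!r}")
    type_code, value_type, issuer_code, rest = encoded[1], encoded[2], encoded[3], encoded[5:]
    if type_code not in CLAIM_TYPE_CODES or issuer_code not in ISSUER_CODES:
        raise ValueError(f"unknown claim type or issuer code in {encoded!r}")
    if value_type != ".":
        raise ValueError("only string-valued claims are modelled here")
    if issuer_code in NAMELESS_ISSUERS:
        issuer_name, value = None, rest
    else:
        issuer_name, sep, value = rest.partition("|")
        if not sep:
            raise ValueError(f"issuer name missing in {encoded!r}")
    return Claim(CLAIM_TYPE_CODES[type_code], value, issuer_code, issuer_name, is_identity)

def encode_claim(claim: Claim) -> str:
    """Inverse of decode_claim: the form SharePoint stores as login name or principal."""
    kind = "i" if claim.is_identity else "c"
    head = f"{kind}:0{register_claim_type(claim.claim_type)}.{claim.issuer_kind}|"
    if claim.issuer_kind in NAMELESS_ISSUERS:
        return head + claim.value
    return f"{head}{claim.issuer_name}|{claim.value}"

# Slide 12: which incoming claim becomes the identity. Windows and forms use the
# account name; a trusted provider uses the claim the trust was configured with
# as identifier claim (e-mail assumed here, the usual choice with ADFS).
IDENTIFIER_CLAIM_TYPE = {"w": CLAIM_TYPE_CODES["#"], "f": CLAIM_TYPE_CODES["#"], "t": CLAIM_TYPE_CODES["5"]}
DEPARTMENT_CLAIM_TYPE = "http://schemas.example.com/claims/department"  # hypothetical custom claim type
DEPARTMENT_CLAIM_CODE = register_claim_type(DEPARTMENT_CLAIM_TYPE)      # first custom code, "ǵ"

def normalize_identity(incoming: List[Claim]) -> Claim:
    """Pick the identifier claim out of whatever the provider delivered; authorization keys off it, not off the login method."""
    for claim in incoming:
        if claim.claim_type == IDENTIFIER_CLAIM_TYPE.get(claim.issuer_kind):
            return Claim(claim.claim_type, claim.value, claim.issuer_kind, claim.issuer_name, True)
    raise LookupError("authentication succeeded but no identifier claim was issued")

class DepartmentClaimProvider:
    """Hypothetical claim provider: what FillClaimsForEntity does on slide 15."""
    name = "DeptProvider"
    directory = {"demo\\ekapic": "Architecture", "ekapic@demo.local": "Architecture"}  # constructed sample data

    def fill_claims_for_entity(self, entity: Claim, claims: List[Claim]) -> None:
        department = self.directory.get(entity.value)
        if department is not None:
            claims.append(Claim(DEPARTMENT_CLAIM_TYPE, department, "c", self.name))

def build_claims_identity(incoming: List[Claim], providers) -> List[Claim]:
    """Slide 12 end to end: normalize, then let each claim provider augment the result."""
    identity = normalize_identity(incoming)
    claims = [identity] + [c for c in incoming
                           if (c.claim_type, c.value) != (identity.claim_type, identity.value)]
    for provider in providers:
        provider.fill_claims_for_entity(identity, claims)
    return claims

def has_principal(claims: List[Claim], encoded_principal: str) -> bool:
    """Slide 13: a permission granted to an encoded claim applies to a user carrying a claim of the same type, value and original issuer."""
    wanted = decode_claim(encoded_principal)
    key = (wanted.claim_type, wanted.value, wanted.issuer_kind, wanted.issuer_name)
    return any((c.claim_type, c.value, c.issuer_kind, c.issuer_name) == key for c in claims)
```

Feeding the two ADFS claims of the slide-11 user (e-mail and a Finance role, issuer name adfs) through build_claims_identity with the DepartmentClaimProvider yields the encoded set i:05.t|adfs|ekapic@demo.local, c:0-.t|adfs|Finance and c:0ǵ.c|DeptProvider|Architecture; a site permission granted to c:0-.t|adfs|Finance then matches, one granted to c:0-.t|adfs|HR does not. The original-issuer check in has_principal is the point of the encoding: a Finance role asserted by a forms role provider (c:0-.f|...) is a different principal from the one ADFS asserts.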
16. DEMO: Custom Claim Provider
17. Federated Authentication
• When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication
• A third-party Security Token Service (STS) issues a security token with claims
• The token is accepted by "clients" (Relying Parties, RP) because they trust the STS: the RP verifies the token signature against the STS signing certificate it was configured with, and checks that the token was issued for its own realm (audience)
• Tokens are digitally signed
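The slide-17 exchange in miniature, as an added Python 3 example that is not part of the deck: an STS issues a signed token carrying claims, and the relying party accepts it only because it was configured with that STS's signing key, after checking signature, audience and validity window and before believing a single claim. Real ADFS and SharePoint tokens are SAML 1.1 XML signed with the STS certificate (RSA, XML-DSig); this model uses a JSON body and an HMAC key from the standard library so that it runs anywhere. Issuer names, keys, realms and timestamps are made up.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Tuple

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SecurityTokenService:
    """IdP side: after authenticating the user (out of scope here) it issues a
    token with the claims the relying party was promised, and signs it."""

    def __init__(self, name: str, signing_key: bytes):
        self.name, self.key = name, signing_key

    def issue(self, claims: Dict[str, str], audience: str, now: int, lifetime: int = 600) -> str:
        payload = {"iss": self.name, "aud": audience, "nbf": now, "exp": now + lifetime, "claims": claims}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        signature = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{signature}"

class RelyingParty:
    """RP side (SharePoint): a trust store keyed by issuer name, plus the checks
    every token must pass before any claim in it is used."""

    def __init__(self, realm: str, trusted_issuers: Dict[str, bytes]):
        self.realm, self.trusted = realm, trusted_issuers

    def validate(self, token: str, now: int) -> Dict[str, str]:
        body, _, signature = token.partition(".")
        # The issuer name is read from the still unverified body only to choose
        # a key; a forged "iss" merely selects a key the forger does not hold.
        payload = json.loads(_unb64(body))
        key = self.trusted.get(payload.get("iss"))
        if key is None:
            raise PermissionError("issuer is not a trusted identity provider")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(signature)):
            raise PermissionError("token signature does not verify")
        if payload.get("aud") != self.realm:
            raise PermissionError("token was issued for a different relying party")
        if not payload["nbf"] <= now < payload["exp"]:
            raise PermissionError("token is outside its validity window")
        return payload["claims"]

def forge_role_claim(token: str) -> str:
    """Attacker helper for the demo: rewrite the role claim and keep the old signature."""
    body, _, signature = token.partition(".")
    payload = json.loads(_unb64(body))
    payload["claims"]["role"] = "Admin"
    return f"{_b64(json.dumps(payload, sort_keys=True).encode())}.{signature}"

def exchange(sts: SecurityTokenService, rp: RelyingParty, claims: Dict[str, str], now: int,
             tamper: Optional[Callable[[str], str]] = None) -> Tuple[str, object]:
    """One round trip: the STS issues for the RP's realm, optional tampering, the RP validates."""
    token = sts.issue(claims, rp.realm, now)
    if tamper is not None:
        token = tamper(token)
    try:
        return "accepted", rp.validate(token, now)
    except PermissionError as err:
        return "rejected", str(err)
```

With a relying party configured for the issuer https://adfs.demo.local/adfs/services/trust, a genuine token is accepted while a token with a rewritten role claim, a token from an impostor that uses the ADFS issuer name without its key, a token from an issuer not in the trust store, a token issued for another realm and an expired token are all rejected. The order of the checks matters: nothing in the body is acted on until the signature has been verified with a key the RP chose itself.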
18. Federated Authentication
• ID cards or passports are real-world examples of federated authentication
19. Federated Identity Providers
• Microsoft Active Directory Federation Services (ADFS)
• Microsoft Azure Active Directory
• Thinktecture IdentityServer
• Shibboleth
• IBM Federated Identity Manager
• ...
20. Active Directory Federation Services (ADFS)
• Part of the Windows Server features
• Can turn AD into a federated IdP
• Doesn't manage users directly, but claims, identity providers and relying parties
21. Azure Active Directory (AAD)
• "AD and ADFS in the cloud"
• Part of the Azure / Office 365 offering
• Underpins most of the Office 365 / Azure hybrid architectures
22. Thinktecture IdentityServer
• Open-source IdP based on .NET and Windows Identity Foundation (WIF)
• Modular architecture
23. DEMO: Federated Authentication with ADFS
24. Summary
• Claims-based identity and authorization are the only way forward, so make sure that you understand them well
• You can decouple user authentication from the user identity
• You can extend the user identity with additional claims
• You can get the user identity from somewhere else
25. Further Reading
• Steve Peschka's blog: https://samlman.wordpress.com
• Kirk Evans' blog: http://blogs.msdn.com/b/kaevans/
• A Guide to Claims-Based Identity and Access Control: https://msdn.microsoft.com/en-us/library/ff423674.aspx
26. Thank you! Tack så mycket! (Swedish: Thank you very much!)