
ESPC15 - Extending Authentication and Authorization

  1. Extending Authentication and Authorization Edin Kapić
  2. Edin Kapić • SharePoint Senior Architect & Team Lead in Sogeti, Barcelona • President of SharePoint User Group Catalonia (SUG.CAT) • Writer at Pluralsight • SharePoint Server Office Servers and Services MVP • Tinker & geek Email : Twitter : @ekapic LinkedIn : edinkapic
  3. Agenda • SharePoint, Authentication and Authorization • Claims • Claims-based Authentication • Claims-based Authorization • Claims Augmentation and Transformation • Claims Providers • Federated Authentication
  4. SharePoint, Authentication & Authorization [Diagram with elements: SharePoint Web App, Authentication Provider, SPUser, Site Collection, Site, SPRoleAssignment; labelled Authentication and Authorization]
  5. SharePoint Authentication • SharePoint doesn’t authenticate by itself • It keeps user details in the user profile database and user information lists in each site collection
  6. SharePoint Authorization • Associated with principals • Authenticated users • Groups (SharePoint or AD) • Claims • App Add-in identities
  7. SharePoint 2013 Authentication Options • “Classic” Windows • Deprecated • Claims-based • Windows tokens • FBA • SAML 1.1 [Diagram: Windows NTLM token, FBA user with SAML 1.1 token, and SAML token, each ending in an SPUser]
  8. App Add-In Authentication • Add-ins have identity and can be assigned permissions • Add-ins are principals, together with users and groups • Add-in identity vs User identity • Add-ins use OAuth to authenticate • Low-trust add-ins use 3-legged OAuth (with ACS broker) • High-trust add-ins use self-signed tokens
  9. Claims • A claim is a piece of your identity, claimed by some authority • Claims are received upon presenting credentials to a claims provider • Claims providers are trusted • Examples • Employee badge • Name, department, clearance • Boarding passes • Flight, seat, class, name • Paper Wristbands • Ticket type, extra services
  10. Real-world Claims [Diagram: identity claims and specific claims, encoded and signed] Thanks to Spencer Harbar for the original idea
  11. SharePoint Claims
      Claim Type                                    Claim Value                                 Issuer      Original Issuer
      /ws/2005/05/identity/claims/nameidentifier    demo\ekapic                                 SharePoint  SharePoint
      /ws/2008/06/identity/claims/primarysid        S-1-5-21-4067827123-213488314-8760374-513   SharePoint  Windows
      /ws/2005/05/identity/claims/upn               ekapic@demo.local                           SharePoint  Windows
      m/sharepoint/2009/08/claims/userid            0#.w|demo\ekapic                            SharePoint  SecurityTokenService
  12. Claims Authentication • SharePoint augments and transforms the incoming claims to a normalized claims identity • Can be done by more than one claims provider • Decouples the authentication method from the user identity • For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 to allow converting claims back into Windows identities
  13. Claims Authorization • Any claim can be used as a security principal in SharePoint • Flexible alternative to security groups • Claims can be surfaced by the identity token service or custom claims provider in People Picker
  14. Claim Providers • Augment and surface the claims for People Picker • Can be generic or bound to a Trusted Identity Provider • Inherits from SPClaimProvider abstract class
  15. Claims Augmentation and Surfacing
      Desired claim provider feature               Implements
      Claims augmentation                          FillClaimsForEntity, SupportsEntityInformation
      Claims surfacing in People Picker            FillSchema, FillClaimTypes, FillClaimValueTypes, FillEntityTypes
      Claims hierarchy in People Picker left side  FillHierarchy, SupportsHierarchy
      Resolving typed claims in People Picker      FillResolve, SupportsResolve
      Searching for claims in People Picker        FillSearch, SupportsSearch
  16. DEMO Custom Claim Provider
  17. Federated Authentication • When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication • A third-party Secure Token Service (STS) issues a security token with claims • The “clients” (Relying Parties, RP) trust this token because they trust the STS that issued it • Tokens are digitally signed
  18. Federated Authentication • ID cards or passports are real-world examples of federated authentication
  19. Federated Identity Providers • Microsoft Active Directory Federation Services (ADFS) • Microsoft Azure Active Directory • Thinktecture IdentityServer • Shibboleth • IBM Federated Identity Manager • ...
  20. Active Directory Federation Services (ADFS) • Part of Windows Server features • Can transform AD into a federated IdP • Doesn’t manage users directly, but claims, identity providers and relying parties
  21. Azure Active Directory (AAD) • “AD and ADFS in the cloud” • Part of the Azure / Office 365 offering • Underpins most of the Office 365 / Azure hybrid architectures
  22. Thinktecture IdentityServer • Open-source IdP based on .NET and Windows Identity Framework • Modular architecture
  23. DEMO Federated Authentication with ADFS
  24. Summary • Claims-based identity and authorization are the only way forward, so make sure that you understand them well • You can decouple user authentication from the user identity • You can extend your user identity with additional claims • You can get your user identity from somewhere else
  25. Further Reading • Steve Peschka’s blog • Kirk Evans’ blog • A Guide to Claims-Identity and Access Control
  26. Thank you! Tack så mycket! (Swedish: Thank you very much!)
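The claim provider outlined on slides 14 and 15, as an added C# example (not the deck's demo code and not part of the original page): a hypothetical DepartmentClaimProvider that augments the signed-in user's token with a department claim and lets People Picker search and resolve departments so they can be granted permissions as principals, as slide 13 describes. The claim type urn:example:claims/department, the class name and the user/department sample data are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// Hypothetical provider (not the deck's demo code): adds a department claim at sign-in and surfaces departments in People Picker.
public class DepartmentClaimProvider : SPClaimProvider
{
    public const string DepartmentClaimType = "urn:example:claims/department"; // assumed custom claim type
    private const string StringValueType = "http://www.w3.org/2001/XMLSchema#string";
    private static readonly Dictionary<string, string> UserDepartments = // constructed sample data; real code would query HR/LDAP
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) { { "demo\\ekapic", "Architecture" }, { "demo\\jdoe", "Finance" } };
    private static readonly string[] Departments = { "Architecture", "Finance", "Legal" };

    public DepartmentClaimProvider(string displayName) : base(displayName) { }
    public override string Name => "DepartmentClaimProvider";
    public override bool SupportsEntityInformation => true; // enables FillClaimsForEntity (augmentation)
    public override bool SupportsHierarchy => false;        // no left-side tree in People Picker, so FillHierarchy stays empty
    public override bool SupportsResolve => true; public override bool SupportsSearch => true;

    protected override void FillClaimsForEntity(Uri ctx, SPClaim entity, List<SPClaim> claims)
    {
        string dept; // entity.Value is the signed-in user's identity claim value (e.g. "demo\ekapic" for Windows sign-in)
        if (UserDepartments.TryGetValue(entity.Value, out dept)) claims.Add(CreateClaim(DepartmentClaimType, dept, StringValueType));
    }

    // Surfacing: which claim type, value type, entity type and columns this provider returns to People Picker.
    protected override void FillClaimTypes(List<string> t) => t.Add(DepartmentClaimType);
    protected override void FillClaimValueTypes(List<string> t) => t.Add(StringValueType);
    protected override void FillEntityTypes(List<string> t) => t.Add(SPClaimEntityTypes.FormsRole);
    protected override void FillSchema(SPProviderSchema s) =>
        s.AddSchemaElement(new SPSchemaElement(PeopleEditorEntityDataKeys.DisplayName, "Display Name", SPSchemaElementType.Both));
    protected override void FillHierarchy(Uri ctx, string[] types, string nodeId, int levels, SPProviderHierarchyTree tree) { }

    // Search: prefix match on department names, capped at max. Resolve: exact match on typed text or on an encoded claim.
    protected override void FillSearch(Uri ctx, string[] types, string pattern, int max, SPProviderHierarchyTree tree)
    {
        foreach (var d in Departments.Where(x => x.StartsWith(pattern, StringComparison.OrdinalIgnoreCase)).Take(max))
            tree.AddEntity(MakeEntity(d));
    }
    protected override void FillResolve(Uri ctx, string[] types, string input, List<PickerEntity> resolved)
    {
        var d = Departments.FirstOrDefault(x => x.Equals(input, StringComparison.OrdinalIgnoreCase));
        if (d != null) resolved.Add(MakeEntity(d));
    }
    protected override void FillResolve(Uri ctx, string[] types, SPClaim input, List<PickerEntity> resolved)
    { if (input.ClaimType == DepartmentClaimType) FillResolve(ctx, types, input.Value, resolved); }

    private PickerEntity MakeEntity(string department) // PickerEntity is what People Picker displays and stores
    {
        var pe = CreatePickerEntity();
        pe.Claim = CreateClaim(DepartmentClaimType, department, StringValueType);
        pe.DisplayText = department; pe.IsResolved = true; pe.EntityType = SPClaimEntityTypes.FormsRole; // role-like, not a user
        pe.EntityData[PeopleEditorEntityDataKeys.DisplayName] = department;
        return pe;
    }
}
```

Registering the provider takes a farm-scoped feature with an SPClaimProviderFeatureReceiver; because augmentation runs inside the SharePoint STS, the assembly has to be deployed to every server in the farm.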

Editor's Notes

  1. In the two latest versions of SharePoint, we have seen how claims-based authentication has taken over the traditional Windows and FBA authentication. Now we have federated identity with services such as Active Directory Federation Services (ADFS) and Azure Active Directory (AAD), and authorization in the app model is handled by OAuth. Still, the vast majority of deployments use plain vanilla AD or LDAP authentication, without exploiting the flexibility and adaptability that claims offer across a variety of scenarios. In this session you will learn how to extend authentication and authorization with custom claim providers, claim augmentation and transformation. In this session you will:
     - Acquaint yourself with the authorization/authentication mechanism in SharePoint/Office 365
     - Learn how to extend and adapt the authentication/authorization to fit your needs
     - Get to know the benefits of using ADFS for identity federation