SlideShare a Scribd company logo
1 of 31
Download to read offline
Silber-Partner: Veranstalter:
Extending Authentication and
Authorization
Edin Kapić
Edin Kapić
• SharePoint Senior
Architect & Team Lead
in Sogeti, Barcelona
• President of SharePoint
User Group Catalonia
(SUG.CAT)
• Writer at Pluralsight
• SharePoint Server Office
Servers and Services
MVP
• Tinker & geek
Email : mail@edinkapic.com
Twitter : @ekapic
LinkedIn : edinkapic
Agenda
• SharePoint, Authentication and Authorization
• Claims
– Claims-based Authentication
– Claims-based Authorization
– Claims Augmentation and Transformation
– Claims Providers
• Federated Authentication
SharePoint, Authentication &
Authorization
SharePoint Web App
Authentication
Provider
SPUser
Site Collection
Site
SPRoleAssignment
Authentication
Authorization
Authentifizierung
Autorisierung
SharePoint Authentication
• SharePoint doesn’t
authenticate by itself
• It keeps user details in the
user profile database and
user information lists in each
site collection
SharePoint Authorization
• Associated with principals
– Authenticated users
– Groups (SharePoint or AD)
– Claims
– App Add-in identities
SharePoint 2013 Authentication
Options
• “Classic” Windows
– Deprecated
• Claims-based
– Windows tokens
– FBA
– SAML 1.1
Windows NTLM Token
Windows NTLM Token
FBA User
SAML 1.1 Token
SAML Token
SPUser
App Add-In Authentication
• Add-ins have identity and can be assigned permissions
– Add-ins are principals, together with users and groups
• Add-in identity vs User identity
• Add-ins use OAuth to authenticate
– Low-trust add-ins use 3-legged OAuth (with ACS broker)
– High-trust add-ins use self-signed tokens
Claims (Ansprüche)
• A claim is a piece of your identity, claimed by some authority
• Claims are received upon presenting credentials to a claims
provider
• Claims providers are trusted
• Examples
– Employee badge
• Name, department, clearance
– Boarding passes
• Flight, seat, class, name
– Paper Wristbands
• Ticket type, extra services
Real-world Claims
Identity Claims
Specific Claims
Claims encoded and signed
Thanks to Spencer Harbar for the original idea
SharePoint Claims
Claim Type Claim Value Issuer Original Issuer
http://schemas.xmlsoap.o
rg/ws/2005/05/identity/cl
aims/nameidentifier
demoekapic SharePoint SharePoint
http://schemas.xmlsoap.o
rg/ws/2008/06/identity/cl
aims/primarysid
S-1-5-21-4067827123-
213488314-8760374-
513
SharePoint Windows
http://schemas.xmlsoap.o
rg/ws/2005/05identity/cla
ims/upn
ekapic@demo.local SharePoint Windows
http://schemas.microsoft.
com/sharepoint/2009/08/
claims/userid
0#.w|demoekapic SharePoint SecurityTokenService
Claims Authentication
• SharePoint augments and transforms the incoming
claims to a normalized claims identity
• Can be done by more than one claims provider
• Decouples the authentication method from the user
identity
• For Windows incoming claims, there is a C2WTS
(Claims to Windows Token Service) inside SharePoint
2013 to allow converting claims back into Windows
identities
Claims Format
Claim Claim Parts
i:0#.w|spdemoedin • •“i” for an identity claim
• •“#” for the user logon name format for the claim
value
• •“.” for a string
• •“w” for Windows claims
• •“spdemoedin” for the identity claim value (the
Windows account name)
i:0e.t|adfs|edin@spdemo.local • •“i” for an identity claim
• •“e” for the UPN property of the claim value
• •“.” for a string
• •“t” for a trusted issuer
• •“adfs” identifies the original issuer of the identity
claim
• •“edin@spdemo.local” for the identity claim value
http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>
|<OriginalIssuer (optional)>
|<ClaimValue>
Claims Authorization
• Any claim can be used as
a security principal in
SharePoint
• Flexible alternative to
security groups
• Claims can be surfaced
by the identity token
service or custom claims
provider in People Picker
Claim Providers
• Augment and surface the claims for People Picker
• Can be generic or bound to a Trusted Identity Provider
• Inherits from SPClaimProvider abstract class
• But, take care about thread safety:
http://blogs.msdn.com/b/yvan_duhamel/archive/2014/05/21/thread-safety-in-custom-
claims-providers.aspx
Claims Augmentation and
Surfacing
Desired claim provider feature Implements
Claims augmentation FillClaimsForEntity
SupportsEntityInformation
Claims surfacing in People Picker FillSchema
FillClaimTypes
FillClaimValueTypes
FillEntityTypes
Claims hierarchy in People Picker left side FillHierarchy
SupportsHierarchy
Resolving typed claims in People Picker FillResolve
SupportsResolve
Searching for claims in People Picker FillSearch
SupportsSearch
DEMO
Custom Claim Provider
Federated Authentication
• When the identity provider (IdP) is distinct from
Windows (or FBA), we have federated authentication
• Third-party Secure Token Service (STS) issues a security
token with claims
• This token is trusted by “clients” (Relying Parties, RP) as
the STS is trusted by them
• Tokens are digitally signed to prevent tampering
Federated Authentication
• ID cards or
passports are real-
world examples of
federated
authentication
Federated Identity Providers
• Microsoft Active Directory
Federation Services (ADFS)
• Microsoft Azure Active
Directory
• Thinktecture IdentityServer
• Shibboleth
• IBM Federated Identity
Manager
• ...
Active Directory Federation
Services (ADFS)
• Part of Windows
Server features
• Can transform AD
into a federated IdP
• Doesn’t manage
users directly, but
claims, identity
providers and relying
parties
Azure Active Directory (AAD)
• “AD and ADFS in the cloud”
• Part of Azure / Office 365
offering
• Underpins the most of the
Office 365 / Azure hybrid
architectures
Thinktecture IdentityServer
• Open-source IdP based on .NET and Windows Identity
Framework
• Modular architecture
DEMO
Federated Authentication with
ADFS
Summary
• Claims-based identity and authorization are the only
way forward, so make sure that you understand them
well
• You can decouple user authentication from the user
identity
• You can extend your user identity with additional claims
• You can get your user identity from somewhere else
Additional Tools
• LDAP/AD Claims Provider
– Surfaces users from ADFS / AD into claims-enabled People Picker
• https://ldapcp.codeplex.com/
Additional Tools
• SharePoint Identity Service
– Service application for SharePoint
• https://spidentityservice.codeplex.com/
Further Reading
• Steve Peschka’s blog https://samlman.wordpress.com
• Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/
• A Guide to Claims-Identity and Access Control
https://msdn.microsoft.com/en-
us/library/ff423674.aspx
FRAGEN?
Ich freue mich auf Ihr Feedback!
Silber-Partner: Veranstalter:
Vielen Dank!
Edin Kapić

More Related Content

What's hot

The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CAnton Staykov
 
DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010Spencer Harbar
 
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018Chris Gillum
 
SharePoint 2013 APIs demystified
SharePoint 2013 APIs demystifiedSharePoint 2013 APIs demystified
SharePoint 2013 APIs demystifiedSPC Adriatics
 
A Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2CA Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2CJohn Garland
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...SPC Adriatics
 
Oauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted appsOauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted appsJames Tramel
 
DevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easyDevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easySjoukje Zaal
 
Dear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2BDear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2BSjoukje Zaal
 
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje ZaalO365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje ZaalNCCOMMS
 
Intelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easyIntelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easySjoukje Zaal
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittalManoj Mittal
 
Identity Management in SharePoint 2013
Identity Management in SharePoint 2013Identity Management in SharePoint 2013
Identity Management in SharePoint 2013SPC Adriatics
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)Jay Simcox
 
Azure Saturday: External Collaboration With Azure AD B2B
Azure Saturday:  External Collaboration With Azure AD B2BAzure Saturday:  External Collaboration With Azure AD B2B
Azure Saturday: External Collaboration With Azure AD B2BSjoukje Zaal
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersCorey Roth
 

What's hot (19)

The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
 
DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010
 
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
 
SharePoint 2013 APIs demystified
SharePoint 2013 APIs demystifiedSharePoint 2013 APIs demystified
SharePoint 2013 APIs demystified
 
A Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2CA Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2C
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...
 
Oauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted appsOauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted apps
 
DevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easyDevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easy
 
Dear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2BDear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2B
 
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje ZaalO365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
 
Intelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easyIntelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easy
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
 
AD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep Dive
 
Identity Management in SharePoint 2013
Identity Management in SharePoint 2013Identity Management in SharePoint 2013
Identity Management in SharePoint 2013
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)
 
Azure B2C
Azure B2CAzure B2C
Azure B2C
 
Azure Saturday: External Collaboration With Azure AD B2B
Azure Saturday:  External Collaboration With Azure AD B2BAzure Saturday:  External Collaboration With Azure AD B2B
Azure Saturday: External Collaboration With Azure AD B2B
 
SharePoint 2013 and ADFS
SharePoint 2013 and ADFSSharePoint 2013 and ADFS
SharePoint 2013 and ADFS
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
 

Similar to Extending Authentication and Authorization

ESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and AuthorizationESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and AuthorizationEdin Kapic
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Joris Poelmans
 
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...Envision IT
 
NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraMorgan Simonsen
 
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?Liam Cleary [MVP]
 
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365Envision IT
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...Brian Culver
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...NCCOMMS
 
Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020Microsoft 365 Developer
 
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...Envision IT
 
Introduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2CIntroduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2CJoonas Westlin
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthKashif Imran
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenNCCOMMS
 
Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Jonathan Schultz
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...Liam Cleary [MVP]
 
Spsbe15 high-trust apps for on-premises development
Spsbe15   high-trust apps for on-premises developmentSpsbe15   high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises developmentBIWUG
 
Wso2 is integration with .net core
Wso2 is   integration with .net coreWso2 is   integration with .net core
Wso2 is integration with .net coreIsmaeel Enjreny
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Danny Jessee
 
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ..."Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...Fwdays
 

Similar to Extending Authentication and Authorization (20)

ESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and AuthorizationESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and Authorization
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
 
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
 
NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
 
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
 
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
 
Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020
 
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
 
Introduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2CIntroduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2C
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
 
Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
 
Spsbe15 high-trust apps for on-premises development
Spsbe15   high-trust apps for on-premises developmentSpsbe15   high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises development
 
SPSBE 2013 Claims for devs
SPSBE 2013 Claims for devsSPSBE 2013 Claims for devs
SPSBE 2013 Claims for devs
 
Wso2 is integration with .net core
Wso2 is   integration with .net coreWso2 is   integration with .net core
Wso2 is integration with .net core
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010
 
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ..."Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
 

More from Edin Kapic

Rx la joya oculta de Net
Rx la joya oculta de NetRx la joya oculta de Net
Rx la joya oculta de NetEdin Kapic
 
Personal Branding for Developers
Personal Branding for DevelopersPersonal Branding for Developers
Personal Branding for DevelopersEdin Kapic
 
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...Edin Kapic
 
ESPC14 Social Business Value Demystified
ESPC14 Social Business Value DemystifiedESPC14 Social Business Value Demystified
ESPC14 Social Business Value DemystifiedEdin Kapic
 
Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014Edin Kapic
 
MVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human BehaviourMVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human BehaviourEdin Kapic
 
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 AppSPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 AppEdin Kapic
 
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 AppEdin Kapic
 
Social Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World ExperiencesSocial Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World ExperiencesEdin Kapic
 
BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!Edin Kapic
 
BcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMSBcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMSEdin Kapic
 
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitectoBcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitectoEdin Kapic
 
Modelos de madurez de SharePoint
Modelos de madurez de SharePointModelos de madurez de SharePoint
Modelos de madurez de SharePointEdin Kapic
 
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)Edin Kapic
 
SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012Edin Kapic
 
JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#Edin Kapic
 
CatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePointCatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePointEdin Kapic
 
Universidad de La Habana - SharePoint, Listas y XSLT
Universidad de La Habana  - SharePoint, Listas y XSLTUniversidad de La Habana  - SharePoint, Listas y XSLT
Universidad de La Habana - SharePoint, Listas y XSLTEdin Kapic
 
SharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developereSharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developereEdin Kapic
 

More from Edin Kapic (19)

Rx la joya oculta de Net
Rx la joya oculta de NetRx la joya oculta de Net
Rx la joya oculta de Net
 
Personal Branding for Developers
Personal Branding for DevelopersPersonal Branding for Developers
Personal Branding for Developers
 
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
 
ESPC14 Social Business Value Demystified
ESPC14 Social Business Value DemystifiedESPC14 Social Business Value Demystified
ESPC14 Social Business Value Demystified
 
Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014
 
MVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human BehaviourMVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human Behaviour
 
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 AppSPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
 
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
 
Social Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World ExperiencesSocial Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World Experiences
 
BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!
 
BcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMSBcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMS
 
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitectoBcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
 
Modelos de madurez de SharePoint
Modelos de madurez de SharePointModelos de madurez de SharePoint
Modelos de madurez de SharePoint
 
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
 
SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012
 
JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#
 
CatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePointCatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePoint
 
Universidad de La Habana - SharePoint, Listas y XSLT
Universidad de La Habana  - SharePoint, Listas y XSLTUniversidad de La Habana  - SharePoint, Listas y XSLT
Universidad de La Habana - SharePoint, Listas y XSLT
 
SharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developereSharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developere
 

Recently uploaded

Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - AvrilIvanti
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 

Recently uploaded (20)

Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - Avril
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 

Extending Authentication and Authorization

  • 2. Edin Kapić • SharePoint Senior Architect & Team Lead in Sogeti, Barcelona • President of SharePoint User Group Catalonia (SUG.CAT) • Writer at Pluralsight • SharePoint Server Office Servers and Services MVP • Tinker & geek Email : mail@edinkapic.com Twitter : @ekapic LinkedIn : edinkapic
  • 3. Agenda • SharePoint, Authentication and Authorization • Claims – Claims-based Authentication – Claims-based Authorization – Claims Augmentation and Transformation – Claims Providers • Federated Authentication
  • 4. SharePoint, Authentication & Authorization SharePoint Web App Authentication Provider SPUser Site Collection Site SPRoleAssignment Authentication Authorization Authentifizierung Autorisierung
  • 5. SharePoint Authentication • SharePoint doesn’t authenticate by itself • It keeps user details in the user profile database and user information lists in each site collection
  • 6. SharePoint Authorization • Associated with principals – Authenticated users – Groups (SharePoint or AD) – Claims – App Add-in identities
  • 7. SharePoint 2013 Authentication Options • “Classic” Windows – Deprecated • Claims-based – Windows tokens – FBA – SAML 1.1 Windows NTLM Token Windows NTLM Token FBA User SAML 1.1 Token SAML Token SPUser
  • 8. App Add-In Authentication • Add-ins have identity and can be assigned permissions – Add-ins are principals, together with users and groups • Add-in identity vs User identity • Add-ins use OAuth to authenticate – Low-trust add-ins use 3-legged OAuth (with ACS broker) – High-trust add-ins use self-signed tokens
  • 9. Claims (Ansprüche) • A claim is a piece of your identity, claimed by some authority • Claims are received upon presenting credentials to a claims provider • Claims providers are trusted • Examples – Employee badge • Name, department, clearance – Boarding passes • Flight, seat, class, name – Paper Wristbands • Ticket type, extra services
  • 10. Real-world Claims Identity Claims Specific Claims Claims encoded and signed Thanks to Spencer Harbar for the original idea
  • 11. SharePoint Claims Claim Type Claim Value Issuer Original Issuer http://schemas.xmlsoap.o rg/ws/2005/05/identity/cl aims/nameidentifier demoekapic SharePoint SharePoint http://schemas.xmlsoap.o rg/ws/2008/06/identity/cl aims/primarysid S-1-5-21-4067827123- 213488314-8760374- 513 SharePoint Windows http://schemas.xmlsoap.o rg/ws/2005/05identity/cla ims/upn ekapic@demo.local SharePoint Windows http://schemas.microsoft. com/sharepoint/2009/08/ claims/userid 0#.w|demoekapic SharePoint SecurityTokenService
  • 12. Claims Authentication • SharePoint augments and transforms the incoming claims to a normalized claims identity • Can be done by more than one claims provider • Decouples the authentication method from the user identity • For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 to allow converting claims back into Windows identities
  • 13. Claims Format Claim Claim Parts i:0#.w|spdemoedin • •“i” for an identity claim • •“#” for the user logon name format for the claim value • •“.” for a string • •“w” for Windows claims • •“spdemoedin” for the identity claim value (the Windows account name) i:0e.t|adfs|edin@spdemo.local • •“i” for an identity claim • •“e” for the UPN property of the claim value • •“.” for a string • •“t” for a trusted issuer • •“adfs” identifies the original issuer of the identity claim • •“edin@spdemo.local” for the identity claim value http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode> |<OriginalIssuer (optional)> |<ClaimValue>
  • 14. Claims Authorization • Any claim can be used as a security principal in SharePoint • Flexible alternative to security groups • Claims can be surfaced by the identity token service or custom claims provider in People Picker
  • 15. Claim Providers • Augment and surface the claims for People Picker • Can be generic or bound to a Trusted Identity Provider • Inherits from SPClaimProvider abstract class • But, take care about thread safety: http://blogs.msdn.com/b/yvan_duhamel/archive/2014/05/21/thread-safety-in-custom- claims-providers.aspx
  • 16. Claims Augmentation and Surfacing Desired claim provider feature Implements Claims augmentation FillClaimsForEntity SupportsEntityInformation Claims surfacing in People Picker FillSchema FillClaimTypes FillClaimValueTypes FillEntityTypes Claims hierarchy in People Picker left side FillHierarchy SupportsHierarchy Resolving typed claims in People Picker FillResolve SupportsResolve Searching for claims in People Picker FillSearch SupportsSearch
  • 18. Federated Authentication • When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication • Third-party Secure Token Service (STS) issues a security token with claims • This token is trusted by “clients” (Relying Parties, RP) as the STS is trusted by them • Tokens are digitally signed to prevent tampering
  • 19. Federated Authentication • ID cards or passports are real- world examples of federated authentication
  • 20. Federated Identity Providers • Microsoft Active Directory Federation Services (ADFS) • Microsoft Azure Active Directory • Thinktecture IdentityServer • Shibboleth • IBM Federated Identity Manager • ...
  • 21. Active Directory Federation Services (ADFS) • Part of Windows Server features • Can transform AD into a federated IdP • Doesn’t manage users directly, but claims, identity providers and relying parties
  • 22. Azure Active Directory (AAD) • “AD and ADFS in the cloud” • Part of Azure / Office 365 offering • Underpins the most of the Office 365 / Azure hybrid architectures
  • 23. Thinktecture IdentityServer • Open-source IdP based on .NET and Windows Identity Framework • Modular architecture
  • 25. Summary • Claims-based identity and authorization are the only way forward, so make sure that you understand them well • You can decouple user authentication from the user identity • You can extend your user identity with additional claims • You can get your user identity from somewhere else
  • 26. Additional Tools • LDAP/AD Claims Provider – Surfaces users from ADFS / AD into claims-enabled People Picker • https://ldapcp.codeplex.com/
  • 27. Additional Tools • SharePoint Identity Service – Service application for SharePoint • https://spidentityservice.codeplex.com/
  • 28. Further Reading • Steve Peschka’s blog https://samlman.wordpress.com • Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/ • A Guide to Claims-Identity and Access Control https://msdn.microsoft.com/en- us/library/ff423674.aspx
  • 30. Ich freue mich auf Ihr Feedback!