
Extending Authentication and Authorization

Slides from my talk at SharePoint Konferenz 2016

  1. Extending Authentication and Authorization (Edin Kapić)
  2. Edin Kapić
     • SharePoint Senior Architect & Team Lead in Sogeti, Barcelona
     • President of SharePoint User Group Catalonia (SUG.CAT)
     • Writer at Pluralsight
     • SharePoint Server / Office Servers and Services MVP
     • Tinker & geek
     • Email: mail@edinkapic.com, Twitter: @ekapic, LinkedIn: edinkapic
  3. Agenda
     • SharePoint, Authentication and Authorization
     • Claims
       – Claims-based Authentication
       – Claims-based Authorization
       – Claims Augmentation and Transformation
       – Claims Providers
     • Federated Authentication
  4. SharePoint, Authentication & Authorization
     (diagram labels: SharePoint Web App, Authentication Provider, SPUser, Site Collection, Site, SPRoleAssignment; Authentication, Authorization)
  5. SharePoint Authentication
     • SharePoint doesn’t authenticate by itself
     • It keeps user details in the user profile database and in the user information list of each site collection
  6. SharePoint Authorization
     • Associated with principals
       – Authenticated users
       – Groups (SharePoint or AD)
       – Claims
       – App Add-in identities
  7. SharePoint 2013 Authentication Options
     • “Classic” Windows
       – Deprecated
     • Claims-based
       – Windows tokens
       – FBA
       – SAML 1.1
     (diagram labels: Windows NTLM Token, FBA User, SAML 1.1 Token; SAML Token; SPUser)
  8. App Add-In Authentication
     • Add-ins have identity and can be assigned permissions
       – Add-ins are principals, together with users and groups
     • Add-in identity vs user identity
     • Add-ins use OAuth to authenticate
       – Low-trust add-ins use 3-legged OAuth (with ACS as broker)
       – High-trust add-ins use self-signed tokens
  9. Claims
     • A claim is a piece of your identity, claimed by some authority
     • Claims are received upon presenting credentials to a claims provider
     • Claims providers are trusted
     • Examples
       – Employee badge: name, department, clearance
       – Boarding pass: flight, seat, class, name
       – Paper wristband: ticket type, extra services
 10. Real-world Claims
     (image labels: Identity Claims, Specific Claims, Claims encoded and signed)
     Thanks to Spencer Harbar for the original idea
 11. SharePoint Claims (claim type, claim value, issuer, original issuer)
     • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
       value: demoekapic; issuer: SharePoint; original issuer: SharePoint
     • http://schemas.xmlsoap.org/ws/2008/06/identity/claims/primarysid
       value: S-1-5-21-4067827123-213488314-8760374-513; issuer: SharePoint; original issuer: Windows
     • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
       value: ekapic@demo.local; issuer: SharePoint; original issuer: Windows
     • http://schemas.microsoft.com/sharepoint/2009/08/claims/userid
       value: 0#.w|demoekapic; issuer: SharePoint; original issuer: SecurityTokenService
 12. Claims Authentication
     • SharePoint augments and transforms the incoming claims into a normalized claims identity
     • Can be done by more than one claims provider
     • Decouples the authentication method from the user identity
     • For incoming Windows claims, SharePoint 2013 includes C2WTS (Claims to Windows Token Service) to convert claims back into Windows identities
 13. Claims Format
     • i:0#.w|spdemoedin
       – “i” for an identity claim
       – “#” for the user logon name format of the claim value
       – “.” for a string
       – “w” for Windows claims
       – “spdemoedin” for the identity claim value (the Windows account name)
     • i:0e.t|adfs|edin@spdemo.local
       – “i” for an identity claim
       – “e” for the UPN property of the claim value
       – “.” for a string
       – “t” for a trusted issuer
       – “adfs” identifies the original issuer of the identity claim
       – “edin@spdemo.local” for the identity claim value
     • General layout: <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>
     • http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
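The encoding rules on this slide lend themselves to a small parser. The following Python is an added example written for this page, not code from the talk or from SharePoint: it splits an encoded claim into the parts the slide names, rejects strings that do not follow the layout (relevant because the decoded value is later used as a security principal), recovers the issuer/identity pair that the normalized identity of the previous slide needs, and re-encodes a parsed claim for round-trip checks. The legend covers only the codes shown on the slide; the `c` prefix for non-identity claims and the names `EncodedClaim`, `ClaimFormatError`, `parse_claim`, `encode_claim` and `normalized_identity` are this example's own.

```python
"""Parser for SharePoint's claims-encoded login names (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Single-character codes named on the slide; anything else is reported as unknown.
CLAIM_TYPE_CODES = {"#": "user logon name", "e": "UPN"}
VALUE_TYPE_CODES = {".": "string"}
AUTH_MODE_CODES = {"w": "Windows", "t": "trusted issuer"}


class ClaimFormatError(ValueError):
    """Raised for strings that are not well-formed claims encodings."""


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool               # "i" prefix (identity claim) or "c" (other claim)
    claim_type: str                 # e.g. "#" or "e"
    value_type: str                 # e.g. "."
    auth_mode: str                  # e.g. "w" or "t"
    original_issuer: Optional[str]  # present for trusted-issuer claims
    value: str

    def describe(self) -> dict:
        """Break the claim down using the slide's legend."""
        unknown = "unknown code {!r}".format
        return {
            "identity_claim": self.is_identity,
            "claim_type": CLAIM_TYPE_CODES.get(self.claim_type, unknown(self.claim_type)),
            "value_type": VALUE_TYPE_CODES.get(self.value_type, unknown(self.value_type)),
            "auth_mode": AUTH_MODE_CODES.get(self.auth_mode, unknown(self.auth_mode)),
            "original_issuer": self.original_issuer,
            "value": self.value,
        }


def parse_claim(encoded: str) -> EncodedClaim:
    """Split an encoded claim into its parts, rejecting malformed input early.

    Layout: <i|c>:0<ClaimType><ClaimValueType><AuthMode>|[<OriginalIssuer>|]<ClaimValue>
    """
    # Header is exactly 7 characters: prefix, ":0", three code characters, "|".
    if len(encoded) < 8 or encoded[1:3] != ":0" or encoded[6] != "|":
        raise ClaimFormatError(f"not a claims-encoded value: {encoded!r}")
    prefix = encoded[0]
    if prefix not in ("i", "c"):  # "c" (non-identity claim) is an assumption beyond the slide
        raise ClaimFormatError(f"unknown claim prefix {prefix!r}")
    claim_type, value_type, auth_mode = encoded[3], encoded[4], encoded[5]
    rest = encoded[7:]
    # A second "|" separates the optional original issuer from the claim value.
    if "|" in rest:
        original_issuer, value = rest.split("|", 1)
    else:
        original_issuer, value = None, rest
    if not value:
        raise ClaimFormatError("empty claim value")
    # Cross-checks taken from the slide's two examples: Windows claims carry no
    # original issuer, trusted-issuer claims always name one.
    if auth_mode == "w" and original_issuer is not None:
        raise ClaimFormatError("Windows claim must not name an original issuer")
    if auth_mode == "t" and not original_issuer:
        raise ClaimFormatError("trusted-issuer claim must name its original issuer")
    return EncodedClaim(prefix == "i", claim_type, value_type, auth_mode, original_issuer, value)


def encode_claim(claim: EncodedClaim) -> str:
    """Inverse of parse_claim, for round-trip checks."""
    header = f"{'i' if claim.is_identity else 'c'}:0{claim.claim_type}{claim.value_type}{claim.auth_mode}|"
    if claim.original_issuer is None:
        return header + claim.value
    return f"{header}{claim.original_issuer}|{claim.value}"


def normalized_identity(claim: EncodedClaim) -> Tuple[Optional[str], str]:
    """(issuer, identity value) independent of how the user signed in."""
    if not claim.is_identity:
        raise ClaimFormatError("not an identity claim")
    issuer = "Windows" if claim.auth_mode == "w" else claim.original_issuer
    return issuer, claim.value


if __name__ == "__main__":
    for sample in ("i:0#.w|spdemoedin", "i:0e.t|adfs|edin@spdemo.local"):
        parsed = parse_claim(sample)
        print(sample, "->", parsed.describe(), "->", normalized_identity(parsed))
```

The parser is strict on purpose: a claims-encoded string that reaches an access check must have come from a known shape, so anything that deviates from the layout (missing issuer on a trusted claim, stray issuer on a Windows claim, empty value) raises rather than being silently mapped to a principal.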
 14. Claims Authorization
     • Any claim can be used as a security principal in SharePoint
     • Flexible alternative to security groups
     • Claims can be surfaced in People Picker by the identity token service or by a custom claims provider
 15. Claim Providers
     • Augment and surface the claims for People Picker
     • Can be generic or bound to a Trusted Identity Provider
     • Inherit from the SPClaimProvider abstract class
     • But take care about thread safety: http://blogs.msdn.com/b/yvan_duhamel/archive/2014/05/21/thread-safety-in-custom-claims-providers.aspx
 16. Claims Augmentation and Surfacing (desired claim provider feature → members to implement)
     • Claims augmentation → FillClaimsForEntity, SupportsEntityInformation
     • Claims surfacing in People Picker → FillSchema, FillClaimTypes, FillClaimValueTypes, FillEntityTypes
     • Claims hierarchy in the People Picker left side → FillHierarchy, SupportsHierarchy
     • Resolving typed claims in People Picker → FillResolve, SupportsResolve
     • Searching for claims in People Picker → FillSearch, SupportsSearch
 17. DEMO: Custom Claim Provider
 18. Federated Authentication
     • When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication
     • A third-party Secure Token Service (STS) issues a security token with claims
     • This token is trusted by “clients” (Relying Parties, RP) because the STS is trusted by them
     • Tokens are digitally signed to prevent tampering
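To make the trust relationship on slide 18 concrete, here is an added Python example (not ADFS, SharePoint or the speaker's code) of an STS issuing a signed token and a relying party deciding whether to accept it. Assumptions: the token is a base64url JSON body plus a signature, and the signature is an HMAC-SHA256 under a key shared between STS and RP (a production STS signs with an X.509 private key and the RP verifies with the certificate; the trust, integrity, audience and lifetime checks are the same). All class and function names, keys, URLs and claim values are constructed for the example.

```python
"""Signed security tokens between an STS and a relying party (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

Claims = List[Dict[str, str]]


class TokenRejected(Exception):
    """The relying party refuses the token; the message says why."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecureTokenService:
    """Issues tokens carrying claims for a named relying party (the audience)."""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self._key = signing_key  # assumption: HMAC key; a real STS holds an X.509 private key

    def issue(self, audience: str, claims: Claims, now: int, lifetime: int = 600) -> str:
        payload = {"iss": self.name, "aud": audience, "nbf": now, "exp": now + lifetime, "claims": claims}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        signature = hmac.new(self._key, body, hashlib.sha256).digest()
        return f"{_b64(body)}.{_b64(signature)}"


class RelyingParty:
    """Accepts tokens only from trusted issuers, and only if unmodified and current."""

    def __init__(self, name: str, trusted_issuers: Dict[str, bytes]):
        self.name = name
        self._trusted = trusted_issuers  # issuer name -> verification key configured by the RP

    def accept(self, token: str, now: int) -> Claims:
        try:
            body_b64, sig_b64 = token.split(".")
            body, signature = _unb64(body_b64), _unb64(sig_b64)
            payload = json.loads(body)
        except ValueError:
            raise TokenRejected("malformed token") from None
        if not isinstance(payload, dict):
            raise TokenRejected("malformed token")
        # 1. Trust decision: is the issuer one of the STSs this RP federates with?
        key = self._trusted.get(payload.get("iss"))
        if key is None:
            raise TokenRejected(f"untrusted issuer {payload.get('iss')!r}")
        # 2. Integrity: recompute the signature over the body exactly as received.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise TokenRejected("signature mismatch: token altered or not issued by this STS")
        # 3. Scope and time: meant for this RP, and inside its validity window.
        if payload.get("aud") != self.name:
            raise TokenRejected("audience mismatch: token issued for another relying party")
        if not (payload.get("nbf", 0) <= now < payload.get("exp", 0)):
            raise TokenRejected("token outside its validity window")
        return payload.get("claims", [])


def altered_copy(token: str, old: str, new: str) -> str:
    """Same token with one substring of its body changed and the signature left as-is;
    used to check that the relying party notices the modification."""
    body_b64, sig_b64 = token.split(".")
    body = _unb64(body_b64).decode().replace(old, new)
    return f"{_b64(body.encode())}.{sig_b64}"


def rejection_reason(rp: RelyingParty, token: str, now: int) -> Optional[str]:
    """None if the relying party accepts the token, otherwise its reason for refusing."""
    try:
        rp.accept(token, now)
    except TokenRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value, not a real secret
    adfs = SecureTokenService("adfs", key)
    portal = RelyingParty("https://spdemo.local", {"adfs": key})
    claims = [{"type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
               "value": "edin@spdemo.local"}]
    token = adfs.issue("https://spdemo.local", claims, now=1_700_000_000)
    print("accepted:", portal.accept(token, now=1_700_000_100))
    print("altered copy:", rejection_reason(portal, altered_copy(token, "edin@", "other@"), 1_700_000_100))
```

The order of the checks is the point: the relying party looks the issuer up in its own trust list first, so the signature is always verified against a key the RP chose to trust, never against anything named inside the token, and a token from an unknown STS is refused before its contents are looked at.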
 19. Federated Authentication
     • ID cards or passports are real-world examples of federated authentication
 20. Federated Identity Providers
     • Microsoft Active Directory Federation Services (ADFS)
     • Microsoft Azure Active Directory
     • Thinktecture IdentityServer
     • Shibboleth
     • IBM Federated Identity Manager
     • ...
 21. Active Directory Federation Services (ADFS)
     • Part of the Windows Server features
     • Can turn AD into a federated IdP
     • Doesn’t manage users directly, but claims, identity providers and relying parties
 22. Azure Active Directory (AAD)
     • “AD and ADFS in the cloud”
     • Part of the Azure / Office 365 offering
     • Underpins most of the Office 365 / Azure hybrid architectures
 23. Thinktecture IdentityServer
     • Open-source IdP based on .NET and Windows Identity Framework
     • Modular architecture
 24. DEMO: Federated Authentication with ADFS
 25. Summary
     • Claims-based identity and authorization are the only way forward, so make sure that you understand them well
     • You can decouple user authentication from the user identity
     • You can extend your user identity with additional claims
     • You can get your user identity from somewhere else
 26. Additional Tools
     • LDAP/AD Claims Provider
       – Surfaces users from ADFS / AD into the claims-enabled People Picker
       – https://ldapcp.codeplex.com/
 27. Additional Tools
     • SharePoint Identity Service
       – Service application for SharePoint
       – https://spidentityservice.codeplex.com/
 28. Further Reading
     • Steve Peschka’s blog https://samlman.wordpress.com
     • Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/
     • A Guide to Claims-Based Identity and Access Control https://msdn.microsoft.com/en-us/library/ff423674.aspx
 29. QUESTIONS?
 30. I look forward to your feedback!
 31. Thank you! Edin Kapić
