SharePoint, ADFS and Claims Auth

2,310 views
SharePoint, ADFS and Claims Authentication.

Published in: Technology
SharePoint, ADFS, ACS and Claims-based Authentication
Kashif Imran
Kashif_Imran@hotmail.com

Agenda
• Claims-based Identity Model’s Key Concepts
• Install and Configure ADFS for SharePoint 2013
• Configure Azure ACS and SharePoint for SSO using Google etc.
• Use ADFS as IP-STS via Azure ACS as RP-STS
• Claims Viewer
• Custom Claims Provider

Claims with SharePoint is sort of like a bird, it’s pretty cute until it shits on your head.

I drink beer to celebrate major events, the fall of communism, or the fact that our SharePoint and ADFS is still working.

Identity in Traditional Applications
• Application
• Identity Management
  • Account creation
  • Password creation
  • Password change
  • Password reset
  • …
• 2 Step Verification
• Attribute Store

Identity in Real World
• Buy wine/beer example
  • Externalize authentication to DMV
  • Driving license: a document that is relatively hard to produce/forge
  • Has additional information about the user (age)
• International Travel
  • Passport
  • Boarding Card
Claims-based Identity Model
• A way for applications to acquire identity information about internal or external users
• Abstracts the individual elements of identity and access control into a “notion of claims” and a “concept of an issuer or authority”
• Applications do not need to authenticate users, store user accounts or passwords, etc.
• The original intention behind the claims-based identity model was to enable federation between organizations, but claims are not just for federation
• Claim
  • A statement that one subject (user or organization) makes about itself or another subject, e.g. name, group, ethnicity
  • Why call these “claims” and not “attributes”? The delivery method: the user delivers claims to the application instead of the application looking them up in some directory
  • Asserts that the user has logged in
  • Claims are NOT what a user can or cannot do; they are what a user is or is not
  • Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer
  • Issuer, Type, Value => (Google, Email, darwaish@gmail.com)
• Security Token
  • A serialized set of claims that is digitally signed by the issuing authority (the claims are unchanged and come from whoever signed the token)
  • The successful outcome of a sign-in
  • Formats: SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)
Relying Party and STS
• Relying Party (RP)
  • An application that relies on claims
  • Also called a claims-aware or claims-based application
• Security Token Service (STS)
  • Service component that builds, signs and issues security tokens
  • Implicit authN (no token, no party)
  • Protocols: WS-Trust, WS-Fed, SAML
• IP-STS (Identity Provider STS)
  • Authenticates a client and creates a SAML token
  • Façade for one or more identity stores
• RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS)
  • Transforms tokens issued by another STS
  • Does not authenticate the client, but relies on the SAML token provided by an IP-STS that it trusts
  • Façade for one trust boundary
• Federation Patterns
  • Passive (web clients): WS-Trust emulated using GET, POST, redirects and cookies
  • Active: code acquires tokens explicitly
Windows Identity Foundation (WIF)
• .NET library encapsulating the inner workings of WS-Federation and WS-Trust
• Namespaces: System.IdentityModel, System.IdentityModel.Services
• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, IsAuthenticated, Name)
• IClaimsPrincipal = IPrincipal + Identities
• IClaimsIdentity = IIdentity + Claims
• Claim: a property bag with Subject, Issuer, OriginalIssuer, ClaimType, Value, ValueType
ADFS V2: Active Directory Federation Services
• STS
• WS-* (WS-Trust, WS-SecurityPolicy, WS-Federation, SAML)
• Claims provider
• Federation service for identity across domains
• Consumers: SharePoint, Azure ACS, WCF, others
• Federation Metadata answers:
  • How does the RP know a token is from this STS?
  • What claims are issued?
  • Where is the STS?
• SAML Claims
SharePoint Authentication
• Windows (Classic) Authentication: NTLM, Kerberos (multi-hop)
• Claims-based AuthN
• Claims or Classic, in the end you are an SPUser
• C2WTS (Claims to Windows Token Service)

SharePoint with ADFS

Federating Identity

The Hub Model

Windows vs Trusted Identity Authentication
Claims Viewer

    // Web part / page code-behind; needs the WIF claims namespace and a GridView named gv
    using Microsoft.IdentityModel.Claims;

    IClaimsPrincipal principal = Page.User as IClaimsPrincipal;
    if (principal == null) return;                 // not a claims-authenticated request
    IClaimsIdentity identity = principal.Identity as IClaimsIdentity;
    gv.DataSource = identity.Claims;               // each claim: ClaimType, Value, Issuer, OriginalIssuer
    gv.DataBind();
SharePoint Claims
SharePoint Claims Encoding
• <IdentityClaim> indicates the type of claim and is one of the following:
  • “i” for an identity claim
  • “c” for any other claim
• <ClaimType> indicates the format of the claim value and is one of the following:
  • “#” for a user logon name
  • “.” for an anonymous user
  • “5” for an email address
  • “!” for an identity provider
  • “+” for a group security identifier (SID)
  • “-” for a role
  • “%” for a farm ID
  • “?” for a name identifier
  • “\” for a private personal identifier (PPID)
• <ClaimValueType> indicates the formatting of the claim value and is one of the following:
  • “.” for a string
  • “+” for an RFC 822-formatted name
• <AuthMode> indicates the type of authentication used to obtain the identity claim and is one of the following:
  • “w” for Windows claims (no original issuer)
  • “s” for the local SharePoint security token service (STS) (no original issuer)
  • “t” for a trusted issuer
  • “m” for a membership issuer
  • “r” for a role provider issuer
  • “f” for forms-based authentication
  • “c” for a claim provider
• <OriginalIssuer> indicates the original issuer of the claim.
• <ClaimValue> indicates the value of the claim in the <ClaimType> format.
• Reference: http://msdn.microsoft.com/en-us/library/gg481769.aspx#claimswalkthrough5_AppendixA
SharePoint Claims Encoding (examples)

Type of claim: Windows user
Encoded claim: i:0#.w|contoso\kashif
Breakdown:
  • “i” for an identity claim
  • “#” for the user logon name format of the claim value
  • “.” for a string
  • “w” for Windows claims
  • “contoso\kashif” for the identity claim value (the Windows account name)

Type of claim: Windows Authenticated Users group
Encoded claim: c:0!.s|windows
Breakdown:
  • “c” for a claim other than identity
  • “!” for an identity provider
  • “.” for a string
  • “s” for the local SharePoint STS
  • “windows” for the Windows Authenticated Users group

Type of claim: SAML authentication (trusted user)
Encoded claim: i:05.t|adfs|kashif@contoso.com
Breakdown:
  • “i” for an identity claim
  • “5” for the email address format of the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “kashif@contoso.com” for the identity claim value

Type of claim: Forms-based authentication
Encoded claim: i:0#.f|mymembershipprovider|kashif
Breakdown:
  • “i” for an identity claim
  • “#” for the user logon name format of the claim value
  • “.” for a string
  • “f” for forms-based authentication
  • “mymembershipprovider” identifies the original issuer of the identity claim
  • “kashif” for the user logon name
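The encoding above is what shows up in SharePoint audit and ULS entries, so a decoder is useful when reviewing who accessed a site and which issuer vouched for them. This added example (not from the original slides) applies the tables on the two slides above to the four sample claims; the "no original issuer" rule for the "w" and "s" auth modes is what decides whether one or two "|" separators are expected.

```python
# Decoder for SharePoint encoded claims, e.g. "i:0#.w|contoso\kashif".
# Layout (from the slides):
#   <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer>|<ClaimValue>
# Auth modes "w" and "s" carry no original issuer, so only one "|" is present.
import re
from dataclasses import dataclass
from typing import Optional

IDENTITY_CLAIM = {"i": "identity claim", "c": "other claim"}
CLAIM_TYPE = {"#": "user logon name", ".": "anonymous user", "5": "email address",
              "!": "identity provider", "+": "group SID", "-": "role", "%": "farm ID",
              "?": "name identifier", "\\": "private personal identifier (PPID)"}
VALUE_TYPE = {".": "string", "+": "RFC 822-formatted name"}
AUTH_MODE = {"w": "Windows", "s": "local SharePoint STS", "t": "trusted issuer",
             "m": "membership issuer", "r": "role provider issuer",
             "f": "forms-based authentication", "c": "claim provider"}
NO_ISSUER_MODES = {"w", "s"}

# <IdentityClaim>:0 then three single-character codes, then "|" and the rest
_HEADER = re.compile(r"^([ic]):0(.)(.)(.)\|(.*)$", re.DOTALL)


@dataclass
class Claim:
    identity_claim: str
    claim_type: str
    value_type: str
    auth_mode: str
    original_issuer: Optional[str]   # None for Windows / local STS claims
    value: str


def decode_claim(encoded: str) -> Claim:
    """Split an encoded claim into its parts; raise ValueError on anything malformed."""
    m = _HEADER.match(encoded)
    if not m:
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    ic, ct, vt, am, rest = m.groups()
    for code, table, what in ((ct, CLAIM_TYPE, "claim type"),
                              (vt, VALUE_TYPE, "value type"),
                              (am, AUTH_MODE, "auth mode")):
        if code not in table:
            raise ValueError(f"unknown {what} {code!r} in {encoded!r}")
    if am in NO_ISSUER_MODES:
        issuer, value = None, rest          # e.g. "contoso\kashif" or "windows"
    else:
        issuer, sep, value = rest.partition("|")
        if not sep:                         # trusted/forms/etc. must name an issuer
            raise ValueError(f"auth mode {am!r} requires an original issuer: {encoded!r}")
    return Claim(IDENTITY_CLAIM[ic], CLAIM_TYPE[ct], VALUE_TYPE[vt],
                 AUTH_MODE[am], issuer, value)
```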
Claims Resolution and Augmentation
• Inherit a class from Microsoft.SharePoint.Administration.Claims.SPClaimsProvider
• Register it using Microsoft.SharePoint.Administration.Claims.SPClaimsProviderFeatureReceiver
• Implement
  • FillClaimsForEntity
  • FillClaimTypes
  • FillClaimValueTypes
• Attach the claims provider to the trusted identity token issuer

    $trusted = Get-SPTrustedIdentityTokenIssuer -Identity "Kashif"
    $trusted.ClaimProviderName = "KashifClaimsStore"
    $trusted.Update()
ADFS Deployment
• Single server configuration
• ADFS 2.0 server farm and load-balancer
• ADFS 2.0 proxy server(s) for offsite users

Install and Configure ADFS V2
• Install Windows Server 2008 R2
• Create service account (ssp_adfs) and set SPN
• Install ADFS server, don't configure it yet
• Generate SSL certificates: Token Signing, Token Encryption, Site
• Disable AutoCertificateRollover

    Add-PsSnapin Microsoft.Adfs.Powershell
    Set-ADFSProperties -AutoCertificateRollover $false

• Set primary certificates
• Give the ADFS service account permission on the private key of the certificates
• Add trusted relying party
• Map claims
  • Email-Addresses => Email Address
  • Token-Groups - Unqualified Names => Role
  • SAM-Account-Name => Windows account name
  • User-Principal-Name => UPN
• Test sign-on using IdpInitiatedSignOn
SharePoint Configuration for ADFS
• Export and copy the public key of the token signing certificate from ADFS
• Generate SSL certificate and AAM for the SharePoint web app

    # Certificate path as on the original slide (directory separators were lost in extraction)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:adfsss.cer")
    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
    $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "WindowsAccountName" -SameAsIncoming
    $map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
    $realm = "urn:sharepoint:www"
    $signinurl = "https://sso.kashif.com/adfs/ls/"
    # The identifier claim (windowsaccountname here) is what SharePoint uses as the user's identity
    $ap = New-SPTrustedIdentityTokenIssuer -Name "Kashif" -Description "Kashif STS" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3,$map4 -SignInUrl $signinurl -IdentifierClaim $map3.InputClaimType
    New-SPTrustedRootAuthority -Name "Kashif Trusted Root Authority" -Certificate $cert
    $ap.Update()

• My Sites or other web apps: add a realm per web application to the same issuer

    $uri = New-Object System.Uri("https://my.kashif.com")
    $ap.ProviderRealms.Add($uri, "urn:sharepoint:my")
    $ap.Update()
SharePoint Trusted Identity Token Issuer
A SharePoint trusted identity token issuer binds together the details of the identity provider and the mapping rules to associate them with a specific SharePoint web application.
Update SharePoint for new ADFS Certificates

    # Certificate path as on the original slide (directory separators were lost in extraction)
    $cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:adf supdatesss1.cer")
    # Replace the trusted root and the issuer's token-signing certificate with the new one
    Set-SPTrustedRootAuthority -Identity "Kashif Trusted Root Authority P1" -Certificate $cert1
    Set-SPTrustedIdentityTokenIssuer -Identity "Kashif" -ImportTrustCertificate $cert1
Azure Access Control Service
• Built using claims-based identity principles
• Supports WIF and ADFS V2

Questions ???