Claims Based Authentication A Beginners Guide

  1. Claims Authentication
  2. Agenda
     • What is Claims?
     • Claims in SharePoint
     • Configuring and Using Claims in SharePoint
  3. My Trip (diagram labels: Check In Counter, Boarding Gate)
  4. Terminology
     • Identity: security principal (end user)
     • Authentication: act of establishing or confirming something
     • Authorisation: function of specifying access rights to resources
     • Claim: statement about an identity
     • Security Token: set of claims that are digitally signed by an issuing authority
     • Security Token Service (STS): builds, signs and issues security tokens
     • Identity Provider STS (IP-STS): authenticates and issues tokens
     • Relying Party: application that makes authorisation decisions based on claims
     • Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
  5. Claims at an Airport (Boarding Gate)
     Identity: security principal (end user)
  6. Claims at an Airport (Boarding Gate)
     Relying Party: application that makes authorisation decisions based on claims
  7. Claims at an Airport (Boarding Gate)
     Claim: statement about an identity. “I am Thuan Le Cong”, “My seat is 1c”
  8. Claims at an Airport (Check In Counter, Boarding Gate)
     Identity Provider STS (IP-STS): authenticates and issues tokens
  9. Claims at an Airport (Check In Counter, Boarding Gate; diagram labels: Name, Seat Number, Frequent Flyer)
     Security Token: set of claims that are digitally signed by an issuing authority
  10. Claims at an Airport (diagram labels: Check In Counter, Boarding Gate)
  11. Terminology (the definitions from slide 4 are shown again)
  12. Claims in SharePoint (diagram labels: Security Token Service, Check In Counter, Boarding Gate, SharePoint WFE)
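The flow the airport slides describe, written out as a runnable model: the IP-STS authenticates a user and issues a signed security token, the RP-STS verifies that token, adds role claims and re-signs it, and the relying party (the SharePoint web application in the deck) makes its authorisation decision from the claims alone. This is an added example, not code from the deck or from SharePoint itself: the signature is an HMAC-SHA256 over canonical JSON rather than a SAML token, and the STS names, keys, the user, password and the "Approvers" role are all constructed for illustration.

```python
"""Simplified claims flow: IP-STS issues, RP-STS transforms, relying party authorises.
Added example with constructed names, keys and credentials; HMAC-SHA256 over
canonical JSON stands in for the real SAML / WS-Federation token format."""
import hashlib
import hmac
import json
from typing import Optional


def _canonical(claims: dict) -> bytes:
    # Stable serialisation so signer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_token(issuer: str, key: bytes, claims: dict) -> dict:
    """A security token: a set of claims plus the issuing authority's signature."""
    signed_claims = dict(claims, issuer=issuer)
    sig = hmac.new(key, _canonical(signed_claims), hashlib.sha256).hexdigest()
    return {"claims": signed_claims, "signature": sig}


def verify_token(token: Optional[dict], trusted_issuers: dict) -> Optional[dict]:
    """Return the claims only if the token was signed by an issuer we trust."""
    if not token:
        return None
    claims = token.get("claims", {})
    key = trusted_issuers.get(claims.get("issuer"))
    if key is None:
        return None  # unknown or untrusted issuer
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("signature", "")):
        return None  # claims were altered after signing
    return claims


class IdentityProviderSTS:
    """IP-STS: authenticates against a credential store and issues tokens."""

    def __init__(self, name: str, key: bytes, users: dict):
        self.name, self.key, self.users = name, key, users

    def authenticate(self, username: str, password: str) -> Optional[dict]:
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        return sign_token(self.name, self.key, {"name": username})


class RelyingPartySTS:
    """RP-STS: verifies an incoming token, adds role claims and re-signs it."""

    def __init__(self, name: str, key: bytes, trusted_issuers: dict, roles: dict):
        self.name, self.key = name, key
        self.trusted_issuers, self.roles = trusted_issuers, roles

    def transform(self, token: Optional[dict]) -> Optional[dict]:
        claims = verify_token(token, self.trusted_issuers)
        if claims is None:
            return None
        enriched = {k: v for k, v in claims.items() if k != "issuer"}
        enriched["roles"] = sorted(self.roles.get(claims["name"], []))
        return sign_token(self.name, self.key, enriched)


def authorise(token: Optional[dict], trusted_issuers: dict, required_role: str) -> bool:
    """Relying-party decision: trust the claims only if the token verifies."""
    claims = verify_token(token, trusted_issuers)
    return claims is not None and required_role in claims.get("roles", [])


# Constructed sample environment (keys, salt and password are placeholders).
def _make_user(password: str):
    salt = b"constructed-salt"
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


IP_KEY = b"ip-sts-key-constructed"
RP_KEY = b"rp-sts-key-constructed"
ip_sts = IdentityProviderSTS("ip-sts", IP_KEY, {"thuanle": _make_user("correct horse")})
rp_sts = RelyingPartySTS("rp-sts", RP_KEY, {"ip-sts": IP_KEY}, {"thuanle": ["Approvers"]})
APP_TRUST = {"rp-sts": RP_KEY}  # the web application trusts only its own RP-STS


def demo() -> dict:
    login = ip_sts.authenticate("thuanle", "correct horse")
    app_token = rp_sts.transform(login)
    tampered = {"claims": dict(app_token["claims"], roles=["Admins"]),
                "signature": app_token["signature"]}
    return {
        "valid": authorise(app_token, APP_TRUST, "Approvers"),
        "wrong_role": authorise(app_token, APP_TRUST, "Admins"),
        "bad_password": ip_sts.authenticate("thuanle", "wrong") is None,
        "untransformed": authorise(login, APP_TRUST, "Approvers"),  # IP-STS not trusted directly
        "tampered": authorise(tampered, APP_TRUST, "Admins"),
    }


if __name__ == "__main__":
    print(demo())
```

The three rejection paths in `demo()` are the ones a relying party must get right: a token from an issuer it does not trust (here the IP-STS token presented without going through the RP-STS), a token whose claims were changed after signing, and a valid token that simply lacks the required role. Authentication happens once at the IP-STS; everything downstream reasons only about signed claims, which is the decoupling slide 13 refers to.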
  13. Why Claims?
     • Decouples SharePoint from Authentication
     • Support for multiple authentication providers on one URL
     • Enables federation
  14. Zones
     Web Application – Classic (one authentication method per zone)
     • Zone: Default – Windows
     • Zone: Intranet – FBA
     • Zone: Internet – …
     • Zone: Extranet – …
     • Zone: Custom – …
     Web Application – Claims (several authentication methods per zone)
     • Zone: Default – Windows, FBA, SAML
     • Zone: Intranet – FBA, Windows
     • Zone: Internet – …
     • Zone: Extranet – …
     • Zone: Custom – …
  15. Authentication Model
     • Two Authentication Modes – Classic (“Legacy”) – Claims
  16. Authentication methods
     • Windows Authentication: uses the Windows infrastructure, providing support for NTLM, Kerberos, Anonymous, Basic, and Digest authentication.
     • Forms-Based Authentication (FBA): utilizes a username and password HTML form that queries a membership provider in the back-end.
     • SAML token-based Authentication: uses an external identity provider that supports SAML 1.1 and WS-Federation Passive profile.
  17. Externalized Authentication
  18. Claims-based Authentication
  19. Browser Based Sign-In
  20. Identity Mapping (diagram)
     • Classic: NT Token → Windows Identity → SPUser
     • Claims: NT Token / FBA (SQL, LDAP, Custom, …) / SAML 1.1+ (ADFS, …) → SAML Token → Claims Based Identity → SPUser
  21. SPClaim: i:0#.w|coastalpointsolthuanle
     • Claim Type – W = Windows – F = Forms Based Authentication – T = Trusted (SAML)
     • Issuer
     • Value
     • Value Type
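A parser for the encoded claim string format shown on slide 21, added here as an example; it is not code from the deck or from SharePoint. The slide supplies the issuer letters W, F and T. Everything else the parser relies on is an assumption based on the commonly documented layout of these strings and should be checked against claims from your own farm: the leading `i`/`c` distinguishing identity claims from other claims, the claim-type and value-type characters after `:0`, and the extra provider-name field that non-Windows issuers carry before the value. All sample strings are constructed.

```python
"""Decoder for SharePoint-style encoded claims such as i:0#.w|DOMAIN\\user.
Added example. Only the issuer letters w/f/t come from the slide; the other code
tables and the field layout are assumptions and must be verified against a real farm."""
from dataclasses import dataclass
from typing import Optional

ISSUER_CODES = {
    "w": "Windows",                     # from the slide
    "f": "Forms Based Authentication",  # from the slide
    "t": "Trusted (SAML)",              # from the slide
}
# Assumed code tables (not on the slide).
CLAIM_TYPE_CODES = {"#": "user logon name", "5": "email address",
                    "-": "role", "+": "group SID"}
VALUE_TYPE_CODES = {".": "string"}


@dataclass(frozen=True)
class SPClaim:
    is_identity: bool                # 'i' = identity claim, 'c' = any other claim (assumed)
    claim_type: str
    value_type: str
    issuer: str
    original_issuer: Optional[str]   # provider name; present for forms/trusted issuers (assumed)
    value: str


def parse_spclaim(encoded: str) -> SPClaim:
    """Decode '<i|c>:0<type><valuetype><issuer>|[<original issuer>|]<value>'."""
    header, sep, rest = encoded.partition("|")
    if not sep or len(header) != 6 or header[1:3] != ":0":
        raise ValueError(f"malformed encoded claim: {encoded!r}")
    kind, ctype, vtype, icode = header[0], header[3], header[4], header[5]
    if kind not in "ic":
        raise ValueError(f"unknown claim kind {kind!r}")
    if icode not in ISSUER_CODES:
        raise ValueError(f"unknown issuer code {icode!r}")
    if icode == "w":
        original_issuer, value = None, rest   # Windows: value is DOMAIN\user or a SID
    else:
        # Forms and trusted issuers name the provider before the value.
        original_issuer, sep2, value = rest.partition("|")
        if not sep2 or not original_issuer:
            raise ValueError(f"missing original issuer in {encoded!r}")
    if not value:
        raise ValueError(f"empty claim value in {encoded!r}")
    return SPClaim(
        is_identity=(kind == "i"),
        claim_type=CLAIM_TYPE_CODES.get(ctype, f"unknown ({ctype})"),
        value_type=VALUE_TYPE_CODES.get(vtype, f"unknown ({vtype})"),
        issuer=ISSUER_CODES[icode],
        original_issuer=original_issuer,
        value=value,
    )


def is_valid_spclaim(encoded: str) -> bool:
    try:
        parse_spclaim(encoded)
        return True
    except ValueError:
        return False


def same_principal(a: str, b: str) -> bool:
    """Two encoded identity claims name the same user only if issuer, original
    issuer and value all match: 'thuanle' from Windows and 'thuanle' from a
    forms provider are different principals, even though the value is equal."""
    pa, pb = parse_spclaim(a), parse_spclaim(b)
    return pa.is_identity and pb.is_identity and pa == pb


if __name__ == "__main__":
    samples = (
        "i:0#.w|contoso\\thuanle",            # constructed Windows identity
        "i:0#.f|fbamembers|thuanle",          # constructed forms identity
        "c:0-.f|fbaroles|Approvers",          # constructed forms role claim
        "i:05.t|adfs|thuanle@example.com",    # constructed trusted (SAML) identity
    )
    for sample in samples:
        print(sample, "->", parse_spclaim(sample))
```

The practical point of `same_principal` is the one slide 21 hints at: the issuer is part of the identity. Permissions granted to the Windows user and to a forms user with the same value are granted to two different principals, and a check that compares only the trailing value would conflate them.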
  22. Forms Based Authentication
     • Exposed through Claims – Claims Identity instead of Generic Identity
     • Implemented as a Claims Provider – Implement ValidateUser()
     • STS talks to membership provider to validate user and issues a claims token
     • Roles are converted to claims
  23. Configure FBA
     Create Authentication Provider → Configure Web Application to use Authentication Provider → Add Membership/Role Provider web.config entries (CA, STS, FBA Web App)
  24. Three Web.config Changes?
     Create Authentication Provider → Configure Web Application to use Authentication Provider → Add Membership/Role Provider web.config entries (CA, STS, FBA Web App)
     • Central Admin – Enable picking of principals from any provider
     • STS – Authenticate User – Get Roles of Users (convert to claims)
     • FBA Web Application – Enables People Picker
  25. Demo: Claims Authentication
  26. Summary
     • What is Claims?
     • How claims work in SharePoint
     • How to configure FBA
  27. Questions and (hopefully) Answers