Claim Based Authentication in
      SharePoint 2010
    A Developers Perspective


                                Joris Poelmans
                                        BIWUG
                                    @jopxtwits
                     http://jopx.blogspot.com
About Me
•   ECM Unit Manager @ RealDolmen
•   SharePoint Server MVP
•   Blog – http://jopx.blogspot.com
•   Twitter – @jopxtwits
•   Co-founder BIWUG – www.biwug.be
•   Co-author
    – Real World SharePoint 2010 (November 2010, Wrox)
    – Real World SharePoint 2007 (August 2007, Wrox)
    – SharePoint 2007, The definitive guide (September
      2007, O’Reilly)
Register today and save $500 before
                       August 1st


                       Save the date: watch live stream, join
                       local events by MSDN Belux


Win a ticket today at Community Day!
• Take a picture wearing the BUILD t-shirt.
• Tweet or blog the picture, link to
  www.buildwindows.com, use tag #bldwin
• Wear the t-shirt and be there for the closing prize draw



               http://www.buildwindows.com/
Agenda
•   Introduction to Claims
•   Claims in SharePoint 2010
•   Configuring Claims in SharePoint 2010
•   Development tasks with Claims
•   Trusted Identity Providers
Identity vs Claims
• Identity
  – Set of attributes to describe a user
• Claim
  – Information such as name, e-mail
    address, group membership, etc.
• User identity as a set of claims
Claims

• Claims carry pieces of information about
  the user
  [Diagram: a stack of claims (Name, Age, Location, one unlabeled) closed by a Signature]
Claim-based Terminology
•    Authentication: act of establishing or confirming something
•    Authorization: function of specifying access rights to resources
•    Claim: statement about an identity (attribute: Login Name, AD Group, etc)
•    Identity: security principal (end user)
•    Identity Provider (IP): provides authentication for identities, confirms that claims in a token are valid
     and issues tokens. Can be accessed through a STS.
•    Issuer: trusted party that creates claims
•    Issuing Authority: issues security tokens knowing claims desired by target application
•    Security Token: serialized set of claims, digitally signed by the issuing authority (Windows security
     token or SAML)
•    Security Token Service (STS): builds, signs and issues security tokens carrying claims that describe the
     caller
•    Relying Party (RP): application that makes authorization decisions based on claims
•    Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
•    Windows Identity Foundation (aka Geneva): framework for building claims-based applications and
     services and for implementing federated security scenarios
•    ADFS 2.0 (aka Geneva Server): Enterprise Identity Provider that exposes a Security Token Service
Underlying standards
• WS-Federation 1.1
  – Provides the architecture for a clean
    separation between trust
    mechanisms, security tokens formats and the
    protocols for obtaining tokens
• WS-Trust 1.4
  – How to request and receive security tokens
• SAML Token 1.1
  – XML vocabulary used to represent claims in an
    interoperable way
Why the move to claims?
• It decouples SharePoint from authentication
  provider
• Applications can decide which Claims are
  required and which Identity Provider to trust
• Supports multiple authentication providers
  for one URL
• Identity can be passed without Kerberos
  delegation
• It enables federation between organizations
CLAIMS VIEWER WEBPART
MULTI-AUTH WEB APPLICATIONS
demo
Multi-auth web applications
Claims Viewer Web Part
Claims Viewer WebPart

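// Requires: using Microsoft.IdentityModel.Claims; (Windows Identity Foundation)
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;

// Page.User is only an IClaimsPrincipal on a claims-mode web application
if (claimsPrincipal != null)
{
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;

    // Show every claim in the current user's token
    GridView1.DataSource = claimsIdentity.Claims;
    GridView1.DataBind();
}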
Encoded Id
 Example: i:0#.w|contoso\wbaer

 –   i = Identity claim; all other claims use "c" as opposed to "i"
 –   : = Colon
 –   0 = Reserved to support future claims
 –   #/? = Claim Type Encoded Value. The out of the box claim types have a hardcoded
     encoded value; this enables parity across farms.
        E.g.  Key: ?  Value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
              Key: #  Value: http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
 –   ./0 = Claim Value Type. The out of the box claim value types have a hardcoded
     encoded value; this enables parity across farms.
        E.g.  Key: .  Value: urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
              Key: 0  Value: http://www.w3.org/2001/XMLSchema#string
 –   w/m/r/t/p/s = Original Issuer Type: w = windows, m = membership, r = role, t = trusted
     STS, p = personal card, s = local STS claim
Claims in SharePoint 2010
            Normalizing Identities
Classic                Claims
Claims in SharePoint 2010
• Two important scenarios
  – Incoming claims
  – Outgoing claims


• How do incoming claims work?
  –   Identity token created by external identity STS
  –   SharePoint STS creates claim-based identity
  –   SharePoint STS based on Claims Provider
  –   Incoming claim identity is mapped to SPUser
  –   Authorization of SPUser just like it is in SharePoint 2007
Office Applications
• Office Client applications now support non-Integrated
  Windows Authentication
• Office 2007 with Service Pack 2 on
   – Windows XP with Internet Explorer 8
   – Windows Vista with SP2 or optionally with Internet Explorer 8
   – Windows 7
• Office 2010 on
   – Windows XP with Internet Explorer 8
   – Windows Vista with SP2 or optionally with Internet Explorer 8
   – Windows 7
Claim Based Authorization
• Use the claims enabled people picker to
  assign authorizations
• Access claims via the IClaimsIdentity
  interface
• Conditionally Display information
  – based on presence of claim
  – based on value of claim
SELECT CLAIMS IN PEOPLE PICKER
CONDITIONALLY DISPLAY INFORMATION

demo
Conditionally display information
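  // Requires: using System.Linq; using Microsoft.IdentityModel.Claims;
  IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;

  bool authorized = false;   // fail closed: no claim means no access

  if (claimsPrincipal != null)
  {
      IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;

      string pmClaim = (from c in claimsIdentity.Claims
                        where c.ClaimType == CLAIM_TYPE
                        select c.Value).FirstOrDefault();

      // bool.Parse throws when the claim is missing (null) or malformed;
      // TryParse leaves authorized == false in both cases
      bool.TryParse(pmClaim, out authorized);
  }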
Outgoing Claims
• What identity is used for code on WFE?
  – By default, code has claims-based identity
  – Legacy mode can be used for Windows identity

• What are the scenarios?
  – WFE code calls to application services
  – WFE code calls to external LOB systems
  – WFE code calls to external SharePoint farms
Outgoing Claims
Accessing non-Claims Aware Systems
• SQL Server 2008/2008 R2
   – Denali is claims aware
• Claims to Windows Token Service
  (C2WTS)
   – Converts Claims back to a Windows
     Identity




        SharePoint            LOB Application
C2WTS
• Install on Server hosting the STS Service
  Application (Part of WIF)
• Local Service by default (also default
  disabled)
  – Dependent on Crypto Service (must start first
    – check out KB2512597)
• Read Configure Kerberos Authentication
  for the C2WTS (SharePoint Server 2010)
  whitepaper
Configure / Upgrade FBA sites
• Setup FBA-Claims
  – Create authentication provider
  – Create or configure existing web app to use the
    authentication provider
  – Add membership / role provider entries to
    different web configs
• Upgrade FBA web applications
  – User must update web.config(s)
  – Set the web app/zone to FBA-Claims to trigger
    user migration
Why 3 web.config locations?

• Central admin
   – Needs the references of all providers to enable picking of
     principals from any provider
• STS web.config (Security Token Service app)
   – Needs the references of all providers in order to
       • Authenticate user
       • Get roles of user (which are converted to claims)
• FBA Web application web.config
   – Needs “system claims membership provider”
       • Automatically configured OOB during install
   – Customer defined membership / role provider
       • To enable picking of FBA users & roles
Web.config example
 <configuration>
  <system.web>
   <membership defaultProvider="AspNetSqlMembershipProvider">
    <providers>
     <add name="membership" type="LdapMembershipProvider,…
          server="redmond.corp.microsoft.com"
          port="389"
          …/>
    </providers>
   </membership>
   <roleManager enabled="true" defaultProvider="MyRoleProv">
    <providers>
     <add name="roleManager" type="LdapRoleProvider, …
          server="redmond.corp.microsoft.com"
          …/>
    </providers>
   </roleManager>
  </system.web>
 </configuration>
Upgrade FBA: Powershell sample
    $ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" `
        -ASPNETRoleProviderName "rolemanager"

    $wa = New-SPWebApplication -Name "My Web App" -ApplicationPool "Claims App Pool" `
        -ApplicationPoolAccount "domain\appool" `
        -Url http://servername -Port 80 -AuthenticationProvider $ap

•   Note: The ApplicationPoolAccount needs to be a managed account on the farm

•   Modify the Web.config files (Central Admin, Security Token Service, Forms Web
    App)
Common CBA development task
• Creating claims provider
• Claims providers have two roles
  – Augmentation
     • Add additional claims into user token
     • SharePoint will authorize over these claims
  – Picking and resolving claims
     • Provides listing, resolve, search and friendly display of claims
       functionality in the people picker
Developing custom claims providers
Claims augmentation
• Enables an application to augment additional claims into the user's
  token
• Custom provider is implemented by inheriting
   – Microsoft.SharePoint.Administration.Claims.SPClaimsProvider
   – Use FillClaimsForEntity method
• Deployment done by creating feature and feature receiver that
  derives from
   – Microsoft.SharePoint.Administration.Claims.SPClaimsProviderFeatureReceiver class


• MSDN Article by Steve Peschka
   – http://msdn.microsoft.com/en-us/library/ff699494.aspx
Developing custom claims providers
Claims picker
• Provides Listing, Resolve, Search and Friendly display
  of claims in the People Picker
• Custom provider is implemented by inheriting
   – Microsoft.SharePoint.Administration.Claims.SPClaimsProvider
   – Use FillHierarchy, FillResolve, FillSearch methods
• Deployment done by creating feature and feature
  receiver that derives from
   – Microsoft.SharePoint.Administration.Claims.SPClaimsProviderFeatureReceiver class
AUGMENT CLAIMS
RESOLVE CLAIMS IN PEOPLE PICKER
demo
FillClaimsForEntity() method
• Parameters
  – Context (URI)
  – Current user (userid claim)
  – Empty list to contain new claims

• Called once per session
  – Token is passed as cookie once issued
Entity Values
• Domain user
  – 0#.w|domain\user

• FBA user
  – 0#.f|mbrshipprovidername|user

• Be sure to inspect entity when filling
  Claims
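The encoded id layout from the Encoded Id slide and the entity formats listed above, as a parser in C# (an added example, not code from the deck or from SharePoint). The class and member names are hypothetical, the sample strings are constructed, and treating a second `|` as the separator between the original issuer name and the value is an assumption drawn from the FBA format shown here.

```csharp
using System;
using System.Collections.Generic;

public sealed class EncodedClaim
{
    // Lookup tables limited to the characters listed on the slides.
    static readonly Dictionary<char, string> ClaimTypes = new Dictionary<char, string>
    {
        { '?', "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" },
        { '#', "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" }
    };
    static readonly Dictionary<char, string> IssuerTypes = new Dictionary<char, string>
    {
        { 'w', "windows" }, { 'm', "membership" }, { 'r', "role" }, { 't', "trusted STS" },
        { 'p', "personal card" }, { 's', "local STS" },
        { 'f', "forms (FBA)" } // taken from the Entity Values slide
    };

    public bool? IsIdentityClaim { get; private set; } // null when the "i:" / "c:" prefix is absent
    public char ClaimTypeChar { get; private set; }
    public char ValueTypeChar { get; private set; }    // reported as-is, not decoded
    public char IssuerTypeChar { get; private set; }
    public string OriginalIssuer { get; private set; } // e.g. membership provider name; null if none
    public string Value { get; private set; }

    public string ClaimType { get { return Lookup(ClaimTypes, ClaimTypeChar); } }
    public string IssuerType { get { return Lookup(IssuerTypes, IssuerTypeChar); } }

    static string Lookup(Dictionary<char, string> table, char key)
    {
        string name;
        return table.TryGetValue(key, out name) ? name : "unknown (" + key + ")";
    }

    public static bool TryParse(string encoded, out EncodedClaim claim)
    {
        claim = null;
        if (string.IsNullOrEmpty(encoded)) return false;

        bool? isIdentity = null;
        string body = encoded;
        // Optional "i:" / "c:" prefix; the Entity Values slide shows the form without it.
        if (encoded.Length > 2 && encoded[1] == ':')
        {
            if (encoded[0] == 'i') isIdentity = true;
            else if (encoded[0] == 'c') isIdentity = false;
            else return false;
            body = encoded.Substring(2);
        }

        // body = reserved '0' + claim type + value type + issuer type + '|' + rest
        if (body.Length < 6 || body[0] != '0' || body[4] != '|') return false;

        // Assumption: a second '|' separates the original issuer name from the value.
        string[] parts = body.Substring(5).Split(new[] { '|' }, 2);
        string issuer = parts.Length == 2 ? parts[0] : null;
        string value = parts[parts.Length - 1];
        if (value.Length == 0 || (issuer != null && issuer.Length == 0)) return false;

        claim = new EncodedClaim
        {
            IsIdentityClaim = isIdentity, ClaimTypeChar = body[1], ValueTypeChar = body[2],
            IssuerTypeChar = body[3], OriginalIssuer = issuer, Value = value
        };
        return true;
    }

    // Same principal only if issuer type, issuer name and value all match.
    // Assumption: names are compared case-insensitively.
    public bool SamePrincipalAs(EncodedClaim other)
    {
        return other != null
            && IssuerTypeChar == other.IssuerTypeChar
            && string.Equals(OriginalIssuer, other.OriginalIssuer, StringComparison.OrdinalIgnoreCase)
            && string.Equals(Value, other.Value, StringComparison.OrdinalIgnoreCase);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed samples: two well-formed ids, then three malformed ones.
        string[] samples =
        {
            @"i:0#.w|contoso\wbaer", "0#.f|mbrshipprovidername|wbaer",
            "x:0#.w|bad", "i:1#.w|bad", "i:0#.f||wbaer"
        };
        foreach (string s in samples)
        {
            EncodedClaim c;
            if (!EncodedClaim.TryParse(s, out c)) { Console.WriteLine("REJECTED {0}", s); continue; }
            Console.WriteLine("{0}\n  issuerType={1} issuer={2} value={3}\n  claimType={4}",
                s, c.IssuerType, c.OriginalIssuer ?? "(none)", c.Value, c.ClaimType);
        }

        // Same trailing account name, different issuer: not the same principal.
        EncodedClaim win, fba;
        EncodedClaim.TryParse(@"i:0#.w|contoso\wbaer", out win);
        EncodedClaim.TryParse("i:0#.f|mbrshipprovidername|wbaer", out fba);
        Console.WriteLine("same principal: {0}", win.SamePrincipalAs(fba)); // False
    }
}
```

Comparing the full tuple rather than the trailing user name is what "inspect entity" protects: an FBA account and a Windows account can share a name without being the same user.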
SPClaimsProvider.CreateClaim()
• protected SPClaim CreateClaim(string claimType,string
  value,string valueType)
   – claimType Type: String
     The type of claim. Examples of claim types include first name, role and
     email address. The claim type provides context for the claim
     value, and it is usually expressed as a Uniform Resource Identifier
     (URI). For example, the e-mail address claim type is represented as
     http://schemas.microsoft.com/ws/2008/06/identity/claims/email.
   – value Type: String
     The value of the claim. For example, if the claim type is role, a value
     might be contributor, and if the claim type is first name, a value might
     be Matt.
   – valueType Type: String
     The type of value in the claim. These are all URIs that refer to a string.
ClaimValueTypes

Base64Binary      http://www.w3.org/2001/XMLSchema#base64Binary
Boolean           http://www.w3.org/2001/XMLSchema#boolean
Date              http://www.w3.org/2001/XMLSchema#date
Datetime          http://www.w3.org/2001/XMLSchema#dateTime
DaytimeDuration   http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
String            http://www.w3.org/2001/XMLSchema#string
Trusted Identity Providers
• Active Directory Federation Services
  (ADFS 2.0)
  – Enables identity across organizational
    boundaries
  – http://www.microsoft.com/adfs2
• Windows Live Id
  – http://technet.microsoft.com/en-us/library/ff973117.aspx
Trusted Identity Providers (Ctd)
• OpenID
  – Must be “Translated” into SAML Claims
    • WIF code
    • Pioneering work
       – http://blogs.southworks.net/mwoloski/2009/07/14/openid-ws-fed-protocol-transition-sts/ (Matias Woloski)
       – https://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=34 (Travis Nielsen)

  – Many OpenID Providers
    • http://openid.net/get-an-openid/
Summary
• Claims are the way forward for
  authentication
• Claims enable new scenarios for
  authentication and authorization
Additional Resources
• Recommended Reading
  – Read more on Claims-based Authentication in the SharePoint Server
    2010 IT Professional Evaluation Guide
  – Plan Authentication Methods (SharePoint Server 2010) on TechNet
  – Read the article Configure Forms-based Authentication for a Claims-
    based Web Application on TechNet (This article also provides some
    good upgrade material.)
  – Configure the Security Token Service on TechNet
  – SharePoint and Claims-based Identity on MSDN
  – A Guide to Claims-Based Identity and Access Control
  – Claims-Based Identity for Windows
  – Claims to Windows Token Service Overview (MSDN)

More Related Content

What's hot

Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Ymens - Cloud Identity Crisis - Dev Talks 2015
Ymens - Cloud Identity Crisis - Dev Talks 2015Ymens - Cloud Identity Crisis - Dev Talks 2015
Ymens - Cloud Identity Crisis - Dev Talks 2015Vlad Mihnea
 
MongoDB.local Sydney: Evolving your Data Access with MongoDB Stitch
MongoDB.local Sydney: Evolving your Data Access with MongoDB StitchMongoDB.local Sydney: Evolving your Data Access with MongoDB Stitch
MongoDB.local Sydney: Evolving your Data Access with MongoDB StitchMongoDB
 
Preparing for Office 365
Preparing for Office 365Preparing for Office 365
Preparing for Office 365Jan Egil Ring
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netUmar Ali
 
Deploying an Extranet on SharePoint
Deploying an Extranet on SharePointDeploying an Extranet on SharePoint
Deploying an Extranet on SharePointAlan Marshall
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Amazon Web Services
 
Authentication and Identity with Amazon Cognito
Authentication and Identity with Amazon CognitoAuthentication and Identity with Amazon Cognito
Authentication and Identity with Amazon CognitoAmazon Web Services
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
 
Office 365 api vs share point app model
Office 365 api vs share point app modelOffice 365 api vs share point app model
Office 365 api vs share point app modelBIWUG
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CloudIDSummit
 
Implementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking SiteImplementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking SiteDavid Keener
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsCory Forsyth
 
The dashboarding problem
The dashboarding problemThe dashboarding problem
The dashboarding problemnuria_ruiz
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID ConnectMarcin Wolnik
 

What's hot (20)

Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
Ymens - Cloud Identity Crisis - Dev Talks 2015
Ymens - Cloud Identity Crisis - Dev Talks 2015Ymens - Cloud Identity Crisis - Dev Talks 2015
Ymens - Cloud Identity Crisis - Dev Talks 2015
 
MongoDB.local Sydney: Evolving your Data Access with MongoDB Stitch
MongoDB.local Sydney: Evolving your Data Access with MongoDB StitchMongoDB.local Sydney: Evolving your Data Access with MongoDB Stitch
MongoDB.local Sydney: Evolving your Data Access with MongoDB Stitch
 
Preparing for Office 365
Preparing for Office 365Preparing for Office 365
Preparing for Office 365
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Difference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.netDifference between authentication and authorization in asp.net
Difference between authentication and authorization in asp.net
 
Deploying an Extranet on SharePoint
Deploying an Extranet on SharePointDeploying an Extranet on SharePoint
Deploying an Extranet on SharePoint
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Authentication and Identity with Amazon Cognito
Authentication and Identity with Amazon CognitoAuthentication and Identity with Amazon Cognito
Authentication and Identity with Amazon Cognito
 
Auth experience - vol 1.0
Auth experience  - vol 1.0Auth experience  - vol 1.0
Auth experience - vol 1.0
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
 
Office 365 api vs share point app model
Office 365 api vs share point app modelOffice 365 api vs share point app model
Office 365 api vs share point app model
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
 
Implementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking SiteImplementing OpenID for Your Social Networking Site
Implementing OpenID for Your Social Networking Site
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
 
The dashboarding problem
The dashboarding problemThe dashboarding problem
The dashboarding problem
 
Presentation
PresentationPresentation
Presentation
 
OAuth2 & OpenID Connect
OAuth2 & OpenID ConnectOAuth2 & OpenID Connect
OAuth2 & OpenID Connect
 

Viewers also liked

I L G A T T O I L L U S I O N I S T A
I L  G A T T O  I L L U S I O N I S T AI L  G A T T O  I L L U S I O N I S T A
I L G A T T O I L L U S I O N I S T ARoberto Traetta
 
Constructivism lite
Constructivism liteConstructivism lite
Constructivism liteDavid Geelan
 
PP: God Bless America - Kate Smith
PP: God Bless America - Kate SmithPP: God Bless America - Kate Smith
PP: God Bless America - Kate SmithRbhnow
 
CASE Award presentation
CASE Award presentationCASE Award presentation
CASE Award presentationKenon Man
 
η πολη μου τα τρικαλα
η πολη μου τα τρικαλαη πολη μου τα τρικαλα
η πολη μου τα τρικαλαekokkoti
 
Renaissance man tweet meet leuven
Renaissance man tweet meet leuvenRenaissance man tweet meet leuven
Renaissance man tweet meet leuvenPascal Cools
 
Au Psy 492 Baroness Thompson Doc M6 A2
Au Psy 492 Baroness Thompson Doc M6 A2Au Psy 492 Baroness Thompson Doc M6 A2
Au Psy 492 Baroness Thompson Doc M6 A2Baroness Thompson
 
Technical notes for C_NES Foundation and Gwahati Medical College Presentation
Technical notes for C_NES Foundation and  Gwahati  Medical College Presentation Technical notes for C_NES Foundation and  Gwahati  Medical College Presentation
Technical notes for C_NES Foundation and Gwahati Medical College Presentation MobileDiagnosis Non Profit Association
 
Module 3 Week 3 Review
Module 3 Week 3 ReviewModule 3 Week 3 Review
Module 3 Week 3 ReviewCDOL
 
Ist storyboard final
Ist storyboard finalIst storyboard final
Ist storyboard finalkayeleanne
 
Healtheducation 090714065946 Phpapp02
Healtheducation 090714065946 Phpapp02Healtheducation 090714065946 Phpapp02
Healtheducation 090714065946 Phpapp02Nidheesha Manganam
 
「アンケート」=「一者一択の踏み絵」 長野市役所の説
「アンケート」=「一者一択の踏み絵」 長野市役所の説「アンケート」=「一者一択の踏み絵」 長野市役所の説
「アンケート」=「一者一択の踏み絵」 長野市役所の説長野市議会議員小泉一真
 

Viewers also liked (20)

Brochure parassitosi mobilediagnosis ita
Brochure parassitosi mobilediagnosis ita Brochure parassitosi mobilediagnosis ita
Brochure parassitosi mobilediagnosis ita
 
I L G A T T O I L L U S I O N I S T A
I L  G A T T O  I L L U S I O N I S T AI L  G A T T O  I L L U S I O N I S T A
I L G A T T O I L L U S I O N I S T A
 
Constructivism lite
Constructivism liteConstructivism lite
Constructivism lite
 
Mobile Diagnosis®Project 2012 Presentation
Mobile Diagnosis®Project 2012  PresentationMobile Diagnosis®Project 2012  Presentation
Mobile Diagnosis®Project 2012 Presentation
 
PP: God Bless America - Kate Smith
PP: God Bless America - Kate SmithPP: God Bless America - Kate Smith
PP: God Bless America - Kate Smith
 
MobileDiagnosis:an appropriate technology
MobileDiagnosis:an appropriate technologyMobileDiagnosis:an appropriate technology
MobileDiagnosis:an appropriate technology
 
Testing 8
Testing 8Testing 8
Testing 8
 
CASE Award presentation
CASE Award presentationCASE Award presentation
CASE Award presentation
 
η πολη μου τα τρικαλα
η πολη μου τα τρικαλαη πολη μου τα τρικαλα
η πολη μου τα τρικαλα
 
Renaissance man tweet meet leuven
Renaissance man tweet meet leuvenRenaissance man tweet meet leuven
Renaissance man tweet meet leuven
 
Coe rapporto ottobre 2014
Coe rapporto ottobre 2014 Coe rapporto ottobre 2014
Coe rapporto ottobre 2014
 
Au Psy 492 Baroness Thompson Doc M6 A2
Au Psy 492 Baroness Thompson Doc M6 A2Au Psy 492 Baroness Thompson Doc M6 A2
Au Psy 492 Baroness Thompson Doc M6 A2
 
Dosier fotográfico
Dosier fotográficoDosier fotográfico
Dosier fotográfico
 
Technical notes for C_NES Foundation and Gwahati Medical College Presentation
Technical notes for C_NES Foundation and  Gwahati  Medical College Presentation Technical notes for C_NES Foundation and  Gwahati  Medical College Presentation
Technical notes for C_NES Foundation and Gwahati Medical College Presentation
 
Module 3 Week 3 Review
Module 3 Week 3 ReviewModule 3 Week 3 Review
Module 3 Week 3 Review
 
Welcome to icehouse
Welcome to icehouseWelcome to icehouse
Welcome to icehouse
 
Ist storyboard final
Ist storyboard finalIst storyboard final
Ist storyboard final
 
Healtheducation 090714065946 Phpapp02
Healtheducation 090714065946 Phpapp02Healtheducation 090714065946 Phpapp02
Healtheducation 090714065946 Phpapp02
 
Asha
AshaAsha
Asha
 
「アンケート」=「一者一択の踏み絵」 長野市役所の説
「アンケート」=「一者一択の踏み絵」 長野市役所の説「アンケート」=「一者一択の踏み絵」 長野市役所の説
「アンケート」=「一者一択の踏み絵」 長野市役所の説
 

Similar to Claim Based Authentication in SharePoint 2010: A Developers Perspective

Extending Authentication and Authorization
Extending Authentication and AuthorizationExtending Authentication and Authorization
Extending Authentication and AuthorizationEdin Kapic
 
ESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and AuthorizationESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and AuthorizationEdin Kapic
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Danny Jessee
 
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?Liam Cleary [MVP]
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...Brian Culver
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using ClaimsVolkan Uzun
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...Liam Cleary [MVP]
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthKashif Imran
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...Michael Collier
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuidePhuong Nguyen
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)Jay Simcox
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...SPC Adriatics
 
DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010Spencer Harbar
 
SharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San FranciscoSharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San FranciscoLiam Cleary [MVP]
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Jonathan Schultz
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1Vinu Gunasekaran
 
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudClaims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudDanny Jessee
 

Claim Based Authentication in SharePoint 2010: A Developers Perspective

  • 1. Claim Based Authentication in SharePoint 2010 A Developers Perspective Joris Poelmans BIWUG @jopxtwits http://jopx.blogspot.com
  • 2. About Me • ECM Unit Manager @ RealDolmen • SharePoint Server MVP • Blog – http://jopx.blogspot.com • Twitter – @jopxtwits • Co-founder BIWUG – www.biwug.be • Co-author – Real World SharePoint 2010 (November 2010, Wrox) – Real World SharePoint 2007 (August 2007, Wrox) – SharePoint 2007, The definitive guide (September 2007, O’Reilly)
  • 3. Register today and save $500 before August 1st Save the date: watch live stream, join local events by MSDN Belux Win a ticket today at Communiday Day! • Take a picture wearing the BUILD t-shirt. • Tweet or blog the picture, link to www.buildwindows.com, use tag #bldwin • Wear the t-shirt and be there for the closing prize draw http://www.buildwindows.com/
  • 4. Agenda • Introduction to Claims • Claims in SharePoint 2010 • Configuring Claims in SharePoint 2010 • Development tasks with Claims • Trusted Identity Providers
  • 5. Identity vs Claims • Identity – Set of attributes to describe a user • Claim – Information such as name, e-mail address, group membership, etc. • User identity as a set of claims
  • 6. Claims • Claims carry pieces of information about the user Name Claim Age Claim Location Claim Claim Signature
  • 7. Claim-based Terminology
      • Authentication: act of establishing or confirming something
      • Authorization: function of specifying access rights to resources
      • Claim: statement about an identity (attribute: Login Name, AD Group, etc)
      • Identity: security principal (end user)
      • Identity Provider (IP): provides authentication for identities, confirms that claims in a token are valid and issues tokens. Can be accessed through an STS.
      • Issuer: trusted party that creates claims
      • Issuing Authority: issues security tokens knowing claims desired by target application
      • Security Token: serialized set of claims, digitally signed by the issuing authority (Windows security token or SAML)
      • Security Token Service (STS): builds, signs and issues security tokens carrying claims that describe the caller
      • Relying Party (RP): application that makes authorization decisions based on claims
      • Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
      • Windows Identity Foundation (aka Geneva): framework for building claims-based applications and services and for implementing federated security scenarios
      • ADFS 2.0 (aka Geneva Server): Enterprise Identity Provider that exposes a Security Token Service
  • 8. Underlying standards • WS-Federation 1.1 – Provides the architecture for a clean separation between trust mechanisms, security tokens formats and the protocols for obtaining tokens • WS-Trust 1.4 – How to request and receive security tokens • SAML Token 1.1 – XML vocabulary used to represent claims in an interoperable way
  • 9. Why the move to claims? • It decouples SharePoint from authentication provider • Applications can decide which Claims are required and which Identity Provider to trust • Supports multiple authentication providers for one URL • Identity can be passed without Kerberos delegation • It enables federation between organizations
  • 10. Agenda • Introduction to Claims • Claims in SharePoint 2010 • Configuring Claims in SharePoint 2010 • Development tasks with claims • Trusted Identity Providers
  • 11. CLAIMS VIEWER WEBPART MULTI-AUTH WEB APPLICATIONS demo
  • 14. Claims Viewer WebPart
        // Requires WIF: using Microsoft.IdentityModel.Claims;
        IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
        if (claimsPrincipal == null) return;  // request is not claims-authenticated
        IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
        GridView1.DataSource = claimsIdentity.Claims;  // one row per claim
  • 15. Encoded Id Example: i:0#.w|contoso\wbaer
      – i = Identity Claim; all other claims will use “c” as opposed to “i”
      – : = Colon
      – 0 = Reserved to support future Claims
      – #/? = Claim Type Encoded Value. The out of the box claim types will have a hardcoded encoded value; this will enable parity across farms.
          E.g. Key: ?  Value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
               Key: #  Value: http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
      – ./0 = Claim Value Type. The out of the box claim value types will have a hardcoded encoded value; this will enable parity across farms.
          E.g. Key: .  Value: urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
               Key: 0  Value: http://www.w3.org/2001/XMLSchema#string
      – w/m/r/t/p/s = Original Issuer Type: w = windows, m = membership, r = role, t = trusted STS, p = personal card, s = local STS claim
  • 16. Claims in SharePoint 2010 Normalizing Identities Classic Claims
  • 17. Claims in SharePoint 2010 • Two important scenarios – Incoming claims – Outgoing claims • How do incoming claims work? – Identity token created by external identity STS – SharePoint STS creates claim-based identity – SharePoint STS based on Claims Provider – Incoming claim identity is mapped to SPUser – Authorization of SPUser just like it is in SharePoint 2007
  • 18.
  • 19. Office Applications • Office Client applications now support non-Integrated Windows Authentication • Office 2007 with Service Pack 2 on – Windows XP with Internet Explorer 8 – Windows Vista with SP2 or optionally with Internet Explorer 8 – Windows 7 • Office 2010 on – Windows XP with Internet Explorer 8 – Windows Vista with SP2 or optionally with Internet Explorer 8 – Windows 7
  • 20. Claim Based Authorization • Use the claims enabled people picker to assign authorizations • Access claims via the IClaimsIdentity interface • Conditionally Display information – based on presence of claim – based on value of claim
  • 21. SELECT CLAIMS IN PEOPLE PICKER CONDITIONALLY DISPLAY INFORMATION demo
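  • 22. Conditionally display information
        // Requires: using System.Linq; using Microsoft.IdentityModel.Claims;
        IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
        bool authorized = false;  // deny unless the claim is present and parses to true
        if (claimsPrincipal != null)
        {
            IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
            string pmClaim = (from c in claimsIdentity.Claims
                              where c.ClaimType == CLAIM_TYPE
                              select c.Value).FirstOrDefault();
            // bool.Parse(null) throws when the claim is missing; TryParse leaves authorized false
            bool.TryParse(pmClaim, out authorized);
        }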
  • 23. Outgoing Claims • What identity is used for code on WFE? – By default, code has claims-based identity – Legacy mode can be used for Windows identity • What are the scenarios? – WFE code calls to application services – WFE code calls to external LOB systems – WFE code calls to external SharePoint farms
  • 25. Accessing non-Claims Aware Systems • SQL Server 2008/2008 R2 – Denali is claims aware • Claims to Windows Token Service (C2WTS) – Converts Claims back to a Windows Identity SharePoint LOB Application
  • 26. C2WTS • Install on Server hosting the STS Service Application (Part of WIF) • Local Service by default (also default disabled) – Dependent on Crypto Service (must start first – check out KB2512597) • Read Configure Kerberos Authentication for the C2WTS (SharePoint Server 2010) whitepaper
  • 27. Agenda • Introduction to Claims • Claims in SharePoint 2010 • Configuring Claims in SharePoint 2010 • Development tasks with claims • Trusted Identity Providers
  • 28. Configure / Upgrade FBA sites • Setup FBA-Claims – Create authentication provider – Create or configure existing web app to use the authentication provider – Add membership / role provider entries to different web configs • Upgrade FBA web applications – User must update web.config(s) – Set the web app/zone to FBA-Claims to trigger user migration
  • 29. Why 3 web.config locations? • Central admin – Needs the references of all providers to enable picking of principals from any provider • STS web.config (Security Token Service app) – Needs the references of all providers in order to • Authenticate user • Get roles of user (which are converted to claims) • FBA Web application web.config – Needs “system claims membership provider” • Automatically configured OOB during install – Customer defined membership / role provider • To enable picking of FBA users & roles
  • 30. Web.config example
        <configuration>
          <system.web>
            <membership defaultProvider="AspNetSqlMembershipProvider">
              <providers>
                <add name="membership" type="LdapMembershipProvider,… server="redmond.corp.microsoft.com" port="389" …/>
              </providers>
            </membership>
            <roleManager enabled="true" defaultProvider="MyRoleProv">
              <providers>
                <add name="roleManager" type="LdapRoleProvider, … server="redmond.corp.microsoft.com" …
              </providers>
            </roleManager>
  • 31. Upgrade FBA: PowerShell sample
        # Create a claims authentication provider from the FBA membership and role providers
        $ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
        # Create the claims web application that uses that provider
        $wa = New-SPWebApplication -Name "My Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "domain\appool" -Url http://servername -Port 80 -AuthenticationProvider $ap
      • Note: The ApplicationPoolAccount needs to be a managed account on the farm
      • Modify the Web.config files (Central Admin, Security Token Service, Forms Web App)
  • 32. Agenda • Introduction to Claims • Claims in SharePoint 2010 • Configuring Claims in SharePoint 2010 • Development tasks with claims • Trusted Identity Providers
  • 33. Common CBA development task • Creating claims provider • Claims providers have two roles – Augmentation • Add additional claims into user token • SharePoint will authorize over these claims – Picking and resolving claims • Provides listing, resolve, search and friendly display of claims functionality in the people picker
  • 34. Developing custom claims providers: Claims augmentation • Enables an application to augment additional claims into the user’s token • Custom provider is implemented by inheriting – Microsoft.SharePoint.Administration.Claims.SPClaimProvider – Use FillClaimsForEntity method • Deployment done by creating feature and feature receiver that derives from – Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver class • MSDN Article by Steve Peschka – http://msdn.microsoft.com/en-us/library/ff699494.aspx
  • 35. Developing custom claims providers: Claims picker • Provides Listing, Resolve, Search and Friendly display of claims in the People Picker • Custom provider is implemented by inheriting – Microsoft.SharePoint.Administration.Claims.SPClaimProvider – Use FillHierarchy, FillResolve, FillSearch methods • Deployment done by creating feature and feature receiver that derives from – Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver class
  • 36. AUGMENT CLAIMS RESOLVE CLAIMS IN PEOPLE PICKER demo
  • 37. FillClaimForEntity() method • Parameters – Context (URI) – Current user (userid claim) – Empty list to contain new claims • Called once per session – Token is passed as cookie once issued
  • 38. Entity Values • Domain user – 0#.w|domainuser • FBA user – 0#.f|mbrshipprovidername|user • Be sure to inspect entity when filling Claims
  • 39. SPClaimProvider.CreateClaim() • protected SPClaim CreateClaim(string claimType,string value,string valueType) – claimType Type: String The type of claim. Examples of claim types include first name, role and email address. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI). For example, the e-mail address claim type is represented as http://schemas.microsoft.com/ws/2008/06/identity/claims/email. – value Type: String The value of the claim. For example, if the claim type is role, a value might be contributor, and if the claim type is first name, a value might be Matt. – valueType Type: String The type of value in the claim. These are all URIs that refer to a string.
  • 40. ClaimValueTypes • Base64Binary – http://www.w3.org/2001/XMLSchema#base64Binary • Boolean – http://www.w3.org/2001/XMLSchema#boolean • Date – http://www.w3.org/2001/XMLSchema#date • Datetime – http://www.w3.org/2001/XMLSchema#dateTime • DaytimeDuration – http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration • String – http://www.w3.org/2001/XMLSchema#string
  • 41. Agenda • Introduction to Claims • Claims in SharePoint 2010 • Configuring Claims in SharePoint 2010 • Development tasks with claims • Trusted Identity Providers
  • 42. Trusted Identity Providers • Active Directory Federation Services (ADFS 2.0) – Enables identity across organizational boundaries – http://www.microsoft.com/adfs2 • Windows Live ID – http://technet.microsoft.com/en-us/library/ff973117.aspx
  • 43. Trusted Identity Providers (Ctd) • OpenID – Must be “Translated” into SAML Claims • WIF code • Pioneering work – http://blogs.southworks.net/mwoloski/2009/07/14/openid-ws-fed-protocol-transition-sts/ (Matias Woloski) – https://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=34 (Travis Nielsen) – Many OpenID Providers • http://openid.net/get-an-openid/
  • 44. Summary • Claims are the way forward for authentication • Claims enable new scenarios for authentication and authorization
  • 45. Additional Resources • Recommended Reading – Read more on Claims-based Authentication in the SharePoint Server 2010 IT Professional Evaluation Guide – Plan Authentication Methods (SharePoint Server 2010) on TechNet – Read the article Configure Forms-based Authentication for a Claims-based Web Application on TechNet (This article also provides some good upgrade material.) – Configure the Security Token Service on TechNet – SharePoint and Claims-based Identity on MSDN – A Guide to Claims-Based Identity and Access Control – Claims-Based Identity for Windows – Claims to Windows Token Service Overview (MSDN)
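
Slides 33 to 39 describe claims augmentation and the advice to inspect the entity value before filling claims. The following augmentation-only provider is an added example, not code from the presentation or from Microsoft; the class name, the constructed account list standing in for a CRM role store, and the "Sales Manager" role value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// Added example: class name, account list and role value are assumptions.
public class SalesRoleClaimsProvider : SPClaimProvider
{
    const string RoleType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    const string StringType = "http://www.w3.org/2001/XMLSchema#string";
    // Constructed sample data standing in for the CRM role store.
    static readonly HashSet<string> SalesManagers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"contoso\alice" };
    public SalesRoleClaimsProvider(string displayName) : base(displayName) { }

    public override string Name { get { return "SalesRoleClaimsProvider"; } }
    public override bool SupportsEntityInformation { get { return true; } } // augmentation only
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return false; } }
    public override bool SupportsSearch { get { return false; } }

    protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(RoleType); }
    protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(StringType); }
    protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.FormsRole); }
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
    {
        if (entity == null) throw new ArgumentNullException("entity");
        if (claims == null) throw new ArgumentNullException("claims");
        string account = WindowsAccount(entity.Value);
        if (account != null && SalesManagers.Contains(account))
            claims.Add(CreateClaim(RoleType, "Sales Manager", StringType));
    }

    // Returns domain\user only for a Windows entity (0#.w|domain\user). An FBA entity
    // (0#.f|provider|user) returns null, so a forms user with a matching name gets no role.
    static string WindowsAccount(string value)
    {
        const string prefix = "0#.w|";
        if (value == null || !value.StartsWith(prefix, StringComparison.Ordinal)) return null;
        string account = value.Substring(prefix.Length);
        return account.IndexOf('\\') > 0 && account.IndexOf('|') < 0 ? account : null;
    }

    // People Picker members are not used by an augmentation-only provider.
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { throw new NotImplementedException(); }
    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved) { throw new NotImplementedException(); }
    protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved) { throw new NotImplementedException(); }
    protected override void FillSchema(SPProviderSchema schema) { throw new NotImplementedException(); }
    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, string hierarchyNodeID, int maxCount, SPProviderHierarchyTree searchTree) { throw new NotImplementedException(); }
}
```

Because SharePoint authorizes over augmented claims, the provider matches on the issuer prefix as well as the account name before adding the role.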

Editor's Notes

  1. Identities are basically pieces of information about a person or an object, for example, a user. When an identity traverses the network it is represented by an array of bytes that is referred to as a token. In claims-based identity scenarios, the array of bytes carries claims about the person or object.
  2. In claims-based identity scenarios a token carries pieces of information about the user (claims) in addition to a digital signature that is applied by the issuer (the token is digitally signed). The signature is used to verify the source and protect the token from unauthorized changes. A claim can be a variety of information; the user’s name, age, and location, for example, are all claims within the token.
  3. Tokens are issued by Security Token Service (STS) software in response to an authentication request by the user through the browser, which results in a token request. The request is authenticated through a number of scenarios, such as a Kerberos ticket or with the user providing a username and password. The request is made on behalf of the user by the browser, which asks the Security Token Service for a token containing claims for the user. [This request uses the standard WS-Trust protocol.] The Security Token Service will request information about the user from the attribute store and return it to the Security Token Service, where the token is issued and returned to the browser. In SharePoint Server 2010 the fundamental component behind the native Security Token Service is the Windows Identity Foundation, a set of .NET Framework classes that implement essential identity functions, including receipt of tokens, digital signature verification, and accessing token claims. In addition, Windows Identity Foundation is the foundation for ADFS 2.0. The Windows Identity Foundation also enables developers to write their own Security Token Services. SharePoint acts as an Identity Provider (Windows and FBA). The SharePoint STS is an implementation of WS-Trust.
  4. Both SharePoint Foundation and SharePoint Server 2010 move to the claims-based security model. The SharePoint 2007 authentication model is now considered legacy (classic mode).
  5. Using Microsoft.IdentityModel.Claims
  6. In a claim-based identity scenario you will become familiar with seeing an encoded Id preceding usernames. This slide is intended to help you understand what the values in the encoded Id represent.
  7. In SharePoint Server 2010 two modes of authentication are provided: Classic Mode and Claims Mode Authentication. Classic Mode Authentication is what is referred to as Integrated Windows authentication, where Active Directory authenticates the user and provides a token that SharePoint uses to get the SPUser object. The SPUser object is what SharePoint uses to perform authorization within the system. In a Claims Mode Authentication scenario we add a second step: we take the existing tokens, convert them into SAML tokens, treat them as a unified system and use them within SharePoint as the SPUser object.
  8. New claims scenarios will drive support for non-Integrated Windows authentication scenarios with the Office client. The Office client supports these scenarios when the following conditions are met: Office 2007 with Service Pack 2 on Windows XP with Internet Explorer 8, Windows Vista with Service Pack 2 or optionally with Internet Explorer 8, and on Windows 7. Office 2010 on Windows XP with Internet Explorer 8, Windows Vista with Service Pack 2 or optionally with Internet Explorer 8, and on Windows 7.
  9. Find the <Configuration> <system.web> section. Add the following (for the LDAP provider):
      <membership defaultProvider="AspNetSqlMembershipProvider">
        <providers>
          <add name="membership"
               type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
               server="redmond.corp.microsoft.com"
               port="389"
               useSSL="false"
               userDNAttribute="distinguishedName"
               userNameAttribute="sAMAccountName"
               userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
               userObjectClass="person"
               userFilter="(&amp;(ObjectClass=person))"
               scope="Subtree"
               otherRequiredUserAttributes="sn,givenname,cn" />
        </providers>
      </membership>
      <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
        <providers>
          <add name="roleManager"
               type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
               server="redmond.corp.microsoft.com"
               port="389"
               useSSL="false"
               groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
               groupNameAttribute="cn"
               groupNameAlternateSearchAttribute="samAccountName"
               groupMemberAttribute="member"
               userNameAttribute="sAMAccountName"
               dnAttribute="distinguishedName"
               groupFilter="(&amp;(ObjectClass=group))"
               userFilter="(&amp;(ObjectClass=person))"
               scope="Subtree" />
        </providers>
      </roleManager>
  10. Open up a SharePoint 4.0 Management Console.
      Create a forms claims Authentication Provider:
        $ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
      Create a web application:
        $wa = New-SPWebApplication -Name "Claims Windows Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "redmond\appool" -Url http://servername -Port 80 -AuthenticationProvider $ap
      Note: The ApplicationPoolAccount needs to be a managed account on the farm.
      Modify all Web.config files (Central Admin, Security Token Service, Forms Web App).
  11. So when we explore the concept of claims providers we basically have two APIs. The first is augmentation. An example would be if you build an application on SharePoint that wants to expose claims: you can put that piece of code into SharePoint, for example, a CRM system that authorizes on the Sales Manager role. In Office SharePoint Server 2007 you would commonly use Security Groups or write a synchronization engine that copies the roles into a SharePoint Group. New scenarios allow you to take roles directly to the security token, using a database for example. The more common scenario is searching and resolving claims, basically, getting a user into SharePoint. We’ve made the People Picker more extensible as to what data it shows the user, so we can enumerate claims and allow people to select Sales Managers and apply it to an ACL.
  12. These resources are provided to help you understand claims-based identity, providing additional reading and ways to participate in claims-based identity discussions.