Phuong Nguyen, profile picture
Uploaded byPhuong Nguyen
PPTX, PDF3,708 views

Claims Based Authentication A Beginners Guide

This document discusses claims authentication in SharePoint. It defines key terminology like claims, security tokens, and relying parties. It explains how claims work at a high level using an airport analogy. It then discusses how claims are used in SharePoint, including how the security token service handles claims. It also covers configuring forms-based authentication to use claims by setting up an authentication provider and making configuration changes in Central Administration, the security token service, and the web application.

Embed presentation

Downloaded 120 times
Claims Authentication Claims Authentication
AGENDA • What is Claims? • Claims in SharePoint • Configuring and Using Claims in SharePoint
My Trip Check In Counter Boarding Gate
Terminology • Identity: security principal (end user) • Authentication: act of establishing or confirming something • Authorisation: function of specifying access rights to resources • Claim: statement about an identity • Security Token: set of claims that are digitally signed by an issuing authority • Security Token Service (STS): builds, signs and issues security tokens • Identity Provider STS (IP-STS): authenticates and issues tokens • Relying Party: application that makes authorisation decisions based on claims • Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
Claims at an Airport Boarding Gate Identity: security principal (end user)
Claims At An Airport Boarding Gate Relying Party: application that makes authorisation decisions based on claims
Claims At An Airport Boarding Gate Claim: statement about an identity “I am Thuan Le Cong” “My seat is 1c” 
Claims At An Airport Check In Counter Boarding Gate Identity Provider STS (IP-STS): authenticates and issues tokens
Claims At An Airport Name Seat Number Frequent Flyer Check In Counter Boarding Gate Security Token: set of claims that are digitally signed by an issuing authority
Claims at An Airport Check In Counter Boarding Gate
Terminology • Identity: security principal (end user) • Authentication: act of establishing or confirming something • Authorisation: function of specifying access rights to resources • Claim: statement about an identity • Security Token: set of claims that are digitally signed by an issuing authority • Security Token Service (STS): builds, signs and issues security tokens • Identity Provider STS (IP-STS): authenticates and issues tokens • Relying Party: application that makes authorisation decisions based on claims • Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
Claims in SharePoint Security Token Service Check In Counter Boarding Gate SharePoint WFE
Why Claims? • Decouples SharePoint from Authentication • Support for multiple authentication providers on one URL • Enables federation
Zones Web Application – Classic Web Application – Claims Windows • Zone: Default Windows • Zone: Default FBA SAML • Zone: Intranet FBA • Zone: Intranet FBA Windows • Zone: Internet … • Zone: Internet • Zone: Extranet … • Zone: Extranet … … • Zone: Custom … • Zone: Custom
Authentication Model • Two Authentication Modes – Classic (“Legacy”) – Claims
Authentication methods • Windows Authentication: Uses the Windows infrastructure, providing support for NTML, Kerberos, Anonymous, Basic, and Digest authentication. • Forms-Based Authentication (FBA) Utilizes a username and password HTML form that queries a membership provider in the back- end. • SAML token-based Authentication Uses an external identity provider that supports SAML 1.1 and WS-Federation Passive profile.
Externalized Authentication
Claims-based Authentication
Browser Based Sign-IN
Identity Mapping CLASSIC CLAIMS FBA NT Token NT Token SAML1.1+ SQL, LDAP, Custom, Windows Identity Windows Identity ADFS, … … SAML Token Claims Based Identity SPUser
SPClaim i:0#.w|coastalpointsolthuanle • Claim Type – W = Windows – F = Forms Based Authentication – T = Trusted (SAML) • Issuer • Value • Value Type
Forms Based Authentication • Exposed through Claims – Claims Identity instead of Generic Identity • Implemented as a Claims Provider – Implement ValidateUser() • STS talks to membership provider to validate user and issues a claims token • Roles are converted to claims
Configure FBA Create Authentication Provider Configure Web Application to use Authentication Provider Add Membership/Role Provider web.config entries (CA, STS, FBA Web App)
Three Web.config Changes? Create Authentication Provider Configure Web Application to use Authentication Provider Add Membership/Role Provider web.config entries (CA, STS, FBA Web App) • Central Admin – Enable picking of principles from any provider • STS – Authenticate User – Get Roles of Users (convert to claims) • FBA Web Application – Enables People Picker
DEMO Claims Authentication
Summary • What is Claims? • How claims work in SharePoint • How to configure FBA
hopefully Questions and Answers ^

More Related Content

PDF
Understanding Claim based Authentication
byMohammad Yousri
 
PDF
Claim based authentaication
bySean Xiong
 
PDF
Developing custom claim providers to enable authorization in share point an...
byAntonioMaio2
 
PDF
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
byAntonioMaio2
 
PPTX
SharePoint Saturday Toronto July 2012 - Antonio Maio
byAntonioMaio2
 
PPTX
SharePoint Access Control and Claims Based Authentication
byJonathan Schultz
 
PPTX
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
byBrian Culver
 
PPTX
How to deploy SharePoint 2010 to external users?
byrlsoft
 
Understanding Claim based Authentication
byMohammad Yousri
 
Claim based authentaication
bySean Xiong
 
Developing custom claim providers to enable authorization in share point an...
byAntonioMaio2
 
How Claims is Changing the Way We Authenticate and Authorize in SharePoint
byAntonioMaio2
 
SharePoint Saturday Toronto July 2012 - Antonio Maio
byAntonioMaio2
 
SharePoint Access Control and Claims Based Authentication
byJonathan Schultz
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
byBrian Culver
 
How to deploy SharePoint 2010 to external users?
byrlsoft
 

What's hot

PPTX
Extending SharePoint 2010 to your customers and partners
byCorey Roth
 
PPTX
T28 implementing adfs and hybrid share point
byThorbjørn Værp
 
PPTX
Saml vs Oauth : Which one should I use?
byAnil Saldanha
 
PPTX
AD FS Workshop | Part 2 | Deep Dive
byGranikos GmbH & Co. KG
 
PPTX
Building Secure Extranets with Claims-Based Authentication #SPEvo13
byGus Fraser
 
PDF
Authentication through Claims-Based Authentication
byijtsrd
 
PPTX
Leveraging SharePoint for Extranets
byAvtex
 
PDF
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
byBrian Culver
 
PPTX
70 346 Managing office 365 identities
byclounoud
 
PPTX
The Who, What, Why and How of Active Directory Federation Services (AD FS)
byJay Simcox
 
PPTX
SharePoint 2013 and ADFS
byNatallia Makarevich
 
PPTX
Claim Based Authentication in SharePoint 2010 for Community Day 2011
byJoris Poelmans
 
PPTX
The bits and pieces of Azure AD B2C
byAnton Staykov
 
PPT
SSO_Good_Bad_Ugly
bySteve Markey
 
PDF
Unlock your Big Data with Analytics and BI on Office 365 - OFF103
byBrian Culver
 
Extending SharePoint 2010 to your customers and partners
byCorey Roth
 
T28 implementing adfs and hybrid share point
byThorbjørn Værp
 
Saml vs Oauth : Which one should I use?
byAnil Saldanha
 
AD FS Workshop | Part 2 | Deep Dive
byGranikos GmbH & Co. KG
 
Building Secure Extranets with Claims-Based Authentication #SPEvo13
byGus Fraser
 
Authentication through Claims-Based Authentication
byijtsrd
 
Leveraging SharePoint for Extranets
byAvtex
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
byBrian Culver
 
70 346 Managing office 365 identities
byclounoud
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
byJay Simcox
 
SharePoint 2013 and ADFS
byNatallia Makarevich
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
byJoris Poelmans
 
The bits and pieces of Azure AD B2C
byAnton Staykov
 
SSO_Good_Bad_Ugly
bySteve Markey
 
Unlock your Big Data with Analytics and BI on Office 365 - OFF103
byBrian Culver
 

Viewers also liked

PDF
Deciphering 'Claims-based Identity'
byOliver Pfaff
 
PDF
Hacking Journalism: Using the Internet to Save the World
byDaniel Schultz
 
PDF
The world of encryption
byMohammad Yousri
 
PPTX
Hack ASP.NET website
byPositive Hack Days
 
PDF
The what, why, and how of master data management
byMohammad Yousri
 
PPT
Master Data Management
bySung Kuan
 
PPTX
Migrating Existing Applications to AWS Cloud
byjineshvaria
 
Deciphering 'Claims-based Identity'
byOliver Pfaff
 
Hacking Journalism: Using the Internet to Save the World
byDaniel Schultz
 
The world of encryption
byMohammad Yousri
 
Hack ASP.NET website
byPositive Hack Days
 
The what, why, and how of master data management
byMohammad Yousri
 
Master Data Management
bySung Kuan
 
Migrating Existing Applications to AWS Cloud
byjineshvaria
 

Similar to Claims Based Authentication A Beginners Guide

PDF
SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication
byBrian Culver
 
PPTX
Share point security 101 sps-ottawa 2012 - antonio maio
byAntonioMaio2
 
PPTX
Thomas vochten claims-spsbe26
byBIWUG
 
PPTX
Claims Based Identity In Share Point 2010
bySteve Sofian
 
PPTX
Troubleshooting Federation, ADFS, and More
byMicrosoft TechNet - Belgium and Luxembourg
 
PDF
Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
byOfficience
 
PDF
Introduction to claims based authentication in share point 2010
byOfficience
 
PPTX
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
byLiam Cleary [MVP]
 
PPT
Presentation sso design_security
byMarco Morana
 
PPTX
DD109 Claims Based AuthN in SharePoint 2010
bySpencer Harbar
 
PPTX
SharePoint, ADFS and Claims Auth
byKashif Imran
 
PPTX
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
byMichael Noel
 
DOCX
Srs sso-version-1.2-stable version
byShahzad
 
PPTX
HAD05: Collaborating with Extranet Partners on SharePoint 2010
byMichael Noel
 
PPTX
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...
byMichael Noel
 
PDF
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
byMichael Collier
 
PDF
Open sso fisl9.0
byStartup Cursos
 
PPTX
SPSBE 2013 Claims for devs
bySteven Van de Craen
 
PPTX
SharePoint Authentication And Authorization SPTechCon San Francisco
byLiam Cleary [MVP]
 
PDF
Claims based identity second edition device
bySteve Xu
 
SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication
byBrian Culver
 
Share point security 101 sps-ottawa 2012 - antonio maio
byAntonioMaio2
 
Thomas vochten claims-spsbe26
byBIWUG
 
Claims Based Identity In Share Point 2010
bySteve Sofian
 
Troubleshooting Federation, ADFS, and More
byMicrosoft TechNet - Belgium and Luxembourg
 
Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
byOfficience
 
Introduction to claims based authentication in share point 2010
byOfficience
 
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
byLiam Cleary [MVP]
 
Presentation sso design_security
byMarco Morana
 
DD109 Claims Based AuthN in SharePoint 2010
bySpencer Harbar
 
SharePoint, ADFS and Claims Auth
byKashif Imran
 
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
byMichael Noel
 
Srs sso-version-1.2-stable version
byShahzad
 
HAD05: Collaborating with Extranet Partners on SharePoint 2010
byMichael Noel
 
Collaborating with Extranet Partners on SharePoint 2010 - SharePoint Connecti...
byMichael Noel
 
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
byMichael Collier
 
Open sso fisl9.0
byStartup Cursos
 
SPSBE 2013 Claims for devs
bySteven Van de Craen
 
SharePoint Authentication And Authorization SPTechCon San Francisco
byLiam Cleary [MVP]
 
Claims based identity second edition device
bySteve Xu
 

More from Phuong Nguyen

PPTX
Development mobile app cross device
byPhuong Nguyen
 
DOCX
New Features In Power Pivot 2010
byPhuong Nguyen
 
DOCX
Summary Project Server Psi
byPhuong Nguyen
 
DOCX
Customize Olap By Amo
byPhuong Nguyen
 
PPTX
Use Amo To Customize Olap In Project Server
byPhuong Nguyen
 
PPTX
ECM And Enterprise Metadata in SharePoint 2010
byPhuong Nguyen
 
PPTX
Share Point Development With Vs10
byPhuong Nguyen
 
PPTX
Share Point 2010 Workflow
byPhuong Nguyen
 
PPTX
Workflow
byPhuong Nguyen
 
Development mobile app cross device
byPhuong Nguyen
 
New Features In Power Pivot 2010
byPhuong Nguyen
 
Summary Project Server Psi
byPhuong Nguyen
 
Customize Olap By Amo
byPhuong Nguyen
 
Use Amo To Customize Olap In Project Server
byPhuong Nguyen
 
ECM And Enterprise Metadata in SharePoint 2010
byPhuong Nguyen
 
Share Point Development With Vs10
byPhuong Nguyen
 
Share Point 2010 Workflow
byPhuong Nguyen
 
Workflow
byPhuong Nguyen
 

Claims Based Authentication A Beginners Guide

  • 1.
    Claims Authentication Claims Authentication
  • 2.
    AGENDA • What isClaims? • Claims in SharePoint • Configuring and Using Claims in SharePoint
  • 3.
    My Trip Check InCounter Boarding Gate
  • 4.
    Terminology • Identity: security principal (end user) • Authentication: act of establishing or confirming something • Authorisation: function of specifying access rights to resources • Claim: statement about an identity • Security Token: set of claims that are digitally signed by an issuing authority • Security Token Service (STS): builds, signs and issues security tokens • Identity Provider STS (IP-STS): authenticates and issues tokens • Relying Party: application that makes authorisation decisions based on claims • Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
  • 5.
    Claims at anAirport Boarding Gate Identity: security principal (end user)
  • 6.
    Claims At AnAirport Boarding Gate Relying Party: application that makes authorisation decisions based on claims
  • 7.
    Claims At AnAirport Boarding Gate Claim: statement about an identity “I am Thuan Le Cong” “My seat is 1c” 
  • 8.
    Claims At AnAirport Check In Counter Boarding Gate Identity Provider STS (IP-STS): authenticates and issues tokens
  • 9.
    Claims At AnAirport Name Seat Number Frequent Flyer Check In Counter Boarding Gate Security Token: set of claims that are digitally signed by an issuing authority
  • 10.
    Claims at AnAirport Check In Counter Boarding Gate
  • 11.
    Terminology • Identity: security principal (end user) • Authentication: act of establishing or confirming something • Authorisation: function of specifying access rights to resources • Claim: statement about an identity • Security Token: set of claims that are digitally signed by an issuing authority • Security Token Service (STS): builds, signs and issues security tokens • Identity Provider STS (IP-STS): authenticates and issues tokens • Relying Party: application that makes authorisation decisions based on claims • Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
  • 12.
    Claims in SharePoint SecurityToken Service Check In Counter Boarding Gate SharePoint WFE
  • 13.
    Why Claims? • DecouplesSharePoint from Authentication • Support for multiple authentication providers on one URL • Enables federation
  • 14.
    Zones Web Application –Classic Web Application – Claims Windows • Zone: Default Windows • Zone: Default FBA SAML • Zone: Intranet FBA • Zone: Intranet FBA Windows • Zone: Internet … • Zone: Internet • Zone: Extranet … • Zone: Extranet … … • Zone: Custom … • Zone: Custom
  • 15.
    Authentication Model • TwoAuthentication Modes – Classic (“Legacy”) – Claims
  • 16.
    Authentication methods • WindowsAuthentication: Uses the Windows infrastructure, providing support for NTML, Kerberos, Anonymous, Basic, and Digest authentication. • Forms-Based Authentication (FBA) Utilizes a username and password HTML form that queries a membership provider in the back- end. • SAML token-based Authentication Uses an external identity provider that supports SAML 1.1 and WS-Federation Passive profile.
  • 17.
  • 18.
  • 19.
  • 20.
    Identity Mapping CLASSIC CLAIMS FBA NT Token NT Token SAML1.1+ SQL, LDAP, Custom, Windows Identity Windows Identity ADFS, … … SAML Token Claims Based Identity SPUser
  • 21.
    SPClaim i:0#.w|coastalpointsolthuanle • Claim Type – W = Windows – F = Forms Based Authentication – T = Trusted (SAML) • Issuer • Value • Value Type
  • 22.
    Forms Based Authentication •Exposed through Claims – Claims Identity instead of Generic Identity • Implemented as a Claims Provider – Implement ValidateUser() • STS talks to membership provider to validate user and issues a claims token • Roles are converted to claims
  • 23.
    Configure FBA Create AuthenticationProvider Configure Web Application to use Authentication Provider Add Membership/Role Provider web.config entries (CA, STS, FBA Web App)
  • 24.
    Three Web.config Changes? Create Authentication Provider Configure Web Application to use Authentication Provider Add Membership/Role Provider web.config entries (CA, STS, FBA Web App) • Central Admin – Enable picking of principles from any provider • STS – Authenticate User – Get Roles of Users (convert to claims) • FBA Web Application – Enables People Picker
  • 25.
  • 26.
    Summary • What isClaims? • How claims work in SharePoint • How to configure FBA
  • 27.