Danny Jessee's presentation on Claims-based identity in SharePoint 2010 for SharePoint Saturday Virginia Beach (SPSVB) January 7, 2012.

1. A real-world perspective on Claims-Based Identity in SharePoint 2010

3.  SharePoint Evangelist at Circinus
 Northern Virginia-based SDVOSB
 Senior developer on SharePoint deployments for
government and DoD customers since 2004
 I get involved with administration when I have to…
 MCPD – SharePoint Developer 2010
 MCTS – SharePoint 2010 Configuration
 CloudShare Honorary MVP for 2011
 Twitter: @dannyjessee
 Blog: http://dannyjessee.com/blog

4.  Features of a Secure Application
 SharePoint 2010 Authentication Options
 Claims Terminology/Technology Overview
 Demos
 New SharePoint 2010 Web Application
 Azure AppFabric ACS Trusted Identity Provider – Facebook
 Further integration of Facebook with SharePoint
 Claims “Gotchas”
 General issues for all Claims implementations
 Migration issues from MOSS to SharePoint 2010
 Claims Behaving Badly
 Recommendations

5.  Authentication is the process of validating a
user’s identity
 SharePoint never performs authentication
 If the login prompt keeps appearing, think
authentication issue!
 Unless it’s the dreaded
loopback check!

6.  Authorization is the process of determining
the resources, features, etc. to which a user
has access
 If you see “Access Denied” errors, think
authorization issue!

7.  The single biggest decision of your life!
 TechNet guidance:
 “For new implementations of SharePoint Server
2010, you should consider claims-based
authentication.”

8.  Claims Based Authentication (Tokens)
 Windows Authentication: NTLM/Kerberos, Basic
 Forms-Based Authentication (ASP.NET
Membership provider and Role manager)
 Trusted Identity providers
 Custom sign-in page
 Classic Mode Authentication (“Old School”)
 Windows Authentication (NTLM/Kerberos) only
 Both map authenticated users to SPUser
objects (security principals)

9.  What is a claim?
 A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date
 Whose claims do I trust, and which claims
affect authorization decisions I make?

10.  Token
 Serialized set of claims about an authenticated user,
digitally signed by the token’s issuer
 Identity Provider-Security Token Service (IP-STS)
 Validates user credentials
 Builds, signs, and issues tokens containing claims
 Relying party (RP)
 Applications that makes authorization decisions based
on claims (SharePoint 2010)

11.  Decoupling of authentication logic from
authorization and personalization logic
 Applications no longer need to determine who the
user is, they receive claims identifying the user
 Great for developers who rarely want to work
with identity!
 Provides a common way for applications to
acquire the identity information they need
about users

12. 1. “I’d like to access the budget document.”
2. “Not until you can prove to me that you
are in the Finance group.”
3. “Here is my user ID and password.”
4. “Hi, Danny. I see you are in the Finance
group. Here is a token you can use.”
5. “I’d like to access the budget document,
and here’s proof I have access to it!”
SharePoint 2010

13.  WS-Trust, WS-Federation, SAML
 Requesting/receiving tokens
 XML representation of claims
 These emerging technologies have been around
for awhile
 Their use in Claims-Based Identity represents a new
approach for handling identity in applications
 Great potential in corporate environments
▪ Active Directory Federation Services, external LDAP, etc.
 Great potential as we move to the cloud
▪ Azure ACS: Facebook, Google, Windows Live ID, etc.

15.  Visual Web Part
 Code behind:
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity;
GridView1.DataSource = claimsIdentity.Claims;
Page.DataBind();
http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32

16.  Similar to FBA setup for MOSS, with some
exceptions:
 Authentication provider does not need to be
mapped to a separate zone
 One additional Web.config to modify:
▪ C:Program FilesCommon FilesMicrosoft SharedWeb
Server Extensions14WebServicesSecurityToken
▪ Add entries for connection string, Membership provider,
Role manager
▪ Same modifications for Central Admin and web app

17.  Allows users to choose how to authenticate
when multiple providers are configured
(Mixed Authentication)
 Custom code opportunity
 http://www.orbitone.com/en/blog/archive/2010/06/23/
sharepoint-2010-mixed-authentication-automatic-
login.aspx

18. Demo #1

20.  Cloud-based service that provides an easy
way of authenticating and authorizing users
to gain access to web applications
 Includes support for Windows Live ID,
Google, Yahoo, and Facebook
 Includes support for Active Directory
Federation Services (AD FS) 2.0
 Simple browser-based management portal
 $1.99/100k transactions (free until Nov. 30!)

21.  Three things must be done to add support for
Facebook login to SharePoint:
1. Create a Facebook application
 https://developers.facebook.com/apps
2. Configure ACS for Facebook support
 Permissions you will request from Facebook users
 Relying Party application and Rule Group setup
3. Configure ACS as a Trusted Identity Provider
in SharePoint

22. Demo #2

23.  Click “Create New App”
 Provide Display Name and Namespace
 Note App ID and App Secret values
 Provide Website URL to ACS

24. Demo #3

25.  From the ACS management portal, add a new
Identity Provider

26.  Enter App ID and App Secret values from
Facebook application you created earlier
 Enter a comma-delimited list of Application
Permissions you want to request
 https://developers.facebook.com/docs/reference/
api/permissions/
 In our demo, we will request:
 email,user_location,user_hometown,user_website,
user_work_history,publish_stream,user_birthday,
friends_birthday

27.  Permissions you request will be displayed to
the end user the first time they log in
 Request the minimum subset of permissions
you will need
 Users are more likely to reject bigger requests

28.  Generate Rule Group
 Named set of claim rules that define which
identity claims are passed from identity providers
to your relying party application
 SharePoint will still need to be configured to
make use of these claims

29.  Configure Relying Party application
 Provide Name, Realm, and Return URL
 Return URL: Realm + /_trust

30.  Choose SAML 1.1 token format
 Update Token lifetime to >600 seconds
 Select Identity providers and Rule groups

31.  Generate self-signed certificate
 C:Program FilesMicrosoft Office
Servers14.0Tools>MakeCert.exe -r -pe -n
"CN=dannyjessee.accesscontrol.windows.net"
-sky exchange -ss my
 Self-signed, exportable, subject key type
“exchange,” store in my personal certificate store
 Development only! Please use a legitimate
certificate in production!

32.  Upload this certificate (.pfx format) as the
Token Signing Certificate in ACS

33. Demo #4

34.  New-SPTrustedRootAuthority
 Name, Certificate (self-signed .cer made earlier)
 New-SPClaimTypeMapping
 IncomingClaimType
 IncomingClaimTypeDisplayName
 LocalClaimType (or SameAsIncoming)
 New-SPTrustedIdentityTokenIssuer
 Name, Realm, ImportTrustCertificate
 ClaimsMappings, SignInUrl, IdentifierClaim

35.  Running this PowerShell script will add
“Azure ACS v2” to the list of Trusted Identity
Providers
 Eligible to be added to Claims-based web
applications in Central Administration

36. Demo #5

37.  All claims whose OriginalIssuer is
TrustedProvider:Azure ACS v2
 AccessToken is the key to all user data

38.  http://facebooksdk.codeplex.com
 Encapsulates calls to the Facebook Graph API
 https://developers.facebook.com/docs/reference/
api/
 Retrieve data about the user and his/her friends
 Upload photos/videos, post status messages
 Data returned from Facebook in JSON format
 Requests to https://graph.facebook.com/...
▪ me/feed, me/friends, me/photos, me/videos

39.  SharePoint maintains its own certificate store
where separate trusts must be configured
 http://dannyjessee.com/blog/index.php/2011/
12/required-trust-relationships-for-the-
facebook-c-sdk-in-sharepoint-2010/
 Need to upload two certificates into
SharePoint (CA > Security > Manage Trust):
 DigiCert High Assurance EV Root CA
 DigiCert High Assurance CA-3

40. Demo #6

41.  Code snippets in these slides are not
complete
 Do not include proper error checking/handling
 Do not include RunWithElevatedPrivileges()
delegates where appropriate
 Please download the code
 Do not copy and paste from these slides
 I will Tweet the link and update this slide deck to
include it

42.  Returned in a claim from Facebook
 A new AccessToken is issued each login
 Our key to all of the data about the logged in user
 Required for all calls to the Facebook Graph API
 Two hour lifetime by default
 To leverage this token across the site, I store
it in the SPWeb.AllProperties property bag
 web.AllProperties[“fbAccessToken_{loginname}”]
 AllProperties required for case sensitivity

43.  Changing to
 Initial display name for the SPUser is in Claims-
encoded format (more on this later)
 Want to make this more user-friendly
if (SPContext.Current.Web.CurrentUser == null)
{
SPUser user = web.EnsureUser("i:" + claimsIdentity.Name);
currentUser.Name = givenName;
currentUser.Update();
}

44. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
JsonObject location = me["location"] as JsonObject;
myLocation = (string)location["name"];
 myLocation is in City, State format
 Parsed and sent to Weather Underground API
 http://api.wunderground.com/api/[key]/
geolookup/conditions/forecast/q/[state]/
[city].json

45. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
SPList lstContacts = web.Lists["Contacts"];
SPListItem item = lstContacts.Items.Add();
item["First Name"] = (string)me["first_name"];
item["Last Name"] = (string)me["last_name"];
JsonArray work = me["work"] as JsonArray;
// Most recent/current employer stored in work[0]
JsonObject company = work[0] as JsonObject;
JsonObject employer = company["employer"] as JsonObject;
JsonObject position = company["position"] as JsonObject;
item["Company"] = (string)employer["name"];
item["Job Title"] = (string)position["name"];
item.SystemUpdate();

46. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)
client.Get("me/friends?fields=name,birthday");
JsonArray friendData = me["data"] as JsonArray;
foreach (JsonObject friend in friendData)
{
if (friend.ContainsKey("birthday"))
{
/* Some users share MM/DD of birthday, others share
MM/DD/YYYY
We only care about MM/DD for our purposes, and
Facebook always pads with leading zeros */
string birthday = (string)friend["birthday"];
birthMonth = int.Parse(birthday.Substring(0, 2));
birthDate = int.Parse(birthday.Substring(3, 2));
...

47. SPList lstCalendar = web.Lists["Calendar"];
SPListItem birthdayItem = lstCalendar.Items.Add();
birthdayItem["Title"] = name + (name.EndsWith("s") ? "' birthday" :
"'s birthday");
birthdayItem["EventDate"] = dtBirthday;
birthdayItem[SPBuiltInFieldId.Duration] = 60 * 60 * 24;
birthdayItem[SPBuiltInFieldId.EventType] = 1;
birthdayItem[SPBuiltInFieldId.fRecurrence] = true;
birthdayItem[SPBuiltInFieldId.fAllDayEvent] = true;
string recurrence =
"<recurrence><rule><firstDayOfWeek>su</firstDayOfWeek>" +
"<repeat><yearly yearFrequency='1' month='" + birthMonth.ToString()
+ "' day='" + birthDate.ToString() + "' /></repeat>" +
"<windowEnd>2014-01-01T00:00:00Z</windowEnd></rule></recurrence>";
birthdayItem["RecurrenceData"] = recurrence;
birthdayItem.SystemUpdate();

48. var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string,
object>();
dict.Add("message", "I just posted this from SharePoint!");
dict.Add("link",
"http://sharepointsaturday.org/virginiabeach");
dict.Add("picture",
"http://sharepointsaturday.org/virginiabeach/SiteImages/Shar
ePointSat2VA-emaillarge.png");
dict.Add("name", "SharePoint Saturday Virginia Beach");
dict.Add("caption", "January 7, 2012");
dict.Add("description", "Come see my presentation about
Claims-Based Identity in SharePoint 2010 at SPSVB!");
client.PostAsync("me/feed", dict);

49. var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string,
object> {
{ "title", "I know how to post videos to
Facebook...from SharePoint!" },
{ "description", "See more at SPSVB Saturday, January
7, 2012!" },
{ "vid1", new FacebookMediaObject { ContentType =
"video/x-flv", FileName = "facebook.flv"
}.SetValue(File.ReadAllBytes(@"C:facebook.flv")) }
};
client.PostAsync("me/videos", dict);

50.  Silverlight application courtesy MossLover
 Interfaces with the user’s webcam, saves
captured images to document library

51.  Added event handler to upload to Facebook
string contentType = "image/jpeg";
var client = new Facebook.FacebookClient(fbAccessToken);
Dictionary<string, object> dict = new Dictionary<string,
object> {
{ "message", "Uploaded picture from Silverlight webcam
image capture in SharePoint!" },
{ "pic1", new FacebookMediaObject { ContentType =
contentType, FileName = properties.ListItem.File.Name
}.SetValue(properties.ListItem.File.OpenBinary()) }
};
client.PostAsync("me/photos", dict);

53.  General issues for all Claims implementations
 Search crawler requires NTLM in the zone it uses
 “People picker” is more of a Claims “expression
editor”
▪ Custom code opportunity
 User Profiles
▪ LDAP or BCS connection to authentication store
 Office client integration (2007 SP2+, 2010)
▪ IE 8+: Trusted Sites
 No document previews with FAST Search

54. “After migrating to Claims in
SharePoint 2010, most of our users
were able to log in some of the time.”
—A less-than-thrilled system administrator

55.  Migration from MOSS to SharePoint 2010
 Migrate FBA Users
▪ $wa = get-SPWebApplication $WebAppName
▪ $wa.MigrateUsers($true)
 Portalsuperuser and Portalsuperreader properties
need to be updated to reflect Claims-encoded format
▪ $wa.Properties["portalsuperuseraccount"] =
"i:0#.w|domainapppool"
▪ $wa.Properties["portalsuperreaderaccount"] =
"i:0#.w|domainapppool"
▪ $wa.Update()
 Must migrate all providers from MOSS to 2010
▪ i.e., NTLM and FBA if both existed prior to migration

56.  “Funky” display of usernames
 i:0#.w|SHRPNTAdministrator
 i:0#.f|CustomMembershipProvider|username
 i:0#.t|selfsts|test@contoso.com
▪ i: Microsoft.SharePoint.Administration.Claims.
SPClaimsAuthMembershipProvider (Web.config)
▪ windows, forms, trusted Identity Provider

57.  Set DisplayName property of SPUser
 $user = Get-SPUser -Web http://abc.shrpnt.loc
-Identity
"i:0#.f|CustomMembershipProvider|username"
 $user.DisplayName = "John Doe"
 $user.Update()
 Can also be done via SharePoint object model

58.  Session expiration issues with SAML Claims
 Users can come back to the page hours later
without having to log in again
 SharePoint creates a FedAuth cookie (written to
disk) that is not a Session cookie by default
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.UseSessionCookies = $true
▪ $sts.Update()

59.  Continuous redirection to/from login page
 This can happen when the TokenLifetime is less
than the LogonTokenCacheExpirationWindow
▪ Default LogonTokenCacheExpirationWindow in
SharePoint 2010 STS is 10 minutes
▪ Default Token Lifetime in Azure ACS is also 10 minutes
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.LogonTokenCacheExpirationWindow =
(New-TimeSpan -minutes 1)
▪ $sts.Update()

60.  Go to the login page, enter valid credentials,
press the “Log In” button, and…get
redirected back to the login page (once)
 Check the ULS logs!
▪ Could be token expiration timeout
▪ Could be something else

61.  SPSecurityTokenService.Issue() failed:
System.Runtime.InteropServices.
COMException (0x800703FA): Retrieving the
COM class factory for component with CLSID
{BDEADF26-C265-11D0-BCED-00A0C90AB50F}
failed due to the following error: 800703FA.
 GPEdit: Computer Configuration > Administrative
Templates > System > User Profiles
▪ Do not forcefully unload the users registry at user logoff
> Set to “Enabled”

63.  Stick with Classic Mode Authentication if you
are deploying SharePoint into a “simple”
Active Directory environment
 Particularly if strict security controls are in place
that are beyond your control
 Especially if you are only migrating from Windows
authentication in MOSS
 Once you go to Claims, you can’t go back!

64.  If you must use Claims for your Extranet,
try to minimize the number of zones/host
headers used
 Default zone should be most secure
 Have a good “troubleshooter’s toolbox”
 ULS Log Viewer
 Fiddler
 Claims Viewer web part

67.  Shane Young – my hero!
 http://sharepoint911.com
 Plan Authentication Methods
(SharePoint Server 2010)
 http://technet.microsoft.com/en-
us/library/cc262350.aspx
 A Guide to Claims-Based Identity and Access
Control (Microsoft Patterns and Practices)
 http://claimsid.codeplex.com/

68.  Writing Claims Providers for SharePoint 2010
 http://msdn.microsoft.com/en-
us/library/ff699494.aspx
 Implementing Claims-Based Authentication
with SharePoint Server 2010
 http://www.microsoft.com/download/en/details.a
spx?id=27569

69.  Transparent Login with Mixed Authentication
 http://www.orbitone.com/en/blog/archive/2010/0
6/23/sharepoint-2010-mixed-authentication-
automatic-login.aspx
 C# Facebook SDK
 http://facebooksdk.codeplex.com
 Azure ACS and Facebook
 http://msdn.microsoft.com/en-
us/library/gg185967.aspx

70.  Steve Peschka
 http://blogs.technet.com/b/speschka/archive/201
0/06/12/migrating-a-web-application-from-
windows-classic-to-windows-claims-in-
sharepoint-2010.aspx
 http://msdn.microsoft.com/en-
us/library/hh147183.aspx
 Project Server Blog (GREAT tips for migrating
to Claims here!!!)
 http://nearbaseline.com.au/blog/tag/claims/

71.  SelfSTS and Vittorio Bertocci
 http://archive.msdn.microsoft.com/SelfSTS
 http://blogs.msdn.com/b/vbertocci/archive/2010/0
8/23/selfsts-when-you-need-a-saml-token-now-
right-now.aspx
 Paul Schaeflein
 http://www.schaeflein.net/blog/Lists/Posts/Post.a
spx?ID=4

72.  Claims Viewer web part
 http://blogs.pointbridge.com/Blogs/nielsen_travis
/Pages/Post.aspx?_ID=32
 Fiddler
 http://www.fiddler2.com/fiddler2/
 SharePoint ULS Log Viewers
 http://sharepointlogviewer.codeplex.com/
 http://ulsviewer.codeplex.com/

73.  Azure ACS Integration
 http://blogs.objectsharp.com/cs/blogs/steve/archi
ve/2011/04/21/windows-azure-access-control-
services-federation-with-facebook.aspx
 http://www.7388.info/index.php/article/studio/201
1-07-29/20983.html
 Robert Bogue
 http://www.sharepointshepherd.com