SlideShare a Scribd company logo
Extending Authentication and
Authorization
Edin Kapić
Edin Kapić
• SharePoint Senior Architect &
Team Lead in Sogeti,
Barcelona
• President of SharePoint User
Group Catalonia (SUG.CAT)
• Writer at Pluralsight
• SharePoint Server Office
Servers and Services MVP
• Tinker & geek
Email : mail@edinkapic.com
Twitter : @ekapic
LinkedIn : edinkapic
Agenda
• SharePoint, Authentication and Authorization
• Claims
• Claims-based Authentication
• Claims-based Authorization
• Claims Augmentation and Transformation
• Claims Providers
• Federated Authentication
SharePoint, Authentication & Authorization
SharePoint Web App
Authentication
Provider
SPUser
Site Collection
Site
SPRoleAssignment
Authentication
Authorization
SharePoint Authentication
• SharePoint doesn’t authenticate by
itself
• It keeps user details in the user
profile database and user
information lists in each site
collection
SharePoint Authorization
• Associated with principals
• Authenticated users
• Groups (SharePoint or AD)
• Claims
• App Add-in identities
SharePoint 2013 Authentication Options
• “Classic” Windows
• Deprecated
• Claims-based
• Windows tokens
• FBA
• SAML 1.1
Windows NTLM Token
Windows NTLM Token
FBA User
SAML 1.1 Token
SAML Token
SPUser
App Add-In Authentication
• Add-ins have identity and can be assigned permissions
• Add-ins are principals, together with users and groups
• Add-in identity vs User identity
• Add-ins use OAuth to authenticate
• Low-trust add-ins use 3-legged OAuth (with ACS broker)
• High-trust add-ins use self-signed tokens
Claims
• A claim is a piece of your identity, claimed by some authority
• Claims are received upon presenting credentials to a claims provider
• Claims providers are trusted
• Examples
• Employee badge
• Name, department, clearance
• Boarding passes
• Flight, seat, class, name
• Paper Wristbands
• Ticket type, extra services
Real-world Claims
Identity Claims
Specific Claims
Claims encoded and signed
Thanks to Spencer Harbar for the original idea
SharePoint Claims
Claim Type Claim Value Issuer Original Issuer
http://schemas.xmlsoap.org
/ws/2005/05/identity/claim
s/nameidentifier
demoekapic SharePoint SharePoint
http://schemas.xmlsoap.org
/ws/2008/06/identity/claim
s/primarysid
S-1-5-21-4067827123-
213488314-8760374-
513
SharePoint Windows
http://schemas.xmlsoap.org
/ws/2005/05identity/claims
/upn
ekapic@demo.local SharePoint Windows
http://schemas.microsoft.co
m/sharepoint/2009/08/clai
ms/userid
0#.w|demoekapic SharePoint SecurityTokenService
Claims Authentication
• SharePoint augments and transforms the incoming claims to a
normalized claims identity
• Can be done by more than one claims provider
• Decouples the authentication method from the user identity
• For Windows incoming claims, there is a C2WTS (Claims to Windows
Token Service) inside SharePoint 2013 to allow converting claims back
into Windows identities
Claims Authorization
• Any claim can be used as a
security principal in SharePoint
• Flexible alternative to security
groups
• Claims can be surfaced by the
identity token service or custom
claims provider in People Picker
Claim Providers
• Augment and surface the claims for People Picker
• Can be generic or bound to a Trusted Identity Provider
• Inherits from SPClaimProvider abstract class
Claims Augmentation and Surfacing
Desired claim provider feature Implements
Claims augmentation FillClaimsForEntity
SupportsEntityInformation
Claims surfacing in People Picker FillSchema
FillClaimTypes
FillClaimValueTypes
FillEntityTypes
Claims hierarchy in People Picker left side FillHierarchy
SupportsHierarchy
Resolving typed claims in People Picker FillResolve
SupportsResolve
Searching for claims in People Picker FillSearch
SupportsSearch
DEMO
Custom Claim Provider
Federated Authentication
• When the identity provider (IdP) is distinct from Windows (or FBA),
we have federated authentication
• Third-party Secure Token Service (STS) issues a security token with
claims
• This token is trusted by “clients” (Relying Parties, RP) as the STS is
trusted by them
• Tokens are digitally signed
Federated Authentication
• ID cards or passports are
real-world examples of
federated authentication
Federated Identity Providers
• Microsoft Active Directory Federation
Services (ADFS)
• Microsoft Azure Active Directory
• Thinktecture IdentityServer
• Shibboleth
• IBM Federated Identity Manager
• ...
Active Directory Federation Services (ADFS)
• Part of Windows Server
features
• Can transform AD into a
federated IdP
• Doesn’t manage users
directly, but claims,
identity providers and
relying parties
Azure Active Directory (AAD)
• “AD and ADFS in the cloud”
• Part of Azure / Office 365 offering
• Underpins the most of the Office
365 / Azure hybrid architectures
Thinktecture IdentityServer
• Open-source IdP based on .NET and Windows Identity Framework
• Modular architecture
DEMO
Federated Authentication with
ADFS
Summary
• Claims-based identity and authorization are the only way forward, so
make sure that you understand them well
• You can decouple user authentication from the user identity
• You can extend your user identity with additional claims
• You can get your user identity from somewhere else
Further Reading
• Steve Peschka’s blog https://samlman.wordpress.com
• Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/
• A Guide to Claims-Identity and Access Control
https://msdn.microsoft.com/en-us/library/ff423674.aspx
Thank you!
Tack så mycket!

More Related Content

What's hot

DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010
Spencer Harbar
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
Anton Staykov
 
SharePoint 2013 APIs demystified
SharePoint 2013 APIs demystifiedSharePoint 2013 APIs demystified
SharePoint 2013 APIs demystified
SPC Adriatics
 
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Chris Gillum
 
A Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2CA Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2C
John Garland
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...
SPC Adriatics
 
Oauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted appsOauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted apps
James Tramel
 
DevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easyDevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easy
Sjoukje Zaal
 
Dear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2BDear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2B
Sjoukje Zaal
 
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje ZaalO365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
NCCOMMS
 
Intelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easyIntelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easy
Sjoukje Zaal
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
Manoj Mittal
 
AD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep Dive
Granikos GmbH & Co. KG
 
Identity Management in SharePoint 2013
Identity Management in SharePoint 2013Identity Management in SharePoint 2013
Identity Management in SharePoint 2013
SPC Adriatics
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)
Jay Simcox
 
Azure B2C
Azure B2CAzure B2C
Azure B2C
Marco De Sanctis
 
Azure Saturday: External Collaboration With Azure AD B2B
Azure Saturday:  External Collaboration With Azure AD B2BAzure Saturday:  External Collaboration With Azure AD B2B
Azure Saturday: External Collaboration With Azure AD B2B
Sjoukje Zaal
 
SharePoint 2013 and ADFS
SharePoint 2013 and ADFSSharePoint 2013 and ADFS
SharePoint 2013 and ADFS
Natallia Makarevich
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
Corey Roth
 

What's hot (19)

DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
 
SharePoint 2013 APIs demystified
SharePoint 2013 APIs demystifiedSharePoint 2013 APIs demystified
SharePoint 2013 APIs demystified
 
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
 
A Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2CA Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2C
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...
 
Oauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted appsOauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted apps
 
DevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easyDevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easy
 
Dear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2BDear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2B
 
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje ZaalO365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
 
Intelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easyIntelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easy
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
 
AD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep Dive
 
Identity Management in SharePoint 2013
Identity Management in SharePoint 2013Identity Management in SharePoint 2013
Identity Management in SharePoint 2013
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)
 
Azure B2C
Azure B2CAzure B2C
Azure B2C
 
Azure Saturday: External Collaboration With Azure AD B2B
Azure Saturday:  External Collaboration With Azure AD B2BAzure Saturday:  External Collaboration With Azure AD B2B
Azure Saturday: External Collaboration With Azure AD B2B
 
SharePoint 2013 and ADFS
SharePoint 2013 and ADFSSharePoint 2013 and ADFS
SharePoint 2013 and ADFS
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
 

Similar to ESPC15 - Extending Authentication and Authorization

Extending Authentication and Authorization
Extending Authentication and AuthorizationExtending Authentication and Authorization
Extending Authentication and Authorization
Edin Kapic
 
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision IT
 
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
Liam Cleary [MVP]
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Joris Poelmans
 
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision IT
 
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision IT
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
Brian Culver
 
Introduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2CIntroduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2C
Joonas Westlin
 
SharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorizationSharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorization
Liam Cleary [MVP]
 
NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
Morgan Simonsen
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
Liam Cleary [MVP]
 
SharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San FranciscoSharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San Francisco
Liam Cleary [MVP]
 
SPSBE 2013 Claims for devs
SPSBE 2013 Claims for devsSPSBE 2013 Claims for devs
SPSBE 2013 Claims for devs
Steven Van de Craen
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
NCCOMMS
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
NCCOMMS
 
Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020
Microsoft 365 Developer
 
unit 1 Federated Identity Management_4.pptx
unit 1 Federated Identity Management_4.pptxunit 1 Federated Identity Management_4.pptx
unit 1 Federated Identity Management_4.pptx
zmulani8
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
Kashif Imran
 
Envision it SharePoint Extranet Webinar Series - Extranet User Provisioning
Envision it SharePoint Extranet Webinar Series  - Extranet User ProvisioningEnvision it SharePoint Extranet Webinar Series  - Extranet User Provisioning
Envision it SharePoint Extranet Webinar Series - Extranet User Provisioning
Envision IT
 
Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010
Jonathan Schultz
 

Similar to ESPC15 - Extending Authentication and Authorization (20)

Extending Authentication and Authorization
Extending Authentication and AuthorizationExtending Authentication and Authorization
Extending Authentication and Authorization
 
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
 
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
 
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
 
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
 
Introduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2CIntroduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2C
 
SharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorizationSharePoint Saturday Austin - Share point authentication and authorization
SharePoint Saturday Austin - Share point authentication and authorization
 
NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
 
SharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San FranciscoSharePoint Authentication And Authorization SPTechCon San Francisco
SharePoint Authentication And Authorization SPTechCon San Francisco
 
SPSBE 2013 Claims for devs
SPSBE 2013 Claims for devsSPSBE 2013 Claims for devs
SPSBE 2013 Claims for devs
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
 
Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020
 
unit 1 Federated Identity Management_4.pptx
unit 1 Federated Identity Management_4.pptxunit 1 Federated Identity Management_4.pptx
unit 1 Federated Identity Management_4.pptx
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
 
Envision it SharePoint Extranet Webinar Series - Extranet User Provisioning
Envision it SharePoint Extranet Webinar Series  - Extranet User ProvisioningEnvision it SharePoint Extranet Webinar Series  - Extranet User Provisioning
Envision it SharePoint Extranet Webinar Series - Extranet User Provisioning
 
Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010
 

More from Edin Kapic

Rx la joya oculta de Net
Rx la joya oculta de NetRx la joya oculta de Net
Rx la joya oculta de Net
Edin Kapic
 
Personal Branding for Developers
Personal Branding for DevelopersPersonal Branding for Developers
Personal Branding for Developers
Edin Kapic
 
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
Edin Kapic
 
ESPC14 Social Business Value Demystified
ESPC14 Social Business Value DemystifiedESPC14 Social Business Value Demystified
ESPC14 Social Business Value Demystified
Edin Kapic
 
Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014
Edin Kapic
 
MVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human BehaviourMVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human Behaviour
Edin Kapic
 
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 AppSPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
Edin Kapic
 
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
Edin Kapic
 
Social Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World ExperiencesSocial Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World Experiences
Edin Kapic
 
BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!
Edin Kapic
 
BcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMSBcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMS
Edin Kapic
 
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitectoBcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
Edin Kapic
 
Modelos de madurez de SharePoint
Modelos de madurez de SharePointModelos de madurez de SharePoint
Modelos de madurez de SharePoint
Edin Kapic
 
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
Edin Kapic
 
SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012
Edin Kapic
 
JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#
Edin Kapic
 
CatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePointCatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePoint
Edin Kapic
 
Universidad de La Habana - SharePoint, Listas y XSLT
Universidad de La Habana  - SharePoint, Listas y XSLTUniversidad de La Habana  - SharePoint, Listas y XSLT
Universidad de La Habana - SharePoint, Listas y XSLT
Edin Kapic
 
SharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developereSharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developere
Edin Kapic
 

More from Edin Kapic (19)

Rx la joya oculta de Net
Rx la joya oculta de NetRx la joya oculta de Net
Rx la joya oculta de Net
 
Personal Branding for Developers
Personal Branding for DevelopersPersonal Branding for Developers
Personal Branding for Developers
 
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
 
ESPC14 Social Business Value Demystified
ESPC14 Social Business Value DemystifiedESPC14 Social Business Value Demystified
ESPC14 Social Business Value Demystified
 
Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014
 
MVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human BehaviourMVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human Behaviour
 
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 AppSPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
 
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
 
Social Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World ExperiencesSocial Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World Experiences
 
BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!
 
BcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMSBcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMS
 
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitectoBcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
 
Modelos de madurez de SharePoint
Modelos de madurez de SharePointModelos de madurez de SharePoint
Modelos de madurez de SharePoint
 
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
 
SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012
 
JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#
 
CatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePointCatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePoint
 
Universidad de La Habana - SharePoint, Listas y XSLT
Universidad de La Habana  - SharePoint, Listas y XSLTUniversidad de La Habana  - SharePoint, Listas y XSLT
Universidad de La Habana - SharePoint, Listas y XSLT
 
SharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developereSharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developere
 

Recently uploaded

B.Sc. Computer Science Department PPT 2024
B.Sc. Computer Science Department PPT 2024B.Sc. Computer Science Department PPT 2024
B.Sc. Computer Science Department PPT 2024
vmsdeptcom
 
DSD-INT 2024 Rainfall nowcasting – now and then - Uijlenhoet
DSD-INT 2024 Rainfall nowcasting – now and then - UijlenhoetDSD-INT 2024 Rainfall nowcasting – now and then - Uijlenhoet
DSD-INT 2024 Rainfall nowcasting – now and then - Uijlenhoet
Deltares
 
Predicting Test Results without Execution (FSE 2024)
Predicting Test Results without Execution (FSE 2024)Predicting Test Results without Execution (FSE 2024)
Predicting Test Results without Execution (FSE 2024)
andrehoraa
 
How to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at ScaleHow to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at Scale
Anchore
 
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
shanihomely
 
GT degree offer diploma Transcript
GT degree offer diploma TranscriptGT degree offer diploma Transcript
GT degree offer diploma Transcript
attueb
 
09. Ruby Object Oriented Programming - Ruby Core Teaching
09. Ruby Object Oriented Programming - Ruby Core Teaching09. Ruby Object Oriented Programming - Ruby Core Teaching
09. Ruby Object Oriented Programming - Ruby Core Teaching
quanhoangd129
 
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
bahubalikumar09988
 
Old Tools, New Tricks: Unleashing the Power of Time-Tested Testing Tools
Old Tools, New Tricks: Unleashing the Power of Time-Tested Testing ToolsOld Tools, New Tricks: Unleashing the Power of Time-Tested Testing Tools
Old Tools, New Tricks: Unleashing the Power of Time-Tested Testing Tools
Benjamin Bischoff
 
OpenChain Webinar: IAV, TimeToAct and ISO/IEC 5230 - Third-Party Certificatio...
OpenChain Webinar: IAV, TimeToAct and ISO/IEC 5230 - Third-Party Certificatio...OpenChain Webinar: IAV, TimeToAct and ISO/IEC 5230 - Third-Party Certificatio...
OpenChain Webinar: IAV, TimeToAct and ISO/IEC 5230 - Third-Party Certificatio...
Shane Coughlan
 
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
revolutionary575
 
Fantastic Design Patterns and Where to use them No Notes.pdf
Fantastic Design Patterns and Where to use them No Notes.pdfFantastic Design Patterns and Where to use them No Notes.pdf
Fantastic Design Patterns and Where to use them No Notes.pdf
6m9p7qnjj8
 
Authentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptxAuthentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptx
DEMONDUOS
 
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
902basic
 
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
45unexpected
 
Test Polarity: Detecting Positive and Negative Tests (FSE 2024)
Test Polarity: Detecting Positive and Negative Tests (FSE 2024)Test Polarity: Detecting Positive and Negative Tests (FSE 2024)
Test Polarity: Detecting Positive and Negative Tests (FSE 2024)
andrehoraa
 
Tour and travel website management in odoo,
Tour and travel website management in odoo,Tour and travel website management in odoo,
Tour and travel website management in odoo,
Axis Technolabs
 
01. Ruby Introduction - Ruby Core Teaching
01. Ruby Introduction - Ruby Core Teaching01. Ruby Introduction - Ruby Core Teaching
01. Ruby Introduction - Ruby Core Teaching
quanhoangd129
 
06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching
quanhoangd129
 
Empowering Businesses with Intelligent Software Solutions - Grawlix
Empowering Businesses with Intelligent Software Solutions - GrawlixEmpowering Businesses with Intelligent Software Solutions - Grawlix
Empowering Businesses with Intelligent Software Solutions - Grawlix
Aarisha Shaikh
 

Recently uploaded (20)

B.Sc. Computer Science Department PPT 2024
B.Sc. Computer Science Department PPT 2024B.Sc. Computer Science Department PPT 2024
B.Sc. Computer Science Department PPT 2024
 
DSD-INT 2024 Rainfall nowcasting – now and then - Uijlenhoet
DSD-INT 2024 Rainfall nowcasting – now and then - UijlenhoetDSD-INT 2024 Rainfall nowcasting – now and then - Uijlenhoet
DSD-INT 2024 Rainfall nowcasting – now and then - Uijlenhoet
 
Predicting Test Results without Execution (FSE 2024)
Predicting Test Results without Execution (FSE 2024)Predicting Test Results without Execution (FSE 2024)
Predicting Test Results without Execution (FSE 2024)
 
How to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at ScaleHow to Secure Your Kubernetes Software Supply Chain at Scale
How to Secure Your Kubernetes Software Supply Chain at Scale
 
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
 
GT degree offer diploma Transcript
GT degree offer diploma TranscriptGT degree offer diploma Transcript
GT degree offer diploma Transcript
 
09. Ruby Object Oriented Programming - Ruby Core Teaching
09. Ruby Object Oriented Programming - Ruby Core Teaching09. Ruby Object Oriented Programming - Ruby Core Teaching
09. Ruby Object Oriented Programming - Ruby Core Teaching
 
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
 
Old Tools, New Tricks: Unleashing the Power of Time-Tested Testing Tools
Old Tools, New Tricks: Unleashing the Power of Time-Tested Testing ToolsOld Tools, New Tricks: Unleashing the Power of Time-Tested Testing Tools
Old Tools, New Tricks: Unleashing the Power of Time-Tested Testing Tools
 
OpenChain Webinar: IAV, TimeToAct and ISO/IEC 5230 - Third-Party Certificatio...
OpenChain Webinar: IAV, TimeToAct and ISO/IEC 5230 - Third-Party Certificatio...OpenChain Webinar: IAV, TimeToAct and ISO/IEC 5230 - Third-Party Certificatio...
OpenChain Webinar: IAV, TimeToAct and ISO/IEC 5230 - Third-Party Certificatio...
 
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
 
Fantastic Design Patterns and Where to use them No Notes.pdf
Fantastic Design Patterns and Where to use them No Notes.pdfFantastic Design Patterns and Where to use them No Notes.pdf
Fantastic Design Patterns and Where to use them No Notes.pdf
 
Authentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptxAuthentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptx
 
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
Private Girls Call Navi Mumbai 🛵🚡9820252231 💃 Choose Best And Top Girl Servic...
 
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
 
Test Polarity: Detecting Positive and Negative Tests (FSE 2024)
Test Polarity: Detecting Positive and Negative Tests (FSE 2024)Test Polarity: Detecting Positive and Negative Tests (FSE 2024)
Test Polarity: Detecting Positive and Negative Tests (FSE 2024)
 
Tour and travel website management in odoo,
Tour and travel website management in odoo,Tour and travel website management in odoo,
Tour and travel website management in odoo,
 
01. Ruby Introduction - Ruby Core Teaching
01. Ruby Introduction - Ruby Core Teaching01. Ruby Introduction - Ruby Core Teaching
01. Ruby Introduction - Ruby Core Teaching
 
06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching06. Ruby Array & Hash - Ruby Core Teaching
06. Ruby Array & Hash - Ruby Core Teaching
 
Empowering Businesses with Intelligent Software Solutions - Grawlix
Empowering Businesses with Intelligent Software Solutions - GrawlixEmpowering Businesses with Intelligent Software Solutions - Grawlix
Empowering Businesses with Intelligent Software Solutions - Grawlix
 

ESPC15 - Extending Authentication and Authorization

  • 2. Edin Kapić • SharePoint Senior Architect & Team Lead in Sogeti, Barcelona • President of SharePoint User Group Catalonia (SUG.CAT) • Writer at Pluralsight • SharePoint Server Office Servers and Services MVP • Tinker & geek Email : mail@edinkapic.com Twitter : @ekapic LinkedIn : edinkapic
  • 3. Agenda • SharePoint, Authentication and Authorization • Claims • Claims-based Authentication • Claims-based Authorization • Claims Augmentation and Transformation • Claims Providers • Federated Authentication
  • 4. SharePoint, Authentication & Authorization SharePoint Web App Authentication Provider SPUser Site Collection Site SPRoleAssignment Authentication Authorization
  • 5. SharePoint Authentication • SharePoint doesn’t authenticate by itself • It keeps user details in the user profile database and user information lists in each site collection
  • 6. SharePoint Authorization • Associated with principals • Authenticated users • Groups (SharePoint or AD) • Claims • App Add-in identities
  • 7. SharePoint 2013 Authentication Options • “Classic” Windows • Deprecated • Claims-based • Windows tokens • FBA • SAML 1.1 Windows NTLM Token Windows NTLM Token FBA User SAML 1.1 Token SAML Token SPUser
  • 8. App Add-In Authentication • Add-ins have identity and can be assigned permissions • Add-ins are principals, together with users and groups • Add-in identity vs User identity • Add-ins use OAuth to authenticate • Low-trust add-ins use 3-legged OAuth (with ACS broker) • High-trust add-ins use self-signed tokens
  • 9. Claims • A claim is a piece of your identity, claimed by some authority • Claims are received upon presenting credentials to a claims provider • Claims providers are trusted • Examples • Employee badge • Name, department, clearance • Boarding passes • Flight, seat, class, name • Paper Wristbands • Ticket type, extra services
  • 10. Real-world Claims Identity Claims Specific Claims Claims encoded and signed Thanks to Spencer Harbar for the original idea
  • 11. SharePoint Claims Claim Type Claim Value Issuer Original Issuer http://schemas.xmlsoap.org /ws/2005/05/identity/claim s/nameidentifier demoekapic SharePoint SharePoint http://schemas.xmlsoap.org /ws/2008/06/identity/claim s/primarysid S-1-5-21-4067827123- 213488314-8760374- 513 SharePoint Windows http://schemas.xmlsoap.org /ws/2005/05identity/claims /upn ekapic@demo.local SharePoint Windows http://schemas.microsoft.co m/sharepoint/2009/08/clai ms/userid 0#.w|demoekapic SharePoint SecurityTokenService
  • 12. Claims Authentication • SharePoint augments and transforms the incoming claims to a normalized claims identity • Can be done by more than one claims provider • Decouples the authentication method from the user identity • For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 to allow converting claims back into Windows identities
  • 13. Claims Authorization • Any claim can be used as a security principal in SharePoint • Flexible alternative to security groups • Claims can be surfaced by the identity token service or custom claims provider in People Picker
  • 14. Claim Providers • Augment and surface the claims for People Picker • Can be generic or bound to a Trusted Identity Provider • Inherits from SPClaimProvider abstract class
  • 15. Claims Augmentation and Surfacing Desired claim provider feature Implements Claims augmentation FillClaimsForEntity SupportsEntityInformation Claims surfacing in People Picker FillSchema FillClaimTypes FillClaimValueTypes FillEntityTypes Claims hierarchy in People Picker left side FillHierarchy SupportsHierarchy Resolving typed claims in People Picker FillResolve SupportsResolve Searching for claims in People Picker FillSearch SupportsSearch
  • 17. Federated Authentication • When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication • Third-party Secure Token Service (STS) issues a security token with claims • This token is trusted by “clients” (Relying Parties, RP) as the STS is trusted by them • Tokens are digitally signed
  • 18. Federated Authentication • ID cards or passports are real-world examples of federated authentication
  • 19. Federated Identity Providers • Microsoft Active Directory Federation Services (ADFS) • Microsoft Azure Active Directory • Thinktecture IdentityServer • Shibboleth • IBM Federated Identity Manager • ...
  • 20. Active Directory Federation Services (ADFS) • Part of Windows Server features • Can transform AD into a federated IdP • Doesn’t manage users directly, but claims, identity providers and relying parties
  • 21. Azure Active Directory (AAD) • “AD and ADFS in the cloud” • Part of Azure / Office 365 offering • Underpins the most of the Office 365 / Azure hybrid architectures
  • 22. Thinktecture IdentityServer • Open-source IdP based on .NET and Windows Identity Framework • Modular architecture
  • 24. Summary • Claims-based identity and authorization are the only way forward, so make sure that you understand them well • You can decouple user authentication from the user identity • You can extend your user identity with additional claims • You can get your user identity from somewhere else
  • 25. Further Reading • Steve Peschka’s blog https://samlman.wordpress.com • Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/ • A Guide to Claims-Identity and Access Control https://msdn.microsoft.com/en-us/library/ff423674.aspx

Editor's Notes

  1. In the two latest versions of SharePoint, we have seen how Claims-based authentication have taken over the traditional Windows and FBA authentication. Now we have federated identity with services such as Active Directory Federation Services (ADFS) and Azure Active Directory (AAD) and the authorization is handled by OAuth in the app model. But still, the vast majority of the deployments still use plain vanilla AD or LDAP authentication, without exploiting its flexibility and adaptability to a variety of scenarios. In this session you will learn how to extend the authentication and authorization with custom claim providers, claim augmentation and transformation. In this session you will: - Acquaint yourself with the authorization/authentication mechanism in SharePoint/Office 365 - Learn how to extend and adapt the authentication/authorization to fit your needs - Get to know the benefits of using ADFS for identity federation