Silver Partner: Organizer:
Extending Authentication and Authorization
Edin Kapić
Edin Kapić
• SharePoint Senior Architect & Team Lead in Sogeti, Barcelona
• President of SharePoint User Group Catalonia (SUG.CAT)
• Writer at Pluralsight
• SharePoint Server Office Servers and Services MVP
• Tinker & geek
Email : mail@edinkapic.com
Twitter : @ekapic
LinkedIn : edinkapic
Agenda
• SharePoint, Authentication and Authorization
• Claims
– Claims-based Authentication
– Claims-based Authorization
– Claims Augmentation and Transformation
– Claims Providers
• Federated Authentication
SharePoint, Authentication & Authorization
[Diagram: Authentication (German: Authentifizierung): Authentication Provider, SharePoint Web App, SPUser. Authorization (German: Autorisierung): Site Collection, Site, SPRoleAssignment]
SharePoint Authentication
• SharePoint doesn’t authenticate by itself
• It keeps user details in the user profile database and user information lists in each site collection
SharePoint Authorization
• Associated with principals
– Authenticated users
– Groups (SharePoint or AD)
– Claims
– App Add-in identities
SharePoint 2013 Authentication Options
• “Classic” Windows
– Deprecated
• Claims-based
– Windows tokens
– FBA
– SAML 1.1
[Diagram: Windows NTLM Token, FBA User, SAML 1.1 Token -> SAML Token -> SPUser]
App Add-In Authentication
• Add-ins have identity and can be assigned permissions
– Add-ins are principals, together with users and groups
• Add-in identity vs User identity
• Add-ins use OAuth to authenticate
– Low-trust add-ins use 3-legged OAuth (with ACS broker)
– High-trust add-ins use self-signed tokens
Claims (German: Ansprüche)
• A claim is a piece of your identity, claimed by some authority
• Claims are received upon presenting credentials to a claims provider
• Claims providers are trusted
• Examples
– Employee badge
• Name, department, clearance
– Boarding passes
• Flight, seat, class, name
– Paper Wristbands
• Ticket type, extra services
Real-world Claims
[Diagram: Identity Claims, Specific Claims, Claims encoded and signed]
Thanks to Spencer Harbar for the original idea
SharePoint Claims
Columns: Claim Type; Claim Value; Issuer; Original Issuer
Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  Claim Value: demoekapic; Issuer: SharePoint; Original Issuer: SharePoint
Claim Type: http://schemas.xmlsoap.org/ws/2008/06/identity/claims/primarysid
  Claim Value: S-1-5-21-4067827123-213488314-8760374-513; Issuer: SharePoint; Original Issuer: Windows
Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  Claim Value: ekapic@demo.local; Issuer: SharePoint; Original Issuer: Windows
Claim Type: http://schemas.microsoft.com/sharepoint/2009/08/claims/userid
  Claim Value: 0#.w|demoekapic; Issuer: SharePoint; Original Issuer: SecurityTokenService
Claims Authentication
• SharePoint augments and transforms the incoming claims to a normalized claims identity
• Can be done by more than one claims provider
• Decouples the authentication method from the user identity
• For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 to allow converting claims back into Windows identities
Claims Format
Claim: i:0#.w|spdemoedin
  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “w” for Windows claims
  • “spdemoedin” for the identity claim value (the Windows account name)
Claim: i:0e.t|adfs|edin@spdemo.local
  • “i” for an identity claim
  • “e” for the UPN property of the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “edin@spdemo.local” for the identity claim value
Encoding pattern:
<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>
Reference: http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
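The encoding pattern above can be decoded and re-encoded mechanically. The following Python is an added example, not code from the slides or from SharePoint itself: it handles the two claims shown on the slide, treats the original-issuer segment as optional exactly as the pattern states, and knows only the single-character codes the slide explains (any other code is reported raw rather than guessed). The `principal_key` helper makes the security point explicit: the same UPN asserted by two different trusted issuers encodes to two different principals, so the original issuer must be part of any identity comparison.

```python
# Added example (not from the slides): decode and re-encode SharePoint claims-encoded
# identities following the pattern on the slide:
#   <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>
# The code tables contain only the codes that appear on the slide; other codes are
# passed through unchanged rather than guessed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Single-character codes explained on the slide.
CLAIM_TYPE_CODES: Dict[str, str] = {"#": "user logon name", "e": "UPN"}
VALUE_TYPE_CODES: Dict[str, str] = {".": "string"}
AUTH_MODE_CODES: Dict[str, str] = {"w": "Windows", "t": "trusted issuer"}


@dataclass(frozen=True)
class EncodedClaim:
    prefix: str                     # "i" marks an identity claim on the slide
    claim_type: str                 # one-character code, e.g. "#" or "e"
    value_type: str                 # one-character code, e.g. "."
    auth_mode: str                  # one-character code, e.g. "w" or "t"
    original_issuer: Optional[str]  # present for trusted-issuer claims, e.g. "adfs"
    value: str                      # the claim value itself

    @property
    def is_identity(self) -> bool:
        return self.prefix == "i"

    def describe(self) -> Dict[str, str]:
        """Human-readable breakdown; codes not on the slide are reported raw."""
        return {
            "identity claim": "yes" if self.is_identity else "no",
            "claim type": CLAIM_TYPE_CODES.get(self.claim_type, f"code {self.claim_type!r}"),
            "value type": VALUE_TYPE_CODES.get(self.value_type, f"code {self.value_type!r}"),
            "auth mode": AUTH_MODE_CODES.get(self.auth_mode, f"code {self.auth_mode!r}"),
            "original issuer": self.original_issuer or "(none)",
            "value": self.value,
        }


def decode_claim(encoded: str) -> EncodedClaim:
    """Split an encoded claim such as 'i:0e.t|adfs|edin@spdemo.local' into its parts."""
    head, sep, rest = encoded.partition("|")
    if not sep:
        raise ValueError(f"no '|' separator in {encoded!r}")
    # head is "<prefix>:0<type><valuetype><authmode>": always six characters
    if len(head) != 6 or head[1:3] != ":0":
        raise ValueError(f"malformed claim header {head!r}")
    # The original issuer is optional: only a second '|' introduces the claim value
    issuer_part, sep2, value_part = rest.partition("|")
    if sep2 and not issuer_part:
        raise ValueError(f"empty original issuer in {encoded!r}")
    issuer = issuer_part if sep2 else None
    value = value_part if sep2 else rest
    if not value:
        raise ValueError(f"empty claim value in {encoded!r}")
    return EncodedClaim(head[0], head[3], head[4], head[5], issuer, value)


def is_well_formed(encoded: str) -> bool:
    """True when decode_claim accepts the string."""
    try:
        decode_claim(encoded)
        return True
    except ValueError:
        return False


def encode_claim(claim: EncodedClaim) -> str:
    """Inverse of decode_claim."""
    parts = [f"{claim.prefix}:0{claim.claim_type}{claim.value_type}{claim.auth_mode}"]
    if claim.original_issuer:
        parts.append(claim.original_issuer)
    parts.append(claim.value)
    return "|".join(parts)


def principal_key(claim: EncodedClaim) -> Tuple[str, str, Optional[str], str]:
    """Two encoded claims are the same principal only if type, auth mode, original issuer
    and value all match; the value is compared case-insensitively here (assumption that
    account names and UPNs are case-insensitive)."""
    return (claim.claim_type, claim.auth_mode, claim.original_issuer, claim.value.lower())


if __name__ == "__main__":
    for sample in ("i:0#.w|spdemoedin", "i:0e.t|adfs|edin@spdemo.local"):
        parsed = decode_claim(sample)
        print(sample, "->", parsed.describe())
        assert encode_claim(parsed) == sample
```

Run the file directly to see both slide examples broken down; the strict header check rejects anything that does not follow the `<prefix>:0` shape, and an empty value or empty issuer segment is rejected rather than silently accepted.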
Claims Authorization
• Any claim can be used as a security principal in SharePoint
• Flexible alternative to security groups
• Claims can be surfaced by the identity token service or a custom claims provider in People Picker
Claim Providers
• Augment and surface the claims for People Picker
• Can be generic or bound to a Trusted Identity Provider
• Inherits from SPClaimProvider abstract class
• But take care with thread safety:
http://blogs.msdn.com/b/yvan_duhamel/archive/2014/05/21/thread-safety-in-custom-claims-providers.aspx
Claims Augmentation and Surfacing
Desired claim provider feature: Implements
Claims augmentation: FillClaimsForEntity, SupportsEntityInformation
Claims surfacing in People Picker: FillSchema, FillClaimTypes, FillClaimValueTypes, FillEntityTypes
Claims hierarchy in People Picker left side: FillHierarchy, SupportsHierarchy
Resolving typed claims in People Picker: FillResolve, SupportsResolve
Searching for claims in People Picker: FillSearch, SupportsSearch
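The Claims Authentication slide (normalizing incoming claims, decoupling the authentication method from the identity) and the claim provider's augmentation feature can be shown together. The following Python is an added example, not the slides' demo and not SharePoint's API: it builds the normalized identity from the SharePoint Claims table for a Windows login and for a token from a trusted issuer, then augments it with a department claim the way `FillClaimsForEntity` would. The claim type URIs are the ones on the slides; `CorpDirectoryClaimProvider`, the `urn:example:claims/department` claim type and the directory contents are constructed for the example. The `has_authoritative_claim` check pins the original issuer, so a claim carried in the incoming token does not count as one the claim provider asserted.

```python
# Added example (not from the slides): normalize incoming claims from two authentication
# methods into one identity shape, then augment it the way a claim provider's
# FillClaimsForEntity would. Claim type URIs are those from the slides' SharePoint Claims
# table; the department directory is constructed sample data and CorpDirectoryClaimProvider
# is a hypothetical provider name.
from dataclasses import dataclass
from typing import Dict, List, Optional

NAME_IDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
PRIMARY_SID = "http://schemas.xmlsoap.org/ws/2008/06/identity/claims/primarysid"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
USER_ID = "http://schemas.microsoft.com/sharepoint/2009/08/claims/userid"
# Constructed claim type for the augmented claim (not a SharePoint URI).
DEPARTMENT = "urn:example:claims/department"


@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str
    issuer: str           # who handed the claim to the application (SharePoint, per the table)
    original_issuer: str  # who actually asserted it (Windows, an IdP, a claim provider, ...)


def normalize_windows(account: str, sid: str, upn: str) -> List[Claim]:
    """Windows (NTLM) login -> the normalized identity shown in the SharePoint Claims table."""
    return [
        Claim(NAME_IDENTIFIER, account, "SharePoint", "SharePoint"),
        Claim(PRIMARY_SID, sid, "SharePoint", "Windows"),
        Claim(UPN, upn, "SharePoint", "Windows"),
        # userid value follows the slides' claims-encoding pattern without the leading "i:"
        Claim(USER_ID, f"0#.w|{account}", "SharePoint", "SecurityTokenService"),
    ]


def normalize_trusted(upn: str, issuer_name: str) -> List[Claim]:
    """SAML token from a trusted IdP (e.g. 'adfs') -> the same identity shape."""
    return [
        Claim(NAME_IDENTIFIER, upn, "SharePoint", issuer_name),
        Claim(UPN, upn, "SharePoint", issuer_name),
        Claim(USER_ID, f"0e.t|{issuer_name}|{upn}", "SharePoint", "SecurityTokenService"),
    ]


def first_value(identity: List[Claim], claim_type: str) -> Optional[str]:
    """Value of the first claim of the given type, or None."""
    for claim in identity:
        if claim.claim_type == claim_type:
            return claim.value
    return None


class CorpDirectoryClaimProvider:
    """Hypothetical claim provider: the analogue of SPClaimProvider.FillClaimsForEntity."""
    ISSUER = "CorpDirectory"

    def __init__(self, directory: Dict[str, str]) -> None:
        self._directory = directory  # upn -> department, constructed sample data

    def fill_claims_for_entity(self, identity: List[Claim]) -> List[Claim]:
        # Keyed on the UPN, so the result is the same whether the user arrived via Windows or ADFS.
        upn = first_value(identity, UPN)
        department = self._directory.get(upn.lower()) if upn else None
        if department is None:
            return list(identity)
        return identity + [Claim(DEPARTMENT, department, "SharePoint", self.ISSUER)]


def has_authoritative_claim(identity: List[Claim], claim_type: str,
                            value: str, original_issuer: str) -> bool:
    """Authorization check that also pins the original issuer: a claim of the same type and
    value that arrived inside the incoming token is not treated as if this provider asserted it."""
    return any(
        c.claim_type == claim_type and c.value == value and c.original_issuer == original_issuer
        for c in identity
    )


DIRECTORY = {"ekapic@demo.local": "Architecture"}  # constructed sample data

if __name__ == "__main__":
    provider = CorpDirectoryClaimProvider(DIRECTORY)
    windows = provider.fill_claims_for_entity(
        normalize_windows("demoekapic", "S-1-5-21-4067827123-213488314-8760374-513", "ekapic@demo.local"))
    adfs = provider.fill_claims_for_entity(normalize_trusted("ekapic@demo.local", "adfs"))
    for claim in windows + adfs:
        print(claim)
```

Both normalized identities carry the same UPN, so an authorization rule written against the UPN (or the augmented department) works regardless of how the user authenticated, which is the decoupling the slides describe.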
DEMO: Custom Claim Provider
Federated Authentication
• When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication
• A third-party Secure Token Service (STS) issues a security token with claims
• This token is trusted by “clients” (Relying Parties, RP) because the STS is trusted by them
• Tokens are digitally signed to prevent tampering
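The trust relationship described above (the STS signs the token; the RP accepts it only because it trusts that STS) can be shown as the validation a relying party performs on every token. The following Python is an added example, not code from the slides or from any STS product: an HMAC over the token body stands in for the STS's asymmetric signature so the example runs on the standard library alone, and the issuer URL, key material, audience identifier and claim values are constructed.

```python
# Added example (not from the slides): how a relying party (RP) decides to trust a token
# from a Secure Token Service (STS). A real STS such as ADFS signs tokens with an asymmetric
# key; here an HMAC over the token body stands in for that signature so the example runs on
# the standard library alone. Issuer URL, key material and claim values are constructed.
import copy
import hashlib
import hmac
import json
from typing import Any, Dict

RP_AUDIENCE = "urn:sharepoint:demo"  # constructed realm identifier of this relying party

# The RP's trust configuration: exactly these issuers, each with its verification key.
TRUSTED_ISSUERS: Dict[str, bytes] = {
    "http://adfs.demo.local/adfs/services/trust": b"constructed-adfs-signing-key",
}


class TokenRejected(Exception):
    """Raised with the reason a token was not accepted."""


def _canonical(body: Dict[str, Any]) -> bytes:
    # Deterministic serialization so signer and verifier hash the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sts_issue_token(issuer: str, key: bytes, audience: str, claims: Dict[str, str],
                    now: float, lifetime: int = 300) -> Dict[str, Any]:
    """STS side: assemble the token body (issuer, audience, expiry, claims) and sign it."""
    body = {"iss": issuer, "aud": audience, "exp": int(now) + lifetime, "claims": claims}
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": signature}


def rp_validate_token(token: Dict[str, Any], now: float) -> Dict[str, str]:
    """RP side: accept the token only if it is signed by a trusted STS, addressed to this RP
    and not expired. Returns the claims on success."""
    body, signature = token.get("body", {}), token.get("sig", "")
    key = TRUSTED_ISSUERS.get(body.get("iss", ""))
    if key is None:
        raise TokenRejected("issuer not trusted")
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenRejected("signature invalid (token altered or wrong key)")
    if body.get("aud") != RP_AUDIENCE:
        raise TokenRejected("token issued for a different relying party")
    if body.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    return dict(body["claims"])


def validation_result(token: Dict[str, Any], now: float) -> str:
    """'accepted' or the rejection reason; convenient for logging and for tests."""
    try:
        rp_validate_token(token, now)
        return "accepted"
    except TokenRejected as exc:
        return str(exc)


def with_modified_claim(token: Dict[str, Any], claim_type: str, value: str) -> Dict[str, Any]:
    """Copy of the token with one claim changed after signing: what the signature check detects."""
    altered = copy.deepcopy(token)
    altered["body"]["claims"][claim_type] = value
    return altered


ADFS = "http://adfs.demo.local/adfs/services/trust"
NOW = 1_700_000_000.0  # fixed clock so runs are reproducible

if __name__ == "__main__":
    token = sts_issue_token(ADFS, TRUSTED_ISSUERS[ADFS], RP_AUDIENCE,
                            {"upn": "edin@spdemo.local", "role": "Reader"}, NOW)
    print("original:", validation_result(token, NOW))
    print("altered: ", validation_result(with_modified_claim(token, "role", "Owner"), NOW))
    print("late:    ", validation_result(token, NOW + 600))
```

The order of checks matters: the issuer is looked up first only to select the verification key, and nothing else in the body is believed until the signature has been verified against that key; audience and expiry are then checked on the now-authenticated body.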
Federated Authentication
• ID cards or passports are real-world examples of federated authentication
Federated Identity Providers
• Microsoft Active Directory Federation Services (ADFS)
• Microsoft Azure Active Directory
• Thinktecture IdentityServer
• Shibboleth
• IBM Federated Identity Manager
• ...
Active Directory Federation Services (ADFS)
• Part of Windows Server features
• Can transform AD into a federated IdP
• Doesn’t manage users directly, but claims, identity providers and relying parties
Azure Active Directory (AAD)
• “AD and ADFS in the cloud”
• Part of the Azure / Office 365 offering
• Underpins most of the Office 365 / Azure hybrid architectures
Thinktecture IdentityServer
• Open-source IdP based on .NET and Windows Identity Framework
• Modular architecture
DEMO: Federated Authentication with ADFS
Summary
• Claims-based identity and authorization are the only way forward, so make sure that you understand them well
• You can decouple user authentication from the user identity
• You can extend your user identity with additional claims
• You can get your user identity from somewhere else
Additional Tools
• LDAP/AD Claims Provider
– Surfaces users from ADFS / AD into claims-enabled People Picker
• https://ldapcp.codeplex.com/
Additional Tools
• SharePoint Identity Service
– Service application for SharePoint
• https://spidentityservice.codeplex.com/
Further Reading
• Steve Peschka’s blog https://samlman.wordpress.com
• Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/
• A Guide to Claims-Based Identity and Access Control https://msdn.microsoft.com/en-us/library/ff423674.aspx
QUESTIONS?
I look forward to your feedback!
Thank you very much!
Edin Kapić
