This document provides information about Danny Jessee, a senior software engineer with 8 years of SharePoint development experience. It includes his credentials, contact information, and topics he can present on, such as features of secure applications, SharePoint 2010 authentication options, claims terminology and technology overview. It also lists some demos he can provide, including setting up a new SharePoint 2010 web application, integrating Facebook authentication using Azure AppFabric ACS, and further integrating Facebook data into SharePoint using the Facebook C# SDK.
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
3. Features of a Secure Application
SharePoint 2010 Authentication Options
Claims Terminology/Technology Overview
Demos
New SharePoint 2010 Web Application
Azure AppFabric ACS Trusted Identity Provider – Facebook
Further integration of Facebook with SharePoint via the Facebook C# SDK (now deprecated)
4. Authentication is the process of validating a user’s identity
SharePoint never performs authentication
If the login prompt keeps appearing, think authentication issue!
Unless it’s the dreaded loopback check!
5. Authorization is the process of determining the resources, features, etc. to which a user has access
If you see “Access Denied” errors, think authorization issue!
6. The single biggest decision of your life!
TechNet guidance: “For new implementations of SharePoint Server 2010, you should consider claims-based authentication.”
7. Claims Based Authentication (Tokens)
Windows Authentication: NTLM/Kerberos, Basic
Forms-Based Authentication (ASP.NET Membership provider and Role manager)
Trusted Identity providers
Custom sign-in page
Classic Mode Authentication (“Old School”)
Windows Authentication (NTLM/Kerberos) only
Both map authenticated users to SPUser objects (security principals)
8. What is a claim?
A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date
Whose claims do I trust, and which claims affect authorization decisions I make?
9. Token
Serialized set of claims about an authenticated user, digitally signed by the token’s issuer
Identity Provider-Security Token Service (IP-STS)
Validates user credentials
Builds, signs, and issues tokens containing claims
Relying party (RP)
Application that makes authorization decisions based on claims (SharePoint 2010)
10. Decoupling of authentication logic from authorization and personalization logic
Applications no longer need to determine who the user is; they receive claims identifying the user
Great for developers who rarely want to work with identity!
Provides a common way for applications to acquire the identity information they need about users
11. 1. “I’d like to access the budget document.”
2. “Not until you can prove to me that you are in the Finance group.”
3. “Here is my user ID and password.”
4. “Hi, Danny. I see you are in the Finance group. Here is a token you can use.”
5. “I’d like to access the budget document, and here’s proof I have access to it!”
(Diagram label: SharePoint 2010)
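The exchange on slides 9 through 11, worked through as an added example that is not part of the original deck: an identity-provider STS validates credentials and issues a signed token, and a relying party (standing in for SharePoint 2010) verifies the token's signature, issuer and lifetime before it makes the Finance-group authorization decision. The token format is a constructed HMAC-signed JSON envelope, a stand-in for the SAML 1.1 tokens ACS and SharePoint actually exchange; the users, passwords, signing key, issuer name and claim values are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data. A real IP-STS signs with an X.509 private key and the
# relying party verifies with the issuer's certificate; a shared HMAC key keeps
# this example self-contained.
STS_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
STS_ISSUER = "TrustedProvider:Demo STS"   # constructed issuer name
TOKEN_LIFETIME_SECONDS = 600               # lifetime the deck tells you to raise on slide 29

# Stand-in for the directory the STS authenticates against (constructed users;
# a real store holds password hashes, not plaintext).
USERS = {
    "danny": {"password": "hunter2", "email": "danny@example.com",
              "groups": ["Finance", "Developers"]},
    "alice": {"password": "letmein", "email": "alice@example.com",
              "groups": ["Marketing"]},
}


def _sign(payload: bytes) -> str:
    return hmac.new(STS_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


# ---- Identity Provider STS (slide 9): validates credentials, issues tokens ----
def issue_token(username, password, now=None):
    """Steps 3-4 of slide 11. Returns a signed token, or None for bad credentials."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    now = time.time() if now is None else now
    claims = [{"type": "name", "value": username},
              {"type": "email", "value": user["email"]}]
    claims += [{"type": "role", "value": group} for group in user["groups"]]
    body = {"issuer": STS_ISSUER, "issued_at": now,
            "expires_at": now + TOKEN_LIFETIME_SECONDS, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    # Token = base64(serialized claims) + "." + signature over exactly those bytes.
    return base64.b64encode(payload).decode() + "." + _sign(payload)


# ---- Relying party (SharePoint 2010 in the slide): trusts the signer, not the user ----
TRUSTED_ISSUERS = {STS_ISSUER}


def validate_token(token, now=None):
    """Verify signature, issuer and lifetime. Returns the claims, or None."""
    try:
        encoded, signature = token.split(".", 1)
        payload = base64.b64decode(encoded, validate=True)
        if not hmac.compare_digest(_sign(payload), signature):
            return None  # tampered, or signed by an untrusted key
        body = json.loads(payload)
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    now = time.time() if now is None else now
    if body["issuer"] not in TRUSTED_ISSUERS:
        return None
    if not body["issued_at"] <= now < body["expires_at"]:
        return None  # expired or not yet valid
    return body["claims"]


def can_access_budget(claims):
    """Authorization decision from slide 11, step 2: the Finance role is required."""
    return any(c["type"] == "role" and c["value"] == "Finance" for c in claims)


def request_budget_document(token, now=None):
    """Step 5: the user presents the token; authenticate via the token, then authorize."""
    claims = validate_token(token, now)
    if claims is None:
        return "401 login prompt"   # authentication problem (slide 4)
    if not can_access_budget(claims):
        return "403 Access Denied"  # authorization problem (slide 5)
    return "200 budget.xlsx"


if __name__ == "__main__":
    print(request_budget_document(issue_token("danny", "hunter2")))
    print(request_budget_document(issue_token("alice", "letmein")))
```

The relying party never sees the password: it accepts the claims only because the signature checks out against a key it trusts, which is exactly the decoupling slide 10 describes. The two failure paths map onto the troubleshooting rule of slides 4 and 5: a bad, forged or expired token sends the user back to the login prompt, while a valid token without the right claim produces Access Denied.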
12. WS-Trust, WS-Federation, SAML
Requesting/receiving tokens
XML representation of claims
These emerging technologies have been around for a while
Their use in Claims-Based Identity represents a new approach for handling identity in applications
Great potential in corporate environments
▪ Active Directory Federation Services, external LDAP, etc.
Great potential as we move to the cloud
▪ Azure ACS: Facebook, Google, Windows Live ID, etc.
14. Visual Web Part
Code behind (requires a reference to the WIF assembly, Microsoft.IdentityModel):
using Microsoft.IdentityModel.Claims;
// Page.User is an IClaimsPrincipal only on claims-based web applications;
// on a classic-mode web application the "as" cast yields null.
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity;
// Bind the user's claims (ClaimType, Value, Issuer, OriginalIssuer, ...) to the grid.
GridView1.DataSource = claimsIdentity.Claims;
Page.DataBind();
http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
15. Similar to FBA setup for MOSS, with some exceptions:
Authentication provider does not need to be mapped to a separate zone
One additional Web.config to modify:
▪ C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken
▪ Add entries for connection string, Membership provider, Role manager
▪ Same modifications for Central Admin and web app
16. Allows users to choose how to authenticate when multiple providers are configured (Mixed Authentication)
Custom code opportunity
http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
19. Cloud-based service that provides an easy way of authenticating and authorizing users to gain access to web applications
Includes support for Windows Live ID, Google, Yahoo, and Facebook
Includes support for Active Directory Federation Services (AD FS) 2.0
Simple browser-based management portal
$1.99/100k transactions (free until Nov. 30!)
20. Three things must be done to add support for Facebook login to SharePoint:
1. Create a Facebook application
https://developers.facebook.com/apps
2. Configure ACS for Facebook support
Permissions you will request from Facebook users
Relying Party application and Rule Group setup
3. Configure ACS as a Trusted Identity Provider in SharePoint
24. From the ACS management portal, add a new Identity Provider
25. Enter App ID and App Secret values from the Facebook application you created earlier
Enter a comma-delimited list of Application Permissions you want to request
https://developers.facebook.com/docs/reference/api/permissions/
In our demo, we will request:
email,user_location,user_hometown,user_website,user_work_history,publish_stream,user_birthday,friends_birthday
26. Permissions you request will be displayed to the end user the first time they log in
Request the minimum subset of permissions you will need
Users are more likely to reject bigger requests
27. Generate Rule Group
Named set of claim rules that define which
identity claims are passed from identity providers
to your relying party application
SharePoint will still need to be configured to
make use of these claims
28. Configure Relying Party application
Provide Name, Realm, and Return URL
Return URL: Realm + /_trust
29. Choose SAML 1.1 token format
Update Token lifetime to >600 seconds
Select Identity providers and Rule groups
30. Generate self-signed certificate
C:\Program Files\Microsoft Office Servers\14.0\Tools>MakeCert.exe -r -pe -n "CN=dannyjessee.accesscontrol.windows.net" -sky exchange -ss my
Self-signed (-r), exportable private key (-pe), subject key type
"exchange" (-sky), stored in the personal certificate store (-ss my)
Development only! Please use a legitimate
certificate in production!
31. Upload this certificate (.pfx format) as the
Token Signing Certificate in ACS
34. Running this PowerShell script will add
“Azure ACS v2” to the list of Trusted Identity
Providers
Eligible to be added to Claims-based web
applications in Central Administration
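The three steps from slide 20 end with the PowerShell script that slide 34 refers to but does not show. What follows is an added example of such a script, not the deck's own code. The realm, certificate path, ACS WS-Federation endpoint and the claim type ACS uses for the Facebook AccessToken are assumptions to replace with your own values; the cmdlets themselves are the standard SharePoint 2010 ones.

```powershell
# Added example, not the script from the deck: register the ACS namespace as a SharePoint 2010
# Trusted Identity Provider. Values marked "assumed" are placeholders for this illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$acsNamespace = "dannyjessee"                                   # from the deck's makecert CN
$realm        = "https://sp.example.local/"                     # assumed: the Realm entered for the Relying Party (slide 28)
$signInUrl    = "https://$acsNamespace.accesscontrol.windows.net/v2/wsfederation"  # assumed ACS WS-Federation endpoint
$certPath     = "C:\certs\acs-token-signing.cer"                # assumed: public (.cer) export of the slide 30 certificate

# 1. Trust the token-signing certificate. SharePoint only needs the public key;
#    the .pfx with the private key belongs to ACS (slide 31) and should not be copied here.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if ($cert.HasPrivateKey) { throw "Import the public .cer export, not the .pfx" }
New-SPTrustedRootAuthority -Name "Azure ACS v2 Token Signing" -Certificate $cert | Out-Null

# 2. Map the incoming claims SharePoint should keep. E-mail becomes the identifier claim;
#    the AccessToken claim is what the Graph API calls later in the deck consume.
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$tokenType = "http://www.facebook.com/claims/AccessToken"       # assumed: claim type ACS emits for the Facebook token
$emailMap  = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$tokenMap  = New-SPClaimTypeMapping -IncomingClaimType $tokenType -IncomingClaimTypeDisplayName "AccessToken" -SameAsIncoming

# 3. Register the issuer. After this, "Azure ACS v2" appears under Trusted Identity providers
#    when you edit a claims web application's authentication providers in Central Administration.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Azure ACS v2" `
    -Description "Azure AppFabric ACS (Facebook login)" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $tokenMap `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Verify what was registered: the signing thumbprint must match the certificate uploaded to ACS.
Get-SPTrustedIdentityTokenIssuer $issuer.Name |
    Select-Object Name, IdentityClaimTypeInformation, @{n='Thumbprint'; e={$_.SigningCertificate.Thumbprint}}
```

The same New-SPTrustedRootAuthority cmdlet is what the Central Administration "Manage Trust" step on slide 38 does for the DigiCert chain the Facebook C# SDK needs. The -Realm value must be exactly the Realm configured for the Relying Party in ACS, otherwise ACS will not issue a token for the request SharePoint sends.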
36. All claims whose OriginalIssuer is
TrustedProvider:Azure ACS v2
AccessToken is the key to all user data
37. https://github.com/facebook/csharp-sdk
Encapsulates calls to the Facebook Graph API
https://developers.facebook.com/docs/reference/api/
Retrieve data about the user and his/her friends
Upload photos/videos, post status messages
Data returned from Facebook in JSON format
Requests to https://graph.facebook.com/...
▪ me/feed, me/friends, me/photos, me/videos
Deprecated, no longer supported
38. SharePoint maintains its own certificate store
where separate trusts must be configured
http://dannyjessee.com/blog/index.php/2011/12/required-trust-relationships-for-the-facebook-c-sdk-in-sharepoint-2010/
Need to upload two certificates into
SharePoint (CA > Security > Manage Trust):
DigiCert High Assurance EV Root CA
DigiCert High Assurance CA-3
40. Code snippets in these slides are not
complete
Do not include proper error checking/handling
Do not include RunWithElevatedPrivileges()
delegates where appropriate
Please download the code
Do not copy and paste from these slides
I will Tweet the link and update this slide deck to
include it
41. Returned in a claim (issued by ACS on Facebook's behalf)
A new AccessToken is issued each login
Our key to all of the data about the logged-in user
Required for all calls to the Facebook Graph API
Two hour lifetime by default
To leverage this token across the site, I store
it in the SPWeb.AllProperties property bag
web.AllProperties["fbAccessToken_{loginname}"]
AllProperties (not SPWeb.Properties) is required because it preserves key case;
SPPropertyBag lowercases its keys
Caveat: the web property bag is not per-user storage. Anyone who can read the web
(for example through the client object model) can enumerate it, so every user's
Facebook token is readable by every other reader of the site. Acceptable for a demo;
in production keep the token in a store scoped and access-controlled per user
42. Changing to
Initial display name for the SPUser is in claims-
encoded format (more on this later)
Want to make this more user-friendly
SPWeb web = SPContext.Current.Web;
if (web.CurrentUser == null)
{
    // First visit: create the SPUser from the encoded identity claim, then replace
    // the claims-encoded display name with the given name claim from the token
    SPUser user = web.EnsureUser("i:" + claimsIdentity.Name);
    user.Name = givenName;
    user.Update();
}
43. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
JsonObject location = me["location"] as JsonObject;
myLocation = (string)location["name"];
myLocation is in City, State format
Parsed and sent to Weather Underground API
http://api.wunderground.com/api/[key]/geolookup/conditions/forecast/q/[state]/[city].json
44. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
SPList lstContacts = web.Lists["Contacts"];
SPListItem item = lstContacts.Items.Add();
item["First Name"] = (string)me["first_name"];
item["Last Name"] = (string)me["last_name"];
JsonArray work = me["work"] as JsonArray;
// Most recent/current employer stored in work[0]
JsonObject company = work[0] as JsonObject;
JsonObject employer = company["employer"] as JsonObject;
JsonObject position = company["position"] as JsonObject;
item["Company"] = (string)employer["name"];
item["Job Title"] = (string)position["name"];
item.SystemUpdate();
45. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me/friends?fields=name,birthday");
JsonArray friendData = me["data"] as JsonArray;
foreach (JsonObject friend in friendData)
{
if (friend.ContainsKey("birthday"))
{
/* Some users share MM/DD of birthday, others share MM/DD/YYYY
We only care about MM/DD for our purposes, and
Facebook always pads with leading zeros */
string birthday = (string)friend["birthday"];
birthMonth = int.Parse(birthday.Substring(0, 2));
birthDate = int.Parse(birthday.Substring(3, 2));
...
47. var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string, object>();
dict.Add("message", "I just posted this from SharePoint!");
dict.Add("link", "http://sugdc.org/");
dict.Add("picture", "http://sugdc.org/Portals/0/sugdcTitle4.jpg");
dict.Add("name", "SUGDC Home Page");
dict.Add("caption", "February 9, 2012");
dict.Add("description", "Come see my presentation about Claims-Based Identity in SharePoint 2010 at SUGDC!");
client.PostAsync("me/feed", dict);
48. var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string, object> {
    { "title", "I know how to post videos to Facebook...from SharePoint!" },
    { "description", "See more at SUGDC Feb. 9, 2012!" },
    { "vid1", new FacebookMediaObject { ContentType = "video/x-flv", FileName = "facebook.flv" }
        .SetValue(File.ReadAllBytes(@"C:\facebook.flv")) }
};
client.PostAsync("me/videos", dict);
49. Silverlight application courtesy MossLover
Interfaces with the user’s webcam, saves
captured images to document library
50. Added event handler to upload to Facebook
string contentType = "image/jpeg";
var client = new Facebook.FacebookClient(fbAccessToken);
Dictionary<string, object> dict = new Dictionary<string, object> {
    { "message", "Uploaded picture from Silverlight webcam image capture in SharePoint!" },
    { "pic1", new FacebookMediaObject { ContentType = contentType, FileName = properties.ListItem.File.Name }
        .SetValue(properties.ListItem.File.OpenBinary()) }
};
client.PostAsync("me/photos", dict);
54. General issues for all Claims implementations
Search crawler requires NTLM in the zone it uses
“People picker” is more of a Claims “expression
editor”
▪ Custom code opportunity
User Profiles
▪ LDAP or BCS connection to authentication store
Office client integration (2007 SP2+, 2010)
▪ IE 8+: Trusted Sites
No document previews with FAST Search
55. “After migrating to Claims in
SharePoint 2010, most of our users
were able to log in some of the time.”
—A less-than-thrilled system administrator
56. Migration from MOSS to SharePoint 2010
Migrate FBA Users
▪ $wa = Get-SPWebApplication $WebAppName
▪ $wa.MigrateUsers($true)
Portalsuperuser and Portalsuperreader properties
need to be updated to reflect Claims-encoded format
▪ $wa.Properties["portalsuperuseraccount"] = "i:0#.w|domain\apppool"
▪ $wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domain\apppool"
▪ $wa.Update()
▪ In practice use two dedicated accounts rather than the app pool identity for both:
Full Control for the superuser, Full Read for the superreader
Must migrate all providers from MOSS to 2010
▪ i.e., NTLM and FBA if both existed prior to migration
58. Set DisplayName property of SPUser
$user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"
$user.DisplayName = "John Doe"
$user.Update()
Can also be done via SharePoint object model
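Slides 42, 56 and 58 all show claims-encoded login names (i:0#.w|domain\apppool, i:0#.f|CustomMembershipProvider|username) without spelling out the format. The following added example, not part of the deck, decodes such strings and builds the common identity forms. It runs on plain PowerShell with no farm; the claim-type table is deliberately partial (only the characters a SharePoint 2010 administrator sees most), and the sample inputs at the end are constructed for the illustration.

```powershell
# Added example (not from the deck): decode and build SharePoint 2010 claims-encoded login names.
# Format: <i|c>:0<claimtype><valuetype><issuer>|[<provider>|]<value>
#   i = identity claim, c = any other claim; "0" is reserved.
# Inside a farm the authoritative decoder is
# [Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager]::Local.DecodeClaim($encoded).

# Partial table of claim-type characters; anything not listed is reported as unknown.
$ClaimTypeChars = @{
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
    '(' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/isauthenticated'
    '?' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
}
# Issuer (authentication mode) characters.
$IssuerChars = @{
    'w' = 'Windows'; 'f' = 'Forms'; 't' = 'Trusted identity provider (SAML)'
    's' = 'SharePoint STS'; 'm' = 'Membership'; 'r' = 'Role manager'; 'c' = 'Claim provider'
}

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory=$true)][string]$Encoded)
    $pattern = '^(?<kind>[ic]):0(?<ctype>.)(?<vtype>.)(?<issuer>[a-z])\|(?<rest>.*)$'
    if (-not ($Encoded -match $pattern)) { throw "Not a claims-encoded string: '$Encoded'" }
    $m = $Matches
    $rest = $m['rest']; $provider = $null; $value = $rest
    # Windows ('w') and SharePoint STS ('s') claims carry no provider segment;
    # every other issuer type encodes "<provider>|<value>".
    if ((('w','s') -notcontains $m['issuer']) -and $rest.Contains('|')) {
        $provider, $value = $rest -split '\|', 2
    }
    $ctype  = if ($ClaimTypeChars.ContainsKey($m['ctype'])) { $ClaimTypeChars[$m['ctype']] } else { "unknown ('$($m['ctype'])')" }
    $vtype  = if ($m['vtype'] -eq '.') { 'string' } else { "unknown ('$($m['vtype'])')" }
    $issuer = if ($IssuerChars.ContainsKey($m['issuer'])) { $IssuerChars[$m['issuer']] } else { "unknown ('$($m['issuer'])')" }
    New-Object PSObject -Property @{
        IsIdentityClaim = ($m['kind'] -eq 'i')
        ClaimType       = $ctype
        ValueType       = $vtype
        Issuer          = $issuer
        Provider        = $provider
        Value           = $value
    }
}

function ConvertTo-SPEncodedClaim {
    # Builds the three identity encodings the deck relies on: Windows account (slide 56),
    # forms/membership user (slide 58) and trusted-provider e-mail identity (slide 36).
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Windows','Forms','TrustedEmail')][string]$Kind,
        [Parameter(Mandatory=$true)][string]$Value,
        [string]$Provider    # membership provider or trusted issuer name; ignored for Windows
    )
    switch ($Kind) {
        'Windows'      { "i:0#.w|$Value" }
        'Forms'        { if (-not $Provider) { throw 'Forms needs -Provider' }; "i:0#.f|$Provider|$Value" }
        'TrustedEmail' { if (-not $Provider) { throw 'TrustedEmail needs -Provider' }; "i:05.t|$Provider|$Value" }
    }
}

# Constructed sample inputs: the two from the deck, a trusted-provider identity built here,
# and the SharePoint STS "is authenticated" claim.
@('i:0#.w|domain\apppool',
  'i:0#.f|CustomMembershipProvider|username',
  (ConvertTo-SPEncodedClaim -Kind TrustedEmail -Provider 'Azure ACS v2' -Value 'user@example.com'),
  'c:0(.s|true') |
    ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
    Format-Table IsIdentityClaim, Issuer, Provider, Value -AutoSize
```

The provider segment is what makes a forms or SAML identity unique: the same username under two membership providers is two different SharePoint users, which is why the portalsuperuser values on slide 56 and the -Identity on slide 58 must carry the full encoding and not just the account name.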
59. Session expiration issues with SAML Claims
Users can come back to the page hours later
without having to log in again
SharePoint creates a FedAuth cookie (written to
disk) that is not a Session cookie by default
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.UseSessionCookies = $true
▪ $sts.Update()
60. Continuous redirection to/from login page
This happens when the provider's TokenLifetime is less than or equal to SharePoint's
LogonTokenCacheExpirationWindow: the token arrives with less remaining life than the
window, so SharePoint immediately sends the user back to the provider for a new one
▪ Default LogonTokenCacheExpirationWindow in
SharePoint 2010 STS is 10 minutes
▪ Default Token Lifetime in Azure ACS is also 10 minutes
Fix either side: raise the ACS Token lifetime (slide 29) or lower the window:
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.LogonTokenCacheExpirationWindow =
(New-TimeSpan -minutes 1)
▪ $sts.Update()
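Slides 59 and 60 each change one STS setting by hand. The following added example, not code from the deck, turns both into a check that reports the current state and optionally repairs it. The provider token lifetime has to be passed in by the caller because ACS does not expose it to SharePoint; the 60 second safety margin is an assumption.

```powershell
# Added example (not the deck's script): check the two STS settings behind slides 59 and 60
# and repair the login redirect loop. Assumptions: the caller supplies the provider token
# lifetime (e.g. the ACS Relying Party "Token lifetime"), and a 60 s margin is enough.
function Get-SafeLogonTokenWindow {
    # Pure calculation, runs without a farm: the cache window must expire before the token does.
    param([Parameter(Mandatory=$true)][int]$ProviderTokenLifetimeSeconds, [int]$MarginSeconds = 60)
    if ($ProviderTokenLifetimeSeconds -le $MarginSeconds) {
        throw "Token lifetime ${ProviderTokenLifetimeSeconds}s leaves no room for a ${MarginSeconds}s margin"
    }
    New-TimeSpan -Seconds ($ProviderTokenLifetimeSeconds - $MarginSeconds)
}

function Test-SPLogonTokenConfig {
    param(
        [Parameter(Mandatory=$true)][int]$ProviderTokenLifetimeSeconds,  # 600 for the ACS default
        [switch]$Fix                                                    # apply the corrections
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $sts    = Get-SPSecurityTokenServiceConfig
    $window = $sts.LogonTokenCacheExpirationWindow
    $safe   = Get-SafeLogonTokenWindow -ProviderTokenLifetimeSeconds $ProviderTokenLifetimeSeconds

    # Slide 60: a token whose remaining life is shorter than the cache window is rejected
    # on arrival, so SharePoint bounces the browser straight back to the provider.
    $loopRisk = $window -ge $safe
    # Slide 59: a persistent FedAuth cookie outlives the browser session.
    $persistentCookie = -not $sts.UseSessionCookies

    Write-Host ("LogonTokenCacheExpirationWindow = {0}  (provider token lifetime {1}s)" -f $window, $ProviderTokenLifetimeSeconds)
    Write-Host ("UseSessionCookies               = {0}" -f $sts.UseSessionCookies)
    if ($loopRisk)         { Write-Warning "Window is not shorter than the token lifetime minus margin: expect login redirect loops" }
    if ($persistentCookie) { Write-Warning "FedAuth cookie is persisted to disk; users stay signed in across browser sessions" }

    if ($Fix -and ($loopRisk -or $persistentCookie)) {
        $sts.LogonTokenCacheExpirationWindow = $safe
        $sts.UseSessionCookies = $true
        $sts.Update()
        Write-Host "STS configuration updated; the STS application pool has to recycle before it takes effect"
    }
    return (-not ($loopRisk -or $persistentCookie))
}

# With the ACS default of 600 s and SharePoint's default 10 minute window this reports the loop
# and, with -Fix, sets the window to 9 minutes and switches to session cookies:
# Test-SPLogonTokenConfig -ProviderTokenLifetimeSeconds 600 -Fix
```

Lowering the window trades one thing for another: the shorter it is, the more often SharePoint goes back to ACS for a fresh token, so pick the larger ACS lifetime from slide 29 when the extra round trips matter.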
61. Go to the login page, enter valid credentials,
press the “Log In” button, and…get
redirected back to the login page (once)
Check the ULS logs!
▪ Could be token expiration timeout
▪ Could be something else
62. SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices.COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.
0x800703FA means "illegal operation attempted on a registry key that has been marked for deletion": Windows unloaded the app pool identity's registry hive at logoff while the STS still needed it
GPEdit: Computer Configuration > Administrative Templates > System > User Profiles
▪ Do not forcefully unload the users registry at user logoff > Set to "Enabled"
64. Stick with Classic Mode Authentication if you
are deploying SharePoint into a “simple”
Active Directory environment
Particularly if strict security controls are in place
that are beyond your control
Especially if you are only migrating from Windows
authentication in MOSS
Once you go to Claims, you can’t go back!
65. If you must use Claims for your Extranet,
try to minimize the number of zones/host
headers used
Default zone should be most secure
Have a good “troubleshooter’s toolbox”
ULS Log Viewer
Fiddler
Claims Viewer web part
67. Shane Young – my hero!
http://sharepoint911.com
Plan Authentication Methods
(SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/cc262350.aspx
A Guide to Claims-Based Identity and Access
Control (Microsoft Patterns and Practices)
http://claimsid.codeplex.com/
68. Writing Claims Providers for SharePoint 2010
http://msdn.microsoft.com/en-us/library/ff699494.aspx
Implementing Claims-Based Authentication
with SharePoint Server 2010
http://www.microsoft.com/download/en/details.aspx?id=27569
70. Steve Peschka
http://blogs.technet.com/b/speschka/archive/2010/06/12/migrating-a-web-application-from-windows-classic-to-windows-claims-in-sharepoint-2010.aspx
http://msdn.microsoft.com/en-us/library/hh147183.aspx
Project Server Blog (GREAT tips for migrating
to Claims here!!!)
http://nearbaseline.com.au/blog/tag/claims/
71. SelfSTS and Vittorio Bertocci
http://archive.msdn.microsoft.com/SelfSTS
http://blogs.msdn.com/b/vbertocci/archive/2010/08/23/selfsts-when-you-need-a-saml-token-now-right-now.aspx
Paul Schaeflein
http://www.schaeflein.net/blog/Lists/Posts/Post.aspx?ID=4
Claims opens up all the doors to you…FBA, Trusted Identity Providers (external-outside world)
WS-Trust: how to request and receive security tokens
WS-Federation: architecture for clean separation between trust mechanisms, security token formats, and the protocols for obtaining tokens
SAML: XML vocabulary used to represent claims in an interoperable way
Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
As you plan custom claims providers for use with People Picker in your SharePoint solution, consider the following questions: What will be the source of the values for the users and roles that will be displayed in People Picker query results? What claim data do you want to resolve in the Select People and Groups dialog box?
You don't necessarily need to go through the API or PowerShell if you have a connection to an LDAP store or a BCS connection to your authentication store. You can also map the properties yourself and leave it to the User Profile Synchronization service. That being said, if you're dependent on BCS then you'll also need SharePoint Server 2010 Enterprise licensing, which isn't available to all customers.
Once you're done you should be able to visit any of the users in your site collection and see their "Name" property set to something that is less likely to confuse your user base. Once the value is set, make sure that it doesn't get stomped by any User Profile Synchronization (UPS) that may be in place in your farm.
So basically the ticket was issued by ACS (the upstream identity provider) for 10 minutes, SharePoint checks it a millisecond later and says, well, this ticket expires in less time than my expiration window, so go get a new ticket from ACS.