SPSBE 2013 Claims for devs

SharePoint Saturday Belgium 2013 Developer meet claims, Claims for devs

Claims for devs #spsbe
Steven Van de Craen

Thanks to our Sponsors: Platinum, Gold, Silver

About me
• Steven Van de Craen
• Ventigrate
• SharePoint enthusiast since 2005

Overview
• AuthN – AuthZ
• Tokens and Claims
• What about SharePoint
• Passive sign-in
• Cookies and expiration
• Encoding
• #demos
• Wrap-up
• Resources

AuthN vs AuthZ
• What is Authentication? The process of determining whether someone is who he declares to be. "I am @vandest1"
• What is Authorization? The process of determining whether someone has permission to do something. "I have Read permission on this site"

Tokens and Claims
• What is a Claim? A piece of information about a subject (name, e-mail, age, group membership, etc.) asserted by an issuer.
• What is Identity? The set of attributes that describe a user.
• Security Token: the user's identity as a set of claims, signed by the issuer so the relying party can verify who made them.

What about SharePoint
• Classic or Claims mode
• Three authentication options:
  – Windows: NTLM/Kerberos/Basic, transformed into a Windows token
  – Forms Based Authentication: ASP.NET Membership and Role Provider, the typical extranet setup with SQL or LDAP as the underlying store
  – Trusted Identity: outsource authentication to an Identity Provider (WLID, ADFS, custom)
• C2WTS (Claims to Windows Token Service): converts a user's claims identity (via the UPN claim) into a Windows token for back-end systems that aren't claims-aware

Passive sign-in
• An Identity Provider (IdP) is an authority that makes claims about an entity.
• An identity provider implements a Security Token Service (STS), which issues tokens.
• The Relying Party (your application) has to decide which claims, from which issuer, it trusts:
  Facebook: "Steven is 18 years old"
  Social Services: "Steven is 29 years old"
• SharePoint's trusted identity provider uses the WS-Federation passive profile and requires SAML 1.1 tokens; SAML 2.0 tokens and the SAML-P protocol are not supported natively.
http://msdn.microsoft.com/en-us/magazine/ff872350.aspx
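The "Trusted Identity" option from the previous slides, as an added example that is not part of the deck: a SharePoint Management Shell script that registers an external IdP (ADFS here) as a trusted identity provider. The cmdlets and property names are SharePoint's own; the certificate path, the IdP sign-in URL, the realm and the claim types chosen are assumptions for illustration.

```powershell
# Added example, not from the deck: register an external IdP (ADFS here) as a SharePoint
# trusted identity provider. Run in the SharePoint Management Shell as a farm administrator.
# Assumptions (not from the slides): the IdP's token-signing certificate was exported to
# C:\certs\adfs-signing.cer, the IdP's passive endpoint is https://adfs.contoso.com/adfs/ls,
# and the relying-party identifier (realm) agreed with the IdP team is urn:sharepoint:intranet.
# SharePoint consumes SAML 1.1 tokens over WS-Federation, so the relying party trust on the
# IdP side must be configured to issue SAML 1.1, not SAML 2.0.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\adfs-signing.cer'

# Trust only the IdP's token-signing certificate. This is what lets SharePoint verify that a
# token really came from that IdP and was not tampered with in transit.
New-SPTrustedRootAuthority -Name 'ADFS token signing' -Certificate $cert

# Map incoming claim types to SharePoint claim types. The identifier claim must be unique and
# stable per user: e-mail is common, UPN is the safer choice where e-mail addresses can change.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'Contoso ADFS' `
    -Realm 'urn:sharepoint:intranet' `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl 'https://adfs.contoso.com/adfs/ls' `
    -IdentifierClaim $emailMap.InputClaimType

# Verify what was registered: the identifier claim and the mapped claim types should match
# exactly what the IdP team has agreed to issue for this realm.
$issuer | Select-Object Name, IdentifierClaim, ProviderUri
$issuer.ClaimTypeInformation | Select-Object InputClaimType, MappedClaimType
```

The issuer still has to be enabled as an authentication provider on each web application (Central Administration, Manage web applications, Authentication Providers) before users can sign in through it, and only claim types that were mapped here will be visible to SharePoint; anything else the IdP puts in the token is dropped.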
Cookies and expiration
• Persistent vs Session cookie (the FedAuth cookie that carries the sign-in session)
• A persistent cookie is what gives Single Sign On for Office clients and WebDAV
• Cookie type and token lifetimes are configurable on the SharePoint STS
• SharePoint 2013 Distributed Cache: stores the security token issued by the Security Token Service, so any web server in the farm can read the token from the cache, authenticate the user and serve the requested resources.
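The STS settings the slide says are "configurable", as an added example that is not from the deck: a SharePoint Management Shell script that records the current cookie and token lifetime settings, tightens them, and checks the one constraint that commonly breaks sign-in. The property names are real members of the object returned by Get-SPSecurityTokenServiceConfig; the lifetimes chosen are assumptions to adapt to your own sign-in UX and risk tolerance.

```powershell
# Added example, not from the deck: inspect and tighten FedAuth cookie and token lifetimes
# on the SharePoint STS. Run in the SharePoint 2010/2013 Management Shell on a farm server
# as a farm administrator. The lifetime values below are assumptions, not recommendations.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sts = Get-SPSecurityTokenServiceConfig

# Record the current settings first so the change is reviewable and reversible
Write-Host 'Before:'
$sts | Select-Object UseSessionCookies, WindowsTokenLifetime, FormsTokenLifetime,
                     LogonTokenCacheExpirationWindow | Format-List

# Session cookie: the FedAuth cookie is discarded when the browser closes instead of being
# written to disk. Office clients and WebDAV rely on the persistent cookie for single sign-on,
# so re-test those clients after enabling this.
$sts.UseSessionCookies = $true

# Shorter token lifetimes for Windows and forms sign-in (the defaults are 10 hours)
$sts.WindowsTokenLifetime = New-TimeSpan -Hours 2
$sts.FormsTokenLifetime   = New-TimeSpan -Hours 2

# How far before token expiry SharePoint stops accepting a cached logon token. It must be
# shorter than the token lifetimes, otherwise every request past the window sends the user
# back to the identity provider and the sign-in loops.
$sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 10

if ($sts.LogonTokenCacheExpirationWindow -ge $sts.WindowsTokenLifetime -or
    $sts.LogonTokenCacheExpirationWindow -ge $sts.FormsTokenLifetime) {
    throw 'LogonTokenCacheExpirationWindow must be shorter than the token lifetimes'
}

$sts.Update()

Write-Host 'After:'
Get-SPSecurityTokenServiceConfig |
    Select-Object UseSessionCookies, WindowsTokenLifetime, FormsTokenLifetime,
                  LogonTokenCacheExpirationWindow | Format-List

# The STS runs as an IIS application; recycle IIS on every web server in the farm for the
# new settings to take effect.
iisreset /noforce
```

Tokens issued by a trusted identity provider have their own lifetime set by the IdP; the farm-wide window above still applies to how long SharePoint keeps them in its logon token cache.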
Encoding
• Classic mode
  Windows: DOMAIN\username
  FBA: myprovider:username
• Claims mode
  Windows: i:0#.w|domain\username
  FBA: i:0#.f|myprovider|username
• Microsoft.SharePoint.Administration.Claims: SPClaim, SPClaimProviderManager.DecodeClaim / .EncodeClaim
• Don't build or compare these strings by hand in farm code; go through SPClaimProviderManager so the claim type, value type and issuer characters are handled consistently.
http://www.wictorwilen.se/Post/How-Claims-encoding-works-in-SharePoint-2010.aspx
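The encoding rules from the slide and the linked post, as an added example that is not part of the deck: a pure-string decoder and a small identity-claim encoder in PowerShell that run without the SharePoint assemblies, which is what you want when reviewing permission reports or audit logs off the farm (on the farm, use SPClaimProviderManager.DecodeClaim). The code tables list only the common claim type, value type and issuer characters; anything else is reported as unknown rather than guessed. The sample claim strings at the end are constructed for illustration.

```powershell
# Added example, not from the deck: decode SharePoint 2010/2013 encoded claim strings
# such as "i:0#.w|contoso\jdoe" without loading the SharePoint assemblies.
# Layout: <i|c>:0<type><valuetype><issuer>|[<issuer name>|]<value>
#   i = identity claim, c = any other claim; '0' is reserved.
# Only common codes are tabled here; unknown codes are reported, not guessed.
$SPClaimTypeCodes = @{
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    '+' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/groupsid'
    '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
    '(' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/isauthenticated'
}
$SPValueTypeCodes = @{ '.' = 'http://www.w3.org/2001/XMLSchema#string' }
# Windows ('w') and the SharePoint STS ('s') carry no issuer name; the others carry "<name>|"
$SPIssuerCodes = @{
    'w' = 'Windows'; 's' = 'SecurityTokenService'; 't' = 'TrustedProvider'
    'f' = 'Forms';   'c' = 'ClaimProvider'
}

function Resolve-SPClaimCode([hashtable]$Table, [string]$Code) {
    if ($Table.ContainsKey($Code)) { $Table[$Code] } else { "unknown($Code)" }
}

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EncodedClaim)
    process {
        # Minimal valid string is 8 chars, e.g. "i:0#.w|x"
        if ($EncodedClaim.Length -lt 8 -or $EncodedClaim.Substring(1, 2) -ne ':0' -or
            $EncodedClaim.Substring(6, 1) -ne '|') {
            throw "Not a SharePoint encoded claim: '$EncodedClaim'"
        }
        $kind = $EncodedClaim.Substring(0, 1)
        if ($kind -ne 'i' -and $kind -ne 'c') {
            throw "Unknown claim kind '$kind' in '$EncodedClaim' (expected 'i' or 'c')"
        }
        $typeCode      = $EncodedClaim.Substring(3, 1)
        $valueTypeCode = $EncodedClaim.Substring(4, 1)
        $issuerCode    = $EncodedClaim.Substring(5, 1)
        $rest          = $EncodedClaim.Substring(7)

        $issuerName = $null
        if ($issuerCode -eq 'w' -or $issuerCode -eq 's') {
            $value = $rest
        } else {
            $sep = $rest.IndexOf('|')
            if ($sep -lt 1) { throw "Issuer code '$issuerCode' requires a '<name>|' segment in '$EncodedClaim'" }
            $issuerName = $rest.Substring(0, $sep)
            $value      = $rest.Substring($sep + 1)
        }

        New-Object PSObject -Property @{
            Encoded         = $EncodedClaim
            IsIdentityClaim = ($kind -eq 'i')
            ClaimType       = Resolve-SPClaimCode $SPClaimTypeCodes $typeCode
            ValueType       = Resolve-SPClaimCode $SPValueTypeCodes $valueTypeCode
            OriginalIssuer  = Resolve-SPClaimCode $SPIssuerCodes $issuerCode
            IssuerName      = $issuerName
            Value           = $value
        }
    }
}

function ConvertTo-SPEncodedIdentityClaim {
    # Builds the logon-name identity claim for a Windows or forms-based user
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Windows', 'Forms')][string]$Issuer,
        [Parameter(Mandatory=$true)][string]$LogonName,
        [string]$ProviderName   # membership provider name, required for Forms
    )
    if ($LogonName.Contains('|')) { throw "Logon name must not contain '|'" }
    if ($Issuer -eq 'Windows') { return "i:0#.w|$LogonName" }
    if (-not $ProviderName) { throw 'ProviderName is required for Forms users' }
    return "i:0#.f|$ProviderName|$LogonName"
}

# Constructed sample inputs (not from the deck)
$samples = @(
    'i:0#.w|contoso\jdoe',                                    # Windows user
    (ConvertTo-SPEncodedIdentityClaim -Issuer Forms -ProviderName 'myprovider' -LogonName 'jdoe'),
    'c:0-.f|myroleprovider|Readers',                          # role from a forms role provider
    'c:0+.w|s-1-5-21-1004336348-1177238915-682003330-513',    # Windows group SID
    'c:0(.s|true'                                             # "All Authenticated Users"
)
$samples | ConvertFrom-SPEncodedClaim |
    Select-Object IsIdentityClaim, ClaimType, OriginalIssuer, IssuerName, Value |
    Format-Table -AutoSize
```

The value segment is everything after the last structural pipe, so a forms logon name that itself contains a pipe would be ambiguous; the encoder rejects it for that reason, and SharePoint's own encoder is the authority for anything this table doesn't cover.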
#demos
• Create a custom login page
  – Multiple authentication: automatic redirect
  – Simple audit logging
  – Update SPUser display name and e-mail
• Create a custom Security Token Service
  – Provide centralized authentication for many Relying Parties
  – Single sign-on across Relying Parties
  – Can have a pluggable authentication model with multiple providers
• Create a custom claim provider
  – Augmentation: provide additional claims for the identity
  – Resolution: allow name resolution in the People Picker
  – Use claims for normalization or authorization (claims-based security)

Wrap-up
• Multiple authentication
• Use claims for securing content
• Single sign-on across RPs and apps
• Decouple authentication from SharePoint
• Recommended authentication model for SharePoint

Resources
• Implementing Claims-Based Authentication with SharePoint Server 2010 – http://bit.ly/ozwB17
• Claims authentication against Windows Live ID for SharePoint 2010 – http://bit.ly/aXKMCp
• Converting EPiServer 6 to use claims-based authentication with WIF – http://bit.ly/c71Ipl
• Ventigrate Codeplex: External User Management – http://bit.ly/JMtpc4
• Claims Walkthrough: Writing Claims Providers for SharePoint 2010 – http://bit.ly/aNPypt
• The Identity Guy – http://bit.ly/qYhItd
• How Claims encoding works in SharePoint 2010 – http://bit.ly/yqpwR7
• How to Get All User Claims at Claims Augmentation Time in SharePoint 2010 – http://bit.ly/gX3V3p
• Custom Security Token Service (WIF 4.5) – http://bit.ly/14fGzb5
• How to make use of a custom IP-STS with SharePoint 2010 – http://bit.ly/Y7OnJB

THANK YOU
Steven Van de Craen
EMAIL: steven.vandecraen@ventigrate.be
BLOG: http://www.sharepointblogs.be/blogs/vandest
TWITTER: @vandest1
