SlideShare a Scribd company logo

Claims Based Identity In Share Point 2010

Steve Sofian, profile picture
Steve Sofian

This document discusses claims-based identity in SharePoint 2010. SharePoint 2010 uses claims-based authentication which allows users to sign in using multiple identity providers. Claims are issued by an authority to describe attributes of a user. SharePoint acts as a claims-based application by using a security token service to authenticate users and issue claims. The document covers configuring claims providers and incoming/outgoing claims to provide identity and access across SharePoint and external applications.

1 of 46
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Claims based Identity in SharePoint 2010Chyan Yee GohConsultantMicrosoft Singapore
AgendaClaims Identity ModelSharePoint as a Claims-Based ApplicationIncoming vs. Outgoing claimsConfiguring Claims
But first, a quick Primer
Identity and Identity ProvidersYour Digital Persona composing of attributes/identifiers
Claim
Identity vs ClaimsAn Identity is a set of attributes to describe a user such as name, e-mail, age, group membership, etc.A Claim is issued by some authority that claims to have the attribute and its valueVS
User Identity is a set of claimsFor authorization decisions, your app needs to decide which “claim” you will trust.Trustdepends on scenario not on technical capability
The AirportBirth RecordsAirlineICATrustGate AgentPassportPassportNeed PassportBoarding PassBoarding Pass
Issuers and Security TokensIssues security tokensCollection of claimsFormats - SAML
Security Token Service (STS)Web Service that issues claims and packages security tokens.Supports multiple credential typesIP-STS and RP-STS.An IP-STS is an STS that issues tokens that can be used to request service tokens from RP-STSs. An RP-STS can also consume other types of tokens (or credentials), for example an NT token that comes from the domain controller or the (KDC)STSs can be chainedAn STS is not always a web service: passive profile
Active Directory Federation Services v2.0 aka Geneva ServerAn open platform that provides user access and single sign-on for on-premises and cloud based applicationsIt is an Enterprise Identity Provider and IssuerExposes a Security Token Service
Relying PartyAn application that relies on claims is a claims-based application. Relying Party Security Token Service (RP-STS)
SharePoint as a Claims-based applicationSharePoint STS is always relying party STS Built on Windows Identity Foundation (WIF)Multiple authentication typesIdentity Provider neutralConfigured via Central Admin or PowerShell Delegation of user identity between service applications.
SharePoint STSSharePoint Secure Token ServiceUses Windows Identity FoundationSecurity Token (SAML 1.1)encapsulates assertionsattributes specified by a policyEnables authorizationAuthenticates user (FBA scenario only)Issued by STS
SharePoint Claims OverviewSharePoint STSIP-STSTrustWeb AppSend tokenIssue tokenIssue tokenSend tokenAuthenticateSend Cookie
Administration
Identity Normalization-Classic-ClaimsNT TokenWindows IdentityNT TokenWindows IdentitySAMLADFS, etc.ASP.Net (FBA)SAL, LDAP, Custom …SAML TokenClaims Based IdentitySPUser
Configure Authentication
Configure Authentication
Authentication Providers
Administrationdemo
Incoming Claims – Sign In
Sign-inScenariosSign-in to SharePoint with both Windows and LDAP directory IdentityEasily configure Intranet and Extranet users for CollaborationIntegrate with other customer identity systems (eg. ADFS, etc.)Use Office Applications with non-Windows Authentication
Sign-in
Mixed mode vs multi-auth
Office non-Windows sign-in
Claims ProvidersRetrieve and expose claims For augmentationInsert claims into the Security TokenFor setting permissionsgive access to “all folks 60 and above” Deployed via WSP (Farm Scope)Registration available in PowerShell only
Claims Picker
Incoming Claimsdemo
What changed in SharePoint 2010FBA users are Claims IdentitiesClaims identity is created instead of ASP.Net Generic identitySTS calls membership provider to validate user and issues a claims tokenRoles are converted to claimsMixed mode environmentsAll principals are available in all zonesUtilizing Claims to authorize access
Outgoing Claims - Services
Services ScenariosShow user’s PayStub in LOB data without credentials (intranet)Show real-time order status from supplier inside the enterprise Portal (extranet or internet)Securely deploy SharePoint farm(s) for user identity delegation
Interoperating w/ ServicesWeb Front EndWindows IdentityClaims IdentitySign-InWeb part, etc.SharePoint STSSAML/OAuth1Windows IdentityFramework2Client Proxy{Token}3WS-*/SAML4TrustClaims TokenSAMLApp Server{Claims Principal}SharePoint STSWindows Identity Framework5Service AuthorizationKerberos C/DSharePoint Service6C2WTS*CredentialsLegacyLOBSecure Store Service*C2WTS = Claims to Windows Token Service
Simple External ListLOB ApplicationSharePointSP STSWeb ServiceTrust4352External ListLOB Data SourceBCS167
X-Boundary ServicesLOB ApplicationSharePointEnterprise STSSP STSEnterprise STSTrust2Web Service3LOB Data Source5BCSInternetExternal List1467
Forms Based AuthenticationExposed through Claims ModeImplemented as a Claims ProviderUpgradeInplace – ACLS updated, web.config notDBAttach – ACLs updated, no need to update configProvider Neutrale.g. SQL, LDAP etc
What changed in FBAFBA users are exposed through ClaimsClaims identity is created instead of generic identitySTS talks to membership provider to validate user and issues a claims tokenValidateUser() must be implemented by membership providersRoles are converted to claimsMixed mode environments
SharePoint Server installationSetup will remain the sameWindows Classic auth will be enabled by default:This means that auth won’t be part of setup UIIn admin pages the user will be able to modify settings of claims auth and/or add more sign-in methodsIn upgrade scenario we won’t switch to claims auth by default
Configure / Upgrade FBA sitesSetup FBA-Claims (improved flow)Create authentication providerCreate or configure existing web app to use that authentication providerAdd membership / role provider entries toCentral admin web.configWeb app web.configSTS web.configUpgrade FBA web applicationsUser must update web.config(s)Set the web app/zone to FBA-Claims to trigger user migration
Why 3 web.config locations?Central adminNeeds the references of all providers to enable picking of principals from any providerSTS web.config (Security Token Service app)Needs the references of all providers in order toAuthenticate userGet roles of user (which are converted to claims) FBA Web application web.configNeeds “system claims membership provider” Automatically configured OOB during installCustomer defined membership / role providerTo enable picking of FBA users & roles
Web.config example<Configuration> <system.web> <membership defaultProvider="AspNetSqlMembershipProvider"> <providers> <add name="membership" type="LdapMembershipProvider,…               server="redmond.corp.microsoft.com"              port="389"              …/>  </providers> </membership> <roleManager enabled="true" defaultProvider=“MyRoleProv" >   <providers>  <add name="roleManager“ type="LdapRoleProvider, …             server="redmond.corp.microsoft.com"              …   </providers> </roleManager>
Upgrade FBA: Powershell sample>$ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager">$wa = New-SPWebApplication -Name “My Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount“domain\appool"-Url http://servername -Port 80 -AuthenticationProvider $ap*Note The ApplicationPoolAccount needs to be a managed account on the farmModify the Web.config files (Central Admin, Security Token Service, Forms Web App)
BenefitsSupport existing Identity infrastructureActive DirectoryLDAP, SQLFederation GatewaysWebSSO and Identity Management systemsEnable automatic, secure identity delegationSupport “no-credential” connections to External web servicesConsistent API to develop SharePoint solutions
ResourcesA Guide to Claims-Based Identity and Access Control — Book Download (http://www.microsoft.com/downloads/details.aspx?FamilyID=4c09ffe4-43dd-4fcc-be35-c897c9bc4386&displaylang=en)Walkthrough: Writing a Claims Provider (http://msdn.microsoft.com/en-us/library/ff699494.aspx)Share-n-dipity(Steve Peschka’s Blog) (http://blogs.technet.com/b/speschka/)
Key TakeawaysNEW way of Identity in SharePointBuilt on Standards for interoperabilityOffice Client support for non-Windows Auth
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related Content

PPTX
Extending SharePoint 2010 to your customers and partners
Corey Roth
 
PPTX
DD109 Claims Based AuthN in SharePoint 2010
Spencer Harbar
 
PPTX
AD FS Workshop | Part 2 | Deep Dive
Granikos GmbH & Co. KG
 
PPTX
SharePoint 2013 and ADFS
Natallia Makarevich
 
PPTX
The Who, What, Why and How of Active Directory Federation Services (AD FS)
Jay Simcox
 
PDF
e-SUAP - Security - Windows azure access control list (english version)
Sabino Labarile
 
PPTX
Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group
EPC Group
 
PDF
Single Sign-On Best Practices
Salesforce Developers
 
Extending SharePoint 2010 to your customers and partners
Corey Roth
 
DD109 Claims Based AuthN in SharePoint 2010
Spencer Harbar
 
AD FS Workshop | Part 2 | Deep Dive
Granikos GmbH & Co. KG
 
SharePoint 2013 and ADFS
Natallia Makarevich
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
Jay Simcox
 
e-SUAP - Security - Windows azure access control list (english version)
Sabino Labarile
 
Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group
EPC Group
 
Single Sign-On Best Practices
Salesforce Developers
 

What's hot (14)

PPT
Ad fs
Iván Sanchez Vera
 
PDF
Introducing SAML 2.0 Protocol: Security and Performance
Amin Saqi
 
PDF
Series of Visual Flow Diagrams
Mike Reams
 
DOC
TMCnet final
Heather Tomlin
 
PDF
Ubisecure release spring_2014_use cases_sls
Charles Sederholm
 
PPTX
SPS Belgium 2015 - High-trust Apps for On-Premises Development
Edin Kapic
 
PDF
RESTful Day 5
Akhil Mittal
 
PDF
Claim based authentaication
Sean Xiong
 
DOCX
SAML 2
Steward_John
 
PPT
Siebel Web Service
NAVINKUMAR RAI
 
PPTX
Creating a Sign On with Open id connect
Derek Binkley
 
PDF
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
PDF
Microsoft mobile services
Maksym Davydov
 
PPT
Oracle World 2002 Leverage Web Services in E-Business Applications
Rajesh Raheja
 
Ad fs
Iván Sanchez Vera
 
Introducing SAML 2.0 Protocol: Security and Performance
Amin Saqi
 
Series of Visual Flow Diagrams
Mike Reams
 
TMCnet final
Heather Tomlin
 
Ubisecure release spring_2014_use cases_sls
Charles Sederholm
 
SPS Belgium 2015 - High-trust Apps for On-Premises Development
Edin Kapic
 
RESTful Day 5
Akhil Mittal
 
Claim based authentaication
Sean Xiong
 
SAML 2
Steward_John
 
Siebel Web Service
NAVINKUMAR RAI
 
Creating a Sign On with Open id connect
Derek Binkley
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
Microsoft mobile services
Maksym Davydov
 
Oracle World 2002 Leverage Web Services in E-Business Applications
Rajesh Raheja
 
Ad

Similar to Claims Based Identity In Share Point 2010 (20)

PPTX
AAD B2C custom policies
Rory Braybrook
 
PPT
Intro to AppExchange - Building Composite Apps
dreamforce2006
 
PPTX
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
Brian Culver
 
PPTX
Integrating Force.com with Heroku
Pat Patterson
 
PPTX
SharePoint 2010 authentications
Wyngate Solutions
 
PPT
Luminis Iv To Exchange Labs
Melissa Miller
 
PPT
SOA Security - So What?
Oliver Pfaff
 
PDF
Understanding Claim based Authentication
Mohammad Yousri
 
PPT
Castle in the Clouds: SaaS Enabling JavaServer™ Faces Applications (JavaOne 2...
Lucas Jellema
 
PPT
Extending Oracle SSO
kurtvm
 
PDF
Dave Carroll Application Services Salesforce
deimos
 
PDF
Office 365 identity
Motty Ben Atia
 
PPT
Bh Win 03 Rileybollefer
Timothy Bollefer
 
PPT
DIWD Concordia
Paul Madsen
 
PDF
Authentication with OAuth and Connected Apps
Salesforce Developers
 
PPT
Implementation of ssl injava
tanujagrawal
 
PDF
How to use Informatica Power Center as a RESTful Web Service Client?
AmeliaWong21
 
PDF
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
PDF
MongoDB World 2019: Securing Application Data from Day One
MongoDB
 
PPTX
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Joris Poelmans
 
AAD B2C custom policies
Rory Braybrook
 
Intro to AppExchange - Building Composite Apps
dreamforce2006
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
Brian Culver
 
Integrating Force.com with Heroku
Pat Patterson
 
SharePoint 2010 authentications
Wyngate Solutions
 
Luminis Iv To Exchange Labs
Melissa Miller
 
SOA Security - So What?
Oliver Pfaff
 
Understanding Claim based Authentication
Mohammad Yousri
 
Castle in the Clouds: SaaS Enabling JavaServer™ Faces Applications (JavaOne 2...
Lucas Jellema
 
Extending Oracle SSO
kurtvm
 
Dave Carroll Application Services Salesforce
deimos
 
Office 365 identity
Motty Ben Atia
 
Bh Win 03 Rileybollefer
Timothy Bollefer
 
DIWD Concordia
Paul Madsen
 
Authentication with OAuth and Connected Apps
Salesforce Developers
 
Implementation of ssl injava
tanujagrawal
 
How to use Informatica Power Center as a RESTful Web Service Client?
AmeliaWong21
 
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
MongoDB World 2019: Securing Application Data from Day One
MongoDB
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Joris Poelmans
 
Ad

Claims Based Identity In Share Point 2010

  • 1. Claims based Identity in SharePoint 2010Chyan Yee GohConsultantMicrosoft Singapore
  • 2. AgendaClaims Identity ModelSharePoint as a Claims-Based ApplicationIncoming vs. Outgoing claimsConfiguring Claims
  • 3. But first, a quick Primer
  • 4. Identity and Identity ProvidersYour Digital Persona composing of attributes/identifiers
  • 6. Identity vs ClaimsAn Identity is a set of attributes to describe a user such as name, e-mail, age, group membership, etc.A Claim is issued by some authority that claims to have the attribute and its valueVS
  • 7. User Identity is a set of claimsFor authorization decisions, your app needs to decide which “claim” you will trust.Trustdepends on scenario not on technical capability
  • 8. The AirportBirth RecordsAirlineICATrustGate AgentPassportPassportNeed PassportBoarding PassBoarding Pass
  • 9. Issuers and Security TokensIssues security tokensCollection of claimsFormats - SAML
  • 10. Security Token Service (STS)Web Service that issues claims and packages security tokens.Supports multiple credential typesIP-STS and RP-STS.An IP-STS is an STS that issues tokens that can be used to request service tokens from RP-STSs. An RP-STS can also consume other types of tokens (or credentials), for example an NT token that comes from the domain controller or the (KDC)STSs can be chainedAn STS is not always a web service: passive profile
  • 11. Active Directory Federation Services v2.0 aka Geneva ServerAn open platform that provides user access and single sign-on for on-premises and cloud based applicationsIt is an Enterprise Identity Provider and IssuerExposes a Security Token Service
  • 12. Relying PartyAn application that relies on claims is a claims-based application. Relying Party Security Token Service (RP-STS)
  • 13. SharePoint as a Claims-based applicationSharePoint STS is always relying party STS Built on Windows Identity Foundation (WIF)Multiple authentication typesIdentity Provider neutralConfigured via Central Admin or PowerShell Delegation of user identity between service applications.
  • 14. SharePoint STSSharePoint Secure Token ServiceUses Windows Identity FoundationSecurity Token (SAML 1.1)encapsulates assertionsattributes specified by a policyEnables authorizationAuthenticates user (FBA scenario only)Issued by STS
  • 15. SharePoint Claims OverviewSharePoint STSIP-STSTrustWeb AppSend tokenIssue tokenIssue tokenSend tokenAuthenticateSend Cookie
  • 17. Identity Normalization-Classic-ClaimsNT TokenWindows IdentityNT TokenWindows IdentitySAMLADFS, etc.ASP.Net (FBA)SAL, LDAP, Custom …SAML TokenClaims Based IdentitySPUser
  • 23. Sign-inScenariosSign-in to SharePoint with both Windows and LDAP directory IdentityEasily configure Intranet and Extranet users for CollaborationIntegrate with other customer identity systems (eg. ADFS, etc.)Use Office Applications with non-Windows Authentication
  • 25. Mixed mode vs multi-auth
  • 27. Claims ProvidersRetrieve and expose claims For augmentationInsert claims into the Security TokenFor setting permissionsgive access to “all folks 60 and above” Deployed via WSP (Farm Scope)Registration available in PowerShell only
  • 30. What changed in SharePoint 2010FBA users are Claims IdentitiesClaims identity is created instead of ASP.Net Generic identitySTS calls membership provider to validate user and issues a claims tokenRoles are converted to claimsMixed mode environmentsAll principals are available in all zonesUtilizing Claims to authorize access
  • 31. Outgoing Claims - Services
  • 32. Services ScenariosShow user’s PayStub in LOB data without credentials (intranet)Show real-time order status from supplier inside the enterprise Portal (extranet or internet)Securely deploy SharePoint farm(s) for user identity delegation
  • 33. Interoperating w/ ServicesWeb Front EndWindows IdentityClaims IdentitySign-InWeb part, etc.SharePoint STSSAML/OAuth1Windows IdentityFramework2Client Proxy{Token}3WS-*/SAML4TrustClaims TokenSAMLApp Server{Claims Principal}SharePoint STSWindows Identity Framework5Service AuthorizationKerberos C/DSharePoint Service6C2WTS*CredentialsLegacyLOBSecure Store Service*C2WTS = Claims to Windows Token Service
  • 34. Simple External ListLOB ApplicationSharePointSP STSWeb ServiceTrust4352External ListLOB Data SourceBCS167
  • 35. X-Boundary ServicesLOB ApplicationSharePointEnterprise STSSP STSEnterprise STSTrust2Web Service3LOB Data Source5BCSInternetExternal List1467
  • 36. Forms Based AuthenticationExposed through Claims ModeImplemented as a Claims ProviderUpgradeInplace – ACLS updated, web.config notDBAttach – ACLs updated, no need to update configProvider Neutrale.g. SQL, LDAP etc
  • 37. What changed in FBAFBA users are exposed through ClaimsClaims identity is created instead of generic identitySTS talks to membership provider to validate user and issues a claims tokenValidateUser() must be implemented by membership providersRoles are converted to claimsMixed mode environments
  • 38. SharePoint Server installationSetup will remain the sameWindows Classic auth will be enabled by default:This means that auth won’t be part of setup UIIn admin pages the user will be able to modify settings of claims auth and/or add more sign-in methodsIn upgrade scenario we won’t switch to claims auth by default
  • 39. Configure / Upgrade FBA sitesSetup FBA-Claims (improved flow)Create authentication providerCreate or configure existing web app to use that authentication providerAdd membership / role provider entries toCentral admin web.configWeb app web.configSTS web.configUpgrade FBA web applicationsUser must update web.config(s)Set the web app/zone to FBA-Claims to trigger user migration
  • 40. Why 3 web.config locations?Central adminNeeds the references of all providers to enable picking of principals from any providerSTS web.config (Security Token Service app)Needs the references of all providers in order toAuthenticate userGet roles of user (which are converted to claims) FBA Web application web.configNeeds “system claims membership provider” Automatically configured OOB during installCustomer defined membership / role providerTo enable picking of FBA users & roles
  • 41. Web.config example<Configuration> <system.web> <membership defaultProvider="AspNetSqlMembershipProvider"> <providers> <add name="membership" type="LdapMembershipProvider,…               server="redmond.corp.microsoft.com"              port="389"              …/>  </providers> </membership> <roleManager enabled="true" defaultProvider=“MyRoleProv" >   <providers>  <add name="roleManager“ type="LdapRoleProvider, …             server="redmond.corp.microsoft.com"              …   </providers> </roleManager>
  • 42. Upgrade FBA: Powershell sample>$ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager">$wa = New-SPWebApplication -Name “My Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount“domain\appool"-Url http://servername -Port 80 -AuthenticationProvider $ap*Note The ApplicationPoolAccount needs to be a managed account on the farmModify the Web.config files (Central Admin, Security Token Service, Forms Web App)
  • 43. BenefitsSupport existing Identity infrastructureActive DirectoryLDAP, SQLFederation GatewaysWebSSO and Identity Management systemsEnable automatic, secure identity delegationSupport “no-credential” connections to External web servicesConsistent API to develop SharePoint solutions
  • 44. ResourcesA Guide to Claims-Based Identity and Access Control — Book Download (http://www.microsoft.com/downloads/details.aspx?FamilyID=4c09ffe4-43dd-4fcc-be35-c897c9bc4386&displaylang=en)Walkthrough: Writing a Claims Provider (http://msdn.microsoft.com/en-us/library/ff699494.aspx)Share-n-dipity(Steve Peschka’s Blog) (http://blogs.technet.com/b/speschka/)
  • 45. Key TakeawaysNEW way of Identity in SharePointBuilt on Standards for interoperabilityOffice Client support for non-Windows Auth
  • 46. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.