ESPC15 - Extending Authentication and Authorization
Download as PPTX, PDF0 likes3,790 views
The document discusses authentication and authorization in SharePoint, focusing on claims-based authentication and the role of claims and identity providers. It explains various SharePoint authentication options, including federated authentication and how claims can be transformed and utilized for user identity. The document emphasizes the importance of understanding claims-based identity as a means to decouple user authentication from user identity.
ESPC15 - Extending Authentication and Authorization
- 2. Edin Kapić • SharePoint Senior Architect & Team Lead in Sogeti, Barcelona • President of SharePoint User Group Catalonia (SUG.CAT) • Writer at Pluralsight • SharePoint Server Office Servers and Services MVP • Tinker & geek Email : mail@edinkapic.com Twitter : @ekapic LinkedIn : edinkapic
- 3. Agenda • SharePoint, Authentication and Authorization • Claims • Claims-based Authentication • Claims-based Authorization • Claims Augmentation and Transformation • Claims Providers • Federated Authentication
- 4. SharePoint, Authentication & Authorization SharePoint Web App Authentication Provider SPUser Site Collection Site SPRoleAssignment Authentication Authorization
- 5. SharePoint Authentication • SharePoint doesn’t authenticate by itself • It keeps user details in the user profile database and user information lists in each site collection
- 6. SharePoint Authorization • Associated with principals • Authenticated users • Groups (SharePoint or AD) • Claims • App Add-in identities
- 7. SharePoint 2013 Authentication Options • “Classic” Windows • Deprecated • Claims-based • Windows tokens • FBA • SAML 1.1 Windows NTLM Token Windows NTLM Token FBA User SAML 1.1 Token SAML Token SPUser
- 8. App Add-In Authentication • Add-ins have identity and can be assigned permissions • Add-ins are principals, together with users and groups • Add-in identity vs User identity • Add-ins use OAuth to authenticate • Low-trust add-ins use 3-legged OAuth (with ACS broker) • High-trust add-ins use self-signed tokens
- 9. Claims • A claim is a piece of your identity, claimed by some authority • Claims are received upon presenting credentials to a claims provider • Claims providers are trusted • Examples • Employee badge • Name, department, clearance • Boarding passes • Flight, seat, class, name • Paper Wristbands • Ticket type, extra services
- 10. Real-world Claims Identity Claims Specific Claims Claims encoded and signed Thanks to Spencer Harbar for the original idea
- 11. SharePoint Claims Claim Type Claim Value Issuer Original Issuer http://schemas.xmlsoap.org /ws/2005/05/identity/claim s/nameidentifier demoekapic SharePoint SharePoint http://schemas.xmlsoap.org /ws/2008/06/identity/claim s/primarysid S-1-5-21-4067827123- 213488314-8760374- 513 SharePoint Windows http://schemas.xmlsoap.org /ws/2005/05identity/claims /upn ekapic@demo.local SharePoint Windows http://schemas.microsoft.co m/sharepoint/2009/08/clai ms/userid 0#.w|demoekapic SharePoint SecurityTokenService
- 12. Claims Authentication • SharePoint augments and transforms the incoming claims to a normalized claims identity • Can be done by more than one claims provider • Decouples the authentication method from the user identity • For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 to allow converting claims back into Windows identities
- 13. Claims Authorization • Any claim can be used as a security principal in SharePoint • Flexible alternative to security groups • Claims can be surfaced by the identity token service or custom claims provider in People Picker
- 14. Claim Providers • Augment and surface the claims for People Picker • Can be generic or bound to a Trusted Identity Provider • Inherits from SPClaimProvider abstract class
- 15. Claims Augmentation and Surfacing Desired claim provider feature Implements Claims augmentation FillClaimsForEntity SupportsEntityInformation Claims surfacing in People Picker FillSchema FillClaimTypes FillClaimValueTypes FillEntityTypes Claims hierarchy in People Picker left side FillHierarchy SupportsHierarchy Resolving typed claims in People Picker FillResolve SupportsResolve Searching for claims in People Picker FillSearch SupportsSearch
- 17. Federated Authentication • When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication • Third-party Secure Token Service (STS) issues a security token with claims • This token is trusted by “clients” (Relying Parties, RP) as the STS is trusted by them • Tokens are digitally signed
- 18. Federated Authentication • ID cards or passports are real-world examples of federated authentication
- 19. Federated Identity Providers • Microsoft Active Directory Federation Services (ADFS) • Microsoft Azure Active Directory • Thinktecture IdentityServer • Shibboleth • IBM Federated Identity Manager • ...
- 20. Active Directory Federation Services (ADFS) • Part of Windows Server features • Can transform AD into a federated IdP • Doesn’t manage users directly, but claims, identity providers and relying parties
- 21. Azure Active Directory (AAD) • “AD and ADFS in the cloud” • Part of Azure / Office 365 offering • Underpins the most of the Office 365 / Azure hybrid architectures
- 22. Thinktecture IdentityServer • Open-source IdP based on .NET and Windows Identity Framework • Modular architecture
- 24. Summary • Claims-based identity and authorization are the only way forward, so make sure that you understand them well • You can decouple user authentication from the user identity • You can extend your user identity with additional claims • You can get your user identity from somewhere else
- 25. Further Reading • Steve Peschka’s blog https://samlman.wordpress.com • Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/ • A Guide to Claims-Identity and Access Control https://msdn.microsoft.com/en-us/library/ff423674.aspx
- 26. Thank you! Tack så mycket!
Editor's Notes
- #2: In the two latest versions of SharePoint, we have seen how Claims-based authentication have taken over the traditional Windows and FBA authentication. Now we have federated identity with services such as Active Directory Federation Services (ADFS) and Azure Active Directory (AAD) and the authorization is handled by OAuth in the app model. But still, the vast majority of the deployments still use plain vanilla AD or LDAP authentication, without exploiting its flexibility and adaptability to a variety of scenarios. In this session you will learn how to extend the authentication and authorization with custom claim providers, claim augmentation and transformation. In this session you will: - Acquaint yourself with the authorization/authentication mechanism in SharePoint/Office 365 - Learn how to extend and adapt the authentication/authorization to fit your needs - Get to know the benefits of using ADFS for identity federation