How Claims is Changing the Way We Authenticate and Authorize in SharePoint

Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
How Claims is Changing the Way
We Authenticate and Authorize
in SharePoint
Email: Antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.
About Protiviti
INDIA (3)
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in
over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We
also work with smaller, growing companies, including those looking to go public, as well as with government
agencies.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert
Half International is a member of the S&P 500 index.
• 2,500+
professionals
• 1,000+ clients
• 70+ offices
• Over 20
countries in
the Americas,
Europe and
Asia-Pacific
Protiviti is one of
the fastest
growing
consulting firms
worldwide. Our
revenues have
increased from
US $15 million in
2002, to US
$423.8 million in
2011.

• Introduction to the Concept of Claims
– Types of Claims Retrieved – How do I know which ones?
• Authentication vs Authorization
– Claims Based Authentication
– Using Claims for Authorization
– Permissions
– People Picker
• Architecture and Trusted Identity Providers
– Enabling Claims Based Authorization with Trusted Identity Providers
– Customizing Claims Authentication Process
– Augmenting Claims with Custom Claim Providers
• Common Customer Needs and Scenarios
Agenda

• User attributes
• Metadata about a user
• AD attributes/LDAP attributes
What is a Claim?
What’s Missing?

Trust!

What is a Claim?
Claims are trusted assertions I make about myself
– Identity attributes retrieved from a trusted identity provider
– Digitally signed so that I can verify the identity provider
– Packaged and signed in a standards-based way (ex. SAML)
(SAML = Security Assertion Markup Language)
Allow me to take my identity across network
boundaries in a trusted and secure way!

• Name Antonio Maio
• Email antonio.maio@protiviti.com
• Company, Department Protiviti, SharePoint Practice
• Security Clearance Secret (Canada)
• Military Rank <none>
• Employment Status FTE
• Over 18 Years Old Yes
• Valid Driver’s License Yes
• Country of Birth Canada
• Citizenship Canadian, Italian
• Residence Dallas, Texas, USA
Consider, why do you trust them?
Claims About Me

Authentication
The process of determining that someone is who they say they are
• Typically done today through username/password
SharePoint 2013 – Claims Based Authentication is the default Auth’n method
• New Web Applications are Claims Enabled
• Classic Mode authentication has been deprecated - Only thru PowerShell
How do Claims all us to go beyond classic authentication?
 Single Sign-On across systems in different domains
 Federate between SharePoint On Premise and O365
 Verify additional info about a user during the authentication process
 Required for new SharePoint 2013 features like Server-server Auth,
App Authentication

Configuring Claims Based Authentication
• Central Admin > Manage Web
Applications > New Web Application
• By default claims enabled
• SSL is required for most scenarios
• Trusted identity providers
• Server to Server Authentication
• App Authentication
• Select your Authentication Protocol
• Windows Auth: NTLM or Kerberos
• Forms Based
• Trusted Identity Provider (SAML)
or some combination…

Configuring Claims Based Authentication
PowerShell
• Ensure you have the correct permissions
(securityadmin and dbowner on DB, part of administrators group on server)
• Sample:
$ap = New-SPAuthenticationProvider
New-SPWebApplication -Name "Contoso Internet Site" -Port 443 -HostHeader sharepoint.contoso.com -
URL "https://www.contoso.com" -ApplicationPool "ContosoAppPool" -ApplicationPoolAccount (Get-
SPManagedAccount "DOMAINjdoe") -AuthenticationProvider $ap -SecureSocketsLayer
New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount
<ApplicationPoolAccount> -URL <URL> -Port <Port> -AuthenticationProvider $ap
Where:
<Name> is the name of the new web application that uses claims-based authentication.
<ApplicationPool> is the name of the application pool.
<ApplicationPoolAccount> is the user account that this application pool will run as.
<URL> is the public URL for this web application.
<Port> is the port on which the web application will be created in IIS.

Types of Claims Retrieved
• Standard Claims
– Only claims retrieved when using
NTLM/Kerberos
– Only claims supported through Office
365/SharePoint Online
• Custom Claims
– Trusted Identity Provider required:
ADFS, Ping Federate, Thinktecture, etc.
Name identifier
Primary SID
Primary Group
SID
UPN
User Logon Name
User ID
Name
Identity
Provider
Name Issuer
Is
Authenticated
Farm ID
Role
Group SID

How do I know which claims were
retrieved?
• Use the SharePoint Claims Web Part developed by
Steve Peschka
Download and Configuration instructions available here:
http://www.trustsharepoint.com/2013/04/how-do-i-know-which-claims-were.html

Authorization
Determining what resources users are permitted to access and
what actions they’re permitted to perform
• Typically through permissions in SharePoint
• How do claims allow us to go beyond simple Permissions?
 Be specific to the user
 Be done without knowing who the user is
 Be dynamic – ex. changes in a user’s security clearance are reflected
 Include environmental attributes (current time, GEO location, connection
type, etc.)
 Be an alternative to security groups – Groups do not scale
 Example: user must be part of GroupA and GroupB and GroupC to access a
resources

Simple Permission Examples
Users and Groups
• Finance AD Group has Full Control on Library A
• ProjectXContractor SP Group has Read access on site B
• Antonio.Maio AD user has Contribute access on Document C
Principle
(user or group)
Permission Level
(collection of permissions)
Information Object
(item or container)

Permission Examples: Claims
• Remember: Claims are trusted attributes about a user
• May assign a Claim as part of a permission to an object or
container (just like a user or group)
• ‘SecurityClearance=Secret’ has Full Control access on Document X
• ‘ITARCleared=True’ has Read access on Library Y
• ‘EmploymentStatus=FTE’ has Contribute access on Site Z
Principle
(a claim in this case)
Permission Level
(collection of permissions)
Information Object
(item or container)

People Picker
1. Type the value of the claim in the Find
field (Top Secret in our example)
Note: people picker cannot resolve values. Typos will
appear here as if they are valid values. It will display
multiple valid selections for your value, one for each
claim type available.
2. Next, you select the attribute type in
the All Search Results list on the left
side – in our case we select Clearance.
3. The list on the right side will then
reduce the view to one selection for
the attribute type selected. Select that
attribute type in the right list now.
4. Click the Add button, and then click OK

People Picker and Assigning Permission
• Once the claim is selected it
can be assigned as a
permission with a permission
level to some securable
object

Enabling Claims Based Authorization
 Planning Required
 Driven by a need to secure information at more granular level
 Standard Claims Typically are Not Sufficient
 Determining policies, claims, getting stakeholders to agree, etc.
 Which trusted identity provider? Which attribute store?
 Infrastructure Required
 Storing, managing, retrieving, transforming, trusting claims
 Configuration Required
 Deploying Identity Provider, Connecting it to SharePoint, Configuring
Trust, Sign-in, Claims Rules

Enabling Claims Based Authorization
 High Level Steps
1. Create the SharePoint 2013 Web Application
2. Install and Configure an STS Server (Secure Token Server)
• Ex. Deploy ADFS, Domain Joined Server (possibly a farm)
3. Configure STS with the SharePoint web application as a Relying Party
• Configuration within ADFS
4. Configure SharePoint 2013 to trust STS as an Identity Provider
• Import ADFS Token Signing Certificate into IIS on SharePoint
• Use PowerShell to configure ADFS as Trusted Provider
5. Configure SharePoint Web Application to use Claims Based
Authentication and STS as the Trusted Identity Provider
• Within Central Admin

Relying
Party (RP)
Trusted Identity Provider (IP)
SharePoint
2013
Client System
Ex. web browser
Secure Token Server (STS)
EX. Active Directory
Federation Services
(ADFS)
Identity Store,
Attribute Store,
(AD, Database or
Directory)
3. Authenticate User,
Get info (claims)
about user
Token with
Claims
Format:
SAML/WS-Fed
4. Authenticated user,
attributes retrieved &
STS creates token
1. Sign In Page
5. User is authenticated
and SharePoint 2010
now has user’s claims &
knows it can trust them
Claims Based Auth’n/Auth’r Architecture
2. Requests authentication
(thru username/password)
and a token
Browser Redirect

Relying
Party (RP)
SharePoint
2013
Client System
Ex. web browser
Federation Services
(ADFS)
Identity Store,
Attribute Store,
(AD, Database or
Directory)
Get info (claims)
about user
Token with
Claims
Format:
SAML/WS-Fed
STS creates token
1. Sign In Page
5. User is authenticated
and SharePoint 2010
now has user’s claims &
knows it can trust them
Customizing Claims Authentication Process
2. Requests authentication
(thru username/password)
and a token
Browser Redirect
Custom Claim Provider
Custom Claim Provider
…
Claim Rule
Claim Rule
…
SQL DB,
LDAP, PKI
etc…
iAttributeStore …

• Select a Standards-based Identity Provider (SAML)
– Active Directory Federation Services 2.0 or later
• Supports full SAML 1.1 and 2.0 Tokens and Protocol
• Supports WS-Federation Tokens and Protocol
• SharePoint 2010/2013 use SAML 1.1 tokens and SAML 2.0 protocol
• Must authenticate against Active Directory
– Ping Federate (Commercial)
– Thinktecture (Open Source)
Trusted Identity Providers
Federation Services
(ADFS)
Identity Store,
Attribute Store,
(AD, Database or
Directory)
Get info (claims)
about user
Token with
Claims
Format:
SAML/WS-Fed
STS creates token

Augmenting Claims - Custom Claim Providers
• Used to Augment User Claims and Customize People Picker
• SharePoint farm level feature
• Can deploy more than one
• Called after user is authenticated
…and after Trusted Identity Provider has already returned claims
– Built on top of WIF (Windows Identity Framework)
– Used to augment claims or transform claims
– Used to customize the People Picker (ex. resolving claims through user search)

Custom Claim Provider Deployment
• Deployed as a Farm Level Feature Receiver – requires more code
– Must inherit from SPClaimProviderFeatureReceiver (lots of examples)
• Can deploy multiple claim providers
– Called in order of deployment
• Once deployed - Available in every web app, in very zone
– Can cause performance issues
– When user logs in, all Custom Claim Providers deployed get called
• Set IsUsedByDefault property in Feature Receiver Def'n to False
• Turn it on manually for required web apps

Common Customer Needs
• How do I secure access to sensitive information just to certain
people and only under certain conditions?
– (More) Fine Grained Access Control
– Sensitive content sitting beside non-sensitive content
• I have compliance requirements about who can access certain
types of data and when
– How do I enforce that without stopping business?

What Types of Claims are Useful?
• Military, Intelligence, Government Defense
– Security Clearance, Caveats, Communities of Interest
– Need to Know
• Commercial
– Department, Team or Role
– Current Date/Time, Current Device (BYOD)
– Group Membership with multiple groups
– Partner ID or Business ID (in partner extranet scenarios)
• Aerospace/Defense Contracting
– Nationality + Current Location
• Homeland Security
– Agency (law enforcement, emergency response, public health…)
– Scope or Level (local, state, federal), Current Threat Level

Intelligence Military Examples
Classification
Caveats
Need to Know
Security Clearance
Caveats
Groups
Has All
Has All
Has Minimum
Classification
Topics
Restrictions
Communities
Security Clearance
Topics
Restrictions
Communities
Has Minimum
Has Any
Not Have Any
Has All

Commercial Example
• Claim: Employee Status
• Document Metadata: Classification (HBI, MBI, LBI)
If employee.status = FTE and document.classification = HBI
Then permit access to document
If employee.status = Contract and document.classification = HBI
Then deny access to document

Government Example
• Claim: Client Case Numbers
• Document Metadata: Document Case Number
If document.case=X AND client.casenumbers includes X
Then permit access to document
If document.case=X AND client.casenumbers DOES NOT includes X
Then deny access to document

Summary
• Claims Based Authentication/Authorization still a new topic for many
people
– Allows us to take our identities across network boundaries in a trusted and
secure
– Enabling our move to the cloud – required for Identity Federation
• Claims Based Authentication is Default in SharePoint 2013
– Classic Mode is Deprecated (Still there in 2013 but will likely go away next
version)
• Claims are great tool for Enterprise-Grade Authentication and
Authorization
– Infrastructure and Planning Required to take advantage of it
– Leading SharePoint deployments in businesses, government and military to
more fine grained authorization

• 7th Annual Conference
• 6 SharePoint MVPs presenting
• Full-Day Training Workshops pre and post conference
• Separate tracks for Business Users, Technical Users & UX Professionals
• Government, Association, Nonprofit & Group Discounts Available
Get 15% off! Use: PRO15 when registering
Learn More & Register at SharePointConference.org
Dallas, TX
October 20, 2014

Antonio Maio
Protiviti, Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Thank You!
Email: Antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

How Claims is Changing the Way We Authenticate and Authorize in SharePoint

More Related Content

What's hot (20)

Viewers also liked (18)

Similar to How Claims is Changing the Way We Authenticate and Authorize in SharePoint (20)

More from AntonioMaio2 (17)

Recently uploaded (20)

How Claims is Changing the Way We Authenticate and Authorize in SharePoint