Claims based Identity in SharePoint 2010
Chyan Yee Goh, Consultant, Microsoft Singapore

Agenda
- Claims Identity Model
- SharePoint as a Claims-Based Application
- Incoming vs. Outgoing claims
- Configuring Claims
But first, a quick Primer
Identity and Identity Providers: your digital persona, composed of attributes/identifiers.
Claim
Identity vs Claims
An identity is a set of attributes that describe a user: name, e-mail, age, group membership, etc.
A claim is an assertion about one of those attributes and its value, issued by an authority that vouches for it. The application does not look the attribute up itself; it decides whether to believe the issuer.

User identity is a set of claims. For authorization decisions your app must decide which claims, from which issuer, it will trust. Trust depends on the scenario, not on technical capability.
The Airport (diagram): Birth Records -> ICA issues a Passport -> the Airline checks the Passport and issues a Boarding Pass -> the Gate Agent needs only the Boarding Pass. Each party trusts the issuer of the document it checks (the gate agent trusts the airline, the airline trusts ICA), not the traveller's own say-so.
Issuers and Security Tokens
- An issuer issues security tokens
- A security token is a collection of claims
- Format: SAML

Security Token Service (STS)
- A web service that issues claims and packages them into security tokens
- Supports multiple credential types
- IP-STS vs. RP-STS: an IP-STS (identity provider STS) issues tokens that can be used to request service tokens from RP-STSs; an RP-STS (relying party STS) can also consume other types of tokens or credentials, for example an NT token that comes from the domain controller (KDC)
- STSs can be chained
- An STS is not always a web service: in the passive profile the browser is redirected to it
Active Directory Federation Services v2.0 (aka "Geneva Server")
- An open platform that provides user access and single sign-on for on-premises and cloud-based applications
- It is an enterprise identity provider and issuer
- Exposes a Security Token Service

Relying Party
An application that relies on claims is a claims-based application. A Relying Party Security Token Service (RP-STS) is an STS that itself relies on tokens from another issuer and re-issues its own.

SharePoint as a claims-based application
- The SharePoint STS is always a relying-party STS: it consumes tokens from an identity provider and issues its own
- Built on Windows Identity Foundation (WIF)
- Multiple authentication types; identity-provider neutral
- Configured via Central Admin or PowerShell
- Delegation of user identity between service applications

SharePoint STS
- The SharePoint Security Token Service, built on Windows Identity Foundation
- Issues a security token (SAML 1.1) that encapsulates assertions: the attributes specified by a policy
- The token enables authorization inside SharePoint
- The STS authenticates the user itself only in the FBA scenario; Windows and SAML users are authenticated by Windows or by the external IP-STS before the SharePoint STS sees them
SharePoint Claims Overview (diagram): the user authenticates to the IP-STS, which issues a token; the browser sends that token to the SharePoint STS, which trusts the IP-STS and issues SharePoint's own token; the web application receives it and sends the browser a cookie (FedAuth) that carries the session from then on.
Administration
Identity Normalization (diagram)
- Classic: NT token -> Windows identity -> SPUser
- Claims: NT token / Windows identity; SAML (ADFS, etc.); ASP.NET FBA (SQL, LDAP, custom ...) -> SAML token -> claims-based identity -> SPUser
Whatever the sign-in method, the SharePoint STS normalizes the result into a SAML token and a claims-based SPUser, so the rest of SharePoint sees one kind of principal.
Configure Authentication
Authentication Providers
Administration demo
Incoming Claims – Sign In
Sign-in Scenarios
- Sign in to SharePoint with both Windows and LDAP directory identities
- Easily configure intranet and extranet users for collaboration
- Integrate with other customer identity systems (e.g. ADFS)
- Use Office applications with non-Windows authentication
Sign-in
Mixed mode vs multi-auth
Office non-Windows sign-in
Claims Providers
- Retrieve and expose claims
- For augmentation: insert claims into the security token
- For setting permissions: e.g. give access to "all folks 60 and above"
- Deployed via WSP (farm scope)
- Registration available in PowerShell only
Claims Picker
Incoming Claims demo
What changed in SharePoint 2010
- FBA users are claims identities: a claims identity is created instead of an ASP.NET generic identity
- The STS calls the membership provider to validate the user and issues a claims token
- Roles are converted to claims
- Mixed mode environments: all principals are available in all zones
- Claims are used to authorize access
Outgoing Claims - Services
Services Scenarios
- Show a user's pay stub from LOB data without prompting for credentials (intranet)
- Show real-time order status from a supplier inside the enterprise portal (extranet or internet)
- Securely deploy SharePoint farm(s) for user identity delegation

Interoperating w/ Services (diagram). On the web front end the user's Windows or claims identity becomes a claims identity at sign-in; a web part or other code runs under Windows Identity Foundation and a client proxy carries the SharePoint STS token to the app server over WS-*/SAML. The app server trusts the SharePoint STS, builds a claims principal with WIF and performs its own service authorization. For a legacy LOB system that cannot consume a SAML token, C2WTS (Claims to Windows Token Service) turns the claims identity back into a Windows token for Kerberos constrained delegation (Kerberos C/D), or the Secure Store Service supplies stored credentials.

Simple External List (diagram): an External List backed by BCS calls a LOB web service; the LOB application trusts the SharePoint STS, so the SharePoint-issued token authenticates the user to the service without separate credentials.

X-Boundary Services (diagram): the same pattern across an Internet boundary; the LOB application trusts an Enterprise STS, which in turn trusts the SharePoint STS, so tokens are chained across the trust boundary rather than credentials being shared.
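The outgoing-claims diagrams above end at a legacy LOB system that only understands Windows identities. The following script is an added example written for this page, not the deck's own script or Microsoft's, showing how that C2WTS plus Kerberos constrained delegation leg is set up so that a claims user reaches a SQL Server as that user and nothing else. DOMAIN\svc_c2wts, sp_apppool and MSSQLSvc/sql.contoso.com:1433 are placeholder names; the ProcessIdentity calls follow the documented pattern for changing a SharePoint service's identity and should be checked against your build.

```powershell
# Added example (not from the deck). Prepares the C2WTS + Kerberos constrained
# delegation path of the "Interoperating w/ Services" diagram, so a claims user's
# token can reach a legacy LOB system (a SQL Server here) as that user's Windows
# identity and nothing else. Placeholder names: DOMAIN\svc_c2wts, sp_apppool,
# sql.contoso.com. Run on a WFE as a farm admin with the AD RSAT tools installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$c2wtsAccount = 'DOMAIN\svc_c2wts'         # dedicated managed account, registered beforehand
$appPoolSam   = 'sp_apppool'               # the web application's app pool account
$backendSpn   = 'MSSQLSvc/sql.contoso.com:1433'

# 1. Run C2WTS under its own account (it needs "Act as part of the operating
#    system", "Impersonate a client after authentication" and "Log on as a
#    service" locally; grant those by policy, not by adding it to Domain Admins),
#    then start the service instance on each WFE that will call it.
$svc = @(Get-SPServiceInstance | Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' })[0].Service
$svc.ProcessIdentity.CurrentIdentityType = 'SpecificUser'
$svc.ProcessIdentity.Username = $c2wtsAccount
$svc.ProcessIdentity.Update()
$svc.ProcessIdentity.Deploy()
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' -and $_.Status -ne 'Online' } |
    Start-SPServiceInstance | Out-Null

# 2. Restrict who may ask C2WTS for a Windows token: only the IIS worker
#    process group (WSS_WPG, which the app pool account belongs to). Anything
#    that can reach the C2WTS named pipe and is listed here can obtain a token
#    for any user, so keep the list short.
$cfg = Join-Path $env:ProgramFiles 'Windows Identity Foundation\v3.5\c2wtshost.exe.config'
[xml]$doc = Get-Content $cfg
$callers = $doc.configuration.windowsTokenService.allowedCallers
if (-not ($callers.add | Where-Object { $_.value -eq 'WSS_WPG' })) {
    $add = $doc.CreateElement('add')
    $add.SetAttribute('value', 'WSS_WPG')
    $callers.AppendChild($add) | Out-Null
    $doc.Save($cfg)
    Restart-Service c2wts
}

# 3. Constrained delegation with protocol transition. C2WTS has no password for
#    the user, so both accounts need "trusted to authenticate for delegation",
#    and each may delegate only to the SPNs listed (never unconstrained delegation).
foreach ($sam in @($c2wtsAccount.Split('\')[1], $appPoolSam)) {
    Set-ADAccountControl -Identity $sam -TrustedToAuthForDelegation $true
    Set-ADUser -Identity $sam -Add @{ 'msDS-AllowedToDelegateTo' = @($backendSpn) }
}

# 4. Check: the delegation target list should contain only the intended SPNs.
Get-ADUser -Identity $appPoolSam -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The two settings that matter for least privilege are in steps 2 and 3: the allowedCallers list is the only thing standing between any local process and a Windows token for an arbitrary user, and msDS-AllowedToDelegateTo is what keeps a compromised app pool from using that token against every Kerberos service in the forest. Step 3 fails if a value is already present in the attribute; that is the safe failure, so leave it unhandled rather than clearing the list.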
Forms Based Authentication
- Exposed through claims mode; implemented as a claims provider
- Upgrade: in-place, ACLs updated, web.config not; DB attach, ACLs updated, no need to update config
- Provider neutral, e.g. SQL, LDAP, etc.

What changed in FBA
- FBA users are exposed through claims: a claims identity is created instead of a generic identity
- The STS talks to the membership provider to validate the user and issues a claims token
- ValidateUser() must be implemented by membership providers, because that is the call the STS makes
- Roles are converted to claims
- Mixed mode environments

SharePoint Server installation
- Setup remains the same: Windows classic auth is enabled by default, so authentication is not part of the setup UI
- In the admin pages the user can modify the claims auth settings and/or add more sign-in methods
- In an upgrade scenario the farm is not switched to claims auth by default

Configure / Upgrade FBA sites
Setup FBA-Claims (improved flow):
1. Create an authentication provider
2. Create a web application, or configure an existing one, to use that authentication provider
3. Add membership / role provider entries to the Central Admin web.config, the web application web.config and the STS web.config
Upgrade existing FBA web applications:
1. Update the web.config(s) as above
2. Set the web app/zone to FBA-Claims to trigger user migration

Why 3 web.config locations?
- Central Admin: needs references to all providers so principals from any provider can be picked
- STS web.config (Security Token Service application): needs references to all providers in order to authenticate the user and get the user's roles (which are converted to claims)
- FBA web application web.config: needs the "system claims membership provider" (configured out of the box during install) plus the customer-defined membership / role provider, to enable picking of FBA users and roles
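Once a zone is in claims mode, every principal SharePoint 2010 writes into an ACL or the user information list is an encoded claim string rather than a DOMAIN\user or provider:user name; that is the normalization the Identity Normalization diagram describes and the reason the FBA user migration above rewrites ACLs. The functions below are an added example written for this page, not code from the deck or from Microsoft: they decode and build those strings for the Windows, FBA, ADFS and "all authenticated users" cases. The claim-type and issuer-type letters tabled here are only the subset those cases need; the sample strings are constructed, and contoso\alice, membership, rolemanager and ADFS are placeholder names.

```powershell
# Added example (not from the deck). Encoded claim layout in SharePoint 2010:
#   <i|c>:0<claim-type char><value-type char><issuer-type char>|[<issuer name>|]<value>
# 'i' marks the identity claim SharePoint keys the SPUser on, 'c' any other claim;
# '.' as value-type char means string. The issuer-name segment is present only
# for forms ('f') and trusted ('t') issuers. The tables are a subset of the full
# ones. Assumed placeholder names in the samples: contoso\alice, membership,
# rolemanager, ADFS. PowerShell 2.0 compatible (what SharePoint 2010 ships with).

$SPClaimTypeChars = @{
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    '(' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/isauthenticated'
}
$SPIssuerTypeChars = @{
    'w' = 'Windows'                # NT token normalized by the SharePoint STS
    'f' = 'Forms'                  # ASP.NET membership / role provider (FBA)
    't' = 'TrustedProvider'        # SAML issuer such as ADFS 2.0
    's' = 'SecurityTokenService'   # claims the SharePoint STS adds itself
}

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory = $true)][string]$Encoded)

    # Split on the first '|' only: the value part may contain '\' or further '|'.
    $head, $rest = $Encoded -split '\|', 2
    if (-not ($head -match '^([ic]):0(.)(.)(.)$')) {
        throw "Not a SharePoint encoded claim: $Encoded"
    }
    $prefix, $typeChar, $valueChar, $issuerChar = $Matches[1], $Matches[2], $Matches[3], $Matches[4]

    $issuerName = $null
    if ($issuerChar -eq 'f' -or $issuerChar -eq 't') {
        $issuerName, $rest = $rest -split '\|', 2
    }
    $valueType = 'string'
    if ($valueChar -ne '.') { $valueType = "unknown($valueChar)" }

    New-Object PSObject -Property @{
        IsIdentityClaim = ($prefix -eq 'i')
        ClaimType       = $SPClaimTypeChars[$typeChar]
        ValueType       = $valueType
        IssuerType      = $SPIssuerTypeChars[$issuerChar]
        IssuerName      = $issuerName
        Value           = $rest
    }
}

function ConvertTo-SPEncodedClaim {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [string]$ClaimTypeChar = '#',      # default: user logon name
        [string]$IssuerTypeChar = 'w',     # default: Windows
        [string]$IssuerName = '',
        [switch]$IdentityClaim
    )
    if (-not $SPClaimTypeChars.ContainsKey($ClaimTypeChar))   { throw "Unknown claim type char '$ClaimTypeChar'" }
    if (-not $SPIssuerTypeChars.ContainsKey($IssuerTypeChar)) { throw "Unknown issuer type char '$IssuerTypeChar'" }
    $prefix = 'c'
    if ($IdentityClaim) { $prefix = 'i' }
    $head = $prefix + ':0' + $ClaimTypeChar + '.' + $IssuerTypeChar   # '.' = string value type
    if ($IssuerTypeChar -eq 'f' -or $IssuerTypeChar -eq 't') {
        if (-not $IssuerName) { throw 'Forms and trusted issuers need -IssuerName (the provider name)' }
        return ($head + '|' + $IssuerName + '|' + $Value)
    }
    return ($head + '|' + $Value)
}

# Constructed samples: a Windows user, the same user via FBA, an FBA role,
# an ADFS e-mail identity and the "All Authenticated Users" claim.
$samples = @(
    'i:0#.w|contoso\alice',
    'i:0#.f|membership|alice',
    'c:0-.f|rolemanager|Payroll Admins',
    'i:05.t|ADFS|alice@contoso.com',
    'c:0(.s|true'
)
$samples | ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
    Format-Table IsIdentityClaim, IssuerType, IssuerName, Value, ClaimType -AutoSize

# The FBA form of alice, as it is written into ACLs after user migration.
ConvertTo-SPEncodedClaim -Value 'alice' -IssuerTypeChar 'f' -IssuerName 'membership' -IdentityClaim
```

Two things follow from the format that bite in practice. The provider name after `.f|` or `.t|` is part of the principal, so renaming the membership provider or the SPTrustedIdentityTokenIssuer orphans every ACL entry that names it. And `i:0#.w|contoso\alice` and `i:0#.f|membership|alice` are two different SPUsers even when they are the same person, which is why a zone that mixes Windows and forms sign-in needs both granted, or a claims provider that augments one with the other.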
Web.config example

```xml
<configuration>
  <system.web>
    <!-- name="…" is what New-SPAuthenticationProvider refers to; the deck elides the
         assembly-qualified type and the remaining LDAP settings. In the web application's
         own web.config leave SharePoint's claims membership/role providers as the defaults
         and add these entries beside them. -->
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="membership" type="LdapMembershipProvider, …"
             server="redmond.corp.microsoft.com"
             port="389"
             … />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="MyRoleProv">
      <providers>
        <add name="roleManager" type="LdapRoleProvider, …"
             server="redmond.corp.microsoft.com"
             … />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Upgrade FBA: PowerShell sample

```powershell
# Provider names must match the name="…" attributes of the web.config entries above.
$ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
# "domain\apppool" is a placeholder; the account must already be a managed account on the farm.
$wa = New-SPWebApplication -Name "My Web App" -ApplicationPool "Claims App Pool" `
        -ApplicationPoolAccount "domain\apppool" -Url "http://servername" -Port 80 `
        -AuthenticationProvider $ap
```

Note: the ApplicationPoolAccount needs to be a managed account on the farm. Then modify the web.config files (Central Admin, Security Token Service, forms web app).
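Putting the sign-in slides and the configuration steps above together, as an added example that is not the deck's own script: the Default zone of one web application accepts Windows, forms and ADFS 2.0 sign-in at once (multi-auth: one URL, and the sign-in page lets the user choose), while a second zone exposes only ADFS to the extranet (mixed mode: one set of providers per zone). The provider names membership/rolemanager are the deck's; intranet.contoso.com, extranet.contoso.com, adfs.contoso.com, DOMAIN\sp_apppool, urn:sharepoint:intranet and the certificate path are placeholders. The three web.config edits are still required for the forms provider; this script does not make them.

```powershell
# Added example (not from the deck): one web application whose Default zone
# accepts Windows, forms (FBA) and ADFS 2.0 sign-in at once ("multi-auth"),
# plus an extranet zone that accepts only the trusted provider ("mixed mode").
# Placeholders: contoso.com host names, DOMAIN\sp_apppool, urn:sharepoint:intranet,
# C:\certs\adfs-token-signing.cer. Provider names come from the deck's web.config.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Sign-in methods for the Default zone.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider 'membership' `
                                    -ASPNETRoleProviderName 'rolemanager'

# 2. Trust ADFS 2.0 as a SAML identity provider. SharePoint validates token
#    signatures against the imported ADFS token-signing certificate, and the
#    e-mail claim becomes the identifier claim, i.e. the value the SPUser is keyed on.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            'C:\certs\adfs-token-signing.cer'   # placeholder path; exported from ADFS
$email = New-SPClaimTypeMapping `
            -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
            -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$role  = New-SPClaimTypeMapping `
            -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
            -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming
$adfs = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'Contoso ADFS 2.0' `
            -Realm 'urn:sharepoint:intranet' -ImportTrustCertificate $cert `
            -ClaimsMappings $email, $role -SignInUrl 'https://adfs.contoso.com/adfs/ls' `
            -IdentifierClaim $email.InputClaimType
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $adfs

# 3. Multi-auth: all three providers on the same zone.
New-SPWebApplication -Name 'Intranet' -Url 'http://intranet.contoso.com' -Port 80 `
        -ApplicationPool 'Claims App Pool' `
        -ApplicationPoolAccount (Get-SPManagedAccount 'DOMAIN\sp_apppool') `
        -AuthenticationProvider $win, $fba, $saml | Out-Null
$wa = Get-SPWebApplication 'http://intranet.contoso.com'

# 4. Mixed mode: a separate zone that offers only ADFS sign-in to the extranet.
New-SPWebApplicationExtension -Identity $wa -Name 'Intranet - Extranet' -Zone Extranet `
        -Url 'https://extranet.contoso.com' -Port 443 -SecureSocketsLayer `
        -AuthenticationProvider $saml | Out-Null

# 5. Check: which sign-in methods each zone accepts.
$wa = Get-SPWebApplication 'http://intranet.contoso.com'
foreach ($zoneName in 'Default', 'Extranet') {
    $zone = [Enum]::Parse([Microsoft.SharePoint.Administration.SPUrlZone], $zoneName)
    if ($wa.IisSettings.ContainsKey($zone)) {
        $names = $wa.IisSettings[$zone].ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }
        '{0}: {1}' -f $zoneName, ($names -join ', ')
    }
}
```

The realm must equal the relying party identifier configured on the ADFS side, and the ADFS issuance rules must actually emit the identifier claim, or every sign-in fails after the redirect. Choose the identifier claim for stability as much as uniqueness: a user whose e-mail address changes arrives as a new SPUser, and the permissions granted to the old encoded claim do not follow.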
Benefits
- Support existing identity infrastructure: Active Directory, LDAP, SQL, federation gateways, WebSSO and identity management systems
- Enable automatic, secure identity delegation
- Support "no-credential" connections to external web services
- Consistent API to develop SharePoint solutions

Resources
- A Guide to Claims-Based Identity and Access Control (book download): http://www.microsoft.com/downloads/details.aspx?FamilyID=4c09ffe4-43dd-4fcc-be35-c897c9bc4386&displaylang=en
- Walkthrough: Writing a Claims Provider: http://msdn.microsoft.com/en-us/library/ff699494.aspx
- Share-n-dipity (Steve Peschka's blog): http://blogs.technet.com/b/speschka/

Key Takeaways
- A new way of handling identity in SharePoint
- Built on standards for interoperability
- Office client support for non-Windows authentication
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.  Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.  MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
