1. SharePoint Access Control
Jonathan Schultz (@SharePointValue)
Skyline Technologies, Inc.
01/18/2012

2. About Skyline Technologies
• Leading Microsoft solutions provider
– Develops and tailors IT applications to meet the business and
technical objectives of customers
– Serves clients in the manufacturing and retail to healthcare,
transportation, and logistics industries
• Microsoft Partner with Gold competencies in Business Intelligence,
Content Management, Portals and Collaboration, and Web Development
and Silver competencies in Data Platform, Project and Portfolio
Management, Search, and Software Development.
• Provides a pathway to speed your company toward its vision.
• Recognized by businesses nationwide as a team of smart, experienced
people and a Microsoft Gold Certified Partner organization specializing in
adapting Microsoft solutions to individual client’s needs.

3. Agenda
• SharePoint Access Control
• What are Claims?
• Why would you use them?
• Claims-Based Authentication
• Reality of Claims Based Authentication
• Reference Materials

4. SharePoint Access Control
• Authentication vs. Authorization
– Authentication = Who are you?
– Authorization = What can you do?
• Information Rights Management
– Windows Server 2008 Active Directory Rights
Management Server
– CSS Print Suppression
• @media print { .NoPrint { display: none; } }

5. Security Environments
Loosely Managed Tightly Managed
• Distributed Accountability • Centralized Authority
• Low Risk Content • Auditing Requirements
• Flexible – Content
– Process

6. Groups
SharePoint Groups Active Directory Groups
• Distributed • Centralized
• SharePoint Only • Enterprise
• Auditing • Auditing
– 3rd Party Tools – Member Of

7. What are Claims?
• Attributes about a User
• Need to Come from Someone You Trust
• Driver’s License Example
– Trusted Provider = State of Wisconsin
– Claims
• Name = Jonathan Schultz
• Age = 35
• Organ Donor = No

8. UWEBC Claims Example
• Trusted Provider = Cavinda
• My Claims
– Name = Jonathan Schultz
– Company = Skyline Technologies
– Presenter = Yes

9. Why Use Claims?
• Claim Augmentation
– Security Groups from Active Directory
– HRMS/CRM Attributes
• Title/Role
• Federation
– Partner Network
• Business to Business
– Subsidiaries
– Web 2.0 (Windows Live, Facebook, etc.)
• Advanced Authentication & Authorization

10. Basic Claims Scenario

11. Claims Based Architecture

12. Terminology
• Security Token Service (STS)
– Identity Provider (IP-STS)
– Relying Party (RP-STS)
• Security Assertion Markup Language (SAML)
• Windows Identity Framework (formerly Geneva)
• Trusted Login Provider

13. Under the Covers

14. Claims-to-Windows Token Service

15. Claims Based Architecture Notes
• New in SharePoint 2010
• Authentication Prompt for Multiple Providers
• All Intra/Inter Farm Calls are Claims Based
– i.e. Service Applications
• Claims-to-Windows Token Service Needed for
Some Service Applications, i.e. PerformancePoint
Services

16. Claims Development Tasks
• Custom Login Pages
– Extranet Scenarios
– Branding
– “Remember Me” Capability
– Home Realm Discovery
• Custom Claim Providers
– Claims Augmentation
– Claims Picking / Resolution
• Trusted Login Providers
– WIF SDK

17. Reality of Claims Based Authentication
• Claims Authorization uses OR logic, not AND
– Scenario: Authorize US HR User
• Location Claim = US
• Department Claim = HR
• Will also succeed for US IT because of US OR HR
• Trusted Identity Providers
– Cookie Driven (Watch out for domains/paths)
– Time Based Expiration (Server Times)
• Claims + Kerberos + SSRS = Problem

18. Reference Materials
• Claims and Security Technical Articles for
SharePoint 2010
• Implementing Claims-Based Authentication with
SharePoint Server 2010 – White Paper
• A Guide to Claims-Based Identity and Access
Control – Patterns & Practices
• Custom Claims-Based Security in SharePoint
2010
• Steve Peschka’s Blog: Share-n-dipity