From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010


Transcripts
Slide 1

SESSION CODE: OSP311
From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010
Rick Taylor, Senior Technical Architect, Perficient, Inc.

Slide 2

Who Am I? Who am I??? Who am I??????????
The Guardian of Lost Souls. The Powerful. The Pleasurable. The Indestructible.
Rick Taylor (Slick Rick, in case you're terrible)

Slide 3

Introduction
Former Engineer with the Platform Architecture Group in SharePoint Online
Contributing writer on the Microsoft Office SharePoint Server 2007 Administrator's Guide
Connect with Rick on Facebook, LinkedIn, Twitter, Spaces, TechNet

Slide 4

Agenda
Overview of Identities and Claims: What is Claims-based Identity? A primer
Problem Spaces and Examples: Why is it important? What does it do for me? Why do I need it?
Upgrade Scenarios
Support Statements

Slide 5

Terminology
Claim: an assertion, e.g. Username, Email Address, Date of Birth
Security Token Service (STS): a service that accepts requests and issues security tokens that contain claims
Identity Provider (IdP): an issuer of a token
Relying Party (RP): an application that consumes tokens (Claims Aware)

Slide 6

Claims Primer
What is Identity? A set of attributes that describe a user, for example name, email, age, group membership, and so on. It crosses the network as an array of bytes, referred to as a token. In a claims-based scenario the array of bytes carries claims.
What is a Claim? An attribute and its value, as asserted by some authority (the issuer). Who issued the claim matters as much as the value.

Slide 7

What is a Token? (diagram) A token is a signed container of claims, e.g. CLAIM = Email Address, CLAIM = D.O.B., CLAIM = Role, CLAIM = Given Name

Slide 8

Claims carry pieces of information about the user (diagram): Token contains Name, Age, Location

Slide 9

Issuer
Tokens are issued by Security Token Service (STS) software.
Identity providers can include Directory Services, Windows Live ID, and so on.

Slide 10

Claims Primer - continued
What is the difference between a "claim" and an "attribute"? Both Facebook and eHarmony have the age attribute. Facebook claims that I am 45, while eHarmony claims I am 29. Authorization decisions may depend on the age attribute, so your application needs to decide which "claim" it will trust. Trust depends on the scenario, not on technical capability.

Slide 11

Benefits
Applications can determine which claims are required and which providers to trust
Provides multiple authentication scenarios on a single, unique namespace, i.e. http://sharepoint.contoso.com
Enables automatic and secure identity delegation within SharePoint
Seamless integration with external systems, i.e. Web Service calls

Slide 12

Problem Space
Sign-in: retrieving identities, i.e. who are they
Services: passing identities across boundaries, i.e. machines, Line of Business applications, and so on

Slide 13

Sign-in Scenarios
Sign into SharePoint with both Windows and LDAP directory identity
Easily configure Intranet and Extranet users for collaboration
Integrate with other user identity systems (e.g. ADFS, etc.)
Use Office applications with non-Windows authentication

Slide 14

Normalizing Identities (diagram)
Classic: NT Token (Windows Identity) maps directly to SPUser
Claims: NT Token (Windows Identity), SAML 1.1+ (ADFS, etc.) and ASP.NET FBA (SQL, LDAP, Custom …) are all normalized to a SAML Token (Claims-Based Identity), which maps to SPUser

Slide 15

Sign-in Process

Slide 16

End User Experience: Classic Mode

Slide 17

End User Experience: Claims Mode

Slide 18

Forms-based Authentication in SharePoint Server 2010
Rick Taylor, Senior Technical Architect, Perficient
demo… well… sorta… but not really

Slide 19

Step 1

Slide 20

Step 2

Slide 21

Sign in page

Slide 22

Step 4

Slide 23

Needs Claims ID

Slide 24

Configuring Relying Party Trust

Slide 25

Getting Token Issuer Name

Slide 26

Validation using the Claims Viewer Web Part

Slide 27

Claim Providers
Augmentation of Claims: used to add application-specific claims; SharePoint will authorize over these claims
Search and Resolve Claims: provides a way to find and select claims; SharePoint will present the claims in the user experience (e.g. the People Picker)

Slide 28

Office Applications
Office client applications now support non-Integrated Windows Authentication:
Office 2007 with Service Pack 2 on Windows XP with Internet Explorer 8; Windows Vista with Service Pack 2 or later with Internet Explorer 8; Windows 7
Office 2010 on Windows XP with Internet Explorer 8; Windows Vista with Service Pack 2 or later with Internet Explorer 8; Windows 7

Slide 29

Mixed Mode and Multi-mode Authentication

Slide 30

Changes to Forms-based Authentication
Forms-based Authentication users become Claims identities
Claims identities are created instead of ASP.NET Generic identities
The Security Token Service calls the membership provider to validate the user and issues a Claims token
ValidateUser() must be implemented by membership providers (the STS calls it; a provider that only implements GetUser() will not work)
Roles are converted to Claims and captured in the SAML token
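Added example, not from the deck: creating a claims-mode web application whose Default zone accepts both Windows (NTLM) and forms-based logins in one zone, which is what the deck calls multi-mode. The URL, application pool, managed account and the provider names "FbaMembers" / "FbaRoles" are placeholders for this example.

```powershell
# Added example (not from the deck). Placeholders: URL, app pool, account, provider names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url      = "http://sharepoint.contoso.com"
$poolName = "SharePoint - 80"
$poolAcct = "CONTOSO\spwebapp"

# Windows authentication (NTLM) as one claims provider for the zone.
$winAp = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# Forms-based authentication as a second provider in the same zone. The names
# must match <membership>/<roleManager> providers that you still have to
# register in the web.config of the web application, of Central Administration
# and of the Security Token Service (the STS is what calls ValidateUser()).
$fbaAp = New-SPAuthenticationProvider -ASPNETMembershipProvider "FbaMembers" `
                                      -ASPNETRoleProviderName "FbaRoles"

# Two providers on one zone = multi-mode. A second zone created with
# Extend-SPWebApplication and a different provider would be mixed mode.
$wa = New-SPWebApplication -Name "Contoso Intranet" `
        -Url $url -Port 80 `
        -ApplicationPool $poolName `
        -ApplicationPoolAccount (Get-SPManagedAccount $poolAcct) `
        -AuthenticationProvider $winAp, $fbaAp

# Verify: the application must be claims-based and list both providers.
if (-not $wa.UseClaimsAuthentication) { throw "Web application is not in claims mode" }
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa.IisSettings[$zone].ClaimsAuthenticationProviders | Select-Object DisplayName
```

Until the membership and role providers are registered in all three web.config files (web application, Central Administration, SecurityTokenServiceApplication), forms sign-in will fail even though the provider is listed here, because the STS cannot find the provider to call ValidateUser() on.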

Slide 31

Services Scenarios
Surface additional information about a person or object without a prompt (Intranet-specific scenario)
Surface inventory information through an Enterprise portal (Extranet or Intranet-specific scenario)
Deploy secure SharePoint environments for user identity delegation

Slide 32

Simple Web Part Process Scenario

Slide 33

Cross Boundary Services Process Scenario

Slide 34

Real World Concept

Slide 37

Code Snippet for Claims Viewer Web Part

using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.IdentityModel.Claims;

namespace ClaimsViewerTest.VisualWebPart1
{
    public partial class VisualWebPart1UserControl : UserControl
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // In a claims-mode web application Page.User is an IClaimsPrincipal;
            // in classic mode it is a plain WindowsPrincipal and the cast yields null.
            IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
            if (claimsPrincipal == null)
            {
                return; // not a claims identity, nothing to show
            }

            IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;

            // Bind the claim collection (ClaimType, Value, Issuer, ...) to the grid.
            GridView1.DataSource = claimsIdentity.Claims;
            Page.DataBind();
        }
    }
}

Slide 38

# Register ADFS 2.0 as a trusted identity token issuer. The .cer file is the ADFS
# token-signing certificate (public key only); the realm must match the relying
# party identifier configured on the ADFS side.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[name_of_cert].cer")
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

Slide 40

Upgrade Scenarios
Integrated Windows will not require rework
Forms-based Authentication and Web SSO scenarios will require Claims conversion

Slide 41

Upgrade Issues
When you upgrade from MOSS to SharePoint 2010:
Error: "Forms Based Authentication on classic Web application has been deprecated."
Fix, Step 1:
$w = Get-SPWebApplication "http://webappurl/"
$w.UseClaimsAuthentication = $true
$w.Update()
$w.ProvisionGlobally()

Slide 42

Upgrade Issues - Continued
Step 2: Remove the <clear/> element from the Membership and Role provider sections in the web.config of {SharePoint Root}\WebServices\Root (only happens on upgrade, not on a clean install)

Slide 43

Upgrade Issues - Continued
Naming Convention Change: aspnetsqlmembershipprovider:username IS NOW i:0#.f|aspnetsqlmembershipprovider|username
Use PowerShell to rename all of the users
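Added example, not from the deck: renaming existing forms-based users from the MOSS 2007 format provider:username to the SharePoint 2010 claims encoding i:0#.f|provider|username with Move-SPUser. In that encoding i marks an identity claim, 0 is reserved, # is the user logon name claim type, . means a string value and f means the forms issuer; Windows logins get w instead of f and are handled by the platform's own migration. The web application URL is a placeholder.

```powershell
# Added example (not from the deck). The URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "http://sharepoint.contoso.com"
if (-not $wa.UseClaimsAuthentication) {
    throw "Convert the web application to claims first (UseClaimsAuthentication = true)."
}

function ConvertTo-FormsClaimLogin {
    param([string]$ClassicLogin)
    # Logins that are already claims-encoded (i:0#.f|..., i:0#.w|..., c:0-.f|...) are returned unchanged.
    if ($ClassicLogin -match '^[ic]:0') { return $ClassicLogin }
    # Classic FBA logins look like provider:user. Anything else (DOMAIN\user, SIDs) is left alone.
    if ($ClassicLogin -match '^(?<provider>[^:\\|]+):(?<user>.+)$') {
        return "i:0#.f|$($Matches.provider.ToLower())|$($Matches.user)"
    }
    return $ClassicLogin
}

foreach ($site in $wa.Sites) {
    try {
        foreach ($user in Get-SPUser -Web $site.RootWeb -Limit All) {
            $new = ConvertTo-FormsClaimLogin $user.UserLogin
            if ($new -ne $user.UserLogin) {
                Write-Host "$($user.UserLogin) -> $new"
                # -IgnoreSID: forms users carry no Windows SID, so there is nothing to match on.
                Move-SPUser -Identity $user -NewAlias $new -IgnoreSID -Confirm:$false
            }
        }
    } finally {
        $site.Dispose()
    }
}
```

Run it with -WhatIf on Move-SPUser first and check the printed old/new pairs, because a wrong alias detaches the user from all of their permissions. If you only need the platform's own Windows-account migration, $wa.MigrateUsers($true) after ProvisionGlobally() does that without any per-user loop; it does not touch the provider:username logins, which is why this script exists.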

Slide 44

Upgrade Issues
Any custom applications, web parts or utilities that used the SSO service in 2007 may require a rewrite or an update to the code to reflect these changes to the Secure Store Service.
Microsoft.Office.SecureStoreService.Server assembly found here: C:\Program Files (x86)\MSECache\oserver2010\Global\Search\osrchwfe.cab

Slide 45

Other "Gotchas"
Receive Error: "Root of Certificate Chain is Not Trusted Root Authority"
Must export the ADFS Token Signing Certificate
Must add the ADFS Token Signing Certificate's Root Authority to the list of Root Authorities in SharePoint (SharePoint keeps its own trust store; trusting the root in the Windows certificate store is not enough)
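Added example, not from the deck: registering the exported ADFS token-signing certificate and its issuing root with SharePoint's own trust store (New-SPTrustedRootAuthority), which is what clears the "Root of Certificate Chain is Not Trusted Root Authority" error. The file paths and the names given to the trust entries are placeholders.

```powershell
# Added example (not from the deck). Paths and entry names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$x509 = "System.Security.Cryptography.X509Certificates.X509Certificate2"
$signing = New-Object $x509 "C:\certs\adfs-token-signing.cer"   # exported from ADFS > Certificates
$root    = New-Object $x509 "C:\certs\adfs-root-ca.cer"         # CA that issued the signing cert

function Add-SPRootIfMissing {
    param([string]$Name, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Match on thumbprint so a re-run does not create duplicate entries.
    $existing = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $Certificate.Thumbprint }
    if ($existing) { Write-Host "Already trusted: $($existing.Name)"; return }
    New-SPTrustedRootAuthority -Name $Name -Certificate $Certificate | Out-Null
    Write-Host "Added: $Name ($($Certificate.Subject))"
}

# The default ADFS 2.0 token-signing certificate is self-signed; then it is its
# own root and the second import is unnecessary.
if ($signing.Subject -eq $signing.Issuer) {
    Add-SPRootIfMissing -Name "ADFS Token Signing (self-signed)" -Certificate $signing
} else {
    Add-SPRootIfMissing -Name "ADFS Token Signing" -Certificate $signing
    Add-SPRootIfMissing -Name "ADFS Token Signing Root CA" -Certificate $root
}

# Verify what SharePoint now trusts and when the signing certificate expires;
# ADFS rolls its token-signing certificate automatically, and an expired or
# rolled certificate brings this exact error back.
Get-SPTrustedRootAuthority | Select-Object Name, @{n="Subject";e={$_.Certificate.Subject}}, @{n="NotAfter";e={$_.Certificate.NotAfter}}
```

Only the public certificate (.cer) is needed on the SharePoint side; never copy the ADFS private key. If a .cer file with the full chain is not available, export the intermediate issuers as separate files and pass each one to Add-SPRootIfMissing.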

Slide 46

Recommendations and tradeoffs for authentication methods (1 of 3)

Slide 47

Recommendations and tradeoffs for authentication methods (2 of 3)

Slide 48

Recommendations and tradeoffs for authentication methods (3 of 3)

Slide 49

Supported Authentication Modes

Slide 50

Standards: WS-Federation 1.1, WS-Trust 1.4, SAML Token 1.1

Slide 51

Summary
SharePoint 2010 provides new ways to think about identity
Forms-based Authentication has changed from Office SharePoint Server 2007
Office client support is available for non-Windows scenarios

Slide 52

Additional Resources
Participate: Twitter > #SPIdentity
Download SharePoint Server 2010 Beta
Recommended Reading:
Read more on Claims-based Authentication in the SharePoint Server 2010 IT Professional Evaluation Guide
Read the article Plan Authentication Methods (SharePoint Server 2010) on TechNet
Read the article Configure Forms-based Authentication for a Claims-based Web Application on TechNet (this article also provides some good upgrade material)
Read the article Configure the Security Token Service on TechNet
Read about SharePoint and Claims-based Identity on MSDN
Download and read A Guide to Claims-Based Identity and Access Control
Download and read Claims-Based Identity for Windows

Slide 53

Even MORE Resources!
Read Setting up a lab environment with ADFS on TechNet
Go to the ADFS Resource Center on TechNet

Slide 54

Track Resources: For More Information: http://sharepoint.micros
