From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010 - PowerPoint PPT Presentation

from n to z authentication and authorization in microsoft sharepoint server 2010 l.
Skip this Video
Loading SlideShow in 5 Seconds..
From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010 PowerPoint Presentation
From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010

play fullscreen
1 / 65
Download Presentation
Download Presentation

From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010

Presentation Transcript

  1. Required Slide SESSION CODE: OSP311 From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010 Rick Taylor Senior Technical Architect Perficient, Inc.

  2. Who Am I? • Who am I??? • Who am I ?????????? The Guardian of Lost Souls Rick Taylor The Powerful Slick Rick – if you’re nasty The Pleasurable The Indestructible

  3. Introduction • Former Engineer with Platform Architecture Group in SharePoint Online • Contributing author on Microsoft Office SharePoint Server 2007 Administrator’s Guide • Connect w/ Rick on • Facebook • LinkedIn • Twitter • Spaces • TechNet

  4. Agenda • Overview of Identities and Claims • What is Claims-based Identity? • A primer • Problem Spaces and Examples • Why is it important? • What does it do for me? • Why do I need it? • Upgrade Scenarios • Support Statements

  5. Terminology • Claim • An assertion • Username • Email Address • Date of Birth • Security Token Service (STS) • A service that accepts requests and issues security tokens that contain claims • Identity Provider (IDP) • An issuer of a token • Relying Party (RP) • An application that uses Claims (Claims Aware)

  6. Claims Primer • What is Identity? • Set of attributes to describe a user such as name, e-mail, age, group membership, etc. • Traverses the network as an array of bytes – referred to as a token • In a Claims-based scenario, the array of bytes carry Claims • What is a Claim? • Some authority that claims to have the attribute and its value

  7. What is a Token? CLAIM = Email Address CLAIM = D.O.B CLAIM = Role TOKEN CLAIM = Given Name

  8. Claims • Claims carry pieces of information about the user Token Name Age Location

  9. Issuer • Tokens are issued by Security Token Service (STS) software • Identity providers can include Directory Services, Windows Live Id, etc.

  10. Claims Primer - continued • What is the difference between a “claim” and an “attribute?” • Both Facebook & eHarmony have the age attribute • Facebook claims that I am 45, while eHarmony claims I am 29. • Authorization decisions may depend on the age attribute, your app needs to decide which “claim” you will trust. • Trust depends on scenario not on technical capability

  11. Benefits • Applications can determine which Claims are required and which providers to trust • Provides multiple authentication scenarios on a single, unique namespace, i.e. • Enable automatic and secure identity delegation within SharePoint • Seamless integration with external systems, i.e. Web Service calls

  12. Problem Space • Sign-in • Retrieving identities, i.e. who are they • Services • Passing identities across boundaries, i.e. machines, Line of Business applications, etc.

  13. Sign-in Scenarios • Sign-in to SharePoint with both Windows and LDAP directory Identity • Easily configure Intranet and Extranet users for Collaboration • Integrate with other customer identity systems (eg. ADFS, etc.) • Use Office Applications with non-Windows Authentication

  14. Normalizing Identities Classic Claims NT TokenWindows Identity NT TokenWindows Identity SAML1.1+ADFS, etc. ASP.Net (FBA)SAL, LDAP, Custom … SAML Token Claims Based Identity SPUser

  15. Sign-in Process

  16. End User Experience Classic Mode

  17. End User Experience Claims Mode

  18. Forms-based Authentication in SharePoint Server 2010 Rick Taylor Senior Technical Architect Perficient demo…well…sorta..but not really

  19. Step 1

  20. Step 2

  21. Sign in page

  22. Step 4

  23. Needs Claims ID

  24. Configuring Relying Party Trust

  25. Getting Token Issuer Name

  26. Validation using Claims Viewer Web Part

  27. Claim Providers • Augmentation of Claims • Used to add application specific claims • SharePoint will authorize over these claims • Search and Resolve Claims • Provides a way to enumerate and select claims • SharePoint will present the claims in the User Experience

  28. Office Applications • Office Client applications now support non-Integrated Windows Authentication • Office 2007 with Service Pack 2 on • Windows XP with Internet Explorer 8 • Windows Vista with Service Pack 2 or optionally with Internet Explorer 8 • Windows 7 • Office 2010 on • Windows XP with Internet Explorer 8 • Windows Vista with Service Pack 2 or optionally with Internet Explorer 8 • Windows 7

  29. Mixed Mode and Multi-mode Authentication

  30. Changes to Forms-based Authentication • Forms-based Authentication users become Claims Identities • Claims identities are created as opposed to ASP.Net Generic identities • Secure Token Service calls the membership provider to validate user and issues a Claims token • ValidateUser() must be implemented by membership providers • Roles are converted to Claims and captured in the SAML token

  31. Services Scenarios • Surface additional information about a person or object without challenge (Intranet-specific scenario) • Surface inventory information through an Enterprise portal (Extranet or Intranet-specific scenario) • Deploy secure SharePoint environments for user identity delegation

  32. Simple Web Part Process Scenario

  33. Cross Boundary Services Process Scenario

  34. Real World Concept

  35. Code Snippet for Claims Viewer Web part using System; using System.Web.UI; using System.Web.UI.WebControls; using System.Web.UI.WebControls.WebParts; using Microsoft.IdentityModel.Claims; namespace ClaimsViewerTest.VisualWebPart1 {     public partial class VisualWebPart1UserControl : UserControl     {         protected void Page_Load(object sender, EventArgs e)         {             IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;             IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;             GridView1.DataSource = claimsIdentity.Claims;             Page.DataBind();         }     } }

  36. $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[name_of_cert].cer") $map1 = New-SPClaimTypeMapping -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming$realm = "urn:" + $env:ComputerName + ":adfs"$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

  37. Upgrade Scenarios • Integrated Windows will not require rework • Forms-based Authentication and WebSSO scenarios will need Claims conversion

  38. Upgrade issues • When you upgrade from MOSS to SharePoint 2010: • Error: • “Forms Based Authentication on classic Web application has been deprecated.” • Fix: • Step 1 $w = Get-SPWebApplication "http://webappurl/"$w.UseClaimsAuthentication = $true;$w.Update()$w.ProvisionGlobally()

  39. Upgrade Issues - Continued • Step 2 • Remove the <clear/> element from the Membership and Role provider sections in the web.config of the {SharePoint Root}\WebServices\Root • (Only occurs in upgrade, not clean)

  40. Upgrade Issues - Continued • Naming Convention Change • aspnetsqlmembershipprovider:username IS NOW • i:0#.f|aspnetsqlmembershipprovider|username • Use PowerShell to change the names of all the users

  41. Upgrade Issues • Any custom applications, web parts or utilities that used the SSO service in 2007 may require a rewrite or update to the code to reflect these changes to the Secure Store Service • Microsoft.Office.SecureStoreService.Serverassembly found here: C:\Program Files (x86)\MSECache\oserver2010\Global\Search\

  42. Other “Gotchas” Receive Error – “Root of Certificate Chain is Not Trusted Root Authority” • Must export the ADFS Token Signing Certificate • Must add the ADFS Token Signing Certificate Root Authority to List of Root Authorities in SharePoint

  43. Recommendations and tradeoffs for authentication methods

  44. Recommendations and tradeoffs for authentication methods

  45. Recommendations and tradeoffs for authentication methods

  46. Supported Authentication Modes

  47. Standards • WS-Federation 1.1 • WS-Trust 1.4 • SAML Token 1.1