claims-based identity in sharepoint 2010

Post on 17-May-2015


DESCRIPTION

An overview of Claims-Based Identity in SharePoint 2010 with a discussion of issues encountered during a migration from MOSS and recommendations for new implementations. Presented by Danny Jessee at the SUGDC meeting during SPSTCDC on August 11, 2011.

TRANSCRIPT

All It “Claims” to Be?

A real-world perspective on Claims-Based Identity in SharePoint 2010

Danny Jessee, SharePoint User Group of Washington, DC – August 11, 2011

Who Am I?

SharePoint Evangelist at Circinus, a Northern Virginia-based SDVOSB

Senior developer on SharePoint deployments for government and DoD customers since 2004

I get involved with administration when I have to…

MCTS – SharePoint 2010 Application Development

CloudShare Honorary MVP for 2011

Twitter: @dannyjessee Blog: http://dannyjessee.com/blog

Agenda

Features of a Secure Application
SharePoint 2010 Authentication Options
Claims Terminology/Technology Overview
Demos
▪ SharePoint 2010 Web Application with FBA
▪ Adding Azure ACS-based Trusted Identity Providers
“Gotchas”
▪ General issues for all Claims implementations
▪ Migration issues from MOSS to SharePoint 2010
▪ Claims Behaving Badly

Recommendations

Features of a Secure Application

Authentication is the process of validating a user’s identity. SharePoint never performs authentication itself: it delegates to IIS/Windows, to the ASP.NET Membership provider, or to a trusted identity provider (STS), and only consumes the result.

If the login prompt keeps appearing, think authentication issue!

Features of a Secure Application

Authorization is the process of determining the resources, features, etc. to which a user has access. The SPUser object is the security principal SharePoint authorizes against.

If you see “Access Denied” errors, think authorization issue!

Authentication Options in SharePoint 2010

The single biggest decision of your life!

TechNet guidance: “For new implementations of SharePoint Server 2010, you should consider claims-based authentication.”

Authentication Options in SharePoint 2010

Claims-Based Authentication (tokens)
▪ Windows Authentication: NTLM/Kerberos, Basic
▪ Forms-Based Authentication (ASP.NET Membership provider and Role manager)
▪ Trusted Identity Providers
▪ Custom sign-in page
Classic Mode Authentication (“Old School”)
▪ Windows Authentication (NTLM/Kerberos) only

Both map authenticated users to SPUser objects (security principals)

Claims-Based Identity Concepts

What is a claim? A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date

Whose claims do I trust, and which claims affect the authorization decisions I make?

Claims-Based Identity Terminology

Token: a serialized set of claims about an authenticated user, digitally signed by the token’s issuer

Identity Provider Security Token Service (IP-STS): validates user credentials; builds, signs, and issues tokens containing claims

Relying party (RP): an application that makes authorization decisions based on claims (here, SharePoint 2010)

The Claims Paradigm

Decoupling of authentication logic from authorization and personalization logic

Applications no longer need to determine who the user is; they receive claims identifying the user

Great for developers, who rarely want to work with identity!

Provides a common way for applications to acquire the identity information they need about users

The Claims Paradigm

1. “I’d like to access the budget document.”

2. “Not until you can prove to me that you are in the Finance group.”

3. “Here is my user ID and password.”

4. “Hi, Danny. I see you are in the Finance group. Here is a token you can use.”

5. “I’d like to access the budget document, and here’s proof I have access to it!”

(Diagram label: the relying party in steps 1, 2 and 5 is SharePoint 2010; steps 3 and 4 are the exchange with the IP-STS.)

Claims-Based Identity Technologies

WS-Trust, WS-Federation, SAML
▪ Requesting/receiving tokens
▪ XML representation of claims

These “emerging” technologies have been around for a while; their use in Claims-Based Identity represents a new approach for handling identity in applications

Great potential in corporate environments
▪ Active Directory Federation Services, external LDAP, etc.

Great potential as we move to the cloud
▪ Azure ACS: Facebook, Google, Windows Live ID, etc.

Almost Demo Time!

Claims Viewer Web Part

Visual Web Part code-behind (after http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32), with the WIF using directive it needs and a guard for classic-mode web applications, where Page.User is not a claims principal:

    using Microsoft.IdentityModel.Claims;   // WIF 3.5: IClaimsPrincipal, IClaimsIdentity

    // In Page_Load of the visual web part's user control
    IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
    if (claimsPrincipal == null) return;   // classic-mode web app: no claims to show
    IClaimsIdentity claimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity;
    GridView1.DataSource = claimsIdentity.Claims;   // each row: ClaimType, Value, Issuer, ...
    Page.DataBind();

FBA in SharePoint 2010

Similar to FBA setup for MOSS, with some exceptions:
▪ The authentication provider does not need to be mapped to a separate zone
▪ One additional Web.config to modify: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken
▪ Add entries for the connection string, Membership provider, and Role manager
▪ Same modifications for Central Admin and the web app
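The slide lists what has to be added to each Web.config but not how to do it safely. The script below is an added example, not code from the deck: it writes a connection string, a SqlMembershipProvider entry and a SqlRoleProvider entry into a web.config using XmlDocument (so it runs on PowerShell 2.0, which shipped alongside SharePoint 2010), is idempotent, and deliberately never touches defaultProvider, which in a claims web application must stay "i"/"c". The provider names, SQL server and database names are assumptions, and the sample web.config it patches is constructed so the script runs off a farm.

```powershell
# Added example, not from the deck: write the FBA entries the slide lists
# (connection string, Membership provider, Role manager) into a SharePoint 2010
# web.config. Uses XmlDocument so it runs on PowerShell 2.0. Provider names,
# SQL server and database names below are assumptions for illustration.

function Add-ConfigProvider {
    # Ensure <system.web>/<Section>/<providers> exists and add one <add .../> entry.
    param(
        [System.Xml.XmlDocument] $Doc,
        [System.Xml.XmlElement]  $SystemWeb,
        [string] $Section,               # 'membership' or 'roleManager'
        [string] $Name,
        [string] $Type,
        [string] $ConnectionStringName
    )
    $sec = $SystemWeb.SelectSingleNode($Section)
    if (-not $sec) { $sec = $SystemWeb.AppendChild($Doc.CreateElement($Section)) }
    if ($Section -eq 'roleManager') { $sec.SetAttribute('enabled', 'true') }
    # defaultProvider is deliberately left alone: in a claims web application it
    # must stay "i" (SPClaimsAuthMembershipProvider) and "c" (SPClaimsAuthRoleProvider).
    $providers = $sec.SelectSingleNode('providers')
    if (-not $providers) { $providers = $sec.AppendChild($Doc.CreateElement('providers')) }
    if ($providers.SelectSingleNode("add[@name='$Name']")) { return }   # already present
    $add = $Doc.CreateElement('add')
    $add.SetAttribute('name', $Name)
    $add.SetAttribute('type', $Type)
    $add.SetAttribute('connectionStringName', $ConnectionStringName)
    $add.SetAttribute('applicationName', '/')
    [void] $providers.AppendChild($add)
}

function Add-FbaProviders {
    param(
        [string] $ConfigPath,
        [string] $ConnectionName   = 'FbaConnection',            # assumed name
        [string] $ConnectionString = 'Server=sql01;Database=FbaUsers;Integrated Security=True',  # assumed
        [string] $MembershipName   = 'CustomMembershipProvider', # the name used on the slides
        [string] $RoleName         = 'CustomRoleProvider'        # assumed name
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($ConfigPath)
    $root = $doc.DocumentElement

    # <connectionStrings> is a top-level section; append it if the file lacks one.
    $cs = $root.SelectSingleNode('connectionStrings')
    if (-not $cs) { $cs = $root.AppendChild($doc.CreateElement('connectionStrings')) }
    if (-not $cs.SelectSingleNode("add[@name='$ConnectionName']")) {
        $add = $doc.CreateElement('add')
        $add.SetAttribute('name', $ConnectionName)
        $add.SetAttribute('connectionString', $ConnectionString)
        [void] $cs.AppendChild($add)
    }

    $sysWeb = $root.SelectSingleNode('system.web')
    if (-not $sysWeb) { $sysWeb = $root.AppendChild($doc.CreateElement('system.web')) }

    # SharePoint 2010 runs on CLR 2.0, hence the System.Web 2.0.0.0 assembly reference.
    $asm = 'System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
    Add-ConfigProvider $doc $sysWeb 'membership'  $MembershipName "System.Web.Security.SqlMembershipProvider, $asm" $ConnectionName
    Add-ConfigProvider $doc $sysWeb 'roleManager' $RoleName       "System.Web.Security.SqlRoleProvider, $asm"       $ConnectionName

    $doc.Save($ConfigPath)
}

# Constructed sample: a minimal claims-mode web.config in %TEMP% so this runs
# off a farm. On a real farm, point Add-FbaProviders at each of the three files
# the slide names (SecurityToken service, Central Administration, content web app).
$sample = Join-Path $env:TEMP 'fba-sample-web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Add-FbaProviders -ConfigPath $sample
Get-Content -LiteralPath $sample      # inspect the added connectionStrings and provider entries
```

Run it once per file and diff the result against a backup before an IISRESET; the same provider names must appear in all three files, otherwise the people picker (Central Admin and web app) and the sign-in path (SecurityToken service) disagree about which provider exists.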

Demo #1: New SharePoint 2010 Web Application with Claims/FBA

Adding Facebook Support

Walkthrough: http://www.7388.info/index.php/article/studio/2011-07-29/20983.html

Create an account on AppFabric Labs: https://portal.appfabriclabs.com/Default.aspx

Use the Facebook Developer application to create your own new application

Adding Facebook Support

Note the App ID and App Secret values

Assign a “Privacy Policy” URL

Grant permissions to generate an Access Token

Choose “Web” in the left navigation, then enter values for Site URL and Site Domain based on your AppFabric Labs account

Adding Facebook Support

Generate a self-signed certificate:

    C:\Program Files\Microsoft Office Servers\14.0\Tools>MakeCert.exe -r -pe -n "CN=com-dannyjessee.accesscontrol.appfabriclabs.com" -sky exchange -ss my

Development only! Do not do in production! This certificate becomes the ACS token-signing certificate that SharePoint trusts; whoever holds its private key can mint tokens SharePoint will accept, so in production use a CA-issued certificate and protect the key.

Adding Facebook Support

Upload Token Signing Certificate

Adding Facebook Support

From Azure ACS, choose Add Identity Provider, then choose Facebook application

Enter Application ID, Application secret, and Application permissions

Adding Facebook Support

Configure Relying Party Application settings

Adding Facebook Support

Configure Rule Groups

Demo #2: Adding Azure ACS Trusted Identity Providers

Adding Facebook Support

In case the Internet didn’t work: (backup screenshots of the ACS demo)

Claims “Gotchas”

General issues for all Claims implementations
▪ The search crawler requires NTLM in the zone it uses
▪ The “People picker” is more of a Claims “expression editor”: for trusted (SAML) providers it cannot validate the name you type, it just encodes it as a claim, so a custom Claims Provider is the code opportunity
▪ User Profiles: LDAP or BCS connection to the authentication store
▪ Office client integration (2007 SP2+, 2010); IE 8+: add the site to Trusted Sites

Real-Life Testimonial

“After migrating to Claims in SharePoint 2010, most of our users were able to log in some of the time.”

—A less-than-thrilled system administrator

Claims “Gotchas”

Migration from MOSS to SharePoint 2010
▪ Migrate FBA users:

    $wa = Get-SPWebApplication $WebAppName
    $wa.MigrateUsers($true)

▪ The portalsuperuseraccount and portalsuperreaderaccount properties need to be updated to the Claims-encoded format:

    $wa.Properties["portalsuperuseraccount"] = "i:0#.w|domain\apppool"
    $wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domain\apppool"
    $wa.Update()

▪ The slide uses one placeholder account for both; in practice these are two dedicated object-cache accounts, the super user granted Full Control and the super reader Full Read through web application user policies, and neither should be the app pool identity
▪ Must migrate all providers from MOSS to 2010, e.g., both NTLM and FBA if both existed prior to migration

Claims Behaving Badly

“Funky” display of usernames:

    i:0#.w|SHRPNT\Administrator
    i:0#.f|CustomMembershipProvider|username
    i:0#.t|selfsts|test@contoso.com

▪ i: identity claim, handled by the membership provider named “i” in the claims Web.config (Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider); all other claims (groups, roles) start with c: and go to the role provider named “c”
▪ w / f / t: the issuer is Windows, Forms, or a Trusted Identity Provider; Forms and Trusted entries carry the provider or issuer name before the user name
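The prefix is easier to live with once you can read it. The script below is an added example, not from the deck: it decodes the three user shapes shown above (plus the common group and role forms) into their parts, and builds the encoded string the migration slide assigns to portalsuperuseraccount. The two lookup tables are an assumption in the sense that they cover only the characters that appear on these slides; SharePoint's full encoding table is larger, and anything outside the tables is reported as unknown rather than guessed.

```powershell
# Added example, not from the deck: decode and build SharePoint 2010
# claims-encoded identities such as i:0#.w|SHRPNT\Administrator. The two lookup
# tables cover only the characters seen on these slides plus the common group
# and role forms; SharePoint's full encoding table is larger (assumption: any
# character outside these tables is reported as unknown rather than guessed).

$ClaimTypeChars = @{
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'   # user logon name
    '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'        # AD group SID (c:0+.w|S-1-5-...)
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'            # role (c:0-.f|provider|role)
    '(' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/isauthenticated'  # "All Authenticated Users" (c:0(.s|true)
}
$IssuerChars = @{
    'w' = 'Windows'               # i:0#.w|DOMAIN\user
    'f' = 'Forms'                 # i:0#.f|<membership provider>|user
    't' = 'TrustedProvider'       # i:0#.t|<token issuer name>|user@contoso.com
    's' = 'SecurityTokenService'  # c:0(.s|true
}

function ConvertFrom-SPClaimEncoding {
    param([string] $Encoded)
    # Layout: <i|c>:0<claim type><value type><issuer>|[<original issuer>|]<value>
    #   i = identity claim (who the user is), c = any other claim (group, role, ...)
    #   0 = reserved; '.' as value type = xs:string (the only value type on these slides)
    if (-not ($Encoded -match '^([ic]):0(.)(.)([a-z])\|(.*)$')) {
        throw "Not a claims-encoded string: $Encoded"
    }
    $kind, $typeChar, $valueChar, $issuerChar, $rest = $Matches[1], $Matches[2], $Matches[3], $Matches[4], $Matches[5]
    $original = $null
    if ($issuerChar -eq 'f' -or $issuerChar -eq 't') {
        # Forms and trusted providers carry the provider/issuer name before the value
        $original, $rest = $rest -split '\|', 2
    }
    $claimType = if ($ClaimTypeChars.ContainsKey($typeChar)) { $ClaimTypeChars[$typeChar] } else { "unknown($typeChar)" }
    $issuer    = if ($IssuerChars.ContainsKey($issuerChar))  { $IssuerChars[$issuerChar] }  else { "unknown($issuerChar)" }
    New-Object PSObject -Property @{
        IsIdentity     = ($kind -eq 'i')
        ClaimType      = $claimType
        ValueIsString  = ($valueChar -eq '.')
        Issuer         = $issuer
        OriginalIssuer = $original     # membership provider / token issuer name, or $null
        Value          = $rest
    }
}

function ConvertTo-SPClaimEncoding {
    # Encode a user logon name the way SharePoint stores it. ProviderName is the
    # membership provider (Forms) or the trusted token issuer name; ignored for Windows.
    param(
        [string] $LogonName,
        [ValidateSet('Windows', 'Forms', 'TrustedProvider')] [string] $Issuer,
        [string] $ProviderName
    )
    switch ($Issuer) {
        'Windows'         { "i:0#.w|$LogonName" }
        'Forms'           { "i:0#.f|$ProviderName|$LogonName" }
        'TrustedProvider' { "i:0#.t|$ProviderName|$LogonName" }
    }
}

# The three user shapes from the slide, plus a constructed FBA role and the
# built-in "All Authenticated Users" claim.
foreach ($s in 'i:0#.w|SHRPNT\Administrator',
               'i:0#.f|CustomMembershipProvider|username',
               'i:0#.t|selfsts|test@contoso.com',
               'c:0-.f|CustomRoleProvider|Finance',
               'c:0(.s|true') {
    ConvertFrom-SPClaimEncoding $s | Format-List IsIdentity, ClaimType, Issuer, OriginalIssuer, Value
}

# Build the value the migration slide assigns to portalsuperuseraccount
ConvertTo-SPClaimEncoding -LogonName 'domain\apppool' -Issuer Windows
```

On a farm you do not need the hand-rolled encoder: New-SPClaimsPrincipal -Identity 'domain\user' -IdentityType WindowsSamAccountName followed by .ToEncodedString() produces the string from SharePoint's own encoder, and that is what should feed Get-SPUser -Identity and the web application properties. The decoder is the useful half: it tells you which provider a mystery principal in a permissions list actually came from.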

Claims Behaving Badly

Set the DisplayName property of the SPUser:

    $user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"
    $user.DisplayName = "John Doe"
    $user.Update()

Claims Behaving Badly

Session expiration issues with SAML Claims
▪ Users can come back to the page hours later without having to log in again
▪ SharePoint creates a FedAuth cookie (written to disk) that is not a session cookie by default; switch to an in-memory session cookie that is discarded when the browser closes:

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.UseSessionCookies = $true
    $sts.Update()

▪ Set/update the TokenLifetime property (minutes) on the ADFS relying party trust:

    Set-ADFSRelyingPartyTrust -TargetName "SPS 2010 ADFS" -TokenLifetime 5

Claims Behaving Badly

Continuous redirection to/from the login page
▪ This can happen when the TokenLifetime is less than the LogonTokenCacheExpirationWindow: SharePoint treats a cached token as expired once less than the window remains of its lifetime, so a token whose whole lifetime is shorter than the window is expired on arrival and the user is sent straight back to the login page
▪ The default LogonTokenCacheExpirationWindow in the SharePoint 2010 STS is 10 minutes; set it below the TokenLifetime:

    $sts = Get-SPSecurityTokenServiceConfig
    $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 4)
    $sts.Update()
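The two slides above (FedAuth persistence and the TokenLifetime versus LogonTokenCacheExpirationWindow loop) are easier to reason about as one check. The script below is an added example, not from the deck: it audits UseSessionCookies and LogonTokenCacheExpirationWindow against the token lifetime configured at the identity provider and prints the remediation from the slides. The $sts object at the bottom is constructed to mirror just those two properties of Get-SPSecurityTokenServiceConfig so the script runs off a farm; on a farm, pass the real object instead.

```powershell
# Added example, not from the deck: audit the two SharePoint 2010 STS settings
# these slides change (UseSessionCookies, LogonTokenCacheExpirationWindow)
# against the token lifetime set at the identity provider. The $sts object used
# at the bottom is constructed to mirror just those two properties of
# Get-SPSecurityTokenServiceConfig so the script runs off a farm; on a farm,
# pass the real object instead.

function Test-SPStsSessionConfig {
    param(
        $Sts,                            # object exposing UseSessionCookies and LogonTokenCacheExpirationWindow
        [int] $IdpTokenLifetimeMinutes   # ADFS: Set-ADFSRelyingPartyTrust -TokenLifetime <minutes>
    )
    $findings = @()
    $lifetime = New-TimeSpan -Minutes $IdpTokenLifetimeMinutes
    $window   = [timespan] $Sts.LogonTokenCacheExpirationWindow

    # SharePoint treats a cached logon token as expired once less than
    # LogonTokenCacheExpirationWindow of its lifetime remains. A token whose whole
    # lifetime is shorter than the window is therefore expired on arrival, and the
    # browser bounces between SharePoint and the login page.
    $usable = $lifetime - $window
    if ($usable -le [timespan]::Zero) {
        $suggest = [Math]::Max(1, $IdpTokenLifetimeMinutes - 1)
        $findings += "LOOP: TokenLifetime $IdpTokenLifetimeMinutes min <= LogonTokenCacheExpirationWindow $($window.TotalMinutes) min. " +
                     "Fix: `$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes $suggest); `$sts.Update()  (or raise TokenLifetime at the IdP)"
    } else {
        $findings += "OK: SharePoint sends the browser back to the IdP about every $($usable.TotalMinutes) min; " +
                     "whether users see a prompt depends on the IdP's own sign-in session"
    }

    if (-not $Sts.UseSessionCookies) {
        $findings += "PERSISTENT COOKIE: FedAuth is written to disk and survives browser restarts. " +
                     "Fix: `$sts.UseSessionCookies = `$true; `$sts.Update()  (unless long-lived sign-in is intended)"
    }
    $findings
}

# Constructed stand-in for Get-SPSecurityTokenServiceConfig with the 2010 defaults
$sts = New-Object PSObject -Property @{
    UseSessionCookies               = $false
    LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 10)
}

# The deck's ADFS setting (-TokenLifetime 5) against the default 10-minute window
Test-SPStsSessionConfig -Sts $sts -IdpTokenLifetimeMinutes 5

# After the fixes from these slides (window 4 minutes, session cookies on)
$sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 4
$sts.UseSessionCookies = $true
Test-SPStsSessionConfig -Sts $sts -IdpTokenLifetimeMinutes 5
```

Note the trade-off the check makes visible: with a 5-minute TokenLifetime and a 4-minute window the loop is gone, but SharePoint will send users back to ADFS roughly every minute, so the IdP's own single sign-on session is what keeps that from turning into a prompt.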

Claims Behaving Badly

Go to the login page, enter valid credentials, press the “Log In” button, and… get redirected back to the login page (once)
▪ Check the ULS logs!
▪ Could be the token expiration timeout
▪ Could be something else

Claims Behaving Badly

SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices.COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.
▪ 0x800703FA is “Illegal operation attempted on a registry key that has been marked for deletion”: Windows unloaded the app pool identity’s user profile hive while the STS still needed it
▪ Fix in GPEdit: Computer Configuration > Administrative Templates > System > User Profiles > “Do not forcefully unload the users registry at user logoff” > set to “Enabled”

Claims Recommendations

Stick with Classic Mode Authentication if you are deploying SharePoint into a “simple” Active Directory environment
▪ Particularly if strict security controls are in place that are beyond your control
▪ Especially if you are only migrating from Windows authentication in MOSS
▪ Once you go to Claims, you can’t go back!

Claims Recommendations

If you must use Claims for your Extranet, try to minimize the number of zones/host headers used
▪ The Default zone should be the most secure one

Have a good “troubleshooter’s toolbox”:
▪ ULS Log Viewer
▪ Fiddler
▪ Claims Viewer web part

Thanks for your time!

See me perform at “SharePoint Got Talent” tomorrow night at 8:30!

References & Credits

Shane Young – my hero! http://sharepoint911.com

Plan Authentication Methods (SharePoint Server 2010): http://technet.microsoft.com/en-us/library/cc262350.aspx

A Guide to Claims-Based Identity and Access Control (Microsoft Patterns and Practices): http://claimsid.codeplex.com/

References & Credits (cont.)

Claims Viewer web part: http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32

Fiddler: http://www.fiddler2.com/fiddler2/

SharePoint ULS Log Viewers: http://sharepointlogviewer.codeplex.com/ and http://ulsviewer.codeplex.com/
