claim based authentication in sharepoint 2010 for community day 2011
TRANSCRIPT
Claim Based Authentication in SharePoint 2010
A Developer's Perspective
Joris Poelmans, BIWUG
@jopxtwits, http://jopx.blogspot.com
About Me
• ECM Unit Manager @ RealDolmen
• SharePoint Server MVP
• Blog – http://jopx.blogspot.com
• Twitter – @jopxtwits
• Co-founder BIWUG – www.biwug.be
• Co-author
  – Real World SharePoint 2010 (November 2010, Wrox)
  – Real World SharePoint 2007 (August 2007, Wrox)
  – SharePoint 2007, The Definitive Guide (September 2007, O'Reilly)
http://www.buildwindows.com/
Register today and save $500 before August 1st
Save the date: watch the live stream, join local events by MSDN Belux
Win a ticket today at Community Day!
• Take a picture wearing the BUILD t-shirt.
• Tweet or blog the picture, link to www.buildwindows.com, use tag #bldwin
• Wear the t-shirt and be there for the closing prize draw
Agenda
• Introduction to Claims
• Claims in SharePoint 2010
• Configuring Claims in SharePoint 2010
• Development tasks with Claims
• Trusted Identity Providers
Identity vs Claims
• Identity
  – Set of attributes that describe a user
• Claim
  – Information such as name, e-mail address, group membership, etc.
• User identity as a set of claims
Claims
• Claims carry pieces of information about the user
[Figure: a security token holding a set of claims (Name, Age, Location) together with the issuer's signature]
Claim-based Terminology
• Authentication: act of establishing or confirming something
• Authorization: function of specifying access rights to resources
• Claim: statement about an identity (attribute: Login Name, AD Group, etc.)
• Identity: security principal (end user)
• Identity Provider (IP): provides authentication for identities, confirms that the claims in a token are valid and issues tokens. Can be accessed through an STS.
• Issuer: trusted party that creates claims
• Issuing Authority: issues security tokens knowing the claims desired by the target application
• Security Token: serialized set of claims, digitally signed by the issuing authority (Windows security token or SAML)
• Security Token Service (STS): builds, signs and issues security tokens carrying claims that describe the caller
• Relying Party (RP): application that makes authorization decisions based on claims
• Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
• Windows Identity Foundation (aka Geneva): framework for building claims-based applications and services and for implementing federated security scenarios
• ADFS 2.0 (aka Geneva Server): enterprise Identity Provider that exposes a Security Token Service
Underlying standards
• WS-Federation 1.1
  – Provides the architecture for a clean separation between trust mechanisms, security token formats and the protocols for obtaining tokens
• WS-Trust 1.4
  – How to request and receive security tokens
• SAML Token 1.1
  – XML vocabulary used to represent claims in an interoperable way
Why the move to claims?
• It decouples SharePoint from the authentication provider
• Applications can decide which claims are required and which Identity Provider to trust
• Supports multiple authentication providers for one URL
• Identity can be passed without Kerberos delegation
• It enables federation between organizations
Demo: Claims Viewer Web Part; multi-auth web applications
Multi-auth web applications
Claims Viewer Web Part
Claims Viewer WebPart

```csharp
using Microsoft.IdentityModel.Claims; // WIF claims interfaces

// On a claims-enabled web application Page.User is an IClaimsPrincipal
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
GridView1.DataSource = claimsIdentity.Claims; // ClaimType, Value, ValueType, Issuer, ...
GridView1.DataBind();
```
Encoded Id
Example: i:0#.w|contoso\wbaer
– i = Identity Claim; all other claims use "c" as opposed to "i"
– : = Colon
– 0 = Reserved to support future claims
– #/? = Claim Type encoded value. The out-of-the-box claim types have a hardcoded encoded value, which enables parity across farms.
  – E.g. Key: ? Value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  – Key: # Value: http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
– ./0 = Claim Value Type. The out-of-the-box claim value types have a hardcoded encoded value, which enables parity across farms.
  – E.g. Key: . Value: urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
  – Key: 0 Value: http://www.w3.org/2001/XMLSchema#string
– w/m/r/t/p/s = Original Issuer Type -> w = windows, m = membership, r = role, t = trusted STS, p = personal card, s = local STS claim
Claims in SharePoint 2010: Normalizing Identities
[Figure: every incoming identity is normalized to an SPUser. Classic mode: NT token (Windows identity) -> SPUser. Claims mode: NT token (Windows identity), ASP.NET FBA (SQL, LDAP, custom …) and SAML token (claims-based identity: SAML 1.1 + ADFS, etc.) -> SPUser.]
Claims in SharePoint 2010
• Two important scenarios
  – Incoming claims
  – Outgoing claims
• How do incoming claims work?
  – Identity token created by the external identity STS
  – SharePoint STS creates a claims-based identity
  – SharePoint STS is based on the Claims Provider
  – Incoming claim identity is mapped to an SPUser
  – Authorization of the SPUser works just like it does in SharePoint 2007
Office Applications
• Office client applications now support non-Integrated Windows Authentication
• Office 2007 with Service Pack 2 on
  – Windows XP with Internet Explorer 8
  – Windows Vista with SP2 or optionally with Internet Explorer 8
  – Windows 7
• Office 2010 on
  – Windows XP with Internet Explorer 8
  – Windows Vista with SP2 or optionally with Internet Explorer 8
  – Windows 7
Claim Based Authorization
• Use the claims-enabled people picker to assign authorizations
• Access claims via the IClaimsIdentity interface
• Conditionally display information
  – based on the presence of a claim
  – based on the value of a claim
Demo: Select claims in the People Picker; conditionally display information
Conditionally display information

```csharp
using System.Linq;
using Microsoft.IdentityModel.Claims;
// CLAIM_TYPE holds the URI of the claim that gates the information (defined elsewhere in the web part)
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
string pmClaim = (from c in claimsIdentity.Claims where c.ClaimType == CLAIM_TYPE select c.Value).FirstOrDefault();
// A missing or non-boolean claim means "not authorized"; bool.Parse(null) would throw instead
bool authorized;
bool.TryParse(pmClaim, out authorized);
```
Outgoing Claims
• What identity is used for code on the WFE?
  – By default, code has a claims-based identity
  – Legacy mode can be used for a Windows identity
• What are the scenarios?
  – WFE code calls to application services
  – WFE code calls to external LOB systems
  – WFE code calls to external SharePoint farms
Outgoing Claims
Accessing non-Claims Aware Systems
• SQL Server 2008/2008 R2
  – Denali is claims aware
• Claims to Windows Token Service (C2WTS)
  – Converts claims back to a Windows identity
[Figure: the SharePoint web app and service app obtain their claims identity from the SP STS; C2WTS converts that claims identity to a Windows identity for calls to SQL Server and the LOB application]
C2WTS
• Install on the server hosting the STS service application (part of WIF)
• Runs as Local Service by default (also disabled by default)
  – Dependent on the Crypto Service (must start first; check out KB2512597)
• Read the whitepaper Configure Kerberos Authentication for the C2WTS (SharePoint Server 2010)
Configure / Upgrade FBA sites
• Set up FBA-Claims
  – Create the authentication provider
  – Create a web app, or configure an existing one, to use the authentication provider
  – Add membership / role provider entries to the different web.configs
• Upgrade FBA web applications
  – User must update the web.config(s)
  – Set the web app/zone to FBA-Claims to trigger user migration
Why 3 web.config locations?
• Central admin
  – Needs the references of all providers to enable picking of principals from any provider
• STS web.config (Security Token Service app)
  – Needs the references of all providers in order to
    • Authenticate the user
    • Get the roles of the user (which are converted to claims)
• FBA web application web.config
  – Needs the "system claims membership provider"
    • Automatically configured OOB during install
  – Customer-defined membership / role provider
    • To enable picking of FBA users & roles
Web.config example

```xml
<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="membership" type="LdapMembershipProvider, …"
             server="redmond.corp.microsoft.com" port="389" … />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="MyRoleProv">
      <providers>
        <add name="roleManager" type="LdapRoleProvider, …"
             server="redmond.corp.microsoft.com" … />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```
Upgrade FBA: PowerShell sample

```powershell
$ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
$wa = New-SPWebApplication -Name "My Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "domain\appool" -Url http://servername -Port 80 -AuthenticationProvider $ap
```
• Note: the ApplicationPoolAccount needs to be a managed account on the farm
• Modify the web.config files (Central Admin, Security Token Service, Forms Web App)
Common CBA development tasks
• Creating a claims provider
• Claims providers have two roles
  – Augmentation
    • Add additional claims into the user token
    • SharePoint will authorize over these claims
  – Picking and resolving claims
    • Provides listing, resolve, search and friendly-display functionality for claims in the people picker
Developing custom claims providers: Claims augmentation
• Enables an application to augment additional claims into the user's token
• Custom provider is implemented by inheriting
  – Microsoft.SharePoint.Administration.Claims.SPClaimProvider
  – Use the FillClaimsForEntity method
• Deployment is done by creating a feature and a feature receiver that derives from the Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver class
• MSDN article by Steve Peschka
  – http://msdn.microsoft.com/en-us/library/ff699494.aspx
Developing custom claims providers: Claims picker
• Provides listing, resolve, search and friendly display of claims in the People Picker
• Custom provider is implemented by inheriting
  – Microsoft.SharePoint.Administration.Claims.SPClaimProvider
  – Use the FillHierarchy, FillResolve and FillSearch methods
• Deployment is done by creating a feature and a feature receiver that derives from the Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver class
Demo: Augment claims; resolve claims in the People Picker
FillClaimsForEntity() method
• Parameters
  – Context (URI)
  – Current user (the user id claim, i.e. the entity)
  – Empty list to contain the new claims
• Called once per session
  – Token is passed as a cookie once issued
Entity Values
• Domain user
  – 0#.w|domain\user
• FBA user
  – 0#.f|mbrshipprovidername|user
• Be sure to inspect the entity when filling claims
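Added here as a worked example (not code from the deck or from SharePoint): a Python parser and encoder for the encoded claim format described on the Encoded Id slide, applied to the entity values above so a claims provider can tell a Windows entity from an FBA one before augmenting. The claim-type, value-type and issuer tables hold only the out-of-the-box encodings the deck lists, with "f" (forms) added from the FBA entity example.

```python
"""Parser and encoder for the SharePoint 2010 encoded claim string format
(e.g. the login name "i:0#.w|contoso\\wbaer", or the entity value
"0#.f|mbrshipprovidername|user" passed to FillClaimsForEntity without a prefix)."""
import re
from typing import Dict, Optional

# Out-of-the-box encodings listed on the slides. 'f' (forms) is taken from the
# deck's FBA entity example rather than from its issuer-type list.
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "?": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
}
VALUE_TYPES = {
    ".": "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name",
    "0": "http://www.w3.org/2001/XMLSchema#string",
}
ISSUER_TYPES = {
    "w": "windows", "m": "membership", "r": "role", "t": "trusted STS",
    "p": "personal card", "s": "local STS claim", "f": "forms (FBA)",
}

# [i|c]:  0  <claim type char>  <value type char>  <issuer type char>  |  rest
_ENCODED = re.compile(
    r"^(?:(?P<kind>[ic]):)?0(?P<ctype>[^|])(?P<vtype>[^|])(?P<issuer>[a-z])\|(?P<rest>.+)$"
)


def parse_encoded_claim(encoded: str) -> Dict[str, object]:
    """Split an encoded claim into its fields; raise ValueError on malformed input.
    'provider' is the FBA membership provider or trusted issuer name that sits
    between the issuer type and the value; it is None for Windows identities."""
    m = _ENCODED.match(encoded)
    if not m:
        raise ValueError("not a SharePoint encoded claim: %r" % encoded)
    kind = m.group("kind")
    provider, sep, value = m.group("rest").partition("|")
    if not sep:  # e.g. "w|contoso\\wbaer": no provider segment, only a value
        provider, value = None, provider
    return {
        "is_identity_claim": None if kind is None else kind == "i",
        "claim_type": CLAIM_TYPES.get(m.group("ctype"), m.group("ctype")),
        "value_type": VALUE_TYPES.get(m.group("vtype"), m.group("vtype")),
        "issuer_type": ISSUER_TYPES.get(m.group("issuer"), m.group("issuer")),
        "provider": provider,
        "value": value,
    }


def entity_kind(entity_value: str) -> str:
    """The check a claims provider should make before augmenting: which issuer
    type ("windows", "forms (FBA)", "trusted STS", ...) produced the entity."""
    return parse_encoded_claim(entity_value)["issuer_type"]


def encode_claim(claim_type: str, value_type: str, issuer_type: str, value: str,
                 provider: Optional[str] = None, identity: bool = True) -> str:
    """Inverse of parse_encoded_claim, restricted to the tables above."""
    def key_for(table, name):
        return next(k for k, v in table.items() if v == name)
    head = "0" + key_for(CLAIM_TYPES, claim_type) + key_for(VALUE_TYPES, value_type)
    head += key_for(ISSUER_TYPES, issuer_type) + "|"
    if provider is not None:
        head += provider + "|"
    return ("i:" if identity else "c:") + head + value
```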
SPClaimProvider.CreateClaim()

```csharp
protected SPClaim CreateClaim(string claimType, string value, string valueType)
```
– claimType (String): The type of claim. Examples of claim types include first name, role and email address. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI). For example, the e-mail address claim type is represented as http://schemas.microsoft.com/ws/2008/06/identity/claims/email.
– value (String): The value of the claim. For example, if the claim type is role, a value might be contributor, and if the claim type is first name, a value might be Matt.
– valueType (String): The type of value in the claim. These are all URIs that refer to a string.
ClaimValueTypes

| Name | URI |
|---|---|
| Base64Binary | http://www.w3.org/2001/XMLSchema#base64Binary |
| Boolean | http://www.w3.org/2001/XMLSchema#boolean |
| Date | http://www.w3.org/2001/XMLSchema#date |
| Datetime | http://www.w3.org/2001/XMLSchema#dateTime |
| DaytimeDuration | http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration |
| String | http://www.w3.org/2001/XMLSchema#string |
Trusted Identity Providers
• Active Directory Federation Services (ADFS 2.0)
  – Enables identity across organizational boundaries
  – http://www.microsoft.com/adfs2
• Windows Live ID
  – http://technet.microsoft.com/en-us/library/ff973117.aspx
Trusted Identity Providers (Ctd)
• OpenID
  – Must be "translated" into SAML claims
    • WIF code
    • Pioneering work
      – http://blogs.southworks.net/mwoloski/2009/07/14/openid-ws-fed-protocol-transition-sts/ (Matias Woloski)
      – https://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=34 (Travis Nielsen)
  – Many OpenID providers
    • http://openid.net/get-an-openid/
Summary
• Claims are the way forward for authentication
• Claims enable new scenarios for authentication and authorization
Additional Resources
• Recommended reading
  – Read more on claims-based authentication in the SharePoint Server 2010 IT Professional Evaluation Guide
  – Plan Authentication Methods (SharePoint Server 2010) on TechNet
  – Read the article Configure Forms-based Authentication for a Claims-based Web Application on TechNet (this article also provides some good upgrade material)
  – Configure the Security Token Service on TechNet
  – SharePoint and Claims-based Identity on MSDN
  – A Guide to Claims-Based Identity and Access Control
  – Claims-Based Identity for Windows
  – Claims to Windows Token Service Overview (MSDN)