sharepoint 2010, claims-based identity, facebook, and the cloud
TRANSCRIPT
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
Danny Jessee
SharePoint User Group of Washington, DC – February 9, 2012
Who Am I?
Senior software engineer – Corbin Company
8 years SharePoint development experience
MCPD: SharePoint Developer 2010
MCTS: SharePoint 2010 Configuration
Email: [email protected]
Twitter: @dannyjessee
Blog: http://dannyjessee.com/blog
Agenda
Features of a Secure Application
SharePoint 2010 Authentication Options
Claims Terminology/Technology Overview
Demos
▪ New SharePoint 2010 Web Application
▪ Azure AppFabric ACS Trusted Identity Provider – Facebook
▪ Further integration of Facebook with SharePoint via the Facebook C# SDK (now deprecated)
Features of a Secure Application
Authentication is the process of validating a user’s identity
SharePoint never performs authentication
If the login prompt keeps appearing, think authentication issue!
▪ Unless it’s the dreaded loopback check!
Features of a Secure Application
Authorization is the process of determining the resources, features, etc. to which a user has access
If you see “Access Denied” errors, think authorization issue!
Authentication Options in SharePoint 2010
The single biggest decision of your life!
TechNet guidance: “For new implementations of SharePoint Server 2010, you should consider claims-based authentication.”
Authentication Options in SharePoint 2010
Claims Based Authentication (Tokens)
▪ Windows Authentication: NTLM/Kerberos, Basic
▪ Forms-Based Authentication (ASP.NET Membership provider and Role manager)
▪ Trusted Identity providers
▪ Custom sign-in page
Classic Mode Authentication (“Old School”)
▪ Windows Authentication (NTLM/Kerberos) only
Both map authenticated users to SPUser objects (security principals)
Claims-Based Identity Concepts
What is a claim? A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date
Whose claims do I trust, and which claims affect authorization decisions I make?
Claims-Based Identity Terminology
Token
▪ Serialized set of claims about an authenticated user, digitally signed by the token’s issuer
Identity Provider-Security Token Service (IP-STS)
▪ Validates user credentials
▪ Builds, signs, and issues tokens containing claims
Relying party (RP)
▪ Application that makes authorization decisions based on claims (SharePoint 2010)
The Claims Paradigm
Decoupling of authentication logic from authorization and personalization logic
Applications no longer need to determine who the user is; they receive claims identifying the user
Great for developers who rarely want to work with identity!
Provides a common way for applications to acquire the identity information they need about users
The Claims Paradigm
1. “I’d like to access the budget document.”
2. “Not until you can prove to me that you are in the Finance group.”
3. “Here is my user ID and password.”
4. “Hi, Danny. I see you are in the Finance group. Here is a token you can use.”
5. “I’d like to access the budget document, and here’s proof I have access to it!”
SharePoint 2010
Claims-Based Identity Technologies
WS-Trust, WS-Federation, SAML
▪ Requesting/receiving tokens
▪ XML representation of claims
These “emerging” technologies have been around for a while
▪ Their use in Claims-Based Identity represents a new approach for handling identity in applications
Great potential in corporate environments
▪ Active Directory Federation Services, external LDAP, etc.
Great potential as we move to the cloud
▪ Azure ACS: Facebook, Google, Windows Live ID, etc.
Almost Demo Time!
Claims Viewer Web Part
Visual Web Part Code behind:
http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
```csharp
using Microsoft.IdentityModel.Claims;   // WIF: IClaimsPrincipal, IClaimsIdentity

// Under claims authentication Page.User is a WIF claims principal; bind its claims to the grid.
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
GridView1.DataSource = claimsIdentity.Claims;
Page.DataBind();
```
FBA in SharePoint 2010
Similar to FBA setup for MOSS, with some exceptions:
▪ Authentication provider does not need to be mapped to a separate zone
▪ One additional Web.config to modify: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken
▪ Add entries for connection string, Membership provider, Role manager
▪ Same modifications for Central Admin and web app
Sign-In Page
Allows users to choose how to authenticate when multiple providers are configured (Mixed Authentication)
Custom code opportunity: http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
Demo #1: New SharePoint 2010 Web Application with Claims/FBA
Windows Azure AppFabric Access Control Services (ACS)
Azure AppFabric ACS
Cloud-based service that provides an easy way of authenticating and authorizing users to gain access to web applications
Includes support for Windows Live ID, Google, Yahoo, and Facebook
Includes support for Active Directory Federation Services (AD FS) 2.0
Simple browser-based management portal
$1.99/100k transactions (free until Nov. 30!)
Adding Facebook Support
Three things must be done to add support for Facebook login to SharePoint:
1. Create a Facebook application (https://developers.facebook.com/apps)
2. Configure ACS for Facebook support
▪ Permissions you will request from Facebook users
▪ Relying Party application and Rule Group setup
3. Configure ACS as a Trusted Identity Provider in SharePoint
Demo #2: Create a Facebook Application
Create Facebook Application
Click “Create New App”
Provide Display Name and Namespace
Note App ID and App Secret values
Provide Website URL to ACS
Demo #3: Configure Azure AppFabric ACS for Facebook
Configure ACS IP
From the ACS management portal, add a new Identity Provider
Configure ACS IP
Enter App ID and App Secret values from Facebook application you created earlier
Enter a comma-delimited list of Application Permissions you want to request: https://developers.facebook.com/docs/reference/api/permissions/
In our demo, we will request:
email,user_location,user_hometown,user_website,user_work_history,publish_stream,user_birthday,friends_birthday
Configure ACS IP
Permissions you request will be displayed to the end user the first time they log in
Request the minimum subset of permissions you will need
▪ Users are more likely to reject bigger requests
Configure ACS Rule Group
Generate Rule Group
Named set of claim rules that define which identity claims are passed from identity providers to your relying party application
SharePoint will still need to be configured to make use of these claims
Configure ACS RP
Configure Relying Party application
▪ Provide Name, Realm, and Return URL
▪ Return URL: Realm + /_trust
Configure ACS RP
Choose SAML 1.1 token format
Update Token lifetime to >600 seconds
Select Identity providers and Rule groups
Configure ACS RP
Generate self-signed certificate:
```
C:\Program Files\Microsoft Office Servers\14.0\Tools>MakeCert.exe -r -pe -n "CN=dannyjessee.accesscontrol.windows.net" -sky exchange -ss my
```
Self-signed, exportable, subject key type “exchange,” store in my personal certificate store
Development only! Please use a legitimate certificate in production!
Configure ACS RP
Upload this certificate (.pfx format) as the Token Signing Certificate in ACS
Demo #4: Configure ACS as a SharePoint Trusted Identity Provider
Configuring ACS TIP
New-SPTrustedRootAuthority
▪ Name, Certificate (self-signed .cer made earlier)
New-SPClaimTypeMapping
▪ IncomingClaimType, IncomingClaimTypeDisplayName, LocalClaimType (or SameAsIncoming)
New-SPTrustedIdentityTokenIssuer
▪ Name, Realm, ImportTrustCertificate, ClaimsMappings, SignInUrl, IdentifierClaim
Configuring ACS TIP
Running this PowerShell script will add “Azure ACS v2” to the list of Trusted Identity Providers
Eligible to be added to Claims-based web applications in Central Administration
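Added example, not part of the deck or of the SharePoint product: the three cmdlets above composed into one Management Shell script that registers ACS as the “Azure ACS v2” trusted identity provider. The ACS namespace (taken from the MakeCert CN on the earlier slide), the realm and the certificate path are placeholders to replace; the claim type URIs are the standard WS-Federation ones plus the AccessToken claim ACS v2 emits for Facebook logins.

```powershell
# Added example: register Azure ACS as a Trusted Identity Provider in SharePoint 2010.
# Run from the SharePoint 2010 Management Shell (or load the snap-in as below).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders (assumptions): ACS namespace from the MakeCert CN, RP realm, exported public cert.
$acsNamespace = "dannyjessee"                        # <your ACS namespace>
$realm        = "urn:sharepoint:facebookdemo"        # must equal the Realm set on the ACS Relying Party
$signInUrl    = "https://$acsNamespace.accesscontrol.windows.net/v2/wsfederation"
$certPath     = "C:\certs\acs-token-signing.cer"     # public half of the self-signed Token Signing Certificate

# 1. Trust the token-signing certificate; SharePoint checks every SAML 1.1 token's signature against it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "Azure ACS Token Signing" -Certificate $cert

# 2. Map the incoming claim types SharePoint should keep. Email doubles as the identifier claim,
#    so it must also be one of the claims the ACS Rule Group passes through.
$emailClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaimType `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$nameMap  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" `
    -IncomingClaimTypeDisplayName "Name" -SameAsIncoming
# ACS v2 forwards the Facebook access token as a claim under this URI (the "AccessToken" claim
# the later slides read); mapping it is what makes the Graph API calls possible.
$tokenMap = New-SPClaimTypeMapping -IncomingClaimType "http://www.facebook.com/claims/AccessToken" `
    -IncomingClaimTypeDisplayName "AccessToken" -SameAsIncoming

# 3. Register ACS itself, under the name the Central Administration UI will show.
New-SPTrustedIdentityTokenIssuer -Name "Azure ACS v2" -Description "Azure AppFabric ACS (Facebook)" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $nameMap, $tokenMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailClaimType

# Confirm the issuer exists before selecting it on the web application's Authentication Providers page.
Get-SPTrustedIdentityTokenIssuer -Identity "Azure ACS v2" | Select-Object Name, DefaultProviderRealm, ProviderUri
```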
Demo #5: Logging in with Facebook
Claims Mappings Visualized
All claims whose OriginalIssuer is TrustedProvider:Azure ACS v2
AccessToken is the key to all user data
Facebook C# SDK
https://github.com/facebook/csharp-sdk
Encapsulates calls to the Facebook Graph API: https://developers.facebook.com/docs/reference/api/
▪ Retrieve data about the user and his/her friends
▪ Upload photos/videos, post status messages
▪ Data returned from Facebook in JSON format
▪ Requests to https://graph.facebook.com/... (me/feed, me/friends, me/photos, me/videos)
Deprecated, no longer supported
Configuring Trust
SharePoint maintains its own certificate store where separate trusts must be configured
http://dannyjessee.com/blog/index.php/2011/12/required-trust-relationships-for-the-facebook-c-sdk-in-sharepoint-2010/
Need to upload two certificates into SharePoint (CA > Security > Manage Trust):
▪ DigiCert High Assurance EV Root CA
▪ DigiCert High Assurance CA-3
Demo #6: Cool Custom Code!
A Note About Code Snippets
Code snippets in these slides are not complete
▪ Do not include proper error checking/handling
▪ Do not include RunWithElevatedPrivileges() delegates where appropriate
Please download the code
▪ Do not copy and paste from these slides
▪ I will Tweet the link and update this slide deck to include it
Access Token
Returned in a claim from Facebook
A new AccessToken is issued each login
Our key to all of the data about the logged-in user
Required for all calls to the Facebook Graph API
Two hour lifetime by default
To leverage this token across the site, I store it in the SPWeb.AllProperties property bag:
```csharp
web.AllProperties["fbAccessToken_{loginname}"]
```
AllProperties required for case sensitivity
Update Display Name
Initial display name for the SPUser is in Claims-encoded format (more on this later)
Want to make this more user-friendly
```csharp
// First visit by this identity: the SPUser is created with the claims-encoded
// login name, so replace its display name with the given name from the token.
if (SPContext.Current.Web.CurrentUser == null)
{
    SPUser user = web.EnsureUser("i:" + claimsIdentity.Name);
    user.Name = givenName;
    user.Update();
}
```
Weather Web Part
```csharp
var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
JsonObject location = me["location"] as JsonObject;
myLocation = (string)location["name"];
```
myLocation is in City, State format
Parsed and sent to Weather Underground API: http://api.wunderground.com/api/[key]/geolookup/conditions/forecast/q/[state]/[city].json
Contact List Updater
```csharp
var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
SPList lstContacts = web.Lists["Contacts"];
SPListItem item = lstContacts.Items.Add();
item["First Name"] = (string)me["first_name"];
item["Last Name"] = (string)me["last_name"];
JsonArray work = me["work"] as JsonArray;
// Most recent/current employer stored in work[0]
JsonObject company = work[0] as JsonObject;
JsonObject employer = company["employer"] as JsonObject;
JsonObject position = company["position"] as JsonObject;
item["Company"] = (string)employer["name"];
item["Job Title"] = (string)position["name"];
item.SystemUpdate();
```
Friends’ Birthdays Calendar
```csharp
var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me/friends?fields=name,birthday");
JsonArray friendData = me["data"] as JsonArray;
foreach (JsonObject friend in friendData)
{
    if (friend.ContainsKey("birthday"))
    {
        /* Some users share MM/DD of birthday, others share MM/DD/YYYY.
           We only care about MM/DD for our purposes, and Facebook always pads with leading zeros */
        string birthday = (string)friend["birthday"];
        birthMonth = int.Parse(birthday.Substring(0, 2));
        birthDate = int.Parse(birthday.Substring(3, 2));
        ...
```
Friends’ Birthdays Calendar
```csharp
SPList lstCalendar = web.Lists["Calendar"];
SPListItem birthdayItem = lstCalendar.Items.Add();
birthdayItem["Title"] = name + (name.EndsWith("s") ? "' birthday" : "'s birthday");
birthdayItem["EventDate"] = dtBirthday;
birthdayItem[SPBuiltInFieldId.Duration] = 60 * 60 * 24;
birthdayItem[SPBuiltInFieldId.EventType] = 1;
birthdayItem[SPBuiltInFieldId.fRecurrence] = true;
birthdayItem[SPBuiltInFieldId.fAllDayEvent] = true;
string recurrence = "<recurrence><rule><firstDayOfWeek>su</firstDayOfWeek>" +
    "<repeat><yearly yearFrequency='1' month='" + birthMonth.ToString() + "' day='" + birthDate.ToString() + "' /></repeat>" +
    "<windowEnd>2014-01-01T00:00:00Z</windowEnd></rule></recurrence>";
birthdayItem["RecurrenceData"] = recurrence;
birthdayItem.SystemUpdate();
```
Post a Status Update
```csharp
var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string, object>();
dict.Add("message", "I just posted this from SharePoint!");
dict.Add("link", "http://sugdc.org/");
dict.Add("picture", "http://sugdc.org/Portals/0/sugdcTitle4.jpg");
dict.Add("name", "SUGDC Home Page");
dict.Add("caption", "February 9, 2012");
dict.Add("description", "Come see my presentation about Claims-Based Identity in SharePoint 2010 at SUGDC!");
client.PostAsync("me/feed", dict);
```
Post a Video
```csharp
var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string, object>
{
    { "title", "I know how to post videos to Facebook...from SharePoint!" },
    { "description", "See more at SUGDC Feb. 9, 2012!" },
    { "vid1", new FacebookMediaObject { ContentType = "video/x-flv", FileName = "facebook.flv" }
                  .SetValue(File.ReadAllBytes(@"C:\facebook.flv")) }
};
client.PostAsync("me/videos", dict);
```
Silverlight Webcam Photo
Silverlight application courtesy MossLover
Interfaces with the user’s webcam, saves captured images to document library
Silverlight Webcam Photo
Added event handler to upload to Facebook
```csharp
string contentType = "image/jpeg";
var client = new Facebook.FacebookClient(fbAccessToken);
Dictionary<string, object> dict = new Dictionary<string, object>
{
    { "message", "Uploaded picture from Silverlight webcam image capture in SharePoint!" },
    { "pic1", new FacebookMediaObject { ContentType = contentType, FileName = properties.ListItem.File.Name }
                  .SetValue(properties.ListItem.File.OpenBinary()) }
};
client.PostAsync("me/photos", dict);
```
Thanks for your time!
Backup Slides
Claims “Gotchas”
Claims “Gotchas”
General issues for all Claims implementations
Search crawler requires NTLM in the zone it uses
“People picker” is more of a Claims “expression editor”
▪ Custom code opportunity
User Profiles
▪ LDAP or BCS connection to authentication store
Office client integration (2007 SP2+, 2010)
▪ IE 8+: Trusted Sites
No document previews with FAST Search
Real-Life Testimonial
“After migrating to Claims in SharePoint 2010, most of our users were able to log in some of the time.”
—A less-than-thrilled system administrator
Claims “Gotchas”
Migration from MOSS to SharePoint 2010
Migrate FBA Users
```powershell
$wa = Get-SPWebApplication $WebAppName
$wa.MigrateUsers($true)
```
Portalsuperuser and Portalsuperreader properties need to be updated to reflect Claims-encoded format
```powershell
$wa.Properties["portalsuperuseraccount"] = "i:0#.w|domain\apppool"
$wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domain\apppool"
$wa.Update()
```
Must migrate all providers from MOSS to 2010
▪ i.e., NTLM and FBA if both existed prior to migration
Claims Behaving Badly
“Funky” display of usernames
▪ i:0#.w|SHRPNT\Administrator
▪ i:0#.f|CustomMembershipProvider|username
▪ i:0#.t|selfsts|[email protected]
▪ i: Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider (Web.config)
▪ w, f, t: windows, forms, trusted Identity Provider
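Added example, not from the deck: a PowerShell function that splits a claims-encoded login name of the shape shown above into its issuer type, issuer name and user value, so a script can tell Windows, forms and trusted-provider users apart (for instance when auditing who the portalsuperuser accounts resolve to). The function name, its output fields and the fourth sample name are assumptions; the claim-type and value-type characters are reported but not decoded.

```powershell
# Added example: decode SharePoint 2010 claims-encoded login names.
function ConvertFrom-SPClaimsEncodedName {
    param([Parameter(Mandatory = $true)][string]$EncodedName)

    # Layout, following the slide's examples:  i:0#.w|DOMAIN\user
    #   i        identity claim (c would denote any other claim)
    #   0 #      claim-type and value-type characters (left undecoded here)
    #   .w       original issuer type: w = Windows, f = forms, t = trusted identity provider
    #   |...     for f and t: the issuer (provider) name, then another | and the user value
    $m = [regex]::Match($EncodedName,
        '^(?<kind>[ic]):(?<claimType>.)(?<valueType>.)\.(?<issuerType>[wft])\|(?<rest>.+)$')
    if (-not $m.Success) {
        # Classic-mode or otherwise un-encoded names carry no claims prefix.
        return New-Object PSObject -Property @{
            IsClaimsEncoded = $false; IsIdentityClaim = $false; ClaimTypeChar = $null
            ValueTypeChar = $null; Provider = 'Classic/unknown'; Issuer = $null; Value = $EncodedName
        }
    }

    $issuerType = $m.Groups['issuerType'].Value
    $rest       = $m.Groups['rest'].Value
    if ($issuerType -eq 'w') {
        # Windows: the value follows the issuer type directly.
        $issuer = 'Windows'
        $value  = $rest
    } else {
        # Forms / trusted: issuer name is embedded, separated from the value by the first |.
        $idx = $rest.IndexOf('|')
        if ($idx -ge 0) { $issuer = $rest.Substring(0, $idx); $value = $rest.Substring($idx + 1) }
        else            { $issuer = $rest;                    $value = '' }
    }
    $providerNames = @{ w = 'Windows'; f = 'Forms'; t = 'Trusted identity provider' }

    New-Object PSObject -Property @{
        IsClaimsEncoded = $true
        IsIdentityClaim = ($m.Groups['kind'].Value -eq 'i')
        ClaimTypeChar   = $m.Groups['claimType'].Value
        ValueTypeChar   = $m.Groups['valueType'].Value
        Provider        = $providerNames[$issuerType]
        Issuer          = $issuer
        Value           = $value
    }
}

# Constructed sample input: the slide's three examples (with a placeholder e-mail) plus one classic name.
@(
    'i:0#.w|SHRPNT\Administrator',
    'i:0#.f|CustomMembershipProvider|username',
    'i:0#.t|selfsts|someone@example.com',
    'SHRPNT\Administrator'
) | ForEach-Object { ConvertFrom-SPClaimsEncodedName $_ } |
    Format-Table Provider, Issuer, Value, IsIdentityClaim -AutoSize
```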
Claims Behaving Badly
Set DisplayName property of SPUser
```powershell
$user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"
$user.DisplayName = "John Doe"
$user.Update()
```
Can also be done via SharePoint object model
Claims Behaving Badly
Session expiration issues with SAML Claims
▪ Users can come back to the page hours later without having to log in again
▪ SharePoint creates a FedAuth cookie (written to disk) that is not a Session cookie by default
```powershell
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $true
$sts.Update()
```
Claims Behaving Badly
Continuous redirection to/from login page
This can happen when the TokenLifetime is less than the LogonTokenCacheExpirationWindow
▪ Default LogonTokenCacheExpirationWindow in SharePoint 2010 STS is 10 minutes
▪ Default Token Lifetime in Azure ACS is also 10 minutes
```powershell
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1)
$sts.Update()
```
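Added example, not from the deck: the two STS settings the slides above adjust (UseSessionCookies and LogonTokenCacheExpirationWindow) checked against the token lifetime configured on the ACS relying party, as a pure function that can be run anywhere plus a wrapper that reads the live farm values. Function names, messages and the sample inputs are assumptions.

```powershell
# Added example: flag the two SAML session misconfigurations discussed on the slides.
function Test-ClaimsSessionSettings {
    param(
        [Parameter(Mandatory = $true)][timespan]$LogonTokenCacheExpirationWindow,
        [Parameter(Mandatory = $true)][int]$AcsTokenLifetimeSeconds,
        [Parameter(Mandatory = $true)][bool]$UseSessionCookies
    )
    $findings = @()
    $tokenLifetime = New-TimeSpan -Seconds $AcsTokenLifetimeSeconds

    # Redirect loop: SharePoint treats a token whose remaining lifetime falls inside the cache
    # expiration window as already expired, so a lifetime no longer than the window never
    # satisfies it. The two 10-minute defaults on the slide hit exactly this case.
    if ($tokenLifetime -le $LogonTokenCacheExpirationWindow) {
        $findings += ("Token lifetime ({0} min) is not greater than LogonTokenCacheExpirationWindow ({1} min): " +
                      "expect continuous redirects to the login page.") -f
                      $tokenLifetime.TotalMinutes, $LogonTokenCacheExpirationWindow.TotalMinutes
    }
    # Persistent FedAuth cookie: the user comes back hours later without re-authenticating.
    if (-not $UseSessionCookies) {
        $findings += "UseSessionCookies is false: the FedAuth cookie is written to disk and outlives the browser session."
    }
    return $findings
}

# Wrapper for a live farm (SharePoint 2010 Management Shell); pass the ACS RP token lifetime.
function Test-ClaimsSessionSettingsOnFarm {
    param([Parameter(Mandatory = $true)][int]$AcsTokenLifetimeSeconds)
    $sts = Get-SPSecurityTokenServiceConfig
    Test-ClaimsSessionSettings -LogonTokenCacheExpirationWindow $sts.LogonTokenCacheExpirationWindow `
        -AcsTokenLifetimeSeconds $AcsTokenLifetimeSeconds -UseSessionCookies $sts.UseSessionCookies
}

# Constructed inputs. First: both defaults from the slide (10 minutes each) and the default persistent
# cookie, which yields two findings. Second: the slide's fixes applied (1-minute window, session cookies
# on) together with the recommended >600-second ACS token lifetime, which yields none.
Test-ClaimsSessionSettings -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 10) `
    -AcsTokenLifetimeSeconds 600 -UseSessionCookies $false
Test-ClaimsSessionSettings -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 1) `
    -AcsTokenLifetimeSeconds 900 -UseSessionCookies $true
```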
Claims Behaving Badly
Go to the login page, enter valid credentials, press the “Log In” button, and…get redirected back to the login page (once)
Check the ULS logs!
▪ Could be token expiration timeout
▪ Could be something else
Claims Behaving Badly
```
SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices.COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.
```
GPEdit: Computer Configuration > Administrative Templates > System > User Profiles
▪ Do not forcefully unload the users registry at user logoff > Set to “Enabled”
Claims Recommendations
Claims Recommendations
Stick with Classic Mode Authentication if you are deploying SharePoint into a “simple” Active Directory environment
▪ Particularly if strict security controls are in place that are beyond your control
▪ Especially if you are only migrating from Windows authentication in MOSS
Once you go to Claims, you can’t go back!
Claims Recommendations
If you must use Claims for your Extranet, try to minimize the number of zones/host headers used
▪ Default zone should be most secure
Have a good “troubleshooter’s toolbox”
▪ ULS Log Viewer
▪ Fiddler
▪ Claims Viewer web part
References & Credits
References & Credits
Shane Young – my hero! http://sharepoint911.com
Plan Authentication Methods (SharePoint Server 2010): http://technet.microsoft.com/en-us/library/cc262350.aspx
A Guide to Claims-Based Identity and Access Control (Microsoft Patterns and Practices): http://claimsid.codeplex.com/
References & Credits (cont.)
Writing Claims Providers for SharePoint 2010: http://msdn.microsoft.com/en-us/library/ff699494.aspx
Implementing Claims-Based Authentication with SharePoint Server 2010: http://www.microsoft.com/download/en/details.aspx?id=27569
References & Credits (cont.)
Transparent Login with Mixed Authentication: http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
C# Facebook SDK: http://facebooksdk.codeplex.com
Azure ACS and Facebook: http://msdn.microsoft.com/en-us/library/gg185967.aspx
References & Credits (cont.)
Steve Peschka: http://blogs.technet.com/b/speschka/archive/2010/06/12/migrating-a-web-application-from-windows-classic-to-windows-claims-in-sharepoint-2010.aspx
http://msdn.microsoft.com/en-us/library/hh147183.aspx
Project Server Blog (GREAT tips for migrating to Claims here!!!): http://nearbaseline.com.au/blog/tag/claims/
References & Credits (cont.)
SelfSTS and Vittorio Bertocci: http://archive.msdn.microsoft.com/SelfSTS
http://blogs.msdn.com/b/vbertocci/archive/2010/08/23/selfsts-when-you-need-a-saml-token-now-right-now.aspx
Paul Schaeflein: http://www.schaeflein.net/blog/Lists/Posts/Post.aspx?ID=4
References & Credits (cont.)
Claims Viewer web part: http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
Fiddler: http://www.fiddler2.com/fiddler2/
SharePoint ULS Log Viewers: http://sharepointlogviewer.codeplex.com/ and http://ulsviewer.codeplex.com/
References & Credits (cont.)
Azure ACS Integration: http://blogs.objectsharp.com/cs/blogs/steve/archive/2011/04/21/windows-azure-access-control-services-federation-with-facebook.aspx
http://www.7388.info/index.php/article/studio/2011-07-29/20983.html
Robert Bogue: http://www.sharepointshepherd.com