SharePoint Security and Claims-based Authorization

Upload: clemence-cook

Post on 01-Jan-2016


TRANSCRIPT

Outline

- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities

Security 101

Authentication and Identity
- Authentication creates an identity for a security principal
- Identities are stored in a user accounts repository
- Authentication is performed using credentials
- Authentication produces some form of badge

Authorization and Access Control
- Subsystem used to define security policy
- Privileged users configure ACLs on objects
- Subsystem enforces policy at run time

SharePoint 2007 Authentication

SharePoint relies on external components
- Windows Authentication via Windows Server and IIS
- FBA via ASP.NET and an authentication provider
- Web SSO via Active Directory Federation Services (ADFS)

SharePoint creates profile for external identity

- Tracked per site collection in the User Profile List
- Seen by developers as the SPUser object

SHAREPOINT\System Account

WSS V2 has issues with the AppPool identity

WSS V3 introduced SHAREPOINT\system

- Hides the IIS Application Pool Identity from users
- Runs as "God" within the WSS authorization system
- Removes the need to treat the Application Pool Identity as a site user

WSS Identity vs. Windows Identity

It's important to understand the difference.

[Diagram: a Web Server hosting the Web Application Worker Process. SharePoint content (Pages, Lists & Documents) is authorized using the SharePoint identity. The AdventureWorks Database on SQL Server and an XML file on the local file system are authorized using the Windows identity.]

Elevation of Privileges

Code typically runs under the identity of the current user
- Authorization works as expected in SharePoint
- Sometimes code must do things the current user cannot do

Custom code can elevate privileges
- Advantage: elevated code can do anything
- Disadvantage: elevated code can do anything

SPSite and Elevated Privileges

Accessing sites with WSS objects is tricky

Must create a new SPSite object after elevating
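The pattern behind the last two bullets, as an added example that is not from the slides: a hypothetical helper using the server object model's SPSecurity.RunWithElevatedPrivileges; the list title and the idea of capturing IDs before elevating are assumptions for illustration.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical helper (not from the slides): counts items in a list that the
// current user may not be allowed to read, keeping the elevated scope minimal.
public static class ElevatedListReader
{
    public static int CountItemsElevated(string listTitle)
    {
        // Capture identifiers OUTSIDE the elevated block. SPContext objects are
        // bound to the calling user's identity and must not be reused inside it.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        int count = 0;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Reusing SPContext.Current.Site here would still be authorized as
            // the original user: that SPSite was created before the identity
            // switch. A fresh SPSite inside the delegate is opened under the
            // application pool identity (SHAREPOINT\system in WSS terms).
            using (SPSite elevatedSite = new SPSite(siteId))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb(webId))
            {
                SPList list = elevatedWeb.Lists.TryGetList(listTitle);
                if (list != null)
                {
                    count = list.ItemCount;
                }
            }
            // "Elevated code can do anything": keep this block short and do not
            // let user-controlled input decide which operations run in here.
        });

        return count;
    }
}
```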

Securable Objects

- Each site collection is a hierarchy
- Each object may have its own ACL
- An object without an ACL relies on its parent
- The top-level site is the top-level object in the hierarchy

Securable Objects OM

- SPUser represents an external security principal
- SPGroup is an internal SharePoint group

[Diagram: Securable Objects object model. Rights (N) are bundled into a Role Definition; a Role Assignment binds one Role Definition to one principal (SP Group or SP User) on one Resource; an SP Group contains N SP Users. Labelled "AuthZ".]

Outline

- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities

SharePoint 2010 Security

SharePoint 2010 radically changes authentication

- WSS moves to a claims-based security model
- SharePoint 12-style security is now considered legacy mode

Why?
- It decouples WSS from the authentication provider
- Supports multiple authentication providers for one URL
- Identity can be passed without Kerberos delegation
- It enables federation between organizations
- ACLs can be configured with DLs, Audiences and Orgs
- The PeoplePicker control understands claims

Claim-based Terminology

- Identity: security principal used to configure security policy
- Claim: attribute of an identity (Login Name, AD Group, etc.)
- Issuer: trusted party that creates claims
- Security Token: serialized set of claims, digitally signed by the issuing authority (Windows security token or SAML)
- Issuing Authority: issues security tokens containing the claims desired by the target application
- Security Token Service (STS): builds, signs and issues security tokens
- Relying Party: application that makes authorization decisions based on claims

Claims-based Scenarios

- Active Client - Smart Client App
- Passive Client - Browser

Claims in SharePoint 2010

Two important scenarios
- Incoming claims
- Outgoing claims

How do incoming claims work?
- Identity token is created by the external identity STS
- SharePoint STS creates a claims-based identity
- SharePoint STS is based on a Claims Provider
- Incoming claims identity is mapped to an SPUser
- Authorization of the SPUser works just like it does in SharePoint 2007

Outgoing Claims

What identity is used for code on WFE?

- By default, code has a claims-based identity
- Legacy mode can be used for a Windows identity

What are the scenarios?
- WFE code calls application services
- WFE code calls external LOB systems
- WFE code calls external SharePoint farms

Outline

- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities

Admin UX (Configure AuthN)

Outline

- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities

Securable Objects OM

[Diagram: the same Securable Objects object model as before (Rights, Role Definition, Role Assignment, SP Group, SP User, Resource, labelled "AuthZ"), now showing the principals that can be assigned:]
- Windows User
- FBA User
- Live ID
- Contoso User (Federated user)
- AD Security Group
- DL
- Audiences
- Org
- App claims
- Roles
- Claims

Development Opportunities

Same as in SharePoint 2007
- Write code that creates groups
- Write code that assigns permissions

New to SharePoint 2010
- Create a custom claims provider
- Create an identity transformation service with Geneva Server
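Creating a group and assigning permissions through the Securable Objects OM described earlier (role definition, role assignment, principal, ACL inheritance), as an added example that is not from the slides: a hypothetical helper on the SharePoint server object model; the group name, list title and claims-style login name are constructed values.

```csharp
using System;
using Microsoft.SharePoint;

// Hypothetical helper (not from the slides): gives one SharePoint group
// read-only access to a single list, with its own ACL instead of the parent's.
public static class ListPermissionSetup
{
    public static void GrantReadOnlyToNewGroup(SPWeb web, string listTitle,
                                               string groupName, string memberLogin)
    {
        SPList list = web.Lists[listTitle];

        // An object without its own ACL relies on its parent. Break inheritance
        // once, without copying the parent's assignments, so the list starts
        // from an empty ACL and only the grant below applies.
        if (!list.HasUniqueRoleAssignments)
        {
            list.BreakRoleInheritance(false);
        }

        // SPGroup is an internal SharePoint principal; the group indexer throws
        // if the name is absent, so look it up by iterating instead.
        SPGroup group = null;
        foreach (SPGroup g in web.SiteGroups)
        {
            if (string.Equals(g.Name, groupName, StringComparison.OrdinalIgnoreCase))
            {
                group = g;
            }
        }
        if (group == null)
        {
            web.SiteGroups.Add(groupName, web.CurrentUser, web.CurrentUser,
                               "Read-only access to " + listTitle);
            group = web.SiteGroups[groupName];
        }

        // EnsureUser maps an external identity to an SPUser for this site
        // collection. Constructed claims-style Windows login: i:0#.w|contoso\alice
        SPUser member = web.EnsureUser(memberLogin);
        group.AddUser(member);

        // Role definition = named bundle of rights; role assignment = binding of
        // that definition to one principal on one securable object (the list).
        SPRoleDefinition reader = web.RoleDefinitions.GetByType(SPRoleType.Reader);
        SPRoleAssignment assignment = new SPRoleAssignment(group);
        assignment.RoleDefinitionBindings.Add(reader);
        list.RoleAssignments.Add(assignment);
    }
}
```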

Summary

- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities