SharePoint Security Fundamentals, Introduction to Claims-based Security, Configuring Claims-based...
TRANSCRIPT
Outline
SharePoint Security Fundamentals
Introduction to Claims-based Security
Configuring Claims-based Security
Development Opportunities
Security 101
Authentication and Identity
Authentication creates identity for security principal
Identities stored in user accounts repository
Authentication performed using credentials
Authentication produces some form of badge
Authorization and Access Control
Subsystem used to define security policy
Privileged users configure ACLs on objects
Subsystem enforces policy at run time
SharePoint 2007 Authentication
SharePoint relies on external components
Windows Authentication via Windows Server and IIS
FBA via ASP.NET and authentication provider
Web SSO via Active Directory Federation Services (ADFS)
SharePoint creates profile for external identity
Tracked per site collection in User Profile List
Seen by developers as SPUser object
SHAREPOINT\System Account
WSS V2 has issues with AppPool Identity
WSS V3 introduced SHAREPOINT\system
Hides IIS Application Pool Identity from users
Runs as God within WSS authorization system
Removes need to treat Application Pool Identity as site user
WSS Identity vs. Windows Identity
It’s important to understand the difference
[Diagram: the Web Application Worker Process on the Web Server accesses SharePoint content (Pages, Lists & Documents), authorized using the SharePoint identity, and external resources (AdventureWorks Database on SQL Server, XML File on the local file system), authorized using the Windows identity.]
Elevation of Privileges
Code typically runs under identity of user
Authorization works as expected in SharePoint
Sometimes code must do things the current user cannot do
Custom code can elevate privilege
Advantage: elevated code can do anything
Disadvantage: elevated code can do anything
SPSite and Elevated Privileges
Accessing sites through the WSS object model is tricky
Must create a new SPSite object after elevating
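As an added example (not code from the slides), the elevation pattern described above in C# against the SharePoint server object model. It assumes the code runs inside a page or web part request (SPContext.Current is set) and that the current web has a list named "Feedback" with a text column "SubmittedBy"; both names are assumptions for the example.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: write to a list the calling user cannot write to, keeping the
// elevated window as small as possible and creating a fresh SPSite inside it.
public static class FeedbackWriter
{
    public static void Submit(string text)
    {
        // Capture everything the elevated code needs BEFORE elevating.
        // SPContext.Current.Site/Web were opened as the calling user; any object
        // reached through them keeps that identity even inside the elevated
        // delegate, which is why a new SPSite must be created after elevating.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        string submittedBy = SPContext.Current.Web.CurrentUser.LoginName;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // A new SPSite created here runs as SHAREPOINT\system.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                // Updates during a GET request require AllowUnsafeUpdates;
                // scope it tightly and always reset it.
                web.AllowUnsafeUpdates = true;
                try
                {
                    // "Feedback" list and "SubmittedBy" column are assumed.
                    SPListItem item = web.Lists["Feedback"].Items.Add();
                    item["Title"] = text;
                    // Record the real submitter: the item's author is otherwise
                    // the elevated system account, which hides who acted.
                    item["SubmittedBy"] = submittedBy;
                    item.Update();
                }
                finally
                {
                    web.AllowUnsafeUpdates = false;
                }
            }
        });
        // Nothing obtained inside the delegate is returned to the caller, so
        // the elevated objects cannot leak into the user's code path.
    }
}
```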
Securable Objects
Each site collection is a hierarchy
Each object may have its own ACL
Object without ACL relies on parent
Top-level site is top-level object in hierarchy
Securable Objects OM
SPUser represents external security principal
SPGroup is internal SharePoint group
[Diagram: Securable Objects OM relationship figure with the boxes Rights, Role Definition, Role Assignment, SP Group, SP User and Resource (AuthZ): a Role Assignment binds an SP User or SP Group to a Role Definition on a Resource, and a Role Definition is a named set of Rights.]
Outline
SharePoint Security Fundamentals
Introduction to Claims-based Security
Configuring Claims-based Security
Development Opportunities
SharePoint 2010 Security
SharePoint 2010 radically changes authentication
WSS moves to claims-based security model
SharePoint 12 style now considered legacy mode
Why?
It decouples WSS from authentication provider
Supports multiple authentication providers for one URL
Identity can be passed without Kerberos delegation
It enables federation between organizations
ACLs configured with DLs, Audiences and Orgs
PeoplePicker control understands claims
Claims-based Terminology
Identity: security principal used to configure security policy
Claim: attribute of an identity (Login Name, AD Group, etc.)
Issuer: trusted party that creates claims
Security Token: serialized set of claims, digitally signed by the issuing authority (Windows security token or SAML)
Issuing Authority: issues security tokens knowing the claims desired by the target application
Security Token Service (STS): builds, signs and issues security tokens
Relying Party: application that makes authorization decisions based on claims
Claims in SharePoint 2010
Two important scenarios
Incoming claims
Outgoing claims
How do incoming claims work?
Identity token created by external identity STS
SharePoint STS creates claims-based identity
SharePoint STS based on Claims Provider
Incoming claim identity is mapped to SPUser
Authorization of SPUser just like it is in SharePoint 2007
Outgoing Claims
What identity is used for code on WFE?
By default, code has claims-based identity
Legacy mode can be used for Windows identity
What are the scenarios?
WFE code calls to application services
WFE code calls to external LOB systems
WFE code calls to external SharePoint farms
Outline
SharePoint Security Fundamentals
Introduction to Claims-based Security
Configuring Claims-based Security
Development Opportunities
[Diagram: Principals assigned to Roles through Claims. Principals shown: Windows User, FBA User, Live ID, Contoso User (Federated user), AD Security Group, DL, Audiences, Org, App claims.]
Development Opportunities
Same as in SharePoint 2007
Write code that creates groups
Write code that assigns permissions
New to SharePoint 2010
Create a custom claims provider
Create an identity transformation service with Geneva Server