Post on 04-Jan-2016
Security Design with Claims-Based Authentication
Israel Vega, Nathan Miller
OSP431
Session Objectives and Takeaways

Session objective(s):
• Quick review of claims-based authentication with SharePoint and Azure
• Discuss common claims-based security scenarios

Assumptions:
• You understand claims, SAML and authentication protocols
• You have set up claims-based authentication with SharePoint
• You understand ADFS and general identity federation
• Bonus: you have built a SharePoint CCP
Agenda and Demos

• Quick level-set of SharePoint claims and federation
• Common scenario
  Demo: Authenticate AD users via ADFS (ADFS/AD CCP)
• Migrate from classic to claims
  Code: Migrate a web application from classic to claims
• Fun with claims
  Demo: Temporary file sharing (TempShare CCP)
  Demo: Profile claims (Profile Claims CCP)

Along the way:
• General CCP and planning guidance
• General tips and tricks
Securing with Claims & Getting Claimed

[Slide diagram: "SharePoint Federation Gateway". Incoming claims come IN and are augmented ("Getting Claimed"); transformation and augmentation produce the mapped claims that go OUT into SP security ("Securing with Claims"), where each rule is expressed as ClaimType = Value.]
Must Answer Questions for Planning

1. How will users be authenticated?
2. How will users be authorized?
3. Who will manage user accounts and provisioning?
4. Is the ID enough for AuthZ or do I need more information?
5. Are multiple IDs per user allowed?
6. Do I really need a CCP and if so, which features?
7. Do I really need a custom STS?
Fundamental Principles of SharePoint and Claims

• If you don't have it at authentication time, you can't use it for authorization
• Know the difference between incoming claims vs. mapped claims
• User identity is determined by the authentication method (by default)
• Public federation is not the same as private federation
• SP claim security rules are evaluated as "OR", not "AND"

Key Point: Federation relationships are based on trust
What is a SharePoint Trusted Identity Token Issuer?

[Slide diagram: a Trusted Identity Token Issuer next to a Claims Provider; the issuer handles Login and holds the Claims Mappings shown below.]

Claims Mappings

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://.../upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://.../nameidentifier" -IncomingClaimTypeDisplayName "NameId" -MappedClaimType "http://.../username"
…
$spTIp = New-SPTrustedIdentityTokenIssuer -Name "NAME" -Description "DESC" -Realm "REALM" -ClaimsMappings $map1 …
What Do I Get With a Custom Claim Provider (CCP)?

[Slide diagram: the Trusted Identity Token Issuer provides Login and Claims Mappings; the Custom Claim Provider adds Claims Search, Claims Resolve and Claims Augmentation, which feed the SP Identity and the People Picker.]
How Does it Fit Together?

[Slide diagram: the Trusted Identity Token Issuer hands the incoming mapped claims, as encoded claims, to the Claim Providers: a Custom CCP, the OOTB Active Directory provider, and SharePoint itself (*).]
Associating a CCP to a Zone

$webAppUrl = ""
$webAppZone = ""
$claimProviderName = ""

write-host "Getting the web application urls to configure"
$altUrls = Get-SPAlternateURL
write-host "Getting the claim provider"
$claimProvider = Get-SPClaimProvider -Identity $claimProviderName

foreach ($altUrl in $altUrls)
{
    # Match on both the zone and the web application URL; the slide only
    # compared the zone, which registers the provider on every web app
    # that has an alternate URL in that zone
    if ($altUrl.Zone -eq $webAppZone -and
        $altUrl.PublicUrl.TrimEnd('/') -eq $webAppUrl.TrimEnd('/'))
    {
        $wa = Get-SPWebApplication $altUrl.PublicUrl
        write-host "Registering claim provider [$claimProviderName] for [$webAppUrl] on the zone [$webAppZone]"
        $waIISSettings = $wa.GetIisSettingsWithFallback($webAppZone)
        $waIISSettings.ClaimsProviders.Add($claimProvider)
        $wa.Update()
    }
}

Callout: the claim providers are stored as a collection with the other SP web app settings for the zone.
A Bit About Claims Encoding

• Farm specific
• Custom claim type encoding starts at Unicode 500
• Immutable list: once mapped, cannot un-map
• Values are evaluated in lower case
Claim Encodings

DisplayName             MappedClaimType                               Encoded String
Authentication method   http://.../authenticationmethod               c:0ǹ.t|testadfs|authentication method
E-Mail Address          http://schemas.xmlsoap.org/.../emailaddress   c:05.t|testadfs|e-mail address
Primary SID             http://schemas.microsoft.com.../primarysid    c:0).t|testadfs|primary sid
Windows account name    http://.../windowsaccountname                 c:0ǻ.t|testadfs|windows account name

Slide callouts: the claim-type characters ǹ and ǻ are custom claim types (the slide labels them ASCII decimal codes 504 and 507); '5' and ')' are reserved claim types (see the list below).
Reserved Claim Types and Identifiers

'!'  = SPClaimTypes.IdentityProvider
'"'  = SPClaimTypes.UserIdentifier
'#'  = SPClaimTypes.UserLogonName
'$'  = SPClaimTypes.DistributionListClaimType
'%'  = SPClaimTypes.FarmId
'&'  = "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitysid"
'\'' = "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitylogonname"
'('  = SPClaimTypes.IsAuthenticated
')'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
'*'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid"
'+'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
'-'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
'.'  = ClaimTypes.Anonymous
'/'  = ClaimTypes.Authentication
'0'  = ClaimTypes.AuthorizationDecision
'1'  = ClaimTypes.Country
'2'  = ClaimTypes.DateOfBirth
'3'  = ClaimTypes.DenyOnlySid
'4'  = ClaimTypes.Dns
'5'  = ClaimTypes.Email
'6'  = ClaimTypes.Gender
'7'  = ClaimTypes.GivenName
'8'  = ClaimTypes.Hash
'9'  = ClaimTypes.HomePhone
'<'  = ClaimTypes.Locality
'='  = ClaimTypes.MobilePhone
'>'  = ClaimTypes.Name
'?'  = ClaimTypes.NameIdentifier
'@'  = ClaimTypes.OtherPhone
'['  = ClaimTypes.PostalCode
'\\' = ClaimTypes.PPID
']'  = ClaimTypes.Rsa
'^'  = ClaimTypes.Sid
'_'  = ClaimTypes.Spn
'`'  = ClaimTypes.StateOrProvince
'a'  = ClaimTypes.StreetAddress
'b'  = ClaimTypes.Surname
'c'  = ClaimTypes.System
'd'  = ClaimTypes.Thumbprint
'e'  = ClaimTypes.Upn
'f'  = ClaimTypes.Uri
'g'  = ClaimTypes.Webpage
'h'  = SPClaimTypes.ProviderUserKey
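As an added example (not code from the session or from SharePoint), the following Python decodes and re-encodes encoded claim strings of the shape shown in the Claim Encodings table, and applies "ClaimType = Value" rules the way the principles slide describes (OR-ed, values compared in lower case). Assumptions, marked in the code: the issuer letters 't', 'f' and 'c' carry an issuer name while 'w' and 's' do not, the '.' after the claim-type character is the string value type, and the hypothetical grants_access() stands in for SharePoint's own rule evaluation.

```python
# Added example, not the session's or SharePoint's code: decode/encode strings
# like "c:05.t|testadfs|e-mail address" and "i:0#.w|DOMAIN\ADMIN", then evaluate
# "ClaimType = Value" rules as OR with lower-case comparison, per the slides.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Subset of the reserved claim-type characters listed on the slide.
RESERVED = {
    "#": "SPClaimTypes.UserLogonName",
    "5": "ClaimTypes.Email",
    "e": "ClaimTypes.Upn",
    ")": "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
CUSTOM_BASE = 500  # custom (farm-specific) claim types are encoded from code point 500 up
# Assumed issuer letters: 't' trusted provider, 'f' forms and 'c' claim provider carry an
# issuer name after the first '|'; 'w' (Windows) and 's' (STS) do not.
NAMED_ISSUERS = {"t", "f", "c"}

@dataclass(frozen=True)
class Claim:
    is_identity: bool           # 'i' = the user's identity claim, 'c' = any other claim
    type_char: str              # the single claim-type character after the leading '0'
    issuer: str                 # original issuer letter, e.g. 't' or 'w'
    issuer_name: Optional[str]  # e.g. the trusted provider name "testadfs"
    value: str

    @property
    def claim_type(self) -> str:
        if ord(self.type_char) >= CUSTOM_BASE:
            return f"custom:{ord(self.type_char)}"
        return RESERVED.get(self.type_char, f"reserved:{self.type_char}")

def decode(encoded: str) -> Claim:
    """Parse '<i|c>:0<type><valuetype>.<issuer>|[<issuername>|]<value>' ('.' = string, assumed)."""
    kind, _, rest = encoded.partition(":")
    if kind not in ("i", "c") or len(rest) < 5 or rest[0] != "0" or rest[4] != "|":
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    type_char, issuer, tail = rest[1], rest[3], rest[5:]
    issuer_name = None
    if issuer in NAMED_ISSUERS:
        issuer_name, _, tail = tail.partition("|")  # value may itself contain '|'
    return Claim(kind == "i", type_char, issuer, issuer_name, tail)

def encode(c: Claim) -> str:
    """Inverse of decode(): the string form ToEncodedString() yields for such a claim."""
    name = f"{c.issuer_name}|" if c.issuer in NAMED_ISSUERS else ""
    return f"{'i' if c.is_identity else 'c'}:0{c.type_char}.{c.issuer}|{name}{c.value}"

def grants_access(user_claims: Iterable[Claim], rules: Iterable[Tuple[str, str]]) -> bool:
    """Hypothetical rule check: (type_char, value) rules; any one match grants (OR, not AND)."""
    wanted = {(t, v.lower()) for t, v in rules}
    return any((c.type_char, c.value.lower()) in wanted for c in user_claims)
```

Because the check is OR-ed and case-insensitive, a rule list that mixes an e-mail rule with a group SID rule admits anyone holding either claim, which is the behaviour the principles slide warns about.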
The Scenario - ADFS AD Claim Provider

• Use Active Directory to maintain user accounts but use ADFS to authenticate
• Need to search and resolve users just like native SharePoint
• Must work across forests
• Need to integrate with external partners using public and private federation
• Need to block access to external users for certain data

Building blocks: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation
Recipe – ADFS AD Claim Provider

• 1 Custom Claim Provider
• 1 Secure Store
• 2 Active Directories
• 2 SharePoint Sites
• 1 ADFS

[Slide diagram: an internal AD and an external AD sit behind ADFS (the Trusted Provider); the Claim Provider uses the Secure Store and serves the SharePoint People Picker; SharePoint holds "Secret Data" and "Super Secret Data".]
Demo: ADFS/AD Claim Provider
Nephophobia (cloud fear, cloud phobia, fear of clouds, phobia of clouds)
The Scenario – Claims Migration

• Existing SP 2007 or 2010 site is classic or FBA
• Moving to SAML with a custom CCP

[Slide matrix: From/To across Classic, Windows Claims, FBA and SAML Claims. The legend marks which transitions require IMigrateUserCallBack; three cells are tagged "Today's talk" (the code that follows covers classic to Windows claims, classic to SAML claims, and Windows claims to SAML claims).]
Code Snippets
The penguin is the only bird who can swim, but cannot fly
Claims Migration Scenarios
Migrating from Classic to Windows Claims

$webAppUrl = "http://yourWebAppUrl"
$adminAccount = "DOMAIN\ADMIN"

# Get the web application and switch the Default zone to Windows claims
$wa = Get-SPWebApplication $webAppUrl
Set-SPWebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default

# Re-get the web application and create an admin claim for myself
# (the slide used -IdentityType 1; the named value is the one used later in the deck)
$wa = Get-SPWebApplication $webAppUrl
$adminClaim = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$adminClaimString = $adminClaim.ToEncodedString()

# Add the admin account to the web application policy: let me in after the migration
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($adminClaimString, "Admin Policy")
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()

# Re-get the web application
$wa = Get-SPWebApplication $webAppUrl

# Do the migration
$wa.MigrateUsers($true)
Recipe – Custom Claims Migration

• 1 Custom Claim Provider (if SAML)
• 1 Custom Class: IMigrateUserCallBack
• 2 SharePoint Web Apps
• 1 Classic Content DB
• Time and Patience

[Slide diagram: the Classic Web App with its Classic Content DB, a Temporary ("DUMMY") Web App, and the Permanent ("REAL") Web App with the Migrated Content DB. Steps:]
1) Copy the classic content DB
2) Mount it to the "DUMMY" (temporary) web app
3) Migrate with IMigrateUserCallback
4) Copy the migrated DB
5) Mount it to the "REAL" (permanent) web app
Migrating from Classic to SAML Claims… see other slide - OMITTED

# Migrate the web application
# Pass the fully qualified assembly reference of the IMigrateUserCallback implementation
$wa.MigrateUsers($IMigrateUsersCallBackAssembly)

Do the migration, but pass the assembly reference
Migrating User Accounts Using IMigrateUserCallBack

using …
using System.Security.Principal;   // for SecurityIdentifier, used by the helper on the next slide
using Microsoft.SharePoint.Administration.Claims;

public class SAMLMigrationCallback : IMigrateUserCallback
{
    // Called for each user account being migrated
    public string ConvertFromOldUser(string previousUserAccount,
        SPWebApplication.AuthenticationMethod previousAuthType, bool isGroup)
    {
        string newUserId = previousUserAccount;
        SPClaim migratedUserClaim = null;
        switch (previousAuthType)
        {
            case SPWebApplication.AuthenticationMethod.Windows:
                migratedUserClaim = evalClassicToClaimsAccount(previousUserAccount, isGroup);
                break;
            case SPWebApplication.AuthenticationMethod.Claims:
                migratedUserClaim = evalWindowsClaimToClaimsAccount(previousUserAccount, isGroup);
                break;
            case SPWebApplication.AuthenticationMethod.Forms:
                // code for converting from Forms would be here
                break;
        }
        // Anything left null keeps its old account string (i.e. is not migrated)
        if (migratedUserClaim != null)
        {
            newUserId = migratedUserClaim.ToEncodedString();
        }
        return newUserId;
    }

    // Helper functions (filled in on the following slides)
    SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        return migratedClaim;
    }

    SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        // migrating from Windows claims to SAML claims
        return migratedClaim;
    }
}
Migrating From Classic to SAML Claims

SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
{
    SPClaim migratedClaim = null;
    SecurityIdentifier curSid = new SecurityIdentifier(previousUserAccount);
    // Check the SID and make sure it is not a system type SID, see http://support.microsoft.com/kb/243330
    // DO NOT MIGRATE NT AUTHORITY\Authenticated Users or LOCAL SYSTEM
    if (curSid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid) ||
        curSid.IsWellKnown(WellKnownSidType.LocalSystemSid))
    {
        return migratedClaim;
    }
    // Resolve the SID to a name once, for both branches (the slide declared this
    // inside the group branch and then used it in the user branch, which does not compile).
    // translateSidToName, generateGroupSidClaimFromNtId and generateUserIdClaimFromNtId
    // are helpers referenced on the slide but not shown.
    string oldNtId = translateSidToName(previousUserAccount);
    if (isGroup)
    {
        if (oldNtId != null)
        {
            // Migrate groups. Group SIDs vs names?? (the slide leaves this open)
            migratedClaim = generateGroupSidClaimFromNtId(previousUserAccount);
        }
    }
    else
    {
        migratedClaim = generateUserIdClaimFromNtId(oldNtId);
    }
    return migratedClaim;
}
Migrating From Windows Claims to SAML

SPClaimProviderManager _cpm = SPClaimProviderManager.Local;  // not on the slide: the manager used below
enum SourceAccountType { WindowsClaim }                       // not on the slide: only the member the slide uses

SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
{
    SPClaim migratedClaim = null;
    // Migrating from Windows claims to SAML claims: create a claim from the identifier
    // so we can see if the original issuer came from Windows
    SPClaim idClaim = _cpm.ConvertIdentifierToClaim(previousUserAccount, SPIdentifierTypes.EncodedClaim);

    // This is a Windows claims user, and we are going to convert to a SAML claims user ID format
    if (SPOriginalIssuers.IsIssuerType(SPOriginalIssuerType.Windows, idClaim.OriginalIssuer))
    {
        // Windows claims users will be in the format domain\user; Windows claims groups will be in the SID format
        if (idClaim.ClaimType.Equals(SPClaimTypes.UserLogonName))
        {
            migratedClaim = generateSAMLClaimFromNtId(idClaim.Value, SourceAccountType.WindowsClaim);
        }
        else if (idClaim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid))
        {
            // Group SID or Group Name???
            migratedClaim = generateSAMLGroupClaim(idClaim.Value, SourceAccountType.WindowsClaim);
        }
    }
    return migratedClaim;
}

// Helper functions (signatures aligned with the calls above)
SPClaim generateSAMLClaimFromNtId(string winClaimId, SourceAccountType source)
{
    SPClaim migratedClaim = null;
    // Create the proper SAML ID claim for the old Windows claim user
    return migratedClaim;
}

SPClaim generateSAMLGroupClaim(string groupClaim, SourceAccountType source)
{
    SPClaim migratedClaim = null;
    // Create the proper SAML ID group claim for the old Windows claim group
    return migratedClaim;
}
Migration Notes

• IMigrateUser: some accounts should not be migrated (Local System)
• Some accounts should be migrated to anonymous
• Must reconfigure the super user and search post migration
• Log on as PortalSuperUser and PortalSuperReader at least once

Configuring the Publishing Cache Accounts

• For Windows and SAML claims, this must be configured for publishing sites
• Set the portalsuperuseraccount and portalsuperreaderaccount web application properties
• Also configure the web app policy
Setting the Portal Super * Accounts

$PortalSuperReader = "domain\portalsuperreader"
$PortalSuperUser = "domain\portalsuperuser"

$wa = Get-SPWebApplication -Identity "<<web app URL>>"

# Encoded Windows claim (User Logon Name)
$PortalSuperUserClaim = New-SPClaimsPrincipal -Identity $PortalSuperUser -IdentityType WindowsSamAccountName
$PortalSuperUserClaim.ToEncodedString()
$wa.Properties["portalsuperuseraccount"] = $PortalSuperUserClaim.ToEncodedString()

$PortalSuperReaderClaim = New-SPClaimsPrincipal -Identity $PortalSuperReader -IdentityType WindowsSamAccountName
$PortalSuperReaderClaim.ToEncodedString()
$wa.Properties["portalsuperreaderaccount"] = $PortalSuperReaderClaim.ToEncodedString()

# Set the web application policies
$SRpolicy = $wa.Policies.Add($PortalSuperReaderClaim.ToEncodedString(), "PortalSuperReader")
$SRpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullRead"))
$SUpolicy = $wa.Policies.Add($PortalSuperUserClaim.ToEncodedString(), "PortalSuperUser")
$SUpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))

# Update the web app
$wa.Update()

# IISReset
iisreset
Fun with Claims
Reindeers like to eat bananas
The value of Claims Based AuthN and AuthZ
The Scenario – Profile Claims

• Wanted to make the user experience to add mapped claims easy
• Re-use attributes about a user for securing content in SharePoint
• Did not want to make adding a new claim a code deployment

Building blocks: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation

Recipe – Profile Claims

• 1 Custom Claim Provider
• 1 Profile Service
• 1 Profile Database
• 1 SharePoint Site
It is possible to lead a cow upstairs but not downstairs
Profile Claim Provider
The Scenario – Temporary Sharing of Files with Federated Users

• Share documents with external users regardless of authentication
• User may not have a user account in SharePoint
• Needed to provide secure access for a defined time period
• Self-managing of user access

Building blocks: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation

Architecture

[Slide diagram: PayPal as the public identity provider, a Sharing Token Claim, and an Expired state.]

Recipe - Temporary Sharing of Files with Public Federation

• 1 Custom Claim Provider
• 1 Custom Claim Generator
• 1 Custom Database
• 2 SharePoint Sites
• 2 Custom Web Parts
• 1 Custom Ribbon Extension

Best with:
• External ad-hoc collaboration with partners or contractors
• Public federation with trusted users

Demo: TempShare Claim Provider
The sentence "The quick brown fox jumps over a lazy dog." uses every letter of the alphabet!
Building Custom Claim Providers - Hints

Good for providing search and resolve of identity information.

Heads up:
• All claim providers fire several times
• Claims are immutable (cannot change once issued)
• Incoming claims are not available at authentication time OOTB *

* http://blogs.technet.com/b/speschka/archive/2011/03/29/how-to-get-all-user-claims-at-claims-augmentation-time-in-sharepoint-2010.aspx

Building Custom Claim Providers – More Hints

• Claims providers: encoding, casing, "welcome email" support
• Identity resolution: responsible / not responsible
• Debugging
• Deployment: app roles vs. web application vs. Central Admin; create 2 separate WSPs, enable AutoActivateInCentralAdmin
In Review: Session Objectives and Takeaways

• SharePoint, claims and federation (recap)
• Fun with claims
  Demo – ADFS/AD Claims Provider
  Code – Migration from classic to SAML
  Demo – Profile Claims Provider
  Demo – TempShare Claims Provider
• General tips and tricks for claims

Related Content

• SIA204 | Cloudy Weather: How Secure Is the Cloud?
• SIA208 | Demystifying Microsoft Forefront Edge Security Technologies: TMG and UAG
• SIA318 | Managing and Extending Active Directory Federation Services
• SIA403 | Troubleshooting Federation, ADFS, and More
• AZR78-HOL | Introduction to Access Control Service
• SIA01-TLC | Microsoft Identity and Access

Find us later at: SharePoint TLC Booth / Ask the Experts
Links
http://blogs.msdn.com/entdev - Demo code
http://blogs.technet.com/b/speschka/ - SharePoint CBA Resources
© 2012 Microsoft Corporation. All rights reserved.