Claims Based Authentication: A Beginner's Guide

Upload: nguyen-phuong

Post on 14-Dec-2014

Page 1: Claims Based Authentication A Beginners Guide

Claims Authentication

Page 2: Claims Based Authentication A Beginners Guide

AGENDA

• What are Claims?
• Claims in SharePoint
• Configuring and Using Claims in SharePoint

Page 3: Claims Based Authentication A Beginners Guide

My Trip

Check In Counter Boarding Gate

Page 4: Claims Based Authentication A Beginners Guide

Terminology

• Identity: security principal (end user)
• Authentication: act of establishing or confirming something
• Authorisation: function of specifying access rights to resources
• Claim: statement about an identity
• Security Token: set of claims that are digitally signed by an issuing authority
• Security Token Service (STS): builds, signs and issues security tokens
• Identity Provider STS (IP-STS): authenticates and issues tokens
• Relying Party: application that makes authorisation decisions based on claims
• Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
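The terminology above maps onto the airport analogy used in the rest of the deck: the check-in counter is the IP-STS, the boarding gate is the relying party, and a lounge that upgrades your ticket is an RP-STS. The following Python model is an added example, not part of the original slides; it uses an HMAC shared secret in place of the X.509 signature a real STS would use, and the keys, issuer names and flight number are constructed for the example. It shows the three things a relying party actually checks: that the issuer is one it trusts, that the signature still matches the claims, and only then whether the claims authorise the action.

```python
import hashlib
import hmac
import json

# Constructed signing keys for the example. A real IP-STS signs with a private
# key and relying parties verify with its certificate; a shared HMAC secret
# stands in for that here.
CHECK_IN_KEY = b"constructed-check-in-counter-key"
LOUNGE_KEY = b"constructed-lounge-rp-sts-key"


def _canonical(body):
    # Stable serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_token(claims, issuer, key):
    """STS step: build a set of claims and sign it as `issuer`."""
    body = {"issuer": issuer, "claims": dict(claims)}
    signature = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_token(token, trusted_issuers):
    """Relying-party step: return the claims only if the token was signed by
    an issuer we trust and has not been altered since; otherwise None."""
    body = token.get("body", {})
    key = trusted_issuers.get(body.get("issuer"))
    if key is None:
        return None  # unknown issuer: the gate does not trust this counter
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("signature", "")):
        return None  # claims changed after signing
    return dict(body["claims"])


def rp_sts_augment(token, trusted_issuers, extra_claims, issuer, key):
    """RP-STS step: verify the incoming token, keep its claims, add new ones
    and re-sign the result under the RP-STS's own name."""
    claims = verify_token(token, trusted_issuers)
    if claims is None:
        return None
    claims.update(extra_claims)
    return issue_token(claims, issuer, key)


def boarding_gate(token, trusted_issuers, flight):
    """Authorisation decision based purely on the claims in a valid token."""
    claims = verify_token(token, trusted_issuers)
    if claims is None:
        return "rejected: untrusted or tampered token"
    if claims.get("flight") != flight:
        return "rejected: wrong flight"
    return "boarding: %s, seat %s" % (claims.get("name"), claims.get("seat"))


def run_demo():
    """Walk the analogy end to end; returns the gate's decisions."""
    trusted = {"check-in-counter": CHECK_IN_KEY, "lounge-sts": LOUNGE_KEY}
    # Check-in counter (IP-STS) authenticates the passenger and issues a token.
    token = issue_token(
        {"name": "Thuan Le Cong", "seat": "1C", "flight": "XX123"},
        "check-in-counter", CHECK_IN_KEY)
    results = {"valid": boarding_gate(token, trusted, "XX123")}
    # Seat claim edited after signing: the signature no longer matches.
    forged = {"body": json.loads(json.dumps(token["body"])),
              "signature": token["signature"]}
    forged["body"]["claims"]["seat"] = "1A"
    results["tampered"] = boarding_gate(forged, trusted, "XX123")
    # Token signed by a counter the gate has never heard of.
    stranger = issue_token({"name": "X", "seat": "2B", "flight": "XX123"},
                           "other-airline", b"constructed-other-key")
    results["untrusted"] = boarding_gate(stranger, trusted, "XX123")
    # Lounge (RP-STS) adds a claim and re-signs; the gate trusts the lounge too.
    upgraded = rp_sts_augment(token, trusted, {"lounge": "gold"},
                              "lounge-sts", LOUNGE_KEY)
    results["augmented"] = verify_token(upgraded, trusted)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```

Note that the gate never authenticates the passenger itself; it trusts the counter's signature and reasons only about claims. That is the decoupling the "Why Claims?" slide refers to, and it is also why the list of trusted issuers is the most security-critical configuration a relying party has.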

Page 5: Claims Based Authentication A Beginners Guide

Claims at an Airport

Boarding Gate

Identity: security principal (end user)

Page 6: Claims Based Authentication A Beginners Guide

Claims At An Airport

Boarding Gate

Relying Party: application that makes authorisation decisions based on claims

Page 7: Claims Based Authentication A Beginners Guide

Claims At An Airport

Boarding Gate

Claim: statement about an identity
“I am Thuan Le Cong”
“My seat is 1c”

Page 8: Claims Based Authentication A Beginners Guide

Claims At An Airport

Check In Counter Boarding Gate

Identity Provider STS (IP-STS): authenticates and issues tokens

Page 9: Claims Based Authentication A Beginners Guide

Claims At An Airport

Check In Counter Boarding Gate

Security Token: set of claims that are digitally signed by an issuing authority

Token diagram: a set of Claim boxes (Name, Seat Number, Frequent Flyer, …) plus a Signature

Page 10: Claims Based Authentication A Beginners Guide

Claims at An Airport

Check In Counter Boarding Gate

Page 11: Claims Based Authentication A Beginners Guide

Terminology

• Identity: security principal (end user)
• Authentication: act of establishing or confirming something
• Authorisation: function of specifying access rights to resources
• Claim: statement about an identity
• Security Token: set of claims that are digitally signed by an issuing authority
• Security Token Service (STS): builds, signs and issues security tokens
• Identity Provider STS (IP-STS): authenticates and issues tokens
• Relying Party: application that makes authorisation decisions based on claims
• Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token

Page 12: Claims Based Authentication A Beginners Guide

Claims in SharePoint

Diagram labels: Check In Counter, Boarding Gate, SharePoint WFE, Security Token Service (following the earlier analogy, the check-in counter corresponds to the Security Token Service and the boarding gate to the SharePoint WFE)

Page 13: Claims Based Authentication A Beginners Guide

Why Claims?

• Decouples SharePoint from Authentication

• Support for multiple authentication providers on one URL

• Enables federation

Page 14: Claims Based Authentication A Beginners Guide

Web Application – Classic (diagram)

Zones: Default, Intranet, Internet, Extranet, Custom
Each zone is bound to a single authentication provider (Windows on one zone, FBA on another in the diagram).

Web Application – Claims (diagram)

Zones: Default, Intranet, Internet, Extranet, Custom
A single zone can carry several providers at once (Windows and FBA together on the Default zone; SAML, FBA and Windows together on another zone in the diagram).

Page 15: Claims Based Authentication A Beginners Guide

Authentication Model

• Two Authentication Modes
  – Classic (“Legacy”)
  – Claims

Page 16: Claims Based Authentication A Beginners Guide

Authentication methods

• Windows Authentication: uses the Windows infrastructure, providing support for NTLM, Kerberos, Anonymous, Basic, and Digest authentication.

• Forms-Based Authentication (FBA): uses a username and password HTML form that queries a membership provider in the back end.

• SAML token-based Authentication: uses an external identity provider that supports SAML 1.1 and the WS-Federation Passive profile.

Page 17: Claims Based Authentication A Beginners Guide

Externalized Authentication

Page 18: Claims Based Authentication A Beginners Guide

Claims-based Authentication

Page 19: Claims Based Authentication A Beginners Guide

Browser Based Sign-IN

Sequence diagram (participants: Browser, Issuer, Active Directory, with SharePoint as the relying party)

1. Browser: GET /
2. 302 redirect to the Issuer
3. Issuer: AuthN (authenticates the user against Active Directory)
4. Browser: POST SAML Token to SharePoint
5. Process Token; a Cookie is set
6. 302 redirect; the Browser returns with the Cookie and SharePoint processes the Claims

Page 20: Claims Based Authentication A Beginners Guide

Identity Mapping

Identity Mapping (diagram)

CLASSIC: NT Token → Windows Identity → SPUser

CLAIMS: Windows (NT Token → Windows Identity), FBA (SQL, LDAP, Custom, …) and SAML 1.1+ (ADFS, …) all yield a SAML Token → Claims Based Identity → SPUser

Page 21: Claims Based Authentication A Beginners Guide

SPClaim

• Claim Type
  – W = Windows
  – F = Forms Based Authentication
  – T = Trusted (SAML)
• Issuer
• Value
• Value Type

Example encoded claim: i:0#.w|coastalpointsol\thuanle
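The encoded string on this slide packs the SPClaim fields into a fixed layout: the first character says whether this is the identity claim (`i`) or another claim (`c`), the `0` is reserved, the next character encodes the claim type, the next the value type, and the W/F/T letter the slide lists sits in the original-issuer position, followed by `|`, an optional issuer (provider) name, and the value. The decoder below is an added example, not code from the deck or from SharePoint itself. Its code tables are deliberately partial: the W/F/T codes come from the slide, while the `s` issuer code, the `#`, `5` and `-` claim-type codes and the `.` value-type code follow SharePoint's published encoding as recalled by the author of this example and should be confirmed against the farm's own `SPClaimProviderManager` before being relied on; the provider names and accounts other than the slide's own are constructed.

```python
# Partial code tables. The slide lists only the W/F/T letters; the other
# entries follow SharePoint's published claim-encoding scheme as recalled by
# the author of this example (an assumption to verify on a real farm).
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}
ISSUER_TYPES = {"w": "Windows", "f": "Forms Based Authentication",
                "t": "Trusted (SAML)", "s": "SharePoint STS"}
# Issuer types that carry no provider-name segment before the value (assumed).
ISSUERS_WITHOUT_NAME = {"w", "s"}


def decode_claim(encoded):
    """Split 'i:0#.w|coastalpointsol\\thuanle' into its parts.

    Layout: <i|c> ':' '0' <claim type> <value type> <issuer type> '|'
            [<issuer name> '|'] <value>
    Raises ValueError for anything that does not fit that layout."""
    head, sep, rest = encoded.partition("|")
    if not sep or len(head) != 6 or head[1] != ":" or head[2] != "0":
        raise ValueError("malformed claim header: %r" % encoded)
    kind, ctype, vtype, itype = head[0], head[3], head[4], head[5]
    if kind not in ("i", "c"):
        raise ValueError("unknown claim kind %r" % kind)
    if itype in ISSUERS_WITHOUT_NAME:
        issuer_name, value = None, rest
    else:
        issuer_name, sep2, value = rest.partition("|")
        if not sep2 or not issuer_name:
            raise ValueError("issuer name required for issuer type %r" % itype)
    if value == "":
        raise ValueError("empty claim value")
    return {
        "is_identity_claim": kind == "i",
        "claim_type": CLAIM_TYPES.get(ctype, "unknown(%s)" % ctype),
        "value_type": VALUE_TYPES.get(vtype, "unknown(%s)" % vtype),
        "issuer_type": ISSUER_TYPES.get(itype, "unknown(%s)" % itype),
        "issuer_name": issuer_name,
        "value": value,
    }


def is_valid_claim(encoded):
    """True if the string fits the encoded-claim layout."""
    try:
        decode_claim(encoded)
        return True
    except ValueError:
        return False


def same_principal(a, b):
    """Two encoded claims name the same principal only when every decoded
    field matches: the same logon name issued by Windows and by a forms
    provider are two different SharePoint users."""
    return decode_claim(a) == decode_claim(b)


if __name__ == "__main__":
    for s in ("i:0#.w|coastalpointsol\\thuanle",      # from the slide
              "i:0#.f|fbamembership|thuanle",          # constructed FBA user
              "c:0-.f|fbaroles|Administrators"):       # constructed FBA role
        print(s, "->", decode_claim(s))
```

The `same_principal` check is the practical point when auditing permissions: an ACL entry for `i:0#.w|coastalpointsol\thuanle` grants nothing to a forms user whose provider happens to return the same logon name, because the issuer is part of the identity. Case normalisation of Windows logon names is left out of this example.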

Page 22: Claims Based Authentication A Beginners Guide

Forms Based Authentication

• Exposed through Claims
  – Claims Identity instead of Generic Identity
• Implemented as a Claims Provider
  – Implement ValidateUser()
• STS talks to the membership provider to validate the user and issues a claims token
• Roles are converted to claims

Page 23: Claims Based Authentication A Beginners Guide

Configure FBA

Create Authentication Provider

Configure Web Application to use Authentication Provider

Add Membership/Role Provider web.config entries (CA, STS, FBA Web App)

Page 24: Claims Based Authentication A Beginners Guide

Three Web.config Changes?

• Central Admin
  – Enable picking of principals from any provider
• STS
  – Authenticate User
  – Get Roles of Users (convert to claims)
• FBA Web Application
  – Enables People Picker


Page 25: Claims Based Authentication A Beginners Guide

Claims Authentication

DEMO

Page 26: Claims Based Authentication A Beginners Guide

Summary

• What are Claims?
• How claims work in SharePoint
• How to configure FBA

Page 27: Claims Based Authentication A Beginners Guide

Questions and Answers (hopefully)