![Page 1: Claims Based Authentication A Beginners Guide](https://reader031.vdocument.in/reader031/viewer/2022020717/548fd9d5b479598e6a8b4f3d/html5/thumbnails/1.jpg)
Claims Authentication
AGENDA
• What is Claims?
• Claims in SharePoint
• Configuring and Using Claims in SharePoint
My Trip
Check In Counter Boarding Gate
Terminology
• Identity: security principal (end user)
• Authentication: act of establishing or confirming something
• Authorisation: function of specifying access rights to resources
• Claim: statement about an identity
• Security Token: set of claims that are digitally signed by an issuing authority
• Security Token Service (STS): builds, signs and issues security tokens
• Identity Provider STS (IP-STS): authenticates and issues tokens
• Relying Party: application that makes authorisation decisions based on claims
• Relying Party STS (RP-STS): transforms existing claims and adds new claims to a token
Claims at an Airport
Boarding Gate
Identity: security principal (end user)
Claims At An Airport
Boarding Gate
Relying Party: application that makes authorisation decisions based on claims
Claims At An Airport
Boarding Gate
Claim: statement about an identity
“I am Thuan Le Cong”
“My seat is 1c”
Claims At An Airport
Check In Counter Boarding Gate
Identity Provider STS (IP-STS): authenticates and issues tokens
Claims At An Airport
Check In Counter Boarding Gate
Security Token: set of claims that are digitally signed by an issuing authority
Token (diagram):
• Claim: Name
• Claim: Seat Number
• Claim: Frequent Flyer
• Signature
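The airport analogy worked through in code, as an added example that is not part of the original deck: the check-in counter acts as the IP-STS and signs a token of claims, the boarding gate acts as the relying party and authorises only on claims whose signature verifies. The HMAC used as the issuer's signature, and all names and values, are assumptions for the demo, not how SharePoint or a real STS signs tokens.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo of the slides' airport analogy. The check-in counter is
# the IP-STS: it issues a token of claims and signs it. The boarding gate is
# the relying party: it verifies the signature and authorises on the claims.
# An HMAC keyed with the issuer's secret stands in for the issuer's digital
# signature (an assumption for this demo, not how a real STS signs tokens).

ISSUER_KEY = secrets.token_bytes(32)  # held by the issuing authority only

def _sign(claims_json: bytes, key: bytes) -> str:
    return hmac.new(key, claims_json, hashlib.sha256).hexdigest()

def issue_token(passenger: str, seat: str, frequent_flyer: bool,
                key: bytes = ISSUER_KEY) -> dict:
    """Check-in counter (IP-STS): after authenticating the passenger
    (assumed done), build the claim set and sign it."""
    claims = {"name": passenger, "seat": seat, "frequent_flyer": frequent_flyer}
    body = json.dumps(claims, sort_keys=True).encode()  # canonical form
    return {"claims": body, "signature": _sign(body, key)}

def verify_token(token: dict, key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Relying party: trust the claims only if the issuer's signature holds."""
    if not hmac.compare_digest(_sign(token["claims"], key), token["signature"]):
        return None
    return json.loads(token["claims"])

def may_board(token: dict, flight_seats, key: bytes = ISSUER_KEY) -> bool:
    """Boarding gate: the authorisation decision uses verified claims only."""
    claims = verify_token(token, key)
    return claims is not None and claims["seat"] in flight_seats

def tamper_seat(token: dict, new_seat: str) -> dict:
    """A passenger rewriting a claim without the issuer's key: the old
    signature no longer matches, so the gate rejects the token."""
    claims = json.loads(token["claims"])
    claims["seat"] = new_seat
    return {"claims": json.dumps(claims, sort_keys=True).encode(),
            "signature": token["signature"]}
```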
Claims at An Airport
Check In Counter Boarding Gate
Claims in SharePoint
Diagram, the airport analogy mapped onto SharePoint: Check In Counter = Security Token Service; Boarding Gate = SharePoint WFE.
Why Claims?
• Decouples SharePoint from Authentication
• Support for multiple authentication providers on one URL
• Enables federation
Web Application – Classic (zones, one authentication method per zone)
• Zone: Default – Windows
• Zone: Intranet – FBA
• Zone: Internet – …
• Zone: Extranet – …
• Zone: Custom – …

Web Application – Claims (zones, several authentication methods on one zone)
• Zone: Default – Windows, FBA, SAML
• Zone: Intranet – FBA, Windows
• Zone: Internet – …
• Zone: Extranet – …
• Zone: Custom – …
Authentication Model
• Two Authentication Modes
  – Classic (“Legacy”)
  – Claims
Authentication methods
• Windows Authentication: uses the Windows infrastructure, providing support for NTLM, Kerberos, Anonymous, Basic, and Digest authentication.
• Forms-Based Authentication (FBA): uses a username and password HTML form that queries a membership provider in the back-end.
• SAML token-based Authentication: uses an external identity provider that supports SAML 1.1 and the WS-Federation Passive profile.
Externalized Authentication
Claims-based Authentication
Browser Based Sign-In
Sequence diagram (participants: Browser, Issuer, Active Directory):
1. Browser: GET /
2. 302 redirect to the Issuer
3. Issuer: AuthN (authenticates the user against Active Directory)
4. Browser: POST SAML Token
5. Process Token, issue Cookie
6. Browser presents Cookie; Process Claims; 302 to the requested page
Identity Mapping (diagram, both paths end in an SPUser)
• CLASSIC: NT Token → Windows Identity
• CLAIMS: NT Token / Windows Identity, FBA (SQL, LDAP, Custom, …) and SAML 1.1+ (ADFS, …) → SAML Token → Claims Based Identity
SPClaim
• Claim Type
  – W = Windows
  – F = Forms Based Authentication
  – T = Trusted (SAML)
• Issuer
• Value
• Value Type
Example: i:0#.w|coastalpointsol\thuanle
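An added example, not code from the deck or from SharePoint: a parser that splits an encoded claim string such as the slide's i:0#.w|coastalpointsol\thuanle into its claim type, value type, issuer and value. The issuer codes w/f/t come from the slide; the positional layout, the claim-type codes and the sample forms/SAML strings are assumptions drawn from SharePoint's standard claim encoding, and only those codes are handled.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: parse SharePoint's encoded claim string. Issuer codes are
# from the slide; the positional layout and the claim-type/value-type codes
# below are an assumption based on SharePoint's standard claim encoding.
ISSUER_CODES = {"w": "Windows", "f": "Forms", "t": "Trusted (SAML)"}
CLAIM_TYPE_CODES = {"#": "user logon name", "5": "email", "-": "role"}  # assumed
VALUE_TYPE_CODES = {".": "string"}  # assumed

@dataclass
class EncodedClaim:
    is_identity: bool            # 'i' = identity claim, 'c' = any other claim
    claim_type: str
    value_type: str
    issuer_type: str
    original_issuer: Optional[str]  # provider name for forms/trusted claims
    value: str

def parse_encoded_claim(encoded: str) -> EncodedClaim:
    # Assumed layout: <i|c>:0<claim type><value type><issuer type>|[<issuer>|]<value>
    if len(encoded) < 8 or encoded[1] != ":" or encoded[2] != "0" or encoded[6] != "|":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    kind, ctype, vtype, itype = encoded[0], encoded[3], encoded[4], encoded[5]
    if kind not in ("i", "c"):
        raise ValueError("claim must start with 'i' (identity) or 'c' (other)")
    for code, table in ((ctype, CLAIM_TYPE_CODES), (vtype, VALUE_TYPE_CODES),
                        (itype, ISSUER_CODES)):
        if code not in table:
            raise ValueError(f"unsupported code {code!r} in {encoded!r}")
    rest = encoded[7:]
    original_issuer = None
    if itype != "w":
        # Forms and trusted claims carry the provider name before the value;
        # a Windows claim carries only DOMAIN\user.
        original_issuer, sep, rest = rest.partition("|")
        if not sep or not original_issuer:
            raise ValueError("forms/trusted claim needs '<issuer>|<value>'")
    if not rest:
        raise ValueError("empty claim value")
    return EncodedClaim(kind == "i", CLAIM_TYPE_CODES[ctype], VALUE_TYPE_CODES[vtype],
                        ISSUER_CODES[itype], original_issuer, rest)
```

Comparing the parsed issuer and original issuer against the providers you expect on a zone is a cheap sanity check when reviewing user entries in site permissions or audit logs.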
Forms Based Authentication
• Exposed through Claims
  – Claims Identity instead of Generic Identity
• Implemented as a Claims Provider
  – Implement ValidateUser()
• STS talks to membership provider to validate user and issues a claims token
• Roles are converted to claims
Configure FBA
Create Authentication Provider
Configure Web Application to use Authentication Provider
Add Membership/Role Provider web.config entries (CA, STS, FBA Web App)
Three Web.config Changes?
• Central Admin
  – Enable picking of principals from any provider
• STS
  – Authenticate User
  – Get Roles of Users (convert to claims)
• FBA Web Application
  – Enables People Picker
Claims Authentication
DEMO
Summary
• What is Claims?
• How claims work in SharePoint
• How to configure FBA
Questions and Answers (hopefully)