Thomas Vochten
Claims based authentication for mere mortals
#SPSBE
#SPSBE26
About me
Thomas Vochten
@thomasvochten
thomasvochten.com
linkedin.com/in/thomasvochten
consultant, platform architect, lousy developer, accidental DBA, SharePoint, SQL Server
A big thanks to our sponsors
Venue Sponsor
Platinum Sponsors
Gold Premium Sponsors
Gold Sponsors
Agenda
• Claims Based Identity
• Claims within SharePoint 2010
• Claim Providers
• Windows Claims
• Trusted Provider claims
• Federation & Single Sign On
• Claims in the Real World
Claims based identity
Who do you trust?
Claims based identity
• Not a new concept
• Claims provide abstraction
• Authentication (AuthN) versus Authorization (AuthZ)
• AuthZ decisions are based on claims
Setting the scene
• Claim
• Security Token
• Identity Provider (IdP)
• Relying Party (RP)
• Security Token Service (STS)
• Realm
[Diagram: a security token carrying several claims (Name, Age, Location) and a signature, with the AuthN and AuthZ labels marking the two sides of the exchange]
Claims within SharePoint 2010
3 types of claim providers
• Windows
• Trusted Provider
• Forms Based Authn
Multiple Authn providers possible in the same zone
Be sure to be on Service Pack 1 with the June 2011 CU at minimum
Multi-Authentication vs Mixed Authentication
[Diagram: a SharePoint farm with one web application extended into the Default, Intranet, Extranet, Internet and Custom zones. Multi-authentication: each zone carries a single provider, e.g. Windows Authentication on the Default zone and FBA Authentication on another zone. Mixed authentication: one zone carries several providers at once, e.g. Windows Authentication together with FBA Authentication on the Default zone, and SAML Based Authentication together with FBA Authentication on another zone.]
Multiple Authentication Providers
Identity Normalization
[Diagram: incoming identities, an NT token (Windows identity), an ASP.NET (FBA) identity from LDAP or a custom provider, a SAML token from LiveID, ADFS or others, or an anonymous user, are all normalized into a SAML token (claims based identity) and surfaced as an SPUser]
Identity Claim Format
i:0#.t|federation|thomasvochten
i:0#.w|lab\thomasvochten
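The two identity strings above follow SharePoint's encoded claim format: a leading `i` (identity claim) or `c` (other claim), a reserved `0`, one character each for claim type, value type and original issuer type, then `|`, an optional provider name for trusted and forms issuers, and the value. The decoder below is an added example written for this page, not code from the deck or from SharePoint; the lookup tables cover only the codes commonly seen (that coverage is an assumption, and any other code is reported verbatim rather than guessed). It also shows why comparing just the trailing user name is not enough: the Windows and federated identities on the slide share a value but are distinct SPUsers.

```python
# Decoder for SharePoint 2010 encoded claim identifiers such as
# "i:0#.w|lab\thomasvochten" (Windows) and "i:0#.t|federation|thomasvochten"
# (trusted provider). Added example, not code from the deck or from SharePoint.
from dataclasses import dataclass
from typing import Optional

# Character-to-meaning tables. Assumption: these cover the common codes only;
# anything not listed is surfaced as unknown(<code>) instead of being guessed.
CLAIM_TYPES = {
    "#": "user logon name",
    "5": "email address",
    "-": "role",
    "+": "group SID",
    "!": "identity provider",
}
VALUE_TYPES = {".": "string"}
ISSUER_TYPES = {
    "w": "Windows",
    "t": "Trusted provider (SAML)",
    "f": "Forms (ASP.NET membership/role)",
    "s": "SharePoint STS",
    "c": "Claims provider",
}
# Issuer types whose encoding carries a provider-name segment before the value.
ISSUERS_WITH_NAME = {"t", "f", "c"}


@dataclass
class EncodedClaim:
    is_identity: bool
    claim_type: str
    value_type: str
    issuer_type: str
    issuer_name: Optional[str]
    value: str


def decode_claim(encoded: str) -> EncodedClaim:
    """Split an encoded claim into its parts; raise ValueError on malformed input."""
    head, sep, rest = encoded.partition("|")
    if not sep:
        raise ValueError("missing '|' separator")
    # head is exactly: [i|c] ':' '0' <claim type> <value type> <issuer type>
    if len(head) != 6 or head[0] not in "ic" or head[1] != ":" or head[2] != "0":
        raise ValueError(f"malformed claim header {head!r}")
    is_identity = head[0] == "i"
    claim_code, value_code, issuer_code = head[3], head[4], head[5]

    issuer_name = None
    value = rest
    if issuer_code in ISSUERS_WITH_NAME:
        # Trusted/forms/claims-provider claims name the provider before the value.
        issuer_name, sep2, value = rest.partition("|")
        if not sep2:
            raise ValueError("issuer type requires a provider name segment")
    elif "|" in rest:
        # A Windows account name never contains '|'; treat a stray one as malformed.
        raise ValueError("unexpected extra '|' in claim value")
    if not value:
        raise ValueError("empty claim value")

    return EncodedClaim(
        is_identity=is_identity,
        claim_type=CLAIM_TYPES.get(claim_code, f"unknown({claim_code})"),
        value_type=VALUE_TYPES.get(value_code, f"unknown({value_code})"),
        issuer_type=ISSUER_TYPES.get(issuer_code, f"unknown({issuer_code})"),
        issuer_name=issuer_name,
        value=value,
    )


def same_identity(a: str, b: str) -> bool:
    """Two encoded identities denote the same principal only if every decoded
    part matches; matching on the trailing value alone would conflate a Windows
    account with a federated account that happens to share its user name."""
    return decode_claim(a) == decode_claim(b)


if __name__ == "__main__":
    for s in ("i:0#.w|lab\\thomasvochten", "i:0#.t|federation|thomasvochten"):
        print(s, "->", decode_claim(s))
    print("same identity:", same_identity("i:0#.w|lab\\thomasvochten",
                                          "i:0#.t|federation|thomasvochten"))
```

Running the block decodes both slide examples and reports that they are not the same identity, which is the point of the "choose your unique ID wisely" advice later in the deck.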
Claims Providers
• Augmentation of claims
• Resolution of claims
Windows Claims
• NTLM or Kerberos
• Automatic sign in
• Used by SharePoint internally
• Claims to Windows Token Service for outbound claims (c2wts)
Claims Provider Functions
• Augmentation with Windows security groups
• People picker does lookups in Active Directory
Migrating to Windows Claims
• Planning is crucial
• Classic to claims only
• No way back
• 2 step process:
1. Changing the web application to use claims
2. Migrating the user identities
Demo
Exploring Windows Claims
Trusted Provider claims
• SharePoint as relying party
• Needs an external identity provider such as ADFS
• Based on open standards (SAML, WS-*)
• Logging in: just a bunch of redirects
• Migration not out of the box (custom code needed)
Setup
• Setup identity provider
• Setup trust via PowerShell
Claims Provider functions
• Nothing out of the box (custom code needed)
[Diagram: SAML based authentication. A trust is configured between the SharePoint STS and an Identity Provider Security Token Service (IP-STS), which can sit in front of Active Directory, LiveID or ASP.NET Membership. The client's labelled steps are: (5) service token request to the SharePoint STS, (6) security token response, (7) request resource with service token; SharePoint authorization then consults its claims providers]
Demo
Exploring Trusted Provider Claims
Federation & Single Sign On
• Chain of trusted/trusting identity providers
• Multiple use cases
extranet access, mergers & acquisitions, cross-forest authentication
• Single Sign On possibilities
• Integration with other systems like FIM, UAG or ACS
Claims in the real world
• When would you use claims based AuthN?
• Integration with other applications like Office
• Some stuff will break or doesn’t support claims!
• Choose your unique ID wisely
• You will probably need a custom claims provider
• Home realm discovery
• Learn to give up control
• Test test test
Some last considerations…
• Use SSL
• Kerberos is not dead
• Choose your unique ID wisely
• Software prerequisites
• Token cache settings
• No 2 factor AuthN out of the box
• Custom claims provider on app server
• FAST document preview
• Debatable workaround for c2wts
• SQL, PowerPivot, PerfPoint, UPA,...
• SAML claims have the most functional issues
• Next wave of MS products
Resources
• A guide to claims based identity and access control (2nd edition), MSDN
• Implementing Claims-Based Authentication with SharePoint Server 2010, TechNet
• Steve Peschka’s blog
Links & more resources available on my blog at http://thomasvochten.com
We need your feedback!
Scan this QR code or visit http://svy.mk/sps2012be