SharePoint Authentication and Authorization Liam Cleary

Upload: european-sharepoint-conference

Post on 16-Apr-2017


TRANSCRIPT

Page 1: SharePoint Authentication and Authorization presented by Liam Cleary

SharePoint Authentication and Authorization
Liam Cleary

Page 2

About Me

• Solution Architect @ Protiviti
• 7 Time SharePoint MVP
• Cover Everything-SharePoint
  • Development
  • Branding
  • Design
  • Architecture
  • Security
• Dream about SharePoint, well sometimes

Page 3

Agenda

• Authentication
• Authorization
• Claims
• Remember

Page 4

Authentication versus Authorization

• Authentication = Verification of Claim (I am Liam)
• Authorization = Verification of Permission (Liam has access to)
• Authentication Precedes Authorization
  • Correct ID shown to Bank Teller
  • You are Asking to be Authenticated on the Account
  • Once accepted you become Authorized on the Account
• Exception to the rule
  • Anonymous Access can leave comments on Blog site
  • Anonymous users are already Authorized but not Authenticated
• Too often we focus on Authentication and not Authorization
  • Authentication can and does get broken

(Diagram labels: Authentication, Authorization)

Page 5

Claims Terminology

• Identity
  • Info about a Person or Object (AD, Google, Windows Live, Facebook etc.)
• Claim
  • Attributes of the Identity (User ID, Email, Age etc.)
• Token
  • Binary Representation of Identity
  • Set of Claims and the Signature
• Relying Party (aka RP)
  • Uses Token
• Secure Token Service (STS)
  • Issuer of Tokens for Users

(Diagram labels: Claims Identity, Issuer, Claims)

Page 6

Claims Augmentation

• What is Claims Augmentation?
  • Ability to intercept the incoming claims and transform them into different outgoing claims
  • Add additional attributes before output is generated
• Why would you need to Augment returned claims?
  • E.g. Retrieve user attributes from a line of business application
• Types of Augmentation
  • Federation Gateway: Claim Mapping Transformation (Incoming > Outgoing)
  • SharePoint: Claim Mapping Transformation (Incoming > Outgoing)
  • Custom: Append Claim Attributes

Claims

Page 7

Terminologies - Claims

Claim encoding legend: i = Identity Claim, # = User Login Name, . = Type of String, w = Windows, s = STS Issued, c = Non Identity Claim, ! = Identity Provider, + = Group SID, 5 = E-mail, % = Farm ID, f = Forms Authentication, 0 = reserved for future

• Windows Account - i:0#.w|domain\user
• Identity Claim – such as AUTHORITY\Authenticated Users - c:0!.s|windows
• Windows Security Group - c:0+.w|s-1-5-23-….
• Federated Authentication User - i:05.t|azure|[email protected]
• Federation Authentication Role - c:0-.t|azure|facebook
• Local Farm Claim – SharePoint/Local Farm - c:0%.c|system|7874330e-f23b…
• Forms Authentication - i:0#.f|membershipprovider|user

Claims

Page 8

Authentication – Active Directory

• Classic Authorization approach
  • Active Directory Users and Groups
  • Users Added to AD groups, AD Groups added to SharePoint Site Groups
• Single Sign On
  • Only if all Web Applications set to the same Authentication
  • Sites added to intranet zone with “auto” login enabled
• People Picker works as “name resolution” control
• Specific Configuration – None Needed
• Custom Components in SharePoint – Not needed

Authentication

Page 9

Authentication Process – Active Directory

Authentication

1. Request Web Page (Anonymous)
2. Request Windows Credentials
3. Send Windows Credentials
4. Validate Windows Credentials
5. Obtain Group Membership List
6. Create Security Token and Authorization Token
7. Send Web Page to Client with Authorization Token

Page 10

Authentication – Membership and Role Providers

• Classic .NET approach
  • Support Local Authentication Store
  • Support Remote Authentication Stores
    • Web Services, Remote Database Calls
• No inherent Single Sign On - Custom Code to Achieve this, namely cookie based
• Full support for base .NET Providers
  • Membership Provider – User Accounts and Authentication
  • Role Provider – Equivalent of Groups, Authorization Element
• Specific Configuration needed - Central Administration, Secure Token Service, Web Application
• Custom Components in SharePoint will be needed - Welcome Control, Login Control etc.

Authentication

Page 11

Authentication Process – Membership & Role Provider

Authentication

1. Request Web Page (Anonymous)
2. Send SharePoint Forms Based Login Page
3. Send Credentials
4. Validate Credentials with User Store
5. Obtain Role Membership List
6. Create Security Token and Authorization Token / Cookie
7. Send Web Page to Client with Authorization Token / Cookie

Page 12

Authentication – Custom Identity Provider

• No need for Membership and Role Provider
• Single Sign On Built in – Web Application needs to be set to require Authentication
• Centrally Managed and Entry point for all Authentication
• Support Local Authentication Store
• Support Remote Authentication Stores
  • Web Services, Remote Database Calls
• Utilizes Windows Identity Framework - Can use .NET 3.5 / 4.0
• PowerShell configuration to implement
• Requires Trusted Certificate for Communication
• Custom Components in SharePoint will be needed - Welcome Control, Login Control etc.
• SAML 1.1 and WS-F RP Protocols

Authentication

Page 13

Authentication – Active Directory Federated Services

• Active Directory Connected
• Single Sign On Built in – Web Application needs to be set to require Authentication
• Centrally Managed and Entry point for all Authentication
• Support for Single or Multiple Active Directory Forests – using Trusts
• Support for other attribute stores via injected compiled code
• Pre, Post and Authentication Authorization can be performed on claim attributes
• PowerShell configuration to implement
• Requires Trusted Certificate for Communication
• SAML 1.1 and WS-F RP Protocols
• Multi-Factor Authentication Support

Authentication

Page 14

Authentication Process – Identity Provider

Authentication

1. Request Web Page (Anonymous)
2. Obtain Login Page from Provider
3. Request SAML Security Token
4. Validate Credentials with Identity Provider
5. Send a SAML Security Token
6. Create SharePoint Security Token and Send Page

(Diagram label: Trust)

Page 15

Authentication Process – Active Directory Federated Services

Authentication

1. Request Web Page (Anonymous)
2. Obtain Login Page from Provider
3. Request SAML Security Token
4. Validate Credentials with Federated Services
5. Optional: Present Multi-Factor Authentication
6. Optional: Validate Multi-Factor Authentication
7. Send a SAML Security Token
8. Create SharePoint Security Token and Send Page

(Diagram label: Trust)

Page 16

Authentication – Azure Access Control Service

• Microsoft ADFS Type Cloud Based Service
• Central Point for offloading Authentication
• Supports SAML 1.1 / SAML 2.0
• Support
  • Facebook
  • Google
  • Windows Live ID
  • Yahoo
  • Custom IDP
• Integrate with Custom Identity Provider
• Open ID type authentication
• Support for 3rd Party Integration
• Claim Mapping through configuration
• Support for Multi-Factor Authentication

Authentication

Page 17

Authentication - Azure Access Control Service

Authentication

1. Request Web Page (Anonymous)
2. Send to Azure ACS Provider Picker
3. Redirect to Provider Login Page
4. Send Credentials to Provider
5. User Authenticated, Redirect to Azure ACS
6. Request SAML Security Token Wrapped from Provider
7. Validate Credentials with STS
8. Send a SAML Security Token
9. Create SharePoint Security Token and Send Page

(Diagram label: Trust)

Page 18

Authentication - Azure Access Control Service + MFA

Authentication

1. Request Web Page (Anonymous)
2. Send to Azure ACS Provider Picker
3. Redirect to Provider Login Page
4. Send Credentials to Provider
5. User Authenticated, Redirect to Azure ACS
6. Request SAML Security Token Wrapped from Provider
7. Validate Credentials with STS
8. Request MFA Validation
9. Validate MFA Details
10. Send a SAML Security Token
11. Create SharePoint Security Token and Send Page

(Diagram label: Trust)

Page 19

Remember

• SharePoint does this after Authentication
  • Is user member of group?
  • Is user account added to ACL of object?
  • Does user have required attribute?
• SharePoint only understands what it is told
  • e.g. Just because a user has logged in does not authorize them
• Best Approach to Authorize
  • Active Directory Groups
  • Roles from Membership and Role Provider
  • Claims associated to user
• Don’t just add users to groups or individually – can cause issues
• SharePoint default “DENY”

Remember
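Added example (not from the deck): it decodes the claims encoding shown on the "Terminologies - Claims" slide and then applies the post-authentication checks listed on this slide (group membership, ACL entry, required attribute) with default DENY. The issuer codes 't' (trusted provider) and 'c' (claim provider) are not in the slide legend and are assumed; the SIDs, farm ID and account names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Legend from the "Terminologies - Claims" slide ('-' = Role is from its examples);
# issuers 't' (trusted provider) and 'c' (claim provider) are assumed, not in the legend.
CLAIM_KIND = {"i": "identity claim", "c": "non-identity claim"}
CLAIM_TYPE = {"#": "login name", "!": "identity provider", "+": "group SID",
              "5": "e-mail", "%": "farm ID", "-": "role"}
ISSUER = {"w": "windows", "s": "STS", "f": "forms", "t": "trusted", "c": "claim provider"}

@dataclass(frozen=True)
class EncodedClaim:
    kind: str                # i or c
    claim_type: str          # # ! + 5 % -
    issuer: str              # w s f t c
    provider: Optional[str]  # e.g. "azure"; None for Windows / local STS claims
    value: str

def parse_claim(encoded: str) -> EncodedClaim:
    """Decode a claims-encoded principal such as i:0#.w|domain\\user."""
    # Fixed prefix <kind>:0<type>.<issuer>| ; '0' is reserved, '.' means string type.
    if len(encoded) < 8 or encoded[1:3] != ":0" or encoded[4] != "." or encoded[6] != "|":
        raise ValueError(f"not a claims-encoded principal: {encoded!r}")
    kind, ctype, issuer, rest = encoded[0], encoded[3], encoded[5], encoded[7:]
    if kind not in CLAIM_KIND or ctype not in CLAIM_TYPE or issuer not in ISSUER:
        raise ValueError(f"unknown claim code in {encoded!r}")
    if issuer in ("w", "s"):  # Windows / local STS: the value follows directly
        return EncodedClaim(kind, ctype, issuer, None, rest)
    provider, sep, value = rest.partition("|")  # other issuers name the provider first
    if not sep or not value:
        raise ValueError(f"missing provider or value in {encoded!r}")
    return EncodedClaim(kind, ctype, issuer, provider, value)

def _key(c: EncodedClaim):
    # Authorization is a string comparison of claims; logins, SIDs and e-mail are case-insensitive.
    return (c.kind, c.claim_type, c.issuer, (c.provider or "").casefold(), c.value.casefold())

def is_authorized(user_token: List[str], acl: List[str]) -> bool:
    """Default DENY: grant only when a claim in the user's token matches an ACL entry,
    which may be a user (i:0#), a group SID (c:0+) or a required attribute such as
    a role claim (c:0-)."""
    held = {_key(parse_claim(c)) for c in user_token}
    return any(_key(parse_claim(entry)) in held for entry in acl)
# Constructed sample token and site ACL (SIDs and farm ID are placeholders).
ALICE_TOKEN = ["i:0#.w|contoso\\alice", "c:0!.s|windows",
               "c:0+.w|S-1-5-21-1111-2222-3333-1105",
               "c:0%.c|system|00000000-0000-0000-0000-000000000001"]
SITE_ACL = ["c:0+.w|s-1-5-21-1111-2222-3333-1105",  # AD security group
            "i:0#.f|membershipprovider|bob",         # forms user
            "c:0-.t|azure|facebook"]                 # federated role claim
```

An empty token (anonymous user) or a user whose claims match nothing in the ACL is denied, which is the default DENY the slide describes.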

Page 20

Remember

• Federation is the future
  • Standards based
  • More companies require scalable authentication
  • No-one wants to store accounts and passwords anymore
  • Microsoft future for authentication
• Best Approach for Authorization
  • String Comparison instead of actual Authentication
  • Secure token based
  • Attributes become claims for the authorization
  • No longer adding permissions by user authentication
• The Cloud “Requires” Federation
• Utilize Multi-Factor Authentication

Remember

Page 21

Remember

• How
  • Staff, Vendors, Partners, Anonymous Users or the kid next door
  • Take time to select an Authentication Mechanism
  • Do you need Single Sign On?
  • Single or Multiple Factor Authentication?
• Who
  • Internal, External, Partners and Public
• When
  • Business Hours
  • Restrictive Login Hours
• Why
  • Public View
  • Collaboration – Extranet or Intranet
  • Partner Access
  • Paid Subscription to Content

Remember

Page 22

Contact & Thank You

Blog: http://blog.helloitsliam.com
Twitter: @helloitsliam
Email: [email protected]

Contact