SharePoint Saturday Austin - SharePoint Authentication and Authorization
SharePoint Authentication and Authorization
Liam Cleary
Solution Architect | SharePoint MVP
• Please turn off all electronic devices or set them to vibrate.
• If you must take a phone call, please do so in the hall so as not to disturb others.
• Open wireless access is available with no password.
• Feel free to “tweet and blog” during the session.
• Thanks to our Title Sponsors:
Thank you for being a part of the first SharePoint Saturday Austin
About Me
• Solution Architect @ SusQtech (Winchester, VA)
• SharePoint MVP since 2007
• Working with SharePoint since 2002
• Worked on all kinds of projects
  • Internet
  • Intranet
  • Extranet
  • Anything SharePoint really
• Involved in Architecture, Deployment, Customization and Development of SharePoint
“You can teach a student a lesson for a day; but if you can teach him / her to learn by creating curiosity, they will continue the learning process as long as they live.” - Clay P. Bedford
I am hoping for a different kind of Curiosity today
Agenda
• Security in General
• Security with SharePoint
• Authentication
• Authorization
• Authentication vs. Authorization
• Claims Authentication / Authorization
• Options Available
  • Membership & Role Providers
  • Identity Provider
  • Cloud Based Services
• Art of Authorization
• Things to Remember
Security in General
Dictionary Definition:
• Freedom from danger, risk, etc.; safety.
• Freedom from care, anxiety, or doubt; well-founded confidence.
• Something that secures or makes safe; protection; defense.
• Freedom from financial cares or from want: The insurance policy gave the family security.
• Precautions taken to guard against crime, attack, sabotage, espionage.
Security with SharePoint
• Isn't this an oxymoron? Just kidding!!
Security with SharePoint
How does security come into play with SharePoint?
• Same questions as for security in general
  • How, Who, When and often Why
• Content-specific security
• Role-based as well as individual security
• Collaboration security
  • Cross Team
  • Cross Organizational
  • Cross Company
• Specific permission sets for types of access and functionality
Authentication – What is it?
Dictionary Definition:
• To establish as genuine.
• To establish the authorship or origin of conclusively or unquestionably, chiefly by the techniques of scholarship: to authenticate a painting.
• To make authoritative or valid.
Authentication – Types of?
• Windows
  • NTLM
  • Kerberos
  • Basic
  • Anonymous
  • Digest
• Forms-based Authentication
  • Lightweight Directory Access Protocol (LDAP)
  • Microsoft SQL Server
  • ASP.NET Membership and Role Providers
• SAML Token-based Authentication
  • Active Directory Federation Services
  • 3rd Party Identity Provider
  • Lightweight Directory Access Protocol (LDAP)
Authorization – What is it?
Dictionary Definition:
• The act of authorizing.
• Permission or power granted by an authority; sanction.
• To give authority or official power to.
• To give authority for; formally sanction (an act or proceeding).
• To establish by authority or usage.
Authentication vs. Authorization
• Misunderstood terminology
  • Users, IT and Developers
• Authentication = Verification of Claim (I am Liam)
• Authorization = Verification of Permission (Liam has access to)
• Authentication precedes Authorization
  • Correct ID shown to the Bank Teller
  • You are asking to be Authenticated on the Account
  • Once accepted you become Authorized on the Account
• Exception to the rule
  • Anonymous access can leave comments on a Blog site
  • Anonymous users are already Authorized but not Authenticated
• Too often we focus on Authentication and not Authorization
• We expect our users, clients etc. to just inherently know what they are to do
• We often forget that Authentication can be broken, but Authorization is slightly more complicated
Authentication – Claims
SharePoint 2010 introduced Claims Authentication
Authentication – Claims
Why introduce Claims Authentication?
• Wide Support
• Standards Based
  • WS-Federation 1.1
  • WS-Trust 1.4
  • SAML Token 1.1 AuthN
• Single Sign On
• Federation
• Already many providers: Live, Google, Facebook etc.
• Microsoft standard approach
• Fed up with custom coding everything, every time
• Gets round (some) Office integration problems
• Easy to configure with little effort
  • Multiple web.config changes, Web Application changes and then of course the actual configuration of your identity provider
Authentication – Claims Terminology
• Identity
  • Info about a Person or Object (AD, Google, Windows Live, Facebook etc.)
• Claim
  • Attributes of the Identity (User ID, Email, Age etc.)
• Token
  • Binary representation of the Identity
  • Set of Claims and the Signature
• Relying Party (aka RP)
  • Uses the user's Token (SharePoint 2010 in this deck)
• Secure Token Service (STS)
  • Issuer of Tokens for Users
Authentication – Sign In Process
Parties: the Identity Provider Security Token Service (aka IP-STS) and SharePoint 2010 (aka RP)
1. Resource Requested
2. AuthN Request / Redirect
3. AuthN Request
4. Security Token
5. Security Token Request
6. Service Token
7. Resource Request w/ Service Token
8. Resource Sent
DEMO: Sign-In Process with Identity Provider
Authentication – Membership & Role Providers
• Classic .NET approach
• Supports Local Authentication Store
• Supports Remote Authentication Stores
  • Web Services, Remote Database Calls
• No inherent Single Sign On
  • Custom code to achieve this, namely cookie based
• Full support for base .NET Providers
  • Membership Provider – User Accounts and Authentication
  • Role Provider – Equivalent of Groups, Authorization Element
• Specific configuration needed for each Web Application
  • Central Administration
  • Secure Token Service
  • Web Application
• Extensive “web.config” entries needed
• Custom components in SharePoint will be needed
  • Welcome Control, Login Control etc.
Authentication – Custom Identity Provider
• No need for Membership and Role Provider
  • Can still be used – NOTE: Membership User approach
• Single Sign On built in – Web Application needs to be set to require Authentication, not Anonymous
• Centrally managed entry point for all Authentication
• Supports Local Authentication Store
• Supports Remote Authentication Stores
  • Web Services, Remote Database Calls
• Utilizes Windows Identity Foundation
  • Can use .NET 3.5 / 4.0
• PowerShell configuration to implement
• Requires Trusted Certificate for Communication
• Custom components in SharePoint will be needed
  • Welcome Control, Login Control etc.
Authentication – Azure Access Control Service
• Microsoft ADFS-type Cloud Based Service
• Central point for offloading Authentication
• Supports SAML 1.1 / SAML 2.0
• Supports
  • Facebook
  • Google
  • Windows Live ID
  • Yahoo
  • Custom IDP
  • Integrate with Custom Identity Provider
• OpenID-type authentication
• Support for 3rd Party Integration
• Claim Mapping through configuration
DEMO: Create Identity Provider
Authentication – Identity Provider
• Deployment into a separate Web Site
  • https://sts.company.com
• Use SSL for all communication
• Ensure SharePoint 2010 trusts the certificate being used by the Provider
• Methods to override:
  • Authenticate User
  • GetClaimTypeForRole
  • GetOutputClaimsIdentity
• Create User class – methods to get values from the backend into claims
• Create Claim Types class
• Create custom login methods and validation
Authorization
• SharePoint does this after Authentication
  • Is the user a member of a group?
  • Is the user account added to the ACL of the object?
  • Does the user have the required attribute?
• SharePoint only understands what it is told
  • e.g. just because a user logged in does not mean they are authorized
• Best approach to Authorize
  • Active Directory Groups
  • Roles from Membership and Role Provider
  • Claims associated to the user
• Don’t just add users to groups or individually – this can cause issues
• SharePoint default is “DENY”
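The sign-in process (IP-STS issues a signed set of claims, the RP consumes it) and the authorization checks on this slide, modelled as an added example that is not from the deck or from SharePoint itself: the STS authenticates a user against a backend store and issues a signed token, the RP accepts claims only from the issuer it trusts (treating anything else as anonymous), and authorization then checks role membership plus any required claim attribute and defaults to deny. Assumptions: an HMAC key stands in for the STS signing certificate, and the user store and site ACL are constructed.

```python
import base64, hashlib, hmac, json

# Constructed keys standing in for the STS signing certificate. Assumption: an HMAC
# key replaces the X.509 signature so the example runs with no extra dependencies.
TRUSTED_STS_KEY = b"ip-sts-signing-key"   # the issuer SharePoint (the RP) trusts
ROGUE_KEY = b"some-other-issuer-key"      # an issuer the RP has never been told to trust

# Constructed backend user store the IP-STS authenticates against.
USER_STORE = {"liam": {"password": "pw", "email": "liam@example.com", "roles": ["Authors"]}}

# Constructed site ACL: role -> permissions. Anonymous users may only comment.
SITE_ACL = {"Authors": {"read", "write", "comment"}, "Visitors": {"read", "comment"},
            "<anonymous>": {"comment"}}


def sts_issue_token(username, password, key=TRUSTED_STS_KEY):
    """IP-STS side (steps 3-4): authenticate the user against the backend, build
    the output claims, and sign them. No token is issued when authentication fails."""
    user = USER_STORE.get(username)
    if user is None or user["password"] != password:
        return None
    claims = {"nameid": username, "email": user["email"], "role": user["roles"]}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    signature = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + signature


def rp_validate_token(token):
    """RP side (step 7): accept claims only from a token signed by the trusted issuer.
    A missing, malformed or untrusted token yields an anonymous identity, not an error."""
    if token is None:
        return {"anonymous": True}
    body, _, signature = token.partition(".")
    expected = hmac.new(TRUSTED_STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature, expected):
        return {"anonymous": True}   # untrusted issuer or tampered claims: not authenticated
    identity = json.loads(base64.urlsafe_b64decode(body))
    identity["anonymous"] = False
    return identity


def authorize(identity, permission, required_claims=None):
    """Authorization runs after authentication: a required claim attribute (if any)
    and group (role) membership must both hold; anything else is the default DENY."""
    for claim_type, value in (required_claims or {}).items():
        if identity.get(claim_type) != value:
            return False
    roles = ["<anonymous>"] if identity["anonymous"] else identity.get("role", [])
    return any(permission in SITE_ACL.get(role, set()) for role in roles)
```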
SharePoint Authorization (diagram)
Diagram labels: Anonymous; Authentication; Is In Site Group?; Does user have claim attribute?; Web Application / Site Collection; Secured Site / Site Collection / Content; Content Repository; Content
Expect the Unexpected
Security – Real World
• Expect the unexpected
  • People will find a way to circumvent your security
• Give users minimal permission
  • Starting with less is good
  • Add functionality through permission as needed
• Be prepared to secure at all levels
  • Web Application
  • Site Collection
  • Site
  • List or Library
  • Item
• Use roles from Provider
  • Active Directory Groups
  • Membership and Role Provider Roles
  • Claims
Thank You
• Personal Email: [email protected]
• Work: http://www.susqtech.com
• Twitter: @helloitsliam
• Blog: www.helloitsliam.com
Thanks to our Sponsors