SPSBE 2013 Claims for devs

Claims for devs #spsbe, by Steven Van de Craen

Upload: steven-van-de-craen

Posted on 17-May-2015


Category: Technology



DESCRIPTION

SharePoint Saturday Belgium 2013: developer meets claims. Claims for devs.

TRANSCRIPT

Page 1: SPSBE 2013 Claims for devs

Claims for devs #spsbe

Steven Van de Craen

Page 2: SPSBE 2013 Claims for devs

Thanks to our Sponsors

Platinum

Gold

Silver

Page 3: SPSBE 2013 Claims for devs

About me

Steven Van de Craen

Ventigrate

SharePoint

enthusiast

Since 2005

Page 4: SPSBE 2013 Claims for devs

Overview

• AuthN – AuthZ

• Tokens and Claims

• What about SharePoint

• Passive sign-in

• Cookies and expiration

• Encoding

• #demos

• Wrap-up

• Resources

Page 5: SPSBE 2013 Claims for devs

AuthN - AuthZ

• What is Authentication? Process of determining whether someone is who he declares to be. Example: “I am @vandest1”

• What is Authorization? Process of determining whether someone has the permission to do something. Example: “I have Read permissions on this site”

VS

Page 6: SPSBE 2013 Claims for devs

Tokens and Claims

• What is a Claim? Information such as name, e-mail, age, group membership, etc.

• What is Identity? Set of attributes to describe a user

• Security Token: User Identity as a set of claims

Page 7: SPSBE 2013 Claims for devs

What about SharePoint

• Classic or Claims

• Three authentication options
    Windows – NTLM/Kerberos/Basic transformed into a Windows token
    Forms Based Authentication – Membership and Role Provider, typical extranet with SQL or LDAP as underlying store
    Trusted Identity – Outsource authentication to an Identity Provider (WLID, ADFS, custom)

• C2WTS (Claims to Windows Token Service): Converts classic and claims users to a Windows token for systems that aren’t claims aware

Page 8: SPSBE 2013 Claims for devs

Passive sign-in

An Identity Provider (IdP) is an authority that makes claims about an entity

An identity provider implements a Security Token Service (STS), which issues tokens

The Relying Party (your application) needs to decide which “claim” it trusts:
    Facebook: “Steven is 18 years old”
    Social Services: “Steven is 29 years old”

SAML 1.1 required – http://msdn.microsoft.com/en-us/magazine/ff872350.aspx

Speaker notes: DEMO - Show this (LiveID, custom STS, other?)
Page 9: SPSBE 2013 Claims for devs

Cookies and expiration

• Persistent vs Session

• Single Sign On for Office clients, WebDAV

• Configurable on the SharePoint STS

• SharePoint 2013 Distributed Cache: Stores the security token issued by a Secure Token Service. Any web server can access the security token from the cache, authenticate the user and provide access to the resources requested.
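The two slides above describe the passive sign-in roles (an IdP's STS issues a token, the Relying Party decides which claims it trusts) and the token lifetime the STS stamps on the resulting cookie. The following is an added example, not code from the slides or from SharePoint, that models a Relying Party whose trust is scoped per claim type and per issuer, and which refuses a token outside its validity window. All issuer names, the `age` claim URI and the lifetimes are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Claim type URIs: NAME is the standard WS-* name claim; AGE is constructed for this example.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
AGE = "http://claims.example.invalid/2013/age"


@dataclass(frozen=True)
class Claim:
    """One statement about the subject; `issuer` is the authority that made it."""
    claim_type: str
    value: str
    issuer: str


@dataclass(frozen=True)
class SecurityToken:
    """User identity as a set of claims, with the validity window the STS stamped on it."""
    subject: str
    issuer: str            # the STS that issued the token; individual claims keep their own issuer
    valid_from: datetime
    valid_to: datetime
    claims: Tuple[Claim, ...]


class TokenExpired(Exception):
    pass


class RelyingParty:
    """Trust is per claim type AND per issuer: a claim is accepted only when the
    authority that made it is one the RP trusts for that particular claim type."""

    def __init__(self, trust_policy: Dict[str, Iterable[str]]):
        self.trust_policy = {ct: frozenset(issuers) for ct, issuers in trust_policy.items()}

    def is_valid(self, token: SecurityToken, now: datetime) -> bool:
        # Lifetime is decided by the STS (persistent vs session) but enforced here.
        return token.valid_from <= now < token.valid_to

    def accept(self, token: SecurityToken, now: datetime) -> List[Claim]:
        if not self.is_valid(token, now):
            raise TokenExpired(f"token for {token.subject} not valid at {now.isoformat()}")
        return [c for c in token.claims
                if c.issuer in self.trust_policy.get(c.claim_type, frozenset())]

    def resolve(self, token: SecurityToken, now: datetime, claim_type: str) -> Optional[str]:
        """Value of a claim type from trusted issuers only; refuse to guess when they disagree."""
        values = {c.value for c in self.accept(token, now) if c.claim_type == claim_type}
        if len(values) > 1:
            raise ValueError(f"trusted issuers disagree on {claim_type}: {sorted(values)}")
        return values.pop() if values else None


def sample_now() -> datetime:
    # Constructed reference time so the example is deterministic.
    return datetime(2013, 4, 27, 10, 0, tzinfo=timezone.utc)


def later(now: datetime, hours: float) -> datetime:
    return now + timedelta(hours=hours)


def sample_token(now: datetime) -> SecurityToken:
    """Constructed token matching the slide's example: two authorities disagree on age."""
    return SecurityToken(
        subject="steven", issuer="sts.example.invalid",
        valid_from=now - timedelta(minutes=5), valid_to=now + timedelta(hours=1),
        claims=(
            Claim(AGE, "18", "facebook.example.invalid"),
            Claim(AGE, "29", "social-services.example.invalid"),
            Claim(NAME, "Steven", "facebook.example.invalid"),
        ),
    )


def sample_relying_party() -> RelyingParty:
    # The RP's decision: age is trusted only from the government provider,
    # a display name from either provider.
    return RelyingParty({
        AGE: {"social-services.example.invalid"},
        NAME: {"facebook.example.invalid", "social-services.example.invalid"},
    })


if __name__ == "__main__":
    now = sample_now()
    rp, tok = sample_relying_party(), sample_token(now)
    print("accepted:", [(c.claim_type.rsplit("/", 1)[-1], c.value, c.issuer) for c in rp.accept(tok, now)])
    print("age:", rp.resolve(tok, now, AGE))
    print("valid two hours later:", rp.is_valid(tok, later(now, 2)))
```

The design choice worth noting is that the Facebook age claim is not wrong or malformed; it is simply not from an issuer this RP trusts for that claim type, so it is dropped before any authorization decision sees it, while the name claim from the same issuer is kept.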

Page 10: SPSBE 2013 Claims for devs

Encoding

• Classic
    Windows: DOMAIN\username
    FBA: myprovider:username

• Claims
    Windows: i:0#.w|domain\username
    FBA: i:0#.f|myprovider:username

• Microsoft.SharePoint.Administration.Claims
    SPClaim
    SPClaimProviderManager.DecodeClaim / .EncodeClaim

Speaker notes: Show DEMO?
Page 11: SPSBE 2013 Claims for devs

http://www.wictorwilen.se/Post/How-Claims-encoding-works-in-SharePoint-2010.aspx
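To make the encoded login names on the Encoding slide concrete, here is an added example, not SharePoint's own SPClaimProviderManager.EncodeClaim/DecodeClaim and not code from the talk or the linked post, that strictly parses and re-encodes the `i:0#.w|domain\username` shape. The character tables are a subset assumed from public documentation of the encoding (the claim-type, value-type and original-issuer characters); anything not in them is rejected rather than guessed, and the value after the first `|` is kept opaque so both the slide's `myprovider:username` and provider-prefixed values pass through unchanged.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Assumption: subset of the claim-type character table (character -> claim type URI).
CLAIM_TYPES: Dict[str, str] = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "+": "http://schemas.microsoft.com/sharepoint/2009/08/claims/groupsid",
    "!": "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider",
}
# Value-type character: login names use "." (xsd:string).
VALUE_TYPES: Dict[str, str] = {".": "http://www.w3.org/2001/XMLSchema#string"}
# Assumption: subset of the original-issuer character table.
ISSUER_TYPES: Dict[str, str] = {
    "w": "Windows", "f": "Forms", "t": "TrustedProvider", "m": "Membership",
    "r": "RoleProvider", "c": "ClaimProvider", "s": "SecurityTokenService",
}

# Layout: <i|c> ':' '0' <claim type> <value type> <issuer type> '|' <value>
_ENCODED = re.compile(
    r"^(?P<kind>[ic]):0(?P<ct>.)(?P<vt>.)(?P<it>[a-z])\|(?P<value>.+)$", re.DOTALL)


@dataclass(frozen=True)
class DecodedClaim:
    is_identity: bool       # "i:" identity claim vs "c:" any other claim (e.g. a group)
    claim_type: str
    value_type: str
    original_issuer: str
    value: str              # everything after the first "|", kept opaque


def is_claims_encoded(login: str) -> bool:
    return _ENCODED.match(login) is not None


def decode_claim(encoded: str) -> DecodedClaim:
    m = _ENCODED.match(encoded)
    if m is None:
        raise ValueError(f"not a claims-encoded login name: {encoded!r}")
    ct, vt, it = m["ct"], m["vt"], m["it"]
    for char, table, what in ((ct, CLAIM_TYPES, "claim type"),
                              (vt, VALUE_TYPES, "value type"),
                              (it, ISSUER_TYPES, "issuer type")):
        if char not in table:
            raise ValueError(f"unknown {what} character {char!r} in {encoded!r}")
    return DecodedClaim(m["kind"] == "i", CLAIM_TYPES[ct], VALUE_TYPES[vt],
                        ISSUER_TYPES[it], m["value"])


def _reverse(table: Dict[str, str], name: str, what: str) -> str:
    for char, candidate in table.items():
        if candidate == name:
            return char
    raise ValueError(f"no encoding character for {what} {name!r}")


def encode_claim(claim: DecodedClaim) -> str:
    kind = "i" if claim.is_identity else "c"
    ct = _reverse(CLAIM_TYPES, claim.claim_type, "claim type")
    vt = _reverse(VALUE_TYPES, claim.value_type, "value type")
    it = _reverse(ISSUER_TYPES, claim.original_issuer, "issuer type")
    return f"{kind}:0{ct}{vt}{it}|{claim.value}"


def same_windows_principal(a: str, b: str) -> bool:
    """Compare a classic DOMAIN\\user name with a claims-encoded one (or two of either).
    Only Windows identity claims qualify; a group SID claim never matches an account."""
    def normalize(login: str):
        if is_claims_encoded(login):
            c = decode_claim(login)
            if not c.is_identity or c.original_issuer != "Windows":
                return None
            return c.value.lower()   # Windows account names are case-insensitive
        return login.lower()
    na, nb = normalize(a), normalize(b)
    return na is not None and na == nb


if __name__ == "__main__":
    for login in ("i:0#.w|domain\\username", "i:0#.f|myprovider:username",
                  "c:0+.w|S-1-5-21-1-2-3-513"):   # last value is a constructed SID
        d = decode_claim(login)
        print(login, "->", d.original_issuer, d.claim_type.rsplit("/", 1)[-1], repr(d.value))
        assert encode_claim(d) == login
    print(same_windows_principal("DOMAIN\\username", "i:0#.w|domain\\username"))
```

The practical point is the strict grammar: code that compares `SPUser.LoginName` to a classic `DOMAIN\user` string, or that takes whatever follows the last `|` as "the username", silently mis-identifies users once an environment is claims-based; decoding the prefix first makes the issuer type and claim type explicit before any comparison or authorization happens.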

Page 12: SPSBE 2013 Claims for devs

#demos

• Create a custom login page
    Multiple authentication: automatic redirect
    Simple audit logging
    Update SPUser display name and email

• Create a custom Security Token Service
    Provide centralized authentication for many Relying Parties
    Single sign on across Relying Parties
    Can have pluggable authentication model with multiple providers

• Create a custom claim provider
    Augment – Provide additional claims for the identity
    Resolution – Allow name resolution for People Picker
    Use claims for normalization or authorization (claims based security)

Page 13: SPSBE 2013 Claims for devs

Wrap-up

• Multiple authentication

• Use claims for securing content

• Single sign on across RPs and apps

• Decouple authentication from SharePoint

• Recommended authentication model for SharePoint

Page 14: SPSBE 2013 Claims for devs

Resources

• Implementing Claims-Based Authentication with SharePoint Server 2010 – http://bit.ly/ozwB17

• Claims authentication against Windows Live ID for SharePoint 2010 – http://bit.ly/aXKMCp

• Converting EPiServer 6 to use claims-based authentication with WIF – http://bit.ly/c71Ipl

• Ventigrate Codeplex: External User Management – http://bit.ly/JMtpc4

• Claims Walkthrough: Writing Claims Providers for SharePoint 2010 – http://bit.ly/aNPypt

• The Identity Guy – http://bit.ly/qYhItd

• How Claims encoding works in SharePoint 2010 – http://bit.ly/yqpwR7

• How to Get All User Claims at Claims Augmentation Time in SharePoint 2010 – http://bit.ly/gX3V3p

• Custom Security Token Service (WIF 4.5) – http://bit.ly/14fGzb5

• How to make use of a custom IP-STS with SharePoint 2010 – http://bit.ly/Y7OnJB

Page 15: SPSBE 2013 Claims for devs

THANK YOU

Steven Van de Craen
EMAIL: [email protected]
http://www.sharepointblogs.be/blogs/vandest
TWITTER: @vandest1