spsbe 2013 claims for devs
SharePoint Saturday Belgium 2013 Developer meet claims, Claims for devs
Claims for devs #spsbe
Steven Van de Craen
Thanks to our Sponsors (Platinum, Gold, Silver)
About me
Steven Van de Craen, Ventigrate
SharePoint enthusiast since 2005
Overview
• AuthN – AuthZ
• Tokens and Claims
• What about SharePoint
• Passive sign-in
• Cookies and expiration
• Encoding
• #demos
• Wrap-up
• Resources
AuthN - AuthZ
• What is Authentication? The process of determining whether someone is who he declares to be. Example: "I am @vandest1"
• What is Authorization? The process of determining whether someone has the permission to do something. Example: "I have Read permissions on this site"
Tokens and Claims
• What is a Claim? Information such as name, e-mail, age, group membership, etc.
• What is Identity? A set of attributes to describe a user
• Security Token: the user identity as a set of claims
What about SharePoint
• Classic or Claims
• Three authentication options
  Windows – NTLM/Kerberos/Basic, transformed into a Windows token
  Forms Based Authentication – Membership and Role Provider; typical extranet with SQL or LDAP as underlying store
  Trusted Identity – Outsource authentication to an Identity Provider (WLID, ADFS, custom)
• C2WTS (Claims to Windows Token Service) – Converts classic and claims users to a Windows token for systems that aren’t claims aware
Passive sign-in
• An Identity Provider (IdP) is an authority that makes claims about an entity
• An identity provider implements a Security Token Service (STS), which issues tokens
• The Relying Party (your application) needs to decide which “claim” it trusts
  Facebook: “Steven is 18 years old”
  Social Services: “Steven is 29 years old”
• SAML 1.1 required – http://msdn.microsoft.com/en-us/magazine/ff872350.aspx
Cookies and expiration
• Persistent vs Session
• Single Sign On for Office clients, WebDAV
• Configurable on the SharePoint STS
• SharePoint 2013 Distributed Cache – Stores the security token issued by a Secure Token Service. Any web server can access the security token from the cache, authenticate the user and provide access to the resources requested.
Encoding
• Classic
  Windows: DOMAIN\username
  FBA: myprovider:username
• Claims
  Windows: i:0#.w|domain\username
  FBA: i:0#.f|myprovider:username
• Microsoft.SharePoint.Administration.Claims
  SPClaim
  SPClaimProviderManager .DecodeClaim / .EncodeClaim
  http://www.wictorwilen.se/Post/How-Claims-encoding-works-in-SharePoint-2010.aspx
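A small decoder/encoder for the claims encoding shown above, added here as an illustration (it is not SharePoint's own SPClaimProviderManager.DecodeClaim/EncodeClaim). The character tables for claim type, value type and original issuer are assumptions based on the public encoding scheme the linked post describes, trimmed to a few entries; a code checks all of these before an encoded login is trusted for an authorization decision.

```python
"""Decode and re-encode SharePoint claim strings such as 'i:0#.w|domain\\username'.
Added illustration, not SharePoint's SPClaimProviderManager; tables are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumption: character tables follow the SharePoint claims encoding scheme (partial).
CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}
ISSUERS = {"w": "windows", "f": "forms", "t": "trusted", "s": "sharepoint-sts",
           "m": "membership", "r": "role", "c": "claimprovider"}


@dataclass(frozen=True)
class DecodedClaim:
    is_identity: bool           # 'i' = identity claim, 'c' = any other claim
    claim_type: str             # full claim type URI
    value_type: str             # full value type URI
    issuer: str                 # original issuer (windows, forms, trusted, ...)
    issuer_name: Optional[str]  # provider name, only when encoded as '...|name|value'
    value: str


def decode_claim(encoded: str) -> DecodedClaim:
    """Parse '<i|c>:0<type><valuetype><issuer>|[name|]<value>'; reject malformed input."""
    head, sep, rest = encoded.partition("|")
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    type_char, vtype_char, issuer_char = head[3], head[4], head[5]
    if type_char not in CLAIM_TYPES or vtype_char not in VALUE_TYPES or issuer_char not in ISSUERS:
        raise ValueError(f"unknown encoding character in {head!r}")
    # Forms/trusted claims may carry the provider name before a second '|'.
    name, sep2, value = rest.partition("|")
    if not sep2:
        name, value = None, rest
    if not value:
        raise ValueError("empty claim value")
    return DecodedClaim(head[0] == "i", CLAIM_TYPES[type_char], VALUE_TYPES[vtype_char],
                        ISSUERS[issuer_char], name, value)


def encode_claim(claim: DecodedClaim) -> str:
    """Inverse of decode_claim, so decode -> encode reproduces the original string."""
    def rev(table: dict, uri: str) -> str:
        return next(k for k, v in table.items() if v == uri)
    head = ("i" if claim.is_identity else "c") + ":0" + rev(CLAIM_TYPES, claim.claim_type)
    head += rev(VALUE_TYPES, claim.value_type) + rev(ISSUERS, claim.issuer)
    middle = f"{claim.issuer_name}|" if claim.issuer_name is not None else ""
    return f"{head}|{middle}{claim.value}"
```

Classic logins such as DOMAIN\username are rejected by decode_claim, which is the check to run before comparing an encoded login against an ACL entry.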
#demos
• Create a custom login page
  Multiple authentication: automatic redirect
  Simple audit logging
  Update SPUser display name and email
• Create a custom Security Token Service
  Provide centralized authentication for many Relying Parties
  Single sign on across Relying Parties
  Can have pluggable authentication model with multiple providers
• Create a custom claim provider
  Augment – Provide additional claims for the identity
  Resolution – Allow name resolution for People Picker
  Use claims for normalization or authorization (claims based security)
Wrap-up
• Multiple authentication
• Use claims for securing content
• Single sign on across RPs and apps
• Decouple authentication from SharePoint
• Recommended authentication model for SharePoint
Resources
• Implementing Claims-Based Authentication with SharePoint Server 2010 – http://bit.ly/ozwB17
• Claims authentication against Windows Live ID for SharePoint 2010 – http://bit.ly/aXKMCp
• Converting EPiServer 6 to use claims-based authentication with WIF – http://bit.ly/c71Ipl
• Ventigrate Codeplex: External User Management – http://bit.ly/JMtpc4
• Claims Walkthrough: Writing Claims Providers for SharePoint 2010 – http://bit.ly/aNPypt
• The Identity Guy – http://bit.ly/qYhItd
• How Claims encoding works in SharePoint 2010 – http://bit.ly/yqpwR7
• How to Get All User Claims at Claims Augmentation Time in SharePoint 2010 – http://bit.ly/gX3V3p
• Custom Security Token Service (WIF 4.5) – http://bit.ly/14fGzb5
• How to make use of a custom IP-STS with SharePoint 2010 – http://bit.ly/Y7OnJB
THANK YOU
Steven Van de Craen
EMAIL: [email protected]
http://www.sharepointblogs.be/blogs/vandest
TWITTER: @vandest1