thomas vochten claims-spsbe26
DESCRIPTION
In this session we will go through the basics of claims based authentication. What is it and what does it bring to the table? We will provide an overview of some basic and more advanced scenarios in which you would want to use claims based authentication. We will also touch upon related concepts like federated identity and single sign-on. Furthermore, we will cover some real world implementation tips that come in handy when you consider claims based authentication, before you take this route. There are some very common issues that you had better be aware of. This session is primarily targeted at SharePoint administrators, i.e. we won't go into details on development topics such as custom claims providers, although we will touch upon the subject.
TRANSCRIPT
Thomas Vochten
Claims based authentication for mere mortals
#SPSBE
#SPSBE26
About me
Thomas Vochten
@thomasvochten
thomasvochten.com
linkedin.com/in/thomasvochten
consultant / platform architect / lousy developer / accidental DBA
SharePoint
SQL Server
Agenda
• Claims Based Identity
• Claims within SharePoint 2010
• Claim Providers
• Windows Claims
• Trusted Provider claims
• Federation & Single Sign On
• Claims in the Real World
Claims based identity
Who do you trust?
Claims based identity
• Not a new concept
• Claims provide abstraction
• Authentication (AuthN) versus Authorization (AuthZ)
• AuthZ decisions are based on claims
Setting the scene
• Claim
• Security Token
• Identity Provider (IdP)
• Relying Party (RP)
• Security Token Service (STS)
• Realm
[Diagram: a security token containing several claims (for example Name, Age, Location) and a signature; the token is issued after AuthN and consumed for AuthZ.]
Claims within SharePoint 2010
3 types of claim providers
• Windows
• Trusted Provider
• Forms Based Authn
Multiple Authn providers possible in the same zone
Be sure to be on Service Pack 1 with the June 2011 CU at minimum
[Diagram: Multi-Authentication versus Mixed Authentication. A SharePoint farm hosts a web application that is extended into the Default, Intranet, Extranet, Internet and Custom zones. With mixed authentication each zone gets its own provider (Windows Authentication, FBA Authentication or SAML Based Authentication); with multi-authentication several providers (for example Windows and FBA) are enabled in the same zone.]
Multiple Authentication Providers
Identity Normalization
[Diagram: an NT token (Windows identity), an ASP.NET (FBA) identity from LDAP, a custom store or similar, a SAML token from LiveID, ADFS or other providers, and the anonymous user are all normalized to a SAML token, i.e. a claims based identity, which SharePoint represents as an SPUser.]
Identity Claim Format
i:0#.t|federation|thomasvochten
i:0#.w|lab\thomasvochten
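As an added example (not from the session), the following plain PowerShell function decodes the encoded claim strings shown above without needing a SharePoint farm. The lookup tables are deliberately partial, and the group SID in the third sample is a constructed value:

```powershell
# Decode a SharePoint 2010 encoded claim string such as
#   i:0#.w|lab\thomasvochten            Windows identity claim, no issuer segment
#   i:0#.t|federation|thomasvochten     Trusted Provider identity claim, issuer "federation"
# Layout: <i|c>:0<ClaimType><ValueType><AuthMode>|[<OriginalIssuer>|]<Value>
# The lookup tables below are partial; SharePoint knows more codes than listed here.
function Resolve-Code([hashtable]$Table, [string]$Code) {
    if ($Table.ContainsKey($Code)) { $Table[$Code] } else { "unknown code '$Code'" }
}

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory = $true)][string]$EncodedClaim)

    $claimTypes = @{
        '#' = 'user logon name'   # http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
        '5' = 'e-mail address'    # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        '-' = 'role'              # http://schemas.microsoft.com/ws/2008/06/identity/claims/role
        '+' = 'group SID'         # http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
    }
    $valueTypes = @{ '.' = 'string' }   # http://www.w3.org/2001/XMLSchema#string
    $authModes  = @{ 'w' = 'Windows'; 't' = 'Trusted Provider'; 'f' = 'Forms (membership provider)' }

    # The prefix is fixed width: kind, ':0', one character each for claim type, value type and auth mode, then '|'
    if ($EncodedClaim -notmatch '^([ic]):0(.)(.)(.)\|(.+)$') {
        throw "Not a SharePoint encoded claim: '$EncodedClaim'"
    }
    $kind, $typeCode, $valueCode, $modeCode, $rest = $Matches[1], $Matches[2], $Matches[3], $Matches[4], $Matches[5]

    # Windows claims carry only the value; trusted and forms claims prefix it with the original issuer
    if ($modeCode -eq 'w') {
        $issuer = 'Windows'; $value = $rest
    } else {
        $issuer, $value = $rest -split '\|', 2
        if (-not $value) { throw "Missing original issuer or value in '$EncodedClaim'" }
    }

    [pscustomobject]@{
        IsIdentityClaim = ($kind -eq 'i')      # 'i' = identity claim, 'c' = any other claim
        ClaimType       = Resolve-Code $claimTypes $typeCode
        ValueType       = Resolve-Code $valueTypes $valueCode
        AuthMode        = Resolve-Code $authModes $modeCode
        OriginalIssuer  = $issuer
        Value           = $value
    }
}

# The two identity claims from the slide, plus a constructed Windows group claim of the kind added by augmentation
'i:0#.t|federation|thomasvochten', 'i:0#.w|lab\thomasvochten', 'c:0+.w|s-1-5-21-0-0-0-513' |
    ForEach-Object { ConvertFrom-SPEncodedClaim $_ } | Format-Table -AutoSize
```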
Claims Providers
• Augmentation of claims
• Resolution of claims
Windows Claims
• NTLM or Kerberos
• Automatic sign in
• Used by SharePoint internally
• Claims to Windows Token Service for outbound claims (c2wts)
Claims Provider Functions
• Augmentation with Windows security groups
• People picker does lookups in Active Directory
Migrating to Windows Claims
• Planning is crucial
• Classic to claims only
• No way back
• 2 step process:
• 2 step process: change the web application to use claims, then migrate the user identities
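The two steps as an added example script (not from the session), following the procedure of switching the web application and then migrating the identities. It assumes the SharePoint 2010 Management Shell running as a farm administrator; the URL and the account are placeholders:

```powershell
# Classic (Windows) to Windows claims migration for one web application.
# Placeholders: replace the URL and the account with your own values.
$webAppUrl    = "http://intranet.contoso.local"   # placeholder
$adminAccount = "contoso\spadmin"                 # placeholder: account that keeps full control during migration

$wa = Get-SPWebApplication $webAppUrl
if ($wa.UseClaimsAuthentication) {
    # Guard against running this twice: the switch to claims is one way
    throw "$webAppUrl already uses claims authentication; there is no way back to classic mode."
}

# Step 1: switch the web application to claims based authentication
$wa.UseClaimsAuthentication = $true
$wa.Update()

# Give the admin account a full control policy in its claims encoded form (i:0#.w|contoso\spadmin),
# so that nobody is locked out while the other identities are still in classic form
$encoded = (New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName).ToEncodedString()
$wa = Get-SPWebApplication $webAppUrl
$policy = $wa.ZonePolicies("Default").Add($encoded, "Claims migration admin")
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
$wa.Update()

# Step 2: rewrite the existing classic user identities to their claims encoding
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()
```

Test the result on a non-production farm first: a user whose identity did not migrate shows up as an unresolved account in site permissions.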
Demo
Exploring Windows Claims
Trusted Provider claims
• SharePoint as relying party
• Needs an external identity provider such as ADFS
• Based on open standards (SAML, WS-*)
• Logging in: just a bunch of redirects
• Migration not out of the box (custom code needed)
Setup
• Setup identity provider
• Setup trust via PowerShell
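Setting up the trust via PowerShell, as an added example (not from the session) for ADFS as the identity provider. It assumes ADFS already has a relying party trust for SharePoint and that the web application is already claims based; the certificate path, realm and URLs are placeholders:

```powershell
# Register ADFS as a trusted identity provider; SharePoint becomes the relying party.
# Placeholders: certificate path, realm and URLs must match your environment.
$signingCertPath = "C:\certs\adfs-token-signing.cer"   # placeholder: ADFS token signing certificate, public key only
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)
New-SPTrustedRootAuthority -Name "ADFS token signing" -Certificate $cert

# Map the incoming SAML claims SharePoint should keep. The e-mail claim becomes the identifier claim,
# i.e. the unique ID the slides warn you to choose wisely: it must be stable and unique per user.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$realm     = "urn:sharepoint:intranet"               # placeholder: must equal the relying party identifier in ADFS
$signInUrl = "https://adfs.contoso.local/adfs/ls/"   # placeholder: HTTPS, the redirects carry the token

$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "Contoso ADFS" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# Enable the provider on the Default zone next to Windows authentication (multiple providers in one zone),
# so administrators keep a Windows sign-in if the federation does not work yet
$webAppUrl = "https://intranet.contoso.local"   # placeholder
$windowsAp = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$samlAp    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windowsAp, $samlAp
```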
Claims Provider functions
• Nothing out of the box (custom code needed)
[Diagram: SAML based sign-in. The Identity Provider Security Token Service (IP-STS) authenticates the client against a store such as Active Directory, LiveID or ASP.NET Membership; a trust relationship exists between the IP-STS and the SharePoint STS. Numbered steps shown: 5. service token request to the SharePoint STS; 6. security token response; 7. request the resource with the service token, after which SharePoint authorization consults the claims providers.]
Demo
Exploring Trusted Provider Claims
Federation & Single Sign On
• Chain of trusted/trusting identity providers
• Multiple use cases: extranet access, mergers & acquisitions, cross-forest authentication
• Single Sign On possibilities
• Integration with other systems like FIM, UAG or ACS
Claims in the real world
• When would you use claims based AuthN?
• Integration with other applications like Office
• Some stuff will break or doesn’t support claims!
• Choose your unique ID wisely
• You will probably need a custom claims provider
• Home realm discovery
• Learn to give up control
• Test test test
Some last considerations…
• Use SSL
• Kerberos is not dead
• Choose your unique ID wisely
• Software prerequisites
• Token cache settings
• No 2 factor AuthN out of the box
• Custom claims provider on app server
• FAST document preview
• Debatable workaround for c2wts
• SQL, PowerPivot, PerfPoint, UPA,...
• SAML claims have the most functional issues
• Next wave of MS products
RESOURCES
• A guide to claims based identity and access control (2nd edition), MSDN
• Implementing Claims-Based Authentication with SharePoint Server 2010, TechNet
• Steve Peschka’s blog
Links & more resources available on my blog at http://thomasvochten.com