thomas vochten claims-spsbe26
DESCRIPTION
In this session we will go through the basics of claims based authentication. What is it and what does it bring to the table? We will provide an overview of some basic and more advanced scenarios in which you would want to use claims based authentication. We will also touch upon related concepts like federated identity and single sign-on. Furthermore, we will cover some real world implementation tips that might come in handy when considering claims based authentication before taking this route. There are some very common issues that you had better be aware of. This session is primarily targeted at SharePoint administrators, i.e. we won't go into details on development topics such as custom claims providers, although we will touch upon the subject.

TRANSCRIPT
![Page 1: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/1.jpg)
Thomas Vochten
Claims based authentication for mere mortals
#SPSBE
#SPSBE26
![Page 2: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/2.jpg)
About me
Thomas Vochten
@thomasvochten
thomasvochten.com
linkedin.com/in/thomasvochten
consultant, platform architect, lousy developer, accidental DBA
SharePoint, SQL Server
![Page 3: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/3.jpg)
A big thanks to our sponsors
Venue Sponsor
Platinum Sponsors
Gold Premium Sponsors
Gold Sponsors
![Page 4: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/4.jpg)
Agenda
• Claims Based Identity
• Claims within SharePoint 2010
• Claim Providers
• Windows Claims
• Trusted Provider claims
• Federation & Single Sign On
• Claims in the Real World
![Page 5: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/5.jpg)
Claims based identity
Who do you trust?
![Page 6: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/6.jpg)
Claims based identity
• Not a new concept
• Claims provide abstraction
• Authentication (AuthN) versus Authorization (AuthZ)
• AuthZ decision are based on claims
![Page 7: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/7.jpg)
Setting the scene
• Claim
• Security Token
• Identity Provider (IdP)
• Relying Party (RP)
• Security Token Service (STS)
• Realm
![Page 8: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/8.jpg)
Diagram: a Token is a set of claims (Name, Age, Location, ...) plus the Signature of the issuer that vouches for them.
![Page 9: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/9.jpg)
Diagram: AuthN and AuthZ.
![Page 10: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/10.jpg)
Claims within SharePoint 2010
3 types of claims authentication providers
• Windows
• Trusted Provider (SAML)
• Forms Based AuthN (FBA)
Multiple Authn providers possible in the same zone
Be sure to be at Service Pack 1 with June 2011 CU minimum
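As an added example (not from the deck), the PowerShell below creates a claims web application whose Default zone accepts Windows and forms based sign-in side by side, i.e. multiple authentication providers in one zone rather than one extended web application per provider. Assumptions: the farm is SharePoint 2010 SP1 or later, the managed account LAB\sp_web exists, the ASP.NET membership and role providers FbaMembers and FbaRoles are already registered in the web.config of the web application, Central Administration and the SecurityTokenServiceApplication, and intranet.lab.local is a fictitious host name.

```powershell
# Added example, not part of the deck: Windows + FBA in the same zone.
# Assumed names: LAB\sp_web, FbaMembers, FbaRoles, intranet.lab.local.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url = 'https://intranet.lab.local'

# Windows claims: Kerberos with NTLM fallback (add -DisableKerberos for NTLM only)
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# Forms based authentication claims: the provider names must match web.config
$forms = New-SPAuthenticationProvider -ASPNETMembershipProvider 'FbaMembers' `
                                      -ASPNETRoleProviderName 'FbaRoles'

# Passing more than one provider puts them in the same (Default) zone;
# -AuthenticationProvider also implies claims mode for the web application.
$wa = New-SPWebApplication -Name 'Intranet (claims)' `
        -Url $url -Port 443 -SecureSocketsLayer -HostHeader 'intranet.lab.local' `
        -ApplicationPool 'IntranetAppPool' `
        -ApplicationPoolAccount (Get-SPManagedAccount 'LAB\sp_web') `
        -AuthenticationProvider $windows, $forms

# Check: the Default zone should now list both providers
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa.GetIisSettingsWithFallback($zone).ClaimsAuthenticationProviders |
    Select-Object DisplayName, ClaimProviderName
```

Because SSL is on from the start, the forms credentials never travel in the clear. A third provider (for example a trusted SAML issuer) can be added to the same zone later with Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $forms, $saml.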
![Page 11: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/11.jpg)
Multi-Authentication versus Mixed Authentication
Diagram: two SharePoint farms side by side.
Mixed Authentication: one authentication provider per zone. The web application in the Default zone uses Windows Authentication; the extended web applications in the Intranet, Extranet, Internet and Custom zones each carry their own provider, e.g. FBA Authentication.
Multi-Authentication: several providers in one zone. The web application in the Default zone offers Windows Authentication, FBA Authentication and SAML Based Authentication together, while extended web applications in the other zones can still run a single provider such as FBA Authentication or Windows Authentication.
![Page 12: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/12.jpg)
Multiple Authentication Providers
![Page 13: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/13.jpg)
Identity Normalization
Diagram: whichever way a user signs in, SharePoint normalizes the identity to a SAML token (claims based identity) and from there to an SPUser:
NT Token (Windows Identity) -> SAML Token -> SPUser
ASP.Net (FBA: LDAP, Custom, ...) -> SAML Token -> SPUser
SAML Token (LiveID, ADFS, Others) -> SAML Token -> SPUser
Anonymous User -> SAML Token -> SPUser
![Page 14: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/14.jpg)
Identity Claim Format
i:0#.t|federation|thomasvochten
i:0#.w|lab\thomasvochten
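The two strings above are SharePoint's encoded claim format. As an added example (not from the deck) the function below decodes such strings on plain PowerShell, no farm needed: the layout is kind (i = identity claim, c = any other claim), value type (0 = string), a one character claim type code, a dot, the authentication mode (w = Windows, f = forms, t = trusted provider), a pipe, then for non-Windows claims the issuer name and another pipe, then the claim value. The claim type table is an assumed partial list of the common codes; codes it does not know are reported as-is. The sample inputs are the two identity claims from the slide plus a constructed Windows group claim with a made-up SID.

```powershell
# Added example, not part of the deck. Assumption: the code table is a
# partial list of the common SharePoint 2010 claim type codes.
$SPClaimTypeCodes = @{
    '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
    '"' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
}
$SPAuthModes = @{ w = 'Windows'; f = 'Forms (ASP.NET membership)'; t = 'Trusted provider (SAML)'; s = 'SharePoint STS' }

function ConvertFrom-SPEncodedClaim {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EncodedClaim)
    process {
        # Layout: <i|c> ':' <value type> <claim type> '.' <auth mode> '|' [<issuer> '|'] <value>
        if ($EncodedClaim -notmatch '^([ic]):(.)(.)\.(.)\|(.+)$') {
            throw "Not a SharePoint encoded claim: '$EncodedClaim'"
        }
        $kind, $valueType, $code, $mode, $rest = $Matches[1], $Matches[2], $Matches[3], $Matches[4], $Matches[5]

        if ($mode -eq 'w') {
            # Windows claims carry no issuer name; the value is DOMAIN\user or a SID
            $issuer = $null
            $value  = $rest
        } else {
            # forms and trusted claims prefix the provider name: i:0#.t|federation|user
            $issuer, $value = $rest -split '\|', 2
            if (-not $value) { throw "Missing provider name in '$EncodedClaim'" }
        }

        $claimType = if ($SPClaimTypeCodes.ContainsKey($code)) { $SPClaimTypeCodes[$code] } else { "unknown code '$code'" }
        $authMode  = if ($SPAuthModes.ContainsKey($mode))      { $SPAuthModes[$mode] }      else { "unknown mode '$mode'" }

        [pscustomobject]@{
            Encoded    = $EncodedClaim
            IsIdentity = ($kind -eq 'i')
            ValueType  = if ($valueType -eq '0') { 'string' } else { "code '$valueType'" }
            ClaimType  = $claimType
            AuthMode   = $authMode
            Issuer     = $issuer
            Value      = $value
        }
    }
}

# Constructed sample input: the two identity claims from the slide and a
# Windows group claim whose SID is made up for the example
@(
    'i:0#.w|lab\thomasvochten'
    'i:0#.t|federation|thomasvochten'
    'c:0+.w|S-1-5-21-1004336348-1177238915-682003330-512'
) | ConvertFrom-SPEncodedClaim | Format-List
```

On a farm the authoritative decoder is SPClaimProviderManager.Local.DecodeClaim(), and New-SPClaimsPrincipal with .ToEncodedString() produces these strings; the point of decoding them by hand is to read permission entries and policy rows where only the encoded form is stored. Note that the same person shows up as two different identities (one per issuer), which is why the unique ID matters so much later in the deck.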
![Page 15: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/15.jpg)
Claims Providers
• Augmentation of claims
• Resolution of claims
![Page 16: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/16.jpg)
Windows Claims
• NTLM or Kerberos
• Automatic sign in
• Used by SharePoint internally
• Claims to Windows Token Service for outbound claims (c2wts)
Claims Provider Functions
• Augmentation with Windows security groups
• People picker does lookups in Active Directory
![Page 17: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/17.jpg)
Migrating to Windows Claims
• Planning is crucial
• Classic to claims only
• No way back
• 2 step process:
1. Changing the web application to use claims
2. Migrating the user identities
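The two steps as a script, added here as an example and not taken from the deck. It follows the SharePoint 2010 TechNet procedure (the Convert-SPWebApplication cmdlet of later versions does not exist in 2010). Assumptions: the web application URL http://intranet.lab.local and the account LAB\spadmin are fictitious. There is no way back, so the content databases are backed up before this runs.

```powershell
# Added example, not part of the deck: classic mode -> Windows claims in two steps.
# Assumed names: http://intranet.lab.local, LAB\spadmin. Irreversible: back up first.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://intranet.lab.local'
$account   = 'LAB\spadmin'   # account that must keep Full Control after the switch

# Step 1: switch the web application to claims authentication
$wa = Get-SPWebApplication $webAppUrl
if ($wa.UseClaimsAuthentication) { throw "$webAppUrl already uses claims authentication" }
$wa.UseClaimsAuthentication = $true
$wa.Update()

# Grant Full Control to the migrating account in its claims form (i:0#.w|lab\spadmin);
# the classic policy entry no longer matches once identities are migrated
$encoded = (New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName).ToEncodedString()
$wa = Get-SPWebApplication $webAppUrl
$policy = $wa.ZonePolicies('Default').Add($encoded, 'Claims migration policy')
$policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole('FullControl'))
$wa.Update()

# Step 2: rewrite the stored user identities (LAB\user -> i:0#.w|lab\user),
# argument $true as in the TechNet procedure, then reprovision the IIS settings
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()

# Check: login names in the root web should now be encoded claims
$web = Get-SPWeb $webAppUrl
$web.SiteUsers | Select-Object -First 5 LoginName
$web.Dispose()
```

Run it once per web application, during a maintenance window, and test with a normal user as well as the policy account: a user whose login name was not rewritten has lost every permission that referenced the old name.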
![Page 18: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/18.jpg)
Demo
Exploring Windows Claims
![Page 19: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/19.jpg)
Trusted Provider claims
• SharePoint as relying party
• Needs an external identity provider such as ADFS
• Based on open standards (SAML, WS-*)
• Logging in: just a bunch of redirects
• Migration not out of the box (custom code needed)
Setup
• Setup identity provider
• Setup trust via PowerShell
Claims Provider functions
• Nothing out of the box (custom code needed)
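"Setup trust via PowerShell" from the slide, written out as an added example (not the deck's code) with ADFS as the identity provider. Assumptions: the ADFS token signing certificate was exported, public key only, to C:\certs\adfs-signing.cer; the ADFS farm is https://adfs.lab.local; a relying party with identifier urn:sharepoint:intranet exists in ADFS and issues E-Mail Address and Role claims; the web application https://intranet.lab.local already exists. All names are fictitious.

```powershell
# Added example, not part of the deck: register ADFS as a trusted identity
# token issuer and add it to a zone. Assumed names: see the lead-in above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the token signing certificate (and its chain, if it is not self-signed);
#    SharePoint rejects SAML tokens whose signature does not chain to a trusted root
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\adfs-signing.cer'
New-SPTrustedRootAuthority -Name 'ADFS token signing' -Certificate $cert | Out-Null

# 2. Map the incoming SAML claim types to SharePoint claim types
$email = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$role = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# 3. Register the issuer. The realm is the relying party identifier ADFS expects.
#    The identifier claim becomes the user's unique ID in SharePoint and cannot be
#    changed afterwards without breaking every permission that references a user.
$ap = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'ADFS 2.0 (lab)' `
        -Realm 'urn:sharepoint:intranet' `
        -ImportTrustCertificate $cert `
        -ClaimsMappings $email, $role `
        -SignInUrl 'https://adfs.lab.local/adfs/ls/' `
        -IdentifierClaim $email.InputClaimType

# 4. Offer the SAML provider in the Default zone next to Windows sign-in
$wa      = Get-SPWebApplication 'https://intranet.lab.local'
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$saml    = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $ap
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $saml

# Check: issuer, identity claim and realm as stored in the farm
Get-SPTrustedIdentityTokenIssuer 'ADFS' | Select-Object Name, IdentityClaimTypeInformation, ProviderRealms
```

On the ADFS side the relying party's WS-Federation passive endpoint is the web application URL plus /_trust/ and it must issue at least the identifier claim; without a custom claims provider the people picker will accept any typed value for the mapped claim types, which is the "Nothing out of the box" point above.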
![Page 20: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/20.jpg)
Diagram: SAML based sign-in with SharePoint as relying party.
The Identity Provider Security Token Service (IP-STS), backed by Active Directory, LiveID or an ASP.net Membership store, has a Trust relationship with the SharePoint STS.
5. Client: service token request to the SharePoint STS
6. SharePoint STS: security token response
7. Client: request resource with service token; SharePoint Authorization evaluates the claims together with the Claims Providers
![Page 21: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/21.jpg)
Demo
Exploring Trusted Provider Claims
![Page 22: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/22.jpg)
Federation & Single Sign On
• Chain of trusted/trusting identity providers
• Multiple use cases
extranet access
mergers & acquisitions
cross-forest authentication
• Single Sign On possibilities
• Integration with other systems like FIM, UAG or ACS
![Page 23: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/23.jpg)
![Page 24: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/24.jpg)
Claims in the real world
• When would you use claims based AuthN?
• Integration with other applications like Office
• Some stuff will break or doesn’t support claims!
• Choose your unique ID wisely
• You will probably need a custom claims provider
• Home realm discovery
• Learn to give up control
• Test test test
![Page 25: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/25.jpg)
Some last considerations…
• Use SSL
• Kerberos is not dead
• Choose your unique ID wisely
• Software prerequisites
• Token cache settings
• No 2 factor AuthN out of the box
• Custom claims provider on app server
• FAST document preview
• Debatable workaround for c2wts
• SQL, PowerPivot, PerfPoint, UPA,...
• SAML claims have the most functional issues
• Next wave of MS products
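The "Token cache settings" bullet hides a known pitfall worth a check script. SharePoint's STS keeps a logon token cache and treats a token as expired once it is within LogonTokenCacheExpirationWindow (default 10 minutes) of its expiry. If the identity provider issues SAML tokens whose lifetime is not longer than that window, every fresh token is already "expired" on arrival and the browser loops between SharePoint and the IdP. The function below, added as an example and not part of the deck, compares the window with a token lifetime you pass in (read it from the relying party's TokenLifetime in ADFS; SharePoint does not store it) and optionally shrinks the window.

```powershell
# Added example, not part of the deck: check the STS logon token cache window
# against the SAML token lifetime. Assumption: the lifetime in minutes is
# supplied by the caller from the identity provider's configuration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPLogonTokenCacheWindow {
    param(
        [Parameter(Mandatory)][int]$SamlTokenLifetimeMinutes,
        [switch]$Fix
    )
    $sts      = Get-SPSecurityTokenServiceConfig
    $lifetime = New-TimeSpan -Minutes $SamlTokenLifetimeMinutes
    # The window must be strictly shorter than the token lifetime
    $safe = $sts.LogonTokenCacheExpirationWindow -lt $lifetime

    if (-not $safe -and $Fix) {
        # Shrink the window to a fraction of the lifetime, minimum one minute
        $minutes = [math]::Max(1, [math]::Floor($SamlTokenLifetimeMinutes / 4))
        $sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes $minutes
        $sts.Update()
        $safe = $sts.LogonTokenCacheExpirationWindow -lt $lifetime
    }

    [pscustomobject]@{
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
        SamlTokenLifetime               = $lifetime
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        FormsTokenLifetime              = $sts.FormsTokenLifetime
        Safe                            = $safe
    }
}

# Usage: IdP issues 5 minute tokens; with the default 10 minute window this reports Safe = False
Test-SPLogonTokenCacheWindow -SamlTokenLifetimeMinutes 5
# Same check, but adjust the window and report the new state
Test-SPLogonTokenCacheWindow -SamlTokenLifetimeMinutes 5 -Fix
```

The other two lifetimes in the output (WindowsTokenLifetime, FormsTokenLifetime, both 10 hours by default) bound how long a user keeps a session without re-authenticating; shortening them is the usual compensating control when there is no second factor, as the "No 2 factor AuthN out of the box" bullet notes.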
![Page 26: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/26.jpg)
RESOURCES
• A guide to claims based identity and access control (2nd edition), MSDN
• Implementing Claims-Based Authentication with SharePoint Server 2010, TechNet
• Steve Peschka’s blog
Links & more resources available on my blog at http://thomasvochten.com
![Page 27: Thomas vochten claims-spsbe26](https://reader036.vdocuments.net/reader036/viewer/2022081400/555e7d69d8b42abd468b48e8/html5/thumbnails/27.jpg)
We need your feedback!
Scan this QR code or visit http://svy.mk/sps2012be
Our sponsors: