Claims Identity in SharePoint 2010 Paul Schaeflein Schaeflein Consulting
About Me • Developer • Trainer • Hockey Fan
CLAIMS-BASED IDENTITY: Introduction • What is Identity? • A set of attributes to describe a user. • What is a Claim? • Information such as name, e-mail, age, group membership, etc.
CLAIMS-BASED IDENTITY: Introduction • What is Authentication (AuthN)? • The process of verifying a user’s identity. • What is Authorization (AuthZ)? • Determines which sites, content, and other features the user can access.
CLAIMS-BASED IDENTITY: Introduction • User identity is a set of claims • Why do we say “claim” and not “attribute”? • On Facebook, I live in Chicago • On my Driver’s License, I live in Rolling Meadows • The Board of Elections uses the Driver’s License, not Facebook • In order to make authorization decisions based on age, your app needs to decide which “claim” it will trust. • Trust depends on the scenario, not on technical capability
AUTHENTICATION: Identity Provider • Token Issuer • Has a store of users (Active Directory, Database, etc.) • Performs authentication (Password, Biometric, Smart Card, etc.) • Attributes • Group / Role membership • Other (Organizational requirements)
AUTHENTICATION: Identity Provider (SAML 1.1 attribute statement issued by the token issuer)

    <saml:Attribute AttributeName="emailaddress"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>administrator@lt-virt.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>S-1-5-21-3539477023-2881096182-2465416113-513</saml:AttributeValue>
      <saml:AttributeValue>S-1-5-21-3539477023-2881096182-2465416113-520</saml:AttributeValue>
      <saml:AttributeValue>S-1-5-21-3539477023-2881096182-2465416113-512</saml:AttributeValue>
      <saml:AttributeValue>S-1-5-21-3539477023-2881096182-2465416113-518</saml:AttributeValue>
      <saml:AttributeValue>S-1-5-21-3539477023-2881096182-2465416113-519</saml:AttributeValue>
    </saml:Attribute>

AUTHENTICATION: Token Issuance • patterns & practices: Claims Based Identity and Access Control Guide • http://claimsid.codeplex.com
AUTHENTICATION & SHAREPOINT: Changes in SharePoint 2010
• Windows SharePoint Services v3 • Authentication Methods: Windows NT; Forms-Based • Zones: One AuthN method per zone
• SharePoint Foundation 2010 • Authentication Methods: Classic Mode (Windows NT, Forms-Based); Claims Mode (Windows NT, Forms-Based, SAML 1.1, WS-Fed) • Zones: Multiple methods per zone; use the default for most secure access; the search crawler requires NTLM on a zone
AUTHENTICATION & SHAREPOINT: Multi-Auth zone (diagram) • Anonymous User • NT Token: Windows Identity • SAML Token: LiveID, ADFS, Others • ASP.Net (FBA): SQL, LDAP, Custom … • All paths produce a SAML Token → Claims Based Identity → SPUser
Multi-Auth Zone demo
Identity Provider • Known as Trusted Identity Token Issuer • Configured in SharePoint via PowerShell • Activated in web application via Central Administration
IDENTITY PROVIDER: Farm configuration

    $cert = New-Object `
        System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cert.cer")
    $map1 = New-SPClaimTypeMapping -IncomingClaimTypeDisplayName "EmailAddress" `
        -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
        -SameAsIncoming
    $realm = "urn:" + $env:ComputerName + ":adfs"
    $signinurl = "https://demo2010a/adfs/ls/"
    $ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0" `
        -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 `
        -SigninUrl $signinurl -IdentifierClaim $map1.InputClaimType
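To tie the SAML attribute statement slide to the farm configuration slide, here is an added example (not from the deck or from SharePoint's code) that parses the token's attributes into claim types and applies the same mapping rule the `New-SPClaimTypeMapping` call expresses: only mapped claim types survive, the identifier claim becomes the user's identity, and unmapped attributes such as the Group SIDs are dropped unless a mapping for them is added. The sample token is constructed from the slide, the Group-to-role mapping in the usage note and the `claims_login_name` encoding are assumptions about SharePoint's conventions, and signature verification against the trust certificate is assumed to happen before this code runs.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: the AttributeStatement from the slide, wrapped so it parses.
SAMPLE_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="emailaddress"
      AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
   <saml:AttributeValue>administrator@lt-virt.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
   <saml:AttributeValue>S-1-5-21-3539477023-2881096182-2465416113-513</saml:AttributeValue>
   <saml:AttributeValue>S-1-5-21-3539477023-2881096182-2465416113-512</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Mirrors $map1 in the farm script: incoming claim type -> SharePoint claim type (-SameAsIncoming).
CLAIM_MAPPINGS = {EMAIL_CLAIM: EMAIL_CLAIM}
IDENTIFIER_CLAIM = EMAIL_CLAIM  # -IdentifierClaim $map1.InputClaimType


def extract_claims(token_xml):
    """Return (claim_type, value) pairs; claim type = AttributeNamespace + '/' + AttributeName."""
    root = ET.fromstring(token_xml)
    claims = []
    for attr in root.iter(f"{{{SAML1}}}Attribute"):
        claim_type = attr.get("AttributeNamespace").rstrip("/") + "/" + attr.get("AttributeName")
        for value in attr.findall(f"{{{SAML1}}}AttributeValue"):
            claims.append((claim_type, (value.text or "").strip()))
    return claims


def map_claims(claims, mappings, identifier_claim):
    """Keep only claim types present in the mapping and require exactly one identifier value."""
    kept = [(mappings[ctype], value) for ctype, value in claims if ctype in mappings]
    identifiers = [value for ctype, value in kept if ctype == identifier_claim]
    if len(identifiers) != 1:
        raise ValueError("token must carry exactly one identifier claim")
    return identifiers[0], kept


def claims_login_name(identifier, issuer_name="ADFS20Server"):
    """Assumption: SharePoint's encoded login for an e-mail identifier claim from a trusted issuer."""
    return f"i:05.t|{issuer_name}|{identifier}"
```

Adding an entry such as `"http://schemas.xmlsoap.org/claims/Group"` mapped to the role claim type `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` (an assumed second `New-SPClaimTypeMapping`) makes the SIDs survive mapping, which is what a custom claim provider or group-based authorization would need.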
Claims in SharePoint • What is different? • User login name • People Picker behavior • Custom claim provider can improve usability • What works? • What does not work? • Claims to Windows Token Service
People Picker demo
TechEd Resources • SIM325 Deep Dive: Windows Identity Foundation for Developers • SIM322 Developer’s View of Single Sign-On for Applications using Windows Azure • SIM324 Using Windows Azure Access Control Service 2.0
Resources • Connect. Share. Discuss. http://northamerica.msteched.com • Learning: Sessions On-Demand & Community; Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals http://microsoft.com/technet • Resources for Developers http://microsoft.com/msdn
© 2011 Microsoft Corporation. All rights reserved.