1 / 46

Required Slide

Required Slide. Required Slide. SESSION CODE: OSP 306. Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication . Paul Schaeflein, MCT Manager of Advanced Technologies LaSalle Consulting Partners, Inc. Agenda. Claims-Based Identity Claims-Based Authorization

aspen
Download Presentation

Required Slide

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Required Slide

  2. Required Slide SESSION CODE: OSP 306 Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication Paul Schaeflein, MCT Manager of Advanced Technologies LaSalle Consulting Partners, Inc.

  3. Agenda • Claims-Based Identity • Claims-Based Authorization • Claims Provider • Anonymous Access • Trusted Identity Providers

  4. Claims-Based Identity

  5. Claims-Based Identity primerIntroduction • What is Identity? A set of attributes to describe a user. • What is a Claim? Information such as name, e-mail, age, group membership, etc.

  6. Claims-Based Identity primerIntroduction • What is Authentication (AuthN)? The process of verifying a user’s identity. • What is Authorization (AuthZ)? Determines which sites, content, and other features the user can access.

  7. Claims-Based Identity primerUser Identity is a set of claims • Why do we say “claim” and not “attribute?” • Facebook & the Dept. of State have the age attribute • Facebook can claim 29 yrs, while State claims 46 yrs. • In order to make authorization decisions with age, your app needs to decide which “claim” you will trust. • Trust depends on scenario not on technical capability

  8. Claims is more than Federation • Federation between organizations was the original driver • Over time, claims turned out to be useful for more than just Federation • Real Benefit: Cleanly factoring out the Identity Provider from the application is invaluable • SharePoint is Identity Provider neutral • Multi-auth web applications

  9. Identity Normalization Anonymous User NT TokenWindows Identity SAML TokenLiveID, ADFS, Others ASP.Net (FBA)SAL, LDAP, Custom … SAML Token Claims Based Identity SPUser

  10. Multi-auth Web Applications

  11. Claims-Based Identity Claims Viewer Web Part Multi-Auth web application DEMO

  12. Claims Viewer Web Part

  13. Claims Viewer Web Part IClaimsPrincipalclaimsPrincipal = Page.UserasIClaimsPrincipal; IClaimsIdentityclaimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity; GridView1.DataSource = claimsIdentity.Claims;

  14. Claims-Based Authorization

  15. Claims-Based Authorization • Available to securable objects thru People-Picker • Access Claims via IClaimsIdentity interface • Claims property contains all claims • Conditionally Display information • based on presence of claim • based on value of claim

  16. People Picker

  17. Claims-Based Authorization Select claim in People Picker Conditional information display DEMO

  18. Conditional Information Display

  19. Conditional Information Display IClaimsPrincipalclaimsPrincipal = Page.UserasIClaimsPrincipal; IClaimsIdentityclaimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity; stringpmClaim = (from c inclaimsIdentity.Claims wherec.ClaimType == CLAIM_TYPE selectc.Value).FirstOrDefault(); boolauthorized = bool.Parse(pmClaim);

  20. Custom Claims Provider

  21. Custom SharePoint Claims Provider • Two roles • Claims Augmentation • Claims Picker • !! Not authentication !! (Use WIF classes for AuthN) • Usage Scenarios • List, Resolve and Search • AllUsers claim • Adding Claims to original token (claims augmentation) • Identity not from original token (map to internal identity)

  22. Claims ProviderClaims Augmentation • Enables an application to augment additional claims into the user’s token • Implemented as a Claims Provider class • FillClaimsForEntity called by framework • Microsoft.SharePoint.Administration.Claims.SPClaimProvider • Register in Feature Event Receiver • Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver • MSDN Article by Steve Peschka: http://msdn.microsoft.com/en-us/library/ff699494.aspx

  23. Claims ProviderClaims Picker • Provides Listing, Resolve, Search and Friendly display of claims in the People Picker • Implemented as a Claims Provider class • FillHierarchy, FillResolve, FillSearch called by framework • Microsoft.SharePoint.Administration.Claims.SPClaimProvider • Register in Feature Event Receiver • Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver • Claim Type and Values must match!

  24. Custom Claims Provider Augment claims based on database values Resolve Claims in People Picker DEMO

  25. FillClaimForEntity() method • Parameters • Context (URI) • Current user (userid claim) • Empty list to contain new claims • Called once per session • Token is passed as cookie once issued

  26. CreateClaim() Parameters • claimTypeType: StringThe type of claim. Examples of claim types include first name, role and email address. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI). For example, the e-mail address claim type is represented as http://schemas.microsoft.com/ws/2008/06/identity/claims/email. • value Type: StringThe value of the claim. For example, if the claim type is role, a value might be contributor, and if the claim type is first name, a value might be Matt.  • valueType Type: StringThe type of value in the claim. These are all URIs that refer to a string.

  27. ClaimValueTypes (selected)

  28. Anonymous Access

  29. Claims in Anonymous scenario • No Claims!

  30. Establishing Anonymous Access • Web Application • Manage web application • Authentication Providers • Edit Zone • Allow Anonymous $wa = get-spwebapplication http://cba.sharepointdevelopers.net $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Custom $i = $wa.IisSettings[$zone] $i.AllowAnonymous = $true $wa.Update() $wa.ProvisionGlobally()

  31. Establishing Anonymous Access • Site (SPWeb) • Site Actions -> Site Permission • Anonymous Access • Nothing [AnonymousState.Disabled] • Entire site [AnonymousState.On] • Lists and Libraries [AnonymousState.Enabled] $w = Get-SPWeb http://www.sharepointdevelopers.net/blogs $w.AnonymousState = [Microsoft.SharePoint.SPWeb+AnonymousState]::On $w.Update()

  32. Establishing Anonymous Access • List • List Settings • Anonymous Access $w = get-spweb http://www.sharepointdevelopers.net/blogs/paul $l = $w.Lists["Comments"] $l.AnonymousPermMask64 = {BasePermissions as appropriate}

  33. Trusted Identity Providers

  34. Trusted Identity Providers • Install the certificate chain in SharePoint • Does not rely on the server! • Define unique identifier (map claim types) • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress • Set login url • Provide identifying information (realm) • Used by IP-STS to look up your return url

  35. Trusted Identity Providers • Active Directory Federation Services (ADFS) • Previously known as “Geneva server” • Windows Live ID • Open ID

  36. ADFS 2.0 • Separate Download • http://www.microsoft.com/adfs2 • Identity across organizational boundaries • Attribute stores • Active Directory • Others

  37. Windows Live ID • Extract X509 Cert from metadata • Set Return URL to _trust/default.aspx • Watch TechNet for further information

  38. Open ID • Must be “Translated” into SAML Claims • WIF code • Pioneering work • MatiasWoloski • http://blogs.southworks.net/mwoloski/2009/07/14/openid-ws-fed-protocol-transition-sts/ • Travis Nielsen • https://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=34 • Many OpenID Providers • http://openid.net/get-an-openid/

  39. Trusted Identity Providers Demo

  40. Get the slides and code • http://sharepoint.mindsharpblogs.com/Paul/TechEd2010

  41. Required Slide Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session. Related Content • Breakout Sessions – See Conference Guide for full list of OSP Track Sessions • Interactive Sessions – OSP Track has 10 Interactive Sessions – OSP01-INT – OSP10-INT • Hands-on Labs – OSP01-HOL – OSP20-HOL • Product Demo Stations: Yellow Section, OSP • Office 2010, SharePoint 2010, Project Server 2010, Visio 2010 have kiosks & demos

  42. Required Slide Track PMs will supply the content for this slide, which will be inserted during the final scrub. Track Resources For More Information: http://sharepoint.microsoft.com • SharePoint Developer Center: http://msdn.microsoft.com/sharepoint SharePoint Tech Center: http://technet.microsoft.com/sharepoint Official SharePoint Team Blog: http://blogs.msdn.com/sharepoint

  43. Required Slide Resources Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet • http://microsoft.com/msdn

  44. Required Slide Complete an evaluation on CommNet and enter to win!

  45. Play the Microsoft Office & SharePoint Track Tag Contest Download the Microsoft Tag Reader Open the internet browser on your mobile phone and visit http://gettag.mobi Grand Prize (1) Xbox 360 Prize Package and Microsoft® Office 2010 Daily Prizes 40 copies of Microsoft® Office 2010 Come to the Expo Hall – Yellow Section OSP Info Desk for Official Rules & Collect Additional Tags from all OSP Track Sessions, Speakers and Expo Hall!

  46. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related