PR11 Claims based Identity in SharePoint 2010
Venky Veeraraghavan (@venkyv), Program Manager, Microsoft Corporation
@SPIdentity on Twitter
• Handle for the Identity team in SharePoint
• Follow us to get updates from us
• Mention us to get our attention
Seamless Identity Flow In, Through and Out of SharePoint
• Use customer Identity Providers
• Automatic & secure identity delegation
• Authorization over application specific roles
• “No-credential” access to web services
• Standards based
[Diagram labels: Client; Web Server; App Server; SharePoint Content; Enterprise Web Services; Web 2.0 Services; Hop 1; Hop 2; Hop 3]
Sign-in Scenarios
• Sign-in to SharePoint with both Windows and LDAP directory Identity
• Easily configure Intranet and Extranet users for Collaboration
• Integrate with other customer identity systems (e.g. ADFS)
• Use Office Applications with non-Windows Authentication
Identity Normalization
• Classic: NT Token / Windows Identity → SPUser
• Claims: NT Token / Windows Identity; SAML 1.1 (ADFS, etc.); ASP.Net FBA (SQL, LDAP, Custom …) → SAML Token / Claims Based Identity → SPUser
Multi-authentication demo
ASP.Net Membership/Role Providers
• Convert ASP.Net identity to Claims Identity
• SP-STS calls Membership Provider to validate user and issues a claims token
• ValidateUser() must be implemented by membership providers
• Roles from Role Provider are additional claims
• Mixed mode environments
• All principals are available in all zones
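One way to model the two sign-in paths from the Identity Normalization and Membership/Role Provider slides in Python, as an added example that is not from the session or SharePoint's own code: a forms user is accepted only if ValidateUser() succeeds, role-provider roles become extra claims, and both paths end in the same claims principal. The membership and role stores, the password and the provider names are constructed; the i:0#.w, i:0#.f and c:0-.f prefixes follow the SharePoint 2010 encoded-claim convention.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class Claim:
    encoded_type: str   # SharePoint 2010 encoded-claim prefix
    value: str          # e.g. "membership|alice"

@dataclass
class ClaimsPrincipal:
    identity: Claim
    claims: list = field(default_factory=list)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed membership and role stores standing in for SQL/LDAP backends.
_SALT = b"constructed-demo-salt"
MEMBERSHIP = {"alice": (_SALT, _hash("correct horse", _SALT))}
ROLES = {"alice": ["Approvers", "Readers"]}

def validate_user(username, password):
    """MembershipProvider.ValidateUser() contract: True only on a match."""
    entry = MEMBERSHIP.get(username)
    if entry is None:
        _hash(password, _SALT)          # keep timing flat for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password, salt), expected)

def issue_from_forms(provider, role_provider, username, password):
    """SP-STS path for ASP.Net FBA: validate, then attach roles as claims."""
    if not validate_user(username, password):
        return None                     # no token is issued on failure
    identity = Claim("i:0#.f", f"{provider}|{username}".lower())
    roles = [Claim("c:0-.f", f"{role_provider}|{r}".lower())
             for r in ROLES.get(username, [])]
    return ClaimsPrincipal(identity, roles)

def issue_from_windows(domain_user):
    """Classic NT token wrapped as the same kind of claims principal."""
    return ClaimsPrincipal(Claim("i:0#.w", domain_user.lower()))

def encoded(claim):
    """Login-name form SharePoint stores on the SPUser, e.g. i:0#.w|contoso\\x."""
    return f"{claim.encoded_type}|{claim.value}"
```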
Services Scenarios
• Show user’s PayStub in LOB data without credentials (intranet)
• Show real-time order status from supplier inside the enterprise Portal (extranet)
• Show information from Web2.0 sites (internet)
• Securely deploy SharePoint farm(s) for user identity delegation
Identity Architecture for Services
[Diagram labels, in slide order: Web Front End; Windows Identity or Claims Identity; Sign-In Web part, etc.; SharePoint STS (1); Windows Identity Framework (2); Client Proxy {Token} (3); OAuth (4); Claims Token SAML; App Server {Claims Principal}; SharePoint STS; Windows Identity Framework (5); SP Service Authorization; Kerberos C/D; SharePoint Service; Claims2Win* Credentials; Legacy LOB (6); Secure Store Service (7)]
What you saw…
Steps:
1. Model uses PassThrough
2. User’s identity passed through to BCS Runtime
3. WCF Connector requests SAML token from STS
4. STS returns SAML Token
5. WCF Connector passes Token to External data source
[Diagram labels: SharePoint Server; SharePoint STS or External STS; External List; BCS Runtime; Web Parts; Logged-on user; WCF Connector; Custom App; RST; Identity; SAML Token; Claims Aware Service]
Identity and Web2.0 Services
• Web2.0 authentication pattern: ‘user consent required for external application (website) to access user’s data’
• Some Examples
  • OAuth
  • Windows Live ID
  • Yahoo! BBAuth
  • Google Account Auth API (AuthSub) etc.
What you saw: Initial User request
[Diagram labels: SharePoint (e.g. Web part); Auth Handler Page; Secure Store; BDC; Resource Provider (e.g. Netflix); Netflix Authorization Service]
What you saw: Subsequent User requests …
[Diagram labels: SharePoint (e.g. Web part); Auth Handler Page; Secure Store; BDC; Resource Provider (e.g. Netflix); Netflix Authorization Service]
Standards Used
• WS-Federation 1.1: provides the architecture for a clean separation between trust mechanisms, security token formats and the protocols for obtaining tokens
• WS-Trust 1.4: how to request and receive security tokens
• SAML Token 1.1: XML vocabulary used to represent claims in an interoperable way
Key Takeaways
• Structural change for SharePoint
• Move to Claims based Identity
• Support 2007 Authentication
• Address today’s and tomorrow’s challenges
• Identity Provider neutral
• Enterprise as well as Web 2.0 services
• Built on Standards for interoperability
YOUR FEEDBACK IS IMPORTANT TO US! Please fill out session evaluation forms online at MicrosoftPDC.com
Learn More On Channel 9
• Expand your PDC experience through Channel 9
• Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses: channel9.msdn.com/learn
Built by Developers for Developers….
How Does it Work?
[Diagram participants: Provider (Live Contacts); User’s Browser; Consumer app accessing user’s data from the Provider (BDC); Service]
1. Direct user to resource provider
2. User Consent (Redirect user to login page, if not signed in)
3. Re-direct back to consumer app with token
• Extract consent token
5. Access protected resource
6. Return requested Data (if token is valid)
BCS Authentication Support Matrix
[Table: only the cell values (n/a, x, In code) survived extraction; the row and column headers are not recoverable]
Office Application support
• Office Client applications support non-Windows Integrated Authentication
• Office 2010 on
  • Windows XP + IE8
  • Windows Vista SP2 or IE8
  • Windows 7
• Office 2007 SP2 on
  • Windows XP + IE8
  • Windows Vista SP2 or IE8
  • Windows 7