SVC26 How Microsoft SharePoint 2010 is built with Windows Identity Foundation Sesha Mani Senior Program Manager Microsoft Corporation
Agenda • SharePoint 2007 – identity challenges • Claims-based identity and Windows Identity Foundation (WIF) • SharePoint 2010 – new identity architecture – “Claims-based identity” • Map the new architecture to customers’ existing problems & future needs
SharePoint 2007 – Identity Challenges • 1. Authentication is intertwined within SharePoint 2007 • 2. Requires complex configuration for identity delegation • 3. Access control only through attribute providers (Active Directory, Role Providers) • Are these challenges unique to SharePoint 2007? • These are identity challenges common to all applications… • What is the solution? What do we need to do?
And we did … NEW path to identity in SP2010 …
SharePoint 2007 – Identity Flow vs. SharePoint 2010 – Identity Flow (diagram; labels only) • SharePoint 2007: authentication methods Windows integrated, ASP.Net (FBA), anonymous access; access control via Membership & Role Providers (roles-protected); the web application, service applications and content database all see a Windows identity • SharePoint 2010: authentication methods Windows, SAML Web SSO, ASP.Net (FBA), all fronted by the SharePoint STS (SP-STS, built on WIF); access control is claims-protected; the Services Application Framework is claims-aware, with WIF in the web application, in the service applications and in the SP-STS; services run as trusted sub-systems
Benefits of claims model for SharePoint 2010 • Support existing identity infrastructure • Active Directory • LDAP, SQL • WebSSO and Identity Management Systems • Multiple authentication methods per SharePoint Web Application • Enable automatic, secure identity delegation • Cross-machines & cross-farm • Support “no-credential” connections to External web services • Standards-based and Interoperable
Identity in SharePoint 2010 is built on WIF • Fundamental shift in identity in SP2010 • Windows Identity Foundation (WIF) • Framework for building claims-aware applications & STS • Standards-based and interoperable • Targets ASP.NET and WCF developers • WS-Federation (Passive) for ASP.NET • WS-Trust (Active) for WCF • Offers unified programming model
Three Themes (diagram; labels only) • “Externalizing Authentication” <Identity into SharePoint> • “Support existing identity infrastructure” <Identity inside SharePoint> • “Identity normalization” <Identity inside/out of SharePoint> • The diagram maps Auth / IPrincipal in the web application to SP-STS / IClaimsPrincipal, with WIF at the web application, at the Services Application Framework (Search Services Application) and at the SP-STS, in front of the content database
Theme-1: Externalizing Authentication (diagram; highlights the “Externalizing Authentication” theme: authentication moves out of the web application’s own Auth / IPrincipal into the SP-STS, which issues the IClaimsPrincipal consumed by the web application’s app logic)
“Externalizing Authentication” – Sign-In Methods • Sign-in methods supported in SP2010: • Classic: Windows – NT Token → Windows Identity → SPUser • Claims: Windows – NT Token → Windows Identity; SAML 1.1+ – ADFS, etc.; ASP.Net (FBA) – SQL, LDAP, Custom … → SAML Token → Claims Based Identity → SPUser
“Externalizing Authentication” – 1000 ft view • Scenario: Fabrikam Enterprise, Farm-A, Windows claims; the SharePoint Web Application trusts the SharePoint-STS • 1. Frank Miller attempts access to the SharePoint Web Application • 2. Redirect to STS for auth • 2.1 Authenticate user • 2.2 Augment claims • 3. Post Token {SP-Token} back to the web application • 3.1 Extract claims and construct IClaimsPrincipal
“Externalizing Authentication” – 50 ft view • Scenario: Web application configured with Windows Claims • Diagram (labels only): Browser Client → IIS / ASP.NET → SharePoint-STS (Windows Authentication Module, Security Token Service, WS-Federation Passive Serializer) → Web Application (WS-Federation Authentication Module, Session Authentication Module, Cookie Management) • 8. Cookie returned to the browser client
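Steps 2.2 (augment claims) and 3.1 (extract claims) of the flow above, written against the WIF 1.0 object model as an added example; this is not code from the deck or from SharePoint. The `AugmentingClaimsManager` class, its web.config registration, the `LookupRoles` helper and the `urn:demo:local-policy` issuer name are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using Microsoft.IdentityModel.Claims;

// Step 2.2 (augment claims): WIF calls this after the incoming token has been
// validated and before the session cookie is written. Assumed registration:
// <microsoft.identityModel><service>
//   <claimsAuthenticationManager type="Demo.AugmentingClaimsManager, Demo" />
public class AugmentingClaimsManager : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests pass through unchanged.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var identity = (IClaimsIdentity)incomingPrincipal.Identity;
        Claim upn = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
        if (upn == null)
            throw new InvalidOperationException("Trusted issuer did not supply a UPN claim; refusing sign-in.");

        // Add roles from a local store. The issuer argument names this application,
        // not the STS, as the claim's source, so the two can be told apart downstream.
        foreach (string role in LookupRoles(upn.Value))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "urn:demo:local-policy"));

        return incomingPrincipal;
    }

    // Hypothetical lookup; a real implementation would query a directory or database.
    private static string[] LookupRoles(string upn)
    {
        return upn.EndsWith("@fabrikam.com", StringComparison.OrdinalIgnoreCase)
            ? new[] { "Employee" } : new string[0];
    }
}

// Step 3.1 (extract claims): after sign-in WIF has already replaced the thread
// principal with an IClaimsPrincipal; application code only reads claims from it.
public static class ClaimsReader
{
    public static string GetUpn(IPrincipal principal)
    {
        var claimsPrincipal = principal as IClaimsPrincipal;
        if (claimsPrincipal == null) return null; // classic (non-claims) sign-in
        return claimsPrincipal.Identities
            .SelectMany(id => id.Claims)
            .Where(c => c.ClaimType == ClaimTypes.Upn)
            .Select(c => c.Value)
            .FirstOrDefault();
    }
}
```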
Externalizing authentication in SharePoint 2010 using WIF demo
Theme-2: Identity Normalization (diagram; highlights the “Identity normalization” theme: one IClaimsPrincipal, issued by the SP-STS, flows from the SharePoint Web Application through the Services Application Framework to the Search Services Application, with WIF on both the calling and the receiving side)
SharePoint Services Scenarios • Show user’s PayStub in LOB data without credentials (intranet) • Show real-time order status from supplier inside the enterprise Portal (extranet or internet) • Securely deploy SharePoint farm(s) for user identity delegation • Access external services – Business Connectivity Services
Services in SharePoint 2010 – a primer • Services: Excel Services, Project Services, Search Services, Secure Store Services, other services • SharePoint Services Application Framework is made claims-aware • WIF enables services to have access to both user and service identities • Stack (diagram): SharePoint Services Application Framework (Claims/Services) on WIF (Windows Identity Foundation, with WS-Trust support) on WCF (Windows Communication Foundation) on .NET
“Identity normalization” – Services in Single Farm (WIF – Identity Delegation Feature; diagram, labels only) • Scenario: Fabrikam Enterprise, Farm-A, Web App to Service • Components: SharePoint-STS with WS-Trust endpoints, trusted by the farm; Web Part in the web application; WS-Trust Proxy Client; Gate Keeper in front of the Search Services Application • Tokens: T1 {User} held by the web application; T2 {User, Process} issued for the service call and checked by the Gate Keeper
“Identity normalization” – Services in Cross-farm (WIF – Identity Delegation Feature; diagram, labels only) • Scenario: Fabrikam Enterprise, Farm-A to Farm-B, Web App to Service • Each farm has its own SharePoint-STS with WS-Trust endpoints, with trust relationships between the web application, Farm-A’s STS and Farm-B’s STS • Web Part → WS-Trust Proxy Client (Farm-A) → Gate Keeper → Search Services Application (Farm-B)
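The T1 → T2 delegation in the single-farm and cross-farm slides, shown with WIF 1.0’s WS-Trust ActAs support as an added example (not SharePoint’s own proxy code). The `IOrderStatus` contract and the `OrderStatusEndpoint` configuration name are assumptions; the endpoint is assumed to use a federation binding whose issuer is the STS’s WS-Trust endpoint.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust; // ChannelFactoryOperations extension methods

[ServiceContract]
public interface IOrderStatus // hypothetical claims-aware back-end service
{
    [OperationContract]
    string GetStatus(string orderId);
}

public static class DelegatingCaller
{
    // One cached factory per process: the deck's "Lessons Learned" lists
    // ChannelFactory and token caching among the perf optimizations.
    private static readonly ChannelFactory<IOrderStatus> Factory = CreateFactory();

    private static ChannelFactory<IOrderStatus> CreateFactory()
    {
        // "OrderStatusEndpoint" is an assumed endpoint name in the app's config.
        var factory = new ChannelFactory<IOrderStatus>("OrderStatusEndpoint");
        factory.ConfigureChannelFactory(); // installs WIF's issued-token handling
        return factory;
    }

    public static string GetStatusAsCaller(string orderId)
    {
        // T1 {User}: the token the user signed in with. It is only retained when
        // <service saveBootstrapTokens="true"> is set, otherwise this is null.
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        SecurityToken userToken = identity != null ? identity.BootstrapToken : null;
        if (userToken == null)
            throw new InvalidOperationException("No bootstrap token; caller did not sign in with claims.");

        // T2 {User, Process}: WIF sends an RST carrying ActAs = userToken under the
        // web application's own credentials, so the issued token names both the user
        // and the calling process for the service's gatekeeper to check.
        IOrderStatus proxy = Factory.CreateChannelActingAs(userToken);
        try
        {
            return proxy.GetStatus(orderId);
        }
        finally
        {
            var channel = (IClientChannel)proxy;
            if (channel.State == CommunicationState.Faulted) channel.Abort(); else channel.Close();
        }
    }
}
```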
Theme-3: Non-claims-aware services (diagram; highlights the “Support existing identity infrastructure” theme: from the claims-aware SharePoint Services Application back to resources that still expect a Windows identity, such as the content database)
“Non-claims-aware Services” – WIF Claims to Windows Token Service • In reality, not all the services you interact with are going to be “claims-aware” • SharePoint has diversified categories of services, SQL, etc. • How would you interact with a Service that requires Windows identity? • Solution is “Claims to Windows Token Service” (C2WTS) • UPN claim converted to Windows Token
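The UPN-to-Windows-token conversion described above, using WIF 1.0’s `S4UClient` (from Microsoft.IdentityModel.WindowsTokenService.dll) as an added example; this is not SharePoint’s own C2WTS integration. The `LegacyBackendCaller` class and the `backendCall` delegate are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService; // S4UClient

public static class LegacyBackendCaller
{
    // Turns the signed-in user's UPN claim into a Windows token via C2WTS and
    // runs the supplied call (e.g. a SqlConnection with integrated security)
    // while impersonating that user.
    public static T RunAsWindowsUser<T>(Func<T> backendCall)
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null)
            throw new InvalidOperationException("Caller is not a claims identity.");

        Claim upn = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Upn);
        if (upn == null)
            throw new InvalidOperationException("No UPN claim; C2WTS cannot map this user.");

        // S4U (Kerberos protocol transition): no user password is involved. The C2WTS
        // service account must hold the "Act as part of the operating system" privilege
        // and list this process's identity among its allowed callers; to reach a remote
        // resource it must also be trusted for constrained delegation to that resource,
        // otherwise the returned token is identification-level only.
        WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upn.Value);
        using (WindowsImpersonationContext context = windowsIdentity.Impersonate())
        {
            return backendCall();
        } // impersonation is reverted here even if the call throws
    }
}
```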
Linking non-claim-aware services using “Claims to Windows Token Service” demo
Three Themes – Recap (diagram; same as the Three Themes slide above) • “Externalizing Authentication” <Identity into SharePoint> • “Support existing identity infrastructure” <Identity inside SharePoint> • “Identity normalization” <Identity inside/out of SharePoint>
Migrating to the claims-based model – where to start • It is not an “all or nothing” deal • Claims-enable in phases: authentication, authorization, services
Lessons Learned – contd. • Performance • Performance Milestone drove changes in WIF • Optimizations made to achieve the perf goal: • Number of claims • Number of service calls per page • Number of round trips to SP-STS per service request • Caching (ChannelFactory and tokens)
Lessons Learned – contd. • Edge cases & assumptions • Cookie size limitation • Existing code had many assumptions about identity; each had to be uncovered and mapped • Client integration • Consider the client types to be supported • SP 2010 had Browser, Active and Designer tool clients • Both passive and active endpoints implemented on the SharePoint STS
Summary • SharePoint 2010 achieves a NEW path to identity using WIF’s claims-based identity model • Key takeaways • Single model – claims-based identity model • Standards-based & Interoperable • We have stepped up to the challenge • Not only SharePoint: your applications too can benefit from WIF’s claims-based identity model. Get onboard!
Other Identity Sessions @ PDC2009 • Identity sessions • PR11: Leveraging & Extending SharePoint Identity Features • SVC02: Windows Identity Foundation Overview • SVC10: Software + Services Identity Roadmap • SVC17: Enabling SSO to Windows Azure Applications • SVC19: REST Security Services in Windows Azure using the Access Control Service • SVC28: System.Identity Model Accessing Directory Services • Come visit us at the booth in the pavilion! • Try a hands-on lab • Introduction to Windows Identity Foundation • Using WIF to Secure Windows Azure Applications