
SharePointintersection Session SP28 App Identity


Presentation Transcript


  1. SharePointintersection Session SP28: App Identity • Paul Schaeflein • paul@schaeflein.net

  2. About Me • Solutions Architect • Trainer • Hockey fan • http://www.schaeflein.net/blog

  3. Agenda • Alternate Security Context • Identities in SharePoint page requests • Elevation • Impersonation • SP2013 App-model AuthN

  4. An alternate security context • Perform operation on an object to which the current user does not have necessary permissions • Update a shared resource • Defer operation until later time

  5. Elevation versus Impersonation • Elevation of Privilege: programmatically perform actions in code using an increased level of privilege • Impersonation: perform actions on behalf of another user

  6. Identities

  7. Identities • Process Identity (w3wp.exe) • Set on Application Pool

  8. Identities • Thread Identity • Configured in web.config: <identity impersonate="true"/>

  9. Identities • HttpContext Identity • Configured in web.config: <authentication mode="Forms"/> • SPClaimsAuthMembershipProvider

  10. Identities • SharePoint identity • SPUser, obtained from SPWeb.CurrentUser

  11. Identities

  12. Identity Web Part

  13. Elevation of Privilege • How to elevate • Effects of elevation • When to elevate

  14. Create a new context
        // url is captured before elevating; the SPSite opened inside the delegate
        // is a fresh object that runs as the application pool identity
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(url))
            {
                using (SPWeb web = site.OpenWeb())
                {
                    // perform privileged operation
                }
            }
        });

  15. Do Not Mix Contexts • Referring, inside the elevated block, to objects created before elevating (SPContext.Current.Web and anything obtained from it) is a worst practice: those objects still carry the requesting user's identity!

  16. Elevation Best Practices • Use elevated privileges to access non-SharePoint resources • AppPool identity must have necessary permissions • Ensure a new context is established
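The "do not mix contexts" rule from slides 15 and 16, shown as an added example rather than code from the session: the first method keeps an SPWeb created before elevating and fails for a low-privilege caller, the second captures only IDs and builds a new SPSite/SPWeb inside the delegate. The list title and item text are placeholders, and the code assumes it runs inside a web request where SPContext.Current exists.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not code from the session slides. List title and item text are
// placeholders; runs inside a web request so that SPContext.Current is available.
public static class ElevationContexts
{
    // Mixed contexts (the "worst practice"): the SPWeb was obtained before
    // RunWithElevatedPrivileges, so it is still bound to the requesting user's
    // token. Elevation switched the thread's Windows identity, not this object,
    // and a caller with only Read rights still gets UnauthorizedAccessException.
    public static void MixedContexts_DoNotDoThis(string listTitle)
    {
        SPWeb callerWeb = SPContext.Current.Web;
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            SPListItem item = callerWeb.Lists[listTitle].AddItem();
            item["Title"] = "written by elevated code";
            item.Update();   // checked against the requesting user, not the app pool account
        });
    }

    // Correct: capture only identifiers before elevating, then build brand-new
    // SPSite/SPWeb objects inside the delegate. Those run as the application
    // pool identity, which must itself have rights on the site (slide 16).
    public static void FreshContext(string listTitle)
    {
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                // Updates during a GET request are blocked unless this is set.
                web.AllowUnsafeUpdates = true;
                try
                {
                    SPListItem item = web.Lists[listTitle].AddItem();
                    item["Title"] = "written by elevated code";
                    item.Update();
                }
                finally
                {
                    web.AllowUnsafeUpdates = false;
                }
            }
        });
    }
}
```

Note that RunWithElevatedPrivileges is a no-op when the code already runs as the application pool identity (a timer job, for instance), so the second pattern also behaves consistently there, while the first remains tied to whatever identity created callerWeb.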

  17. Impersonation • How to impersonate • Effects of impersonation • When to impersonate

  18. Impersonate a specific user • Retrieve and store user token • The user token is a byte array
        SPUser user = SPContext.Current.Web.CurrentUser;
        SPUserToken token = user.UserToken;
        // store token (token.BinaryToken is the byte[])

  19. Impersonate a specific user • Load and use user token
        SPUserToken token = RetrieveToken();   // a custom method
        string url = "http://localhost";       // use your url
        using (SPSite site = new SPSite(url, token))
        {
            // access the SPSite and its objects under
            // the identity represented by the token
        }

  20. Impersonate the system account • Retrieve and use token
        SPUserToken token = SPContext.Current.Site.SystemAccount.UserToken;
        using (SPSite site = new SPSite(url, token))
        {
            // access the SPSite and its objects under
            // the identity represented by the token
        }

  21. Impersonation Best Practices • If the code is expected to honor the permissions of the requesting user, the user's token must be used to perform the impersonation. • Retrieve and store token • Tokens valid for 24 hours (token-timeout, default 1440 minutes) • Can be changed via STSADM (stsadm -o setproperty -pn token-timeout -pv <minutes>)

  22. Impersonation Best Practices • For code that updates SharePoint on behalf of a user without permissions, use the System Account token to perform the impersonation • If the current user cannot read SPSite.SystemAccount, retrieve the token inside SPSecurity.RunWithElevatedPrivileges (RWEP) and impersonate with it afterwards in a new SPSite.
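Slides 18 to 22 as one added example (not the presenter's code): a stored user token that still honors the caller's permissions, and the system account token fetched through RWEP for a caller who cannot read SPSite.SystemAccount. The site URL, list title and the storage of the token bytes are assumptions of the example.

```csharp
using System;
using Microsoft.SharePoint;

// Added example, not code from the session slides. Site URL, list title and
// where the token bytes are persisted are placeholders.
public static class ImpersonationContexts
{
    // Capture the requesting user's token as bytes so it can be used later
    // (e.g. from a timer job). Per slide 21 the token is only valid for the
    // configured token-timeout (24 hours by default), so store a timestamp too.
    public static byte[] CaptureCallerToken()
    {
        return SPContext.Current.Web.CurrentUser.UserToken.BinaryToken;
    }

    // Honor the user's permissions: an SPSite built from the user's token
    // evaluates every permission check as that user, not as the process identity.
    public static bool TryAddItemAsUser(string siteUrl, byte[] storedToken, string listTitle)
    {
        SPUserToken token = new SPUserToken(storedToken);
        using (SPSite site = new SPSite(siteUrl, token))
        using (SPWeb web = site.OpenWeb())
        {
            SPList list = web.Lists[listTitle];
            if (!list.DoesUserHavePermissions(SPBasePermissions.AddListItems))
            {
                return false;   // the impersonated user may not write here
            }
            SPListItem item = list.AddItem();
            item["Title"] = "added as " + web.CurrentUser.LoginName;
            item.Update();
            return true;
        }
    }

    // Update on behalf of a user who lacks permission (slide 22): a low-privilege
    // caller cannot read SPSite.SystemAccount, so fetch the token inside RWEP and
    // impersonate with it afterwards. The new SPSite is a fresh context, so this
    // does not mix contexts the way reusing SPContext.Current.Web would.
    public static void AddItemAsSystemAccount(string siteUrl, string listTitle)
    {
        SPUserToken systemToken = null;
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite elevated = new SPSite(siteUrl))
            {
                systemToken = elevated.SystemAccount.UserToken;
            }
        });

        using (SPSite site = new SPSite(siteUrl, systemToken))
        using (SPWeb web = site.OpenWeb())
        {
            web.AllowUnsafeUpdates = true;
            try
            {
                SPListItem item = web.Lists[listTitle].AddItem();
                item["Title"] = "added by SHAREPOINT\\system on behalf of the caller";
                item.Update();
            }
            finally
            {
                web.AllowUnsafeUpdates = false;
            }
        }
    }
}
```

The difference between the two write paths is what the audit trail records: the first item's Created By is the real user, the second's is the System Account, which is why the user-token path is the one to use whenever the code is supposed to respect the caller's rights.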

  23. Identity App

  24. SharePoint 2013 App AuthN (decision flowchart, reconstructed from the slide)
        Start
        → Is the call to an app web? Yes: user-only context.
        → Otherwise, check whether user credentials and an app token were provided:
            · no app token: anonymous context
            · app token without a user identity: app-only context
            · app token that includes the user: user + app context
        End

  25. App Only Token
        protected void Page_Load(object sender, EventArgs e)
        {
            Uri hostWebUri = new Uri(Request.QueryString["SPHostUrl"]);
            string accessToken = GetAccessToken(hostWebUri);
        }

        private string GetAccessToken(Uri hostWebUri)
        {
            // Passing null instead of a WindowsIdentity yields an app-only token (no user in it)
            string token = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(hostWebUri, null);
            return token;
        }
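The two high-trust (S2S) contexts from the flowchart on slide 24, as an added example that is not from the session: a user + app ClientContext built from the current Windows identity, and an app-only call that succeeds for a user with no rights on the list. It assumes the SharePoint 2013 TokenHelper.cs from the provider-hosted app project template, a page that receives SPHostUrl, and an AppManifest.xml that requests Write on the web with AllowAppOnlyPolicy="true"; the list title is a placeholder.

```csharp
using System;
using System.Security.Principal;
using Microsoft.SharePoint.Client;

// Added example, not code from the session slides. Assumes TokenHelper.cs from
// the SP2013 app project template and an AppManifest.xml with
// AllowAppOnlyPolicy="true"; list title and item text are placeholders.
public static class S2SContexts
{
    // User + App context: the token carries the current Windows user, so
    // SharePoint checks the user's permissions AND the app's permissions.
    // From Page_Load: ReadTitleAsUserAndApp(hostWebUri, Request.LogonUserIdentity)
    public static string ReadTitleAsUserAndApp(Uri hostWebUri, WindowsIdentity user)
    {
        using (ClientContext ctx = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWebUri, user))
        {
            ctx.Load(ctx.Web, w => w.Title);
            ctx.ExecuteQuery();
            return ctx.Web.Title;
        }
    }

    // App-only context: null identity -> no user in the token, so only the app's
    // permissions are checked. Same idea as the system-account token in the
    // server object model: use it for writes the requesting user may not make.
    public static void AddItemAsAppOnly(Uri hostWebUri, string listTitle, string title)
    {
        string appOnlyToken = TokenHelper.GetS2SAccessTokenWithWindowsIdentity(hostWebUri, null);
        using (ClientContext ctx = TokenHelper.GetClientContextWithAccessToken(hostWebUri.ToString(), appOnlyToken))
        {
            List list = ctx.Web.Lists.GetByTitle(listTitle);
            ListItem item = list.AddItem(new ListItemCreationInformation());
            item["Title"] = title;
            item.Update();
            ctx.ExecuteQuery();   // fails with 401 unless the app requested Write and AllowAppOnlyPolicy
        }
    }
}
```

Because the app-only path bypasses the user's permissions entirely, treat it like the system account token on slide 22: use it only for the specific writes that need it, and keep the user + app context for anything that should respect the caller's rights.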

  26–28. App Identity Online & On-Prem (built up across three slides)
        • In the cloud: Windows Azure AD comes with O365; apps use '3-legged' OAuth (Azure AD ↔ App ↔ Office 365 Cloud)
        • On-premises: cert-based trust, on-prem to on-prem (App ↔ SharePoint On-Prem)
        • Hybrid: use O365 Azure AD with on-prem SP; supports Marketplace and on-prem apps

  29. Don’t forget to enter your evaluation of this session using EventBoard! Thank you! Questions?
