OSP431 Security Design with Claims-Based Authentication Israel Vega, Nathan Miller
Session Objectives and Takeaways
• Session objective(s):
  • Quick review of claims-based authentication with SharePoint and Azure
  • Discuss common claims-based security scenarios
• Assumptions:
  • You understand claims, SAML and authentication protocols
  • You have set up claims-based authentication with SharePoint
  • You understand ADFS and general identity federation
  • Bonus: you have built a SharePoint CCP (custom claim provider)

Agenda and Demos
• Quick level-set of SharePoint claims and federation
• Common scenario
  • Demo: Authenticate AD users via ADFS (ADFS/AD CCP)
• Migrate from classic to claims
  • Code: Migrate a web application from classic to claims
• Fun with claims
  • Demo: Temporary file sharing (TempShare CCP)
  • Demo: Profile claims (Profile Claims CCP)

Along the Way
• General CCP and planning guidance
• General tips and tricks
Getting Claimed & Securing with Claims
[Diagram: claims (ClaimType = Value) flow from the Federation Gateway into SharePoint. IN: incoming claims; OUT: mapped claims. Between the two, SP security applies transformation (in → out mapping) and augmentation.]
Must-Answer Questions for Planning
• How will users be authenticated?
• How will users be authorized?
• Who will manage user accounts and provisioning?
• Is the ID enough for AuthZ, or do I need more information?
• Are multiple IDs per user allowed?
• Do I really need a CCP, and if so, which features?
• Do I really need a custom STS?

Fundamental Principles of SharePoint and Claims
• If you don't have it at authentication time, you can't use it for authorization
• Know the difference between incoming claims and mapped claims
• User identity is determined by the authentication method (by default)
• Public federation is not the same as private federation
• SP claim security rules are evaluated as "OR", not "AND": a user who carries any one of the claims a permission is granted to gets that permission; you cannot require two claims together
Key point: federation relationships are based on trust
What is a SharePoint Trusted Identity Token Issuer?
Components: Trusted Identity Token Issuer, Claims Provider, Claims Mappings, Login.

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://.../upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://.../nameidentifier" -IncomingClaimTypeDisplayName "NameId" -MappedClaimType "http://.../username"
…
$spTIp = New-SPTrustedIdentityTokenIssuer -Name "NAME" -Description "DESC" -Realm "REALM" -ClaimsMappings $map1 …
What Do I Get With a Custom Claim Provider (CCP)?
[Diagram: Trusted Identity Token Issuer → Claims Provider → Login. On top of the claims mappings, the CCP adds claims search, claims resolve and claims augmentation.]

How Does it Fit Together?
[Diagram: People Picker → claim providers (custom CCP or the OOTB Active Directory provider) → Trusted Identity Token Issuer. Incoming claims are mapped and encoded; SharePoint stores the encoded claim as the SP identity.]
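The token issuer snippet above stops at the mappings. The following is an added example (not code from the session or from any SharePoint product documentation) that carries the configuration through to the point where a user can actually sign in: it imports the issuer's signing certificate, picks the identifier claim, binds the trust to a web application zone and makes a CCP responsible for search and resolve against that trust. The trust name, realm, sign-in URL, certificate path, web application URL and CCP name are assumptions; the web application is assumed to be in claims mode already.

```powershell
# Added example: wire up a SAML trust end to end. All names, URLs and paths are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$trustName = "ADFS"                                 # assumed
$realm     = "urn:sharepoint:contoso"               # assumed; must equal the relying party identifier at the IdP
$signInUrl = "https://adfs.contoso.com/adfs/ls/"    # assumed
$certPath  = "C:\certs\adfs-token-signing.cer"      # assumed: the IdP token-signing certificate, public key only
$webAppUrl = "https://intranet.contoso.com"         # assumed; web application already uses claims authentication
$ccpName   = "ADFSADClaimProvider"                  # assumed: internal name of an already deployed CCP

# 1. Trust exactly one signing certificate. Tokens signed by any other key are rejected,
#    so this file must come from the IdP operator, not from an unauthenticated download.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "$trustName token signing" -Certificate $cert | Out-Null

# 2. Declare which incoming claims SharePoint keeps. Anything not mapped here is dropped at
#    authentication time and therefore cannot be used for authorization later.
$upn  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
            -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
            -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. The identifier claim is what SharePoint treats as "the user". It must be unique and
#    immutable at the IdP (UPN here); a display name or a reassignable attribute would let
#    one person inherit another's permissions.
$trust = New-SPTrustedIdentityTokenIssuer -Name $trustName -Description "Federation for $webAppUrl" `
            -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $upn,$role `
            -SignInUrl $signInUrl -IdentifierClaim $upn.InputClaimType

# 4. Bind the trust to the Default zone next to Windows (NTLM) claims authentication.
$wa   = Get-SPWebApplication $webAppUrl
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $trust
$win  = New-SPAuthenticationProvider
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $win,$saml

# 5. Make the CCP responsible for this trust. Without it the People Picker accepts any typed
#    value as a valid claim for the trust, so a typo silently grants permissions to nobody
#    (or to the wrong identifier).
$trust = Get-SPTrustedIdentityTokenIssuer -Identity $trustName
$trust.ClaimProviderName = $ccpName
$trust.Update()

# Check: mappings, identifier claim, responsible CCP and signing certificate validity.
Get-SPTrustedIdentityTokenIssuer -Identity $trustName |
    Select-Object Name, IdentifierClaim, ClaimProviderName,
        @{ n = 'SigningCertExpires'; e = { $_.SigningCertificate.NotAfter } },
        @{ n = 'Mappings';           e = { ($_.ClaimTypeInformation | ForEach-Object { $_.MappedClaimType }) -join ', ' } }
```

Run it once from a SharePoint Management Shell on a farm server; the final query is the check to repeat after any change at the IdP, since a rotated token-signing certificate breaks step 1 without any error on the SharePoint side until users can no longer sign in.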
Associating a CCP to a Zone
The association is stored as a collection with the other SP web application settings for the zone.

$webAppUrl = ""
$webAppZone = ""
$claimProviderName = ""

Write-Host "Getting the claim provider"
$claimProvider = Get-SPClaimProvider -Identity $claimProviderName

Write-Host "Getting the web application urls to configure"
# Restrict to this web application; without -WebApplication every web application in the
# farm that has a matching zone would get the provider registered.
$altUrls = Get-SPAlternateURL -WebApplication $webAppUrl
foreach ($altUrl in $altUrls)
{
    if ($altUrl.Zone -eq $webAppZone)
    {
        $wa = Get-SPWebApplication $altUrl.PublicUrl
        Write-Host "Registering claim provider [$claimProviderName] for [$webAppUrl] on the zone [$webAppZone]"
        $waIISSettings = $wa.GetIisSettingsWithFallback($webAppZone)
        $waIISSettings.ClaimsProviders.Add($claimProvider)
        $wa.Update()
    }
}
A Bit About Claims Encoding
• Farm specific: the character that encodes a claim type is assigned per farm, so an encoded claim copied from one farm does not mean the same thing on another
• Custom claim type encoding starts at Unicode code point 500; the reserved (built-in) claim types use single ASCII characters
• Immutable list: once a claim type has been mapped to an encoding character it cannot be un-mapped
• Values are evaluated in lower case
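Encoded claims turn up everywhere a practitioner has to read permissions without a farm at hand: web application policies, site permission exports, ULS logs. The decoder below is an added example (not part of the session) that splits an encoded claim into kind, claim type, original issuer and value and applies the three rules above: built-in types are single ASCII characters, custom types start at code point 500, values compare in lower case. The two lookup tables are deliberately partial and are assumptions; only the characters listed are decoded, anything else is reported as unknown rather than guessed. The sample strings at the end are constructed, not taken from a real farm.

```powershell
# Added example: decode SharePoint encoded claim strings offline (no SharePoint snap-in needed).
# Both tables are partial assumptions; unlisted characters are reported as unknown.
$script:SPClaimTypeByChar = @{
    '#' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname'
    '5' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    '?' = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    '-' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
    '+' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    '!' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider'
    '(' = 'http://schemas.microsoft.com/sharepoint/2009/08/claims/isauthenticated'
}
$script:SPIssuerByChar = @{
    'w' = 'Windows'; 's' = 'SecurityTokenService'; 't' = 'TrustedProvider'
    'f' = 'Forms';   'c' = 'ClaimProvider'
}
# Issuers whose encoding carries a provider-name segment before the value.
$script:SPNamedIssuers = 't', 'f', 'c'

function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory = $true)][string]$Encoded)

    # Layout: <i|c>:0<type><valueType><issuer>|[<issuerName>|]<value>
    #   i = the identity claim (the user itself), c = any other claim (group, role, SID)
    #   type and issuer are single characters; '.' as valueType means a string value
    if ($Encoded -notmatch '^(?<kind>[ic]):0(?<type>.)(?<vt>.)(?<iss>.)\|(?<rest>.*)$') {
        throw "Not an encoded SharePoint claim: '$Encoded'"
    }
    $typeChar = [string]$Matches['type']
    $issChar  = [string]$Matches['iss']
    $rest     = [string]$Matches['rest']

    # Custom claim types are handed out by the farm starting at Unicode code point 500,
    # so they can only be resolved against that farm's own mapping table.
    $code = [int][char]$typeChar
    if ($code -ge 500) {
        $claimType = "custom (farm-specific mapping #$($code - 500))"
    } elseif ($script:SPClaimTypeByChar.ContainsKey($typeChar)) {
        $claimType = $script:SPClaimTypeByChar[$typeChar]
    } else {
        $claimType = "unknown reserved type '$typeChar'"
    }

    $issuerName = $null
    $value      = $rest
    if ($script:SPNamedIssuers -contains $issChar) {
        $issuerName, $value = $rest -split '\|', 2
    }
    $issuer = if ($script:SPIssuerByChar.ContainsKey($issChar)) { $script:SPIssuerByChar[$issChar] } else { "unknown '$issChar'" }

    # SharePoint evaluates values in lower case; NormalizedValue is the form to compare
    # when matching encoded claims that came from different sources.
    $normalized = if ($value) { $value.ToLowerInvariant() } else { $null }

    New-Object PSObject -Property @{
        Encoded         = $Encoded
        IsIdentity      = ($Matches['kind'] -eq 'i')
        ClaimType       = $claimType
        Issuer          = $issuer
        IssuerName      = $issuerName
        Value           = $value
        NormalizedValue = $normalized
    }
}

# Constructed sample inputs (not from any real farm).
$samples = @(
    'i:0#.w|contoso\alice',                # Windows user, logon name
    'c:0+.w|s-1-5-21-1000-2000-3000-513',  # Windows group, by SID
    'i:05.t|adfs|alice@contoso.com',       # user from a trusted (SAML) provider, email as identifier
    'c:0-.t|adfs|admins',                  # role claim issued through the same trust
    'c:0(.s|true',                         # "All Authenticated Users"
    'c:0!.s|windows',                      # "NT AUTHORITY\authenticated users"
    "i:0$([char]500).t|adfs|x"             # first custom claim type registered on a farm
)
$samples | ForEach-Object { ConvertFrom-SPEncodedClaim $_ } |
    Format-Table IsIdentity, ClaimType, Issuer, IssuerName, Value -AutoSize
```

The practical use is in reviews of exported permissions: a grant to `c:0-.t|adfs|admins` is a grant to everyone the IdP puts in that role, while `i:05.t|adfs|alice@contoso.com` is one person, and the two are only as distinguishable as the decoder makes them.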
The Scenario: ADFS AD Claim Provider
• Use Active Directory to maintain user accounts, but use ADFS to authenticate
• Need to search and resolve users just like native SharePoint
• Must work across forests
• Need to integrate with external partners using public and private federation
• Need to block access to external users for certain data
Features used: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation

Recipe: ADFS AD Claim Provider
• 1 custom claim provider
• 1 Secure Store
• 2 Active Directories (internal AD, external AD)
• 2 SharePoint sites (secret data, super secret data)
• 1 ADFS
[Diagram: the People Picker queries the claim provider, which, backed by the Secure Store, searches the internal and the external AD; ADFS is the trusted provider SharePoint authenticates against.]

Demo: ADFS/AD Claim Provider
(Nephophobia: cloud fear, cloud phobia, fear of clouds, phobia of clouds)
The Scenario: Claims Migration
• Existing SP 2007 or 2010 site is classic or FBA
• Moving to SAML with a custom CCP
[Diagram: migration paths; the paths marked "Today's talk" are the ones that require IMigrateUserCallback]

Code Snippets: Claims Migration Scenarios
(The penguin is the only bird that can swim but cannot fly)
Migrating from Classic to Windows Claims

$webAppUrl = "http://yourWebAppUrl"
$adminAccount = "DOMAIN\ADMIN"

# Get the web application and switch the Default zone to Windows claims (NTLM)
$wa = Get-SPWebApplication $webAppUrl
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider (New-SPAuthenticationProvider)

# Re-get the web application so the claims setting is current
$wa = Get-SPWebApplication $webAppUrl

# Create an admin claim for myself, so I can still get in after the migration
$adminClaim = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$adminClaimString = $adminClaim.ToEncodedString()

# Add the admin account to the web application policy with Full Control
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($adminClaimString, "Admin Policy")
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()

# Re-get the web application, then do the migration
$wa = Get-SPWebApplication $webAppUrl
$wa.MigrateUsers($true)
# Provision so the web.config change reaches every server in the farm
$wa.ProvisionGlobally()
Recipe: Custom Claims Migration
• 1 custom claim provider (if SAML)
• 1 custom class implementing IMigrateUserCallback
• 2 SharePoint web apps (temporary and permanent)
• 1 classic content DB
• Time and patience
Steps:
1) Copy the classic content DB
2) Mount the copy to a "DUMMY" (temporary) web app
3) Migrate with IMigrateUserCallback
4) Copy the migrated DB
5) Mount it to the "REAL" (permanent) web app

Migrating from Classic to SAML Claims
Same steps as the Windows claims migration (see the previous slide, omitted here), but MigrateUsers is called with an IMigrateUserCallback instance instead of $true. MigrateUsers does not take an assembly name: load the assembly that contains the callback class (it must also be in the GAC so the migration can find it) and pass an object.

# Load the assembly holding the IMigrateUserCallback implementation and pass an instance
Add-Type -Path "<<path to the callback assembly>>"
$callback = New-Object SAMLMigrationCallback
$wa.MigrateUsers($callback)
Migrating User Accounts Using IMigrateUserCallback
ConvertFromOldUser is called once for each user account being migrated.

using System;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;

public class SAMLMigrationCallback : IMigrateUserCallback
{
    // Return the new encoded claim string for the account, or the account unchanged
    // to leave it as it is.
    public string ConvertFromOldUser(string previousUserAccount,
                                     SPWebApplication.AuthenticationMethod previousAuthType,
                                     bool isGroup)
    {
        string newUserId = previousUserAccount;
        SPClaim migratedUserClaim = null;

        switch (previousAuthType)
        {
            case SPWebApplication.AuthenticationMethod.Windows:
                migratedUserClaim = evalClassicToClaimsAccount(previousUserAccount, isGroup);
                break;
            case SPWebApplication.AuthenticationMethod.Claims:
                migratedUserClaim = evalWindowsClaimToClaimsAccount(previousUserAccount, isGroup);
                break;
            case SPWebApplication.AuthenticationMethod.Forms:
                // code for converting from Forms would be here
                break;
        }

        if (migratedUserClaim != null)
        {
            newUserId = migratedUserClaim.ToEncodedString();
        }
        return newUserId;
    }

    // Helper functions (bodies on the following slides)
    SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        return migratedClaim;
    }

    SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        // migrating from Windows claims to SAML claims
        return migratedClaim;
    }
}
Migrating From Classic to SAML Claims
DO NOT migrate NT AUTHORITY\Authenticated Users or LOCAL SYSTEM. Group SIDs vs. names: classic groups may arrive as SID strings, users as DOMAIN\name, so the account is only treated as a SID when it parses as one. translateSidToName, generateGroupSidClaimFromNtId and generateUserIdClaimFromNtId are the presenters' helpers and are not shown.

using System.Security.Principal;

SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
{
    SPClaim migratedClaim = null;

    // Check the SID and make sure it is not a system type SID; see http://support.microsoft.com/kb/243330
    SecurityIdentifier curSid = null;
    try { curSid = new SecurityIdentifier(previousUserAccount); }
    catch (ArgumentException) { /* not a SID string: a DOMAIN\name account */ }

    if (curSid != null &&
        (curSid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid) ||
         curSid.IsWellKnown(WellKnownSidType.LocalSystemSid)))
    {
        return migratedClaim;
    }

    if (isGroup)
    {
        // Migrate groups: only when the SID still resolves to a name
        string oldNtId = translateSidToName(previousUserAccount);
        if (oldNtId != null)
        {
            migratedClaim = generateGroupSidClaimFromNtId(previousUserAccount);
        }
    }
    else
    {
        // Migrate users: resolve a SID to DOMAIN\name first, names pass through
        string oldNtId = (curSid != null) ? translateSidToName(previousUserAccount) : previousUserAccount;
        if (oldNtId != null)
        {
            migratedClaim = generateUserIdClaimFromNtId(oldNtId);
        }
    }
    return migratedClaim;
}
Migrating From Windows Claims to SAML

SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
{
    SPClaim migratedClaim = null;
    SPClaimProviderManager cpm = SPClaimProviderManager.Local;

    // Migrating from Windows claims to SAML claims: rebuild the claim from the encoded
    // identifier so we can see whether the original issuer was Windows
    SPClaim idClaim = cpm.ConvertIdentifierToClaim(previousUserAccount, SPIdentifierTypes.EncodedClaim);

    // Only Windows claims accounts are converted to the SAML claims user ID format;
    // claims from any other issuer are left untouched
    if (SPOriginalIssuers.IsIssuerType(SPOriginalIssuerType.Windows, idClaim.OriginalIssuer))
    {
        // Windows claims users are in the format domain\user; Windows claims groups are in the SID format
        if (idClaim.ClaimType.Equals(SPClaimTypes.UserLogonName))
        {
            migratedClaim = generateSAMLClaimFromNtId(idClaim.Value);
        }
        else if (idClaim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid))
        {
            // Group SID or group name???
            migratedClaim = generateSAMLGroupClaim(idClaim.Value);
        }
    }
    return migratedClaim;
}

// Helper functions
SPClaim generateSAMLClaimFromNtId(string winClaimId)
{
    SPClaim migratedClaim = null;
    // Create the proper SAML ID claim for the old Windows claims user
    return migratedClaim;
}

SPClaim generateSAMLGroupClaim(string groupClaim)
{
    SPClaim migratedClaim = null;
    // Create the proper SAML group claim for the old Windows claims group
    return migratedClaim;
}
Migration Notes
• IMigrateUserCallback:
  • Some accounts should not be migrated (for example LOCAL SYSTEM)
  • Some accounts should be migrated to anonymous
• Must reconfigure the super user and search accounts post-migration
• Log on as PortalSuperUser and PortalSuperReader at least once

Configuring the Publishing Cache Accounts
• For Windows and SAML claims, this must be configured for publishing sites
• Set the portalsuperuseraccount and portalsuperreaderaccount web application properties
• Also configure the web app policy
Setting the Portal Super* Accounts
The accounts are stored as encoded Windows claims (user logon name) and also get a web application policy.

$PortalSuperReader = "domain\portalsuperreader"
$PortalSuperUser = "domain\portalsuperuser"
$wa = Get-SPWebApplication -Identity "<<web app URL>>"

$PortalSuperUserClaim = New-SPClaimsPrincipal -Identity $PortalSuperUser -IdentityType WindowsSamAccountName
$PortalSuperUserClaim.ToEncodedString()
$wa.Properties["portalsuperuseraccount"] = $PortalSuperUserClaim.ToEncodedString()

$PortalSuperReaderClaim = New-SPClaimsPrincipal -Identity $PortalSuperReader -IdentityType WindowsSamAccountName
$PortalSuperReaderClaim.ToEncodedString()
$wa.Properties["portalsuperreaderaccount"] = $PortalSuperReaderClaim.ToEncodedString()

# Set the web application policies
$SRpolicy = $wa.Policies.Add($PortalSuperReaderClaim.ToEncodedString(), "PortalSuperReader")
$SRpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullRead"))
$SUpolicy = $wa.Policies.Add($PortalSuperUserClaim.ToEncodedString(), "PortalSuperUser")
$SUpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))

# Update the web app
$wa.Update()

# IISReset
iisreset
Fun with Claims
The value of claims-based AuthN and AuthZ
(Reindeers like to eat bananas)

The Scenario: Profile Claims
• Wanted to make the user experience of adding mapped claims easy
• Re-use attributes about a user for securing content in SharePoint
• Did not want adding a new claim to require a code deployment
Features used: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation

Recipe: Profile Claims
• 1 custom claim provider
• 1 Profile Service
• 1 profile database
• 1 SharePoint site

Profile Claim Provider
(It is possible to lead a cow upstairs but not downstairs)
The Scenario: Temporary Sharing of Files with Federated Users
• Share documents with external users regardless of how they authenticate
• The user may not have a user account in SharePoint
• Needed to provide secure access for a defined time period
• Self-managing of user access
Features used: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation

Architecture
[Diagram: external users authenticate through public federation (Facebook, Google, PayPal); a sharing token claim grants access for a period, after which it is treated as expired.]

Recipe: Temporary Sharing of Files with Public Federation
• 1 custom claim provider
• 1 custom claim generator
• 1 custom database
• 2 SharePoint sites
• 2 custom web parts
• 1 custom ribbon extension
Best with:
• External ad-hoc collaboration with partners or contractors
• Public federation with trusted users
Demo TempShare Claim Provider The sentence "The quick brown fox jumps over a lazy dog." uses every letter of the alphabet!
Building Custom Claim Providers: Hints
• Good for providing search and resolve of identity information
• Heads up:
  • All claim providers fire several times
  • Claims are immutable (cannot change once issued)
  • Incoming claims are not available at augmentation time OOTB*: FillClaimsForEntity only receives the identity claim, so anything else has to be looked up again
* http://blogs.technet.com/b/speschka/archive/2011/03/29/how-to-get-all-user-claims-at-claims-augmentation-time-in-sharepoint-2010.aspx

Building Custom Claim Providers: More Hints
• Claims providers: encoding, casing
• "Welcome email" support
• Identity resolution: responsible / not responsible
• Debugging
• Deployment
  • App roles vs. web application vs. Central Admin
  • Create 2 separate WSPs; enable AutoActivateInCentralAdmin
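"All claim providers fire several times" and "responsible / not responsible" are the two things that go wrong after deployment: a provider registered as used-by-default answers every People Picker query in the farm, and a trust with no responsible CCP accepts whatever is typed. The read-only check below is an added example (not from the session) that lists the registered providers, which CCP each trust routes to and when its signing certificate expires, and which providers are attached per web application zone. The cmdlets and properties are the SharePoint 2010 ones used elsewhere in this session; the 30-day warning threshold and the function name are assumptions.

```powershell
# Added example: read-only inventory of claim provider wiring in a farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPClaimProviderWiring {
    param([int]$CertWarningDays = 30)   # assumed threshold

    # 1. Registered providers. enabled + default means the provider runs for every
    #    People Picker query in every web application, not only for its own trust.
    foreach ($cp in Get-SPClaimProvider) {
        New-Object PSObject -Property @{
            Kind   = 'ClaimProvider'
            Name   = $cp.DisplayName
            Detail = "enabled=$($cp.IsEnabled) default=$($cp.IsUsedByDefault) visible=$($cp.IsVisible) type=$($cp.TypeName)"
        }
    }

    # 2. Trusts: which claim identifies the user, which CCP is responsible for
    #    search/resolve, and when tokens stop validating because the signing
    #    certificate expired.
    foreach ($t in Get-SPTrustedIdentityTokenIssuer) {
        $expires = $t.SigningCertificate.NotAfter
        $warn = if ($expires -lt (Get-Date).AddDays($CertWarningDays)) { ' CERT EXPIRING' } else { '' }
        $ccp  = if ($t.ClaimProviderName) { $t.ClaimProviderName } else { '(none: typed values are accepted unchecked)' }
        New-Object PSObject -Property @{
            Kind   = 'Trust'
            Name   = $t.Name
            Detail = "identifier=$($t.IdentifierClaim) ccp=$ccp signingCertExpires=$($expires.ToString('yyyy-MM-dd'))$warn"
        }
    }

    # 3. Zones: the per-zone collection that a zone association script adds to.
    foreach ($wa in Get-SPWebApplication) {
        foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
            if (-not $wa.IisSettings.ContainsKey($zone)) { continue }   # zone not extended
            $providers = @($wa.IisSettings[$zone].ClaimsProviders | ForEach-Object { "$_" }) -join ','
            New-Object PSObject -Property @{
                Kind   = 'Zone'
                Name   = "$($wa.DisplayName)/$zone"
                Detail = "claimsAuth=$($wa.UseClaimsAuthentication) providers=[$providers]"
            }
        }
    }
}

Get-SPClaimProviderWiring | Format-Table Kind, Name, Detail -AutoSize -Wrap
```

Run it from a SharePoint Management Shell before and after deploying a CCP WSP: the before/after difference shows exactly which trusts and zones the deployment touched, which is the quickest way to spot a provider that was activated farm-wide when it was only meant for one trust.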
In Review: Session Objectives and Takeaways
• SharePoint, claims and federation (recap)
• Fun with claims
  • Demo: ADFS/AD claims provider
  • Code: migration from classic to SAML
  • Demo: Profile Claims provider
  • Demo: TempShare claims provider
• General tips and tricks for claims

Related Content
• SIA204 | Cloudy Weather: How Secure Is the Cloud?
• SIA208 | Demystifying Microsoft Forefront Edge Security Technologies: TMG and UAG
• SIA318 | Managing and Extending Active Directory Federation Services
• SIA403 | Troubleshooting Federation, ADFS, and More
• AZR78-HOL | Introduction to Access Control Service
• SIA01-TLC | Microsoft Identity and Access
Find us later at:
• SharePoint TLC Booth
• Ask the Experts

Links
• http://blogs.msdn.com/entdev (demo code)
• http://blogs.technet.com/b/speschka/ (SharePoint CBA resources)

Resources
• Connect. Share. Discuss.: http://europe.msteched.com
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals (TechNet): http://microsoft.com/technet
• Resources for Developers (MSDN): http://microsoft.com/msdn
Evaluations Submit your evals online http://europe.msteched.com/sessions
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.