Security Design with Claims-Based Authentication


Presentation Transcript


  1. OSP431 Security Design with Claims-Based Authentication Israel Vega, Nathan Miller

  2. Session Objectives and Takeaways • Session Objective(s): • Quick review of claims based authentication with SharePoint and Azure • Discuss common claims based security scenarios • Assumptions • You understand claims, SAML and authentication protocols • You have set up claims based authentication with SharePoint • You understand ADFS and General Identity Federation • Bonus – You have built a SharePoint CCP

  3. Agenda and Demos • Quick level-set of SharePoint claims and federation • Common Scenario • Demo: Authenticate AD Users via ADFS - ADFS/AD CCP • Migrate from classic to claims • Code: Migrate a web application from classic to claims • Fun with claims • Demo: Temporary File Sharing - TempShare CCP • Demo: Profile Claims - Profile Claims CCP

  4. Along the Way • General CCP and Planning Guidance • General Tips and Tricks

  5. Getting Claimed / Securing with Claims (diagram) • Claims arrive as ClaimType = Value pairs from the Federation Gateway, which can transform and augment them • SharePoint takes the incoming claims (IN) and produces mapped claims (OUT), with its own augmentation step • SP security is applied to the mapped claims

  6. Must Answer Questions for Planning • How will users be authenticated? • How will users be authorized? • Who will manage user accounts and provisioning? • Is the ID enough for AuthZ or do I need more information? • Are multiple IDs per user allowed? • Do I really need a CCP and if so, which features? • Do I really need a custom STS?

  7. Fundamental Principles of SharePoint and Claims • If you don’t have it at authentication time, you can’t use it for authorization • Know the difference between incoming claims vs. mapped claims • User identity is determined by authentication method (by default) • Public federation is not the same as private federation • SP claim security rules are evaluated as “OR”, not “AND”: a principal holding any one of the claims granted on an object is authorized; no single grant can require several claims at once • Key Point: Federation relationships are based on trust

  8. What is a SharePoint Trusted Identity Token Issuer? (diagram: Trusted Identity Token Issuer = Claims Provider + Claims Mappings + Login)
    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://.../upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://.../nameidentifier" -IncomingClaimTypeDisplayName "NameId" -LocalClaimType "http://.../username"
    ...
    $spTIp = New-SPTrustedIdentityTokenIssuer -Name "NAME" -Description "DESC" -Realm "REALM" -ClaimsMappings $map1 ...
  Note: the cmdlet parameter for the mapped (local) claim type is -LocalClaimType; MappedClaimType is the name of the property on the resulting SPClaimTypeMapping object.

  9. What Do I Get With a Custom Claim Provider (CCP)? (diagram: on top of the Trusted Identity Token Issuer’s claims mappings and login, a CCP adds Claims Search, Claims Resolve and Claims Augmentation)

  10. How Does it Fit Together? (diagram: the Trusted Identity Token Issuer delivers incoming claims, which SharePoint turns into mapped claims; claim providers, both the OOTB Active Directory provider and a custom CCP, feed the People Picker; the resulting SP identity is an encoded claim)

  11. Associating a CCP to a Zone (stored as a collection with the other SP Web App settings for the zone)
    $webAppUrl = ""
    $webAppZone = ""
    $claimProviderName = ""
    write-host "Getting the web application urls to configure"
    # Restrict to this web application: an unfiltered Get-SPAlternateURL returns every alternate access mapping in the farm
    $altUrls = Get-SPAlternateURL -WebApplication $webAppUrl
    write-host "Getting the claim provider"
    $claimProvider = Get-SPClaimProvider -Identity $claimProviderName
    foreach ($altUrl in $altUrls)
    {
        if ($altUrl.Zone -eq $webAppZone)
        {
            $wa = Get-SPWebApplication $altUrl.PublicUrl
            write-host "Registering claim provider [$claimProviderName] for [$webAppUrl] on the zone [$webAppZone]"
            $waIISSettings = $wa.GetIisSettingsWithFallback($webAppZone)
            $waIISSettings.ClaimsProviders.Add($claimProvider)
            $wa.Update()
        }
    }

  12. A Bit About Claims Encoding • Farm specific • Custom claim type encoding starts at Unicode code point 500 (decimal); the characters below that are reserved for SharePoint’s own claim types • Immutable list: once a claim type has been mapped to an encoding character it cannot be un-mapped • Values are evaluated in lower case • (the slide’s table of reserved claim type characters, labelled by decimal code point, e.g. 504 and 507, is not reproduced in this transcript)

  13. Reserved Claim Types and Identifiers

  14. The Scenario – ADFS AD Claim Provider • Use Active Directory to maintain user accounts but use ADFS to authenticate • Need to search and resolve users just like native SharePoint • Must work across forests • Need to integrate with external partners using public and private federation • Need to block access to external users for certain data • Uses: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation

  15. Recipe – ADFS AD Claim Provider • 1 Custom Claim Provider • 1 Secure Store • 2 Active Directories (internal and external) • 2 SharePoint Sites (“Secret Data” and “Super Secret Data”) • 1 ADFS (diagram labels: Internal AD, Secure Store, People Picker, SharePoint, ADFS Trusted Provider, Claim Provider, External AD)

  16. Demo ADFS/AD Claim Provider Nephophobia (cloud fear, cloud phobia, fear of clouds, phobia of clouds)

  17. The Scenario – Claims Migration • Existing SP 2007 or 2010 site is classic or FBA • Moving to SAML with a custom CCP • (table of migration paths omitted; the columns marked “Today’s talk” are the paths covered in this session, and  marks a path that requires IMigrateUserCallback)

  18. Code Snippets Claims Migration Scenarios The penguin is the only bird who can swim, but cannot fly

  19. Migrating from Classic to Windows Claims
    $webAppUrl = "http://yourWebAppUrl"
    $adminAccount = "DOMAIN\ADMIN"
    #Get the Web application
    $wa = Get-SPWebApplication $webAppUrl
    #Switch the Default zone to (Windows) claims authentication
    Set-SPWebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default
    #Re-Get the Web application
    $wa = Get-SPWebApplication $webAppUrl
    #Create an admin claim for myself
    $adminClaim = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
    $adminClaimString = $adminClaim.ToEncodedString()
    #Add the admin account to the web application policy - let me in after the migration
    $zp = $wa.ZonePolicies("Default")
    $p = $zp.Add($adminClaimString, "Admin Policy")
    $fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $wa.Update()
    #Re-Get the Web application
    $wa = Get-SPWebApplication $webAppUrl
    #Do the migration
    $wa.MigrateUsers($true)

  20. Recipe – Custom Claims Migration • 1 Custom Claim Provider (if SAML) • 1 Custom Class: IMigrateUserCallback • 2 SharePoint Web Apps • 1 Classic Content DB • Time and Patience • Steps (diagram): 1) Copy the classic content DB 2) Mount the copy to a temporary (“DUMMY”) web app 3) Migrate with IMigrateUserCallback 4) Copy the migrated DB 5) Mount it to the permanent (“REAL”) web app

  21. Migrating from Classic to SAML Claims • Do the migration as on slide 19, but pass the callback instead of $true • ...see the other slide (omitted) • #Migrate the web application • #Pass the fully qualified assembly reference • $wa.MigrateUsers(IMigrateUsersCallBackAssembly)

  22. Migrating User Accounts Using IMigrateUserCallback (ConvertFromOldUser is called once for each user account being migrated)
    using System;
    using Microsoft.SharePoint.Administration;
    using Microsoft.SharePoint.Administration.Claims;

    public class SAMLMigrationCallback : IMigrateUserCallback
    {
        public string ConvertFromOldUser(string previousUserAccount, SPWebApplication.AuthenticationMethod previousAuthType, bool isGroup)
        {
            // Default: hand the account back unchanged if no mapping applies
            string newUserId = previousUserAccount;
            SPClaim migratedUserClaim = null;
            switch (previousAuthType)
            {
                case SPWebApplication.AuthenticationMethod.Windows:
                    migratedUserClaim = evalClassicToClaimsAccount(previousUserAccount, isGroup);
                    break;
                case SPWebApplication.AuthenticationMethod.Claims:
                    migratedUserClaim = evalWindowsClaimToClaimsAccount(previousUserAccount, isGroup);
                    break;
                case SPWebApplication.AuthenticationMethod.Forms:
                    // code for converting from Forms would be here
                    break;
            }
            if (migratedUserClaim != null)
            {
                newUserId = migratedUserClaim.ToEncodedString();
            }
            return newUserId;
        }

        // Helper functions: this slide shows the stubs, slides 23 and 24 give the bodies
        SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
        {
            SPClaim migratedClaim = null;
            return migratedClaim;
        }

        SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
        {
            SPClaim migratedClaim = null;
            // migrating from Windows claims to SAML claims
            return migratedClaim;
        }
    }

  23. Migrating From Classic to SAML Claims (DO NOT migrate NT AUTHORITY\Authenticated Users or LOCAL SYSTEM; open question on the slide: group SIDs vs. names?)
    using System.Security.Principal;

    SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        // previousUserAccount is expected to be a SID string here; the constructor throws ArgumentException for a DOMAIN\name
        SecurityIdentifier curSid = new SecurityIdentifier(previousUserAccount);
        // Check the SID and make sure it's not a system type SID, see http://support.microsoft.com/kb/243330
        if (curSid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid) ||
            curSid.IsWellKnown(WellKnownSidType.LocalSystemSid))
        {
            return migratedClaim;
        }
        // translateSidToName is the presenters' helper (not shown on the slides); both branches need its result,
        // so it is resolved before branching rather than inside the group branch only
        string oldNtId = translateSidToName(previousUserAccount);
        if (oldNtId == null)
        {
            return migratedClaim;
        }
        if (isGroup)
        {
            // Migrate groups (helper not shown on the slides; takes the SID, hence the open SID-vs-name question)
            migratedClaim = generateGroupSidClaimFromNtId(previousUserAccount);
        }
        else
        {
            // Migrate users (helper not shown on the slides)
            migratedClaim = generateUserIdClaimFromNtId(oldNtId);
        }
        return migratedClaim;
    }

  24. Migrating From Windows Claims to SAML
    // Assumed field (not on the slide): the local claim provider manager used to decode encoded identifiers
    SPClaimProviderManager _cpm = SPClaimProviderManager.Local;

    SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        // Migrating from Windows claims to SAML claims: create a claim from the identifier so we can see if the original issuer was Windows
        SPClaim idClaim = _cpm.ConvertIdentifierToClaim(previousUserAccount, SPIdentifierTypes.EncodedClaim);
        // This is a Windows claims user, and we are going to convert to a SAML claims user ID format
        if (SPOriginalIssuers.IsIssuerType(SPOriginalIssuerType.Windows, idClaim.OriginalIssuer))
        {
            // Windows claims users are in the format domain\user; Windows claims groups are in SID format
            if (idClaim.ClaimType.Equals(SPClaimTypes.UserLogonName))
            {
                migratedClaim = generateSAMLClaimFromNtId(idClaim.Value, SourceAccountType.WindowsClaim);
            }
            else if (idClaim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid))
            {
                // Group SID or group name??? (open question on the slide)
                migratedClaim = generateSAMLGroupClaim(idClaim.Value, SourceAccountType.WindowsClaim);
            }
        }
        return migratedClaim;
    }

    // Helper functions. SourceAccountType is the presenters' own enum (not shown on the slides);
    // the signatures are aligned with the calls above, which the original slide did not do.
    SPClaim generateSAMLClaimFromNtId(string winClaimId, SourceAccountType source)
    {
        SPClaim migratedClaim = null;
        // Create the proper SAML ID claim for the old Windows claims user
        return migratedClaim;
    }

    SPClaim generateSAMLGroupClaim(string groupClaim, SourceAccountType source)
    {
        SPClaim migratedClaim = null;
        // Create the proper SAML group claim for the old Windows claims group
        return migratedClaim;
    }

  25. Migration Notes • IMigrateUserCallback: some accounts should not be migrated (e.g. LOCAL SYSTEM) and some accounts should be migrated to anonymous • Must reconfigure the super user and search accounts post migration • Log on as PortalSuperUser and PortalSuperReader at least once
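Added example, not code from the deck or from Microsoft: a pure-Python decoder/encoder for SharePoint’s encoded-claim format (the rules on slide 12) and a re-implementation of the classic- and Windows-claims-to-SAML mapping that slides 22 to 25 sketch in C#, so the rules can be exercised without a farm. The claim-type and issuer tables are a subset of SharePoint’s reserved set; the DIRECTORY lookups, the "adfs" issuer name and the choice of e-mail as the SAML identity claim are constructed assumptions, and only string-valued (".") claims are handled.

```python
"""Added example (not from the OSP431 deck): SharePoint encoded-claim helpers and a
pure-Python version of the IMigrateUserCallback mapping. Runs without SharePoint."""
import re
from dataclasses import dataclass
from typing import Optional

# Reserved claim-type characters: a subset of SharePoint's reserved table (slide 13).
# Code points >= 500 are farm-specific custom mappings (slide 12).
CLAIM_TYPE_CHARS = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
    ")": "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
    "!": "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider",
}
CUSTOM_CLAIM_TYPE_START = 500
# Original-issuer characters; t/f/c carry an issuer-name segment, w/s do not.
ISSUER_CHARS = {"w": "Windows", "s": "SecurityTokenService",
                "t": "TrustedProvider", "f": "Forms", "c": "ClaimProvider"}
ISSUERS_WITH_NAME = {"t", "f", "c"}


@dataclass(frozen=True)
class Claim:
    is_identity: bool            # "i:" identity claim vs "c:" any other claim
    claim_type: str
    issuer: str
    issuer_name: Optional[str]
    value: str

    def encoded(self) -> str:
        """Inverse of decode_claim: '<i|c>:0<type>.<issuer>|[<issuer name>|]<value>'."""
        tchar = {t: c for c, t in CLAIM_TYPE_CHARS.items()}.get(self.claim_type)
        if tchar is None:
            raise ValueError("claim type needs a farm-specific mapping character")
        ichar = {n: c for c, n in ISSUER_CHARS.items()}[self.issuer]
        head = ("i" if self.is_identity else "c") + ":0" + tchar + "." + ichar + "|"
        if ichar in ISSUERS_WITH_NAME:
            if not self.issuer_name:
                raise ValueError(f"issuer type {self.issuer} requires an issuer name")
            head += self.issuer_name + "|"
        return head + self.value


def decode_claim(encoded: str) -> Claim:
    """Parse a string-valued encoded claim ('.' value type only)."""
    m = re.fullmatch(r"([ic]):0(.)\.(.)\|(.*)", encoded, re.DOTALL)
    if m is None:
        raise ValueError(f"not an encoded claim: {encoded!r}")
    kind, tchar, ichar, rest = m.groups()
    if ichar not in ISSUER_CHARS:
        raise ValueError(f"unknown original-issuer character {ichar!r}")
    claim_type = CLAIM_TYPE_CHARS.get(tchar)
    if claim_type is None:
        if ord(tchar) < CUSTOM_CLAIM_TYPE_START:
            raise ValueError(f"unknown reserved claim-type character {tchar!r}")
        claim_type = f"custom claim type (farm-specific code point {ord(tchar)})"
    issuer_name = None
    if ichar in ISSUERS_WITH_NAME:
        issuer_name, sep, rest = rest.partition("|")
        if not sep:
            raise ValueError("issuer-name segment missing")
    return Claim(kind == "i", claim_type, ISSUER_CHARS[ichar], issuer_name, rest)


def same_principal(a: str, b: str) -> bool:
    """Slide 12: encoded claim values are compared in lower case."""
    return a.lower() == b.lower()


# Well-known SIDs the deck says must never be migrated (slides 23 and 25):
# S-1-5-11 = NT AUTHORITY\Authenticated Users, S-1-5-18 = LOCAL SYSTEM.
DO_NOT_MIGRATE_SIDS = {"S-1-5-11", "S-1-5-18"}
# Constructed stand-in for the AD lookups the slides delegate to helper functions:
# user logon name -> e-mail, group SID -> group name.
DIRECTORY = {
    "contoso\\alice": "alice@contoso.com",
    "contoso\\bob": "bob@contoso.com",
    "S-1-5-21-1111-2222-3333-1001": "contoso\\sp-readers",
}
TRUSTED_ISSUER = "adfs"   # assumed name of the SPTrustedIdentityTokenIssuer


def migrate_principal(previous: str, is_group: bool) -> Optional[str]:
    """Return the encoded SAML claim to store, or None to leave the account unmigrated.
    Accepts classic accounts (DOMAIN\\name or a SID) and Windows-claims encodings."""
    if re.match(r"^[ic]:0", previous):                  # Windows-claims input (slide 24)
        claim = decode_claim(previous)
        if claim.issuer != "Windows":                   # e.g. c:0!.s|windows: leave alone
            return None
        if claim.claim_type.endswith("/userlogonname"):
            return migrate_principal(claim.value, False)
        if claim.claim_type.endswith("/groupsid"):
            return migrate_principal(claim.value, True)
        return None
    if previous.upper() in DO_NOT_MIGRATE_SIDS:         # slide 23 guard
        return None
    if is_group:
        name = DIRECTORY.get(previous.upper()) if previous.upper().startswith("S-1-") else previous
        if name is None:
            return None
        return Claim(False, CLAIM_TYPE_CHARS["-"], "TrustedProvider", TRUSTED_ISSUER, name.lower()).encoded()
    email = DIRECTORY.get(previous.lower())
    if email is None:
        return None                                     # no e-mail on file: keep for manual review
    return Claim(True, CLAIM_TYPE_CHARS["5"], "TrustedProvider", TRUSTED_ISSUER, email.lower()).encoded()
```

Returning None for anything the directory cannot resolve mirrors the C# on slides 22 to 24, where a null SPClaim makes ConvertFromOldUser hand the original account back unchanged; the Windows-claims branch also refuses to touch claims issued by the local STS (such as the “All Authenticated Users” claim), which is the same class of principal the slide 23 SID guard protects on the classic side.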

  26. Configuring the Publishing Cache Accounts • For Windows and SAML claims, this must be configured for publishing sites • Set the portalsuperuseraccount and portalsuperreaderaccount web application properties • Also configure the web app policy

  27. Setting the Portal Super * Accounts (encoded Windows claim, user logon name, plus a web application policy)
    $PortalSuperReader = "domain\portalsuperreader"
    $PortalSuperUser = "domain\portalsuperuser"
    $wa = Get-SPWebApplication -Identity "<<web app URL>>"
    $PortalSuperUserClaim = New-SPClaimsPrincipal -Identity $PortalSuperUser -IdentityType WindowsSamAccountName
    $PortalSuperUserClaim.ToEncodedString()
    $wa.Properties["portalsuperuseraccount"] = $PortalSuperUserClaim.ToEncodedString()
    $PortalSuperReaderClaim = New-SPClaimsPrincipal -Identity $PortalSuperReader -IdentityType WindowsSamAccountName
    $PortalSuperReaderClaim.ToEncodedString()
    $wa.Properties["portalsuperreaderaccount"] = $PortalSuperReaderClaim.ToEncodedString()
    #Set the web application policies
    $SRpolicy = $wa.Policies.Add($PortalSuperReaderClaim.ToEncodedString(), "PortalSuperReader")
    $SRpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullRead"))
    $SUpolicy = $wa.Policies.Add($PortalSuperUserClaim.ToEncodedString(), "PortalSuperUser")
    $SUpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
    #Update the web app
    $wa.Update()
    #IISReset
    iisreset

  28. Fun with Claims The value of Claims Based AuthN and AuthZ Reindeers like to eat bananas

  29. The Scenario – Profile Claims • Wanted to make the user experience of adding mapped claims easy • Re-use attributes about a user for securing content in SharePoint • Did not want adding a new claim to require a code deployment • Uses: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation

  30. Recipe – Profile Claims • 1 Custom Claim Provider • 1 Profile Service • 1 Profile Database • 1 SharePoint Site

  31. Profile Claim Provider It is possible to lead a cow upstairs but not downstairs

  32. The Scenario – Temporary Sharing of Files with Federated Users • Share documents with external users regardless of authentication • User may not have a user account in SharePoint • Needed to provide secure access for a defined time period • Self-managing of user access • Uses: Trusted Provider, CCP Search, CCP Resolve, CCP Augmentation

  33. Architecture (diagram labels: Facebook, Google, PayPal as public identity providers; a Sharing Token Claim that can be Expired)

  34. Recipe - Temporary Sharing of Files with Public Federation • 1 Custom Claim Provider • 1 Custom Claim Generator • 1 Custom Database • 2 SharePoint Sites • 2 Custom Web Parts • 1 Custom Ribbon Extension Best With: • External ad-hoc collaboration with Partners or contractors • Public Federation with Trusted Users

  35. Demo TempShare Claim Provider The sentence "The quick brown fox jumps over a lazy dog." uses every letter of the alphabet!

  36. Building Custom Claim Providers - Hints • Good for providing search and resolve of identity information • Heads up • All claim providers fire several times • Claims are immutable (cannot change once issued) • Incoming claims are not available at authentication time OOTB (*) • (*) http://blogs.technet.com/b/speschka/archive/2011/03/29/how-to-get-all-user-claims-at-claims-augmentation-time-in-sharepoint-2010.aspx

  37. Building Custom Claim Providers – More Hints • Claims Providers • Encoding, casing • “Welcome email” support • Identity resolution • Responsible / not responsible • Debugging • Deployment • App Roles vs. Web Application vs. Central Admin • Create 2 separate WSPs, enable AutoActivateInCentralAdmin

  38. In Review: Session Objectives and Takeaways • SharePoint, claims and federation (Recap) • Fun with Claims • Demo – ADFS/AD Claims Provider • Code – Migration from classic to SAML • Demo – Profile Claims Provider • Demo – TempShare Claims Provider • General Tips and Tricks for Claims

  39. Related Content • SIA204 | Cloudy Weather: How Secure Is the Cloud? • SIA208 | Demystifying Microsoft Forefront Edge Security Technologies: TMG and UAG • SIA318 | Managing and Extending Active Directory Federation Services • SIA403 | Troubleshooting Federation, ADFS, and More • AZR78-HOL | Introduction to Access Control Service • SIA01-TLC | Microsoft Identity and Access • Find us later at: SharePoint TLC Booth, Ask the Experts

  40. Links • http://blogs.msdn.com/entdev - Demo code • http://blogs.technet.com/b/speschka/ - SharePoint CBA Resources

  41. Resources • Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning • TechNet: Resources for IT Professionals, http://microsoft.com/technet • MSDN: Resources for Developers, http://microsoft.com/msdn • Connect. Share. Discuss. http://europe.msteched.com

  42. Evaluations Submit your evals online http://europe.msteched.com/sessions

  43. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
