Claims based authentication for mere mortals

Thomas Vochten Claims based authentication for mere mortals #SPSBE #SPSBE26


Transcript of Claims based authentication for mere mortals

Page 1: Claims based authentication for mere mortals

Thomas Vochten

Claims based authentication for mere mortals

#SPSBE

#SPSBE26

Page 2: Claims based authentication for mere mortals

About me

Thomas Vochten

@thomasvochten

thomasvochten.com

linkedin.com/in/thomasvochten

consultant

platform architect

lousy developer

accidental DBA

SharePoint

SQL Server

Page 3: Claims based authentication for mere mortals

A big thanks to our sponsors

Venue Sponsor

Platinum Sponsors

Gold Premium Sponsors

Gold Sponsors

Page 4: Claims based authentication for mere mortals

Agenda

• Claims Based Identity

• Claims within SharePoint 2010

• Claim Providers

• Windows Claims

• Trusted Provider claims

• Federation & Single Sign On

• Claims in the Real World

Page 5: Claims based authentication for mere mortals

Claims based identity

Who do you trust?

Page 6: Claims based authentication for mere mortals

Claims based identity

• Not a new concept

• Claims provide abstraction

• Authentication (AuthN) versus Authorization (AuthZ)

• AuthZ decisions are based on claims

Page 7: Claims based authentication for mere mortals

Setting the scene

• Claim

• Security Token

• Identity Provider (IdP)

• Relying Party (RP)

• Security Token Service (STS)

• Realm

Page 8: Claims based authentication for mere mortals

Diagram: a security token made up of several claims (Name, Age, Location, ...) and a signature.

Page 9: Claims based authentication for mere mortals

Diagram: AuthN versus AuthZ.

Page 10: Claims based authentication for mere mortals

Claims within SharePoint 2010

3 types of claim providers

• Windows

• Trusted Provider

• Forms Based Authn

Multiple Authn providers possible in the same zone

Be sure to be on Service Pack 1 with the June 2011 CU at minimum

Page 11: Claims based authentication for mere mortals

Diagram: Mixed Authentication. One SharePoint farm with one web application extended into several zones (Default, Intranet, Extranet, Internet, Custom), each zone carrying a single authentication method (e.g. Default zone: Windows Authentication; another zone: FBA Authentication).

Diagram: Multiple Authentication Providers. The same farm, web application and zones, but one zone (Default) carries several providers at once: Windows Authentication, FBA Authentication and SAML Based Authentication.

Page 12: Claims based authentication for mere mortals

Multiple Authentication Providers

Page 13: Claims based authentication for mere mortals

Identity Normalization

Diagram: identities of different kinds are normalized to a SAML token (claims based identity) and then to an SPUser:

• NT Token (Windows Identity)

• ASP.NET (FBA): LDAP, custom, …

• SAML Token: LiveID, ADFS, others

• Anonymous User

Page 14: Claims based authentication for mere mortals

Identity Claim Format

i:0#.t|federation|thomasvochten

i:0#.w|lab\thomasvochten
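As an added example (not from the deck), a small Python decoder for the two encoded identity claims shown above; the claim-type, value-type and issuer character tables are assumptions about the SharePoint encoding and cover only the characters needed here. It makes visible why the same person is a different SPUser through Windows and through a trusted provider: the issuer and provider name are part of the identity, not just the value.

```python
# Added example, not from the slides: decode SharePoint 2010 encoded claims
# such as "i:0#.w|lab\thomasvochten". Assumed layout:
#   <i|c> ':' '0' <claim type> <value type> <issuer> '|' [<provider> '|'] <value>

CLAIM_KINDS = {"i": "identity claim", "c": "other claim"}

CLAIM_TYPES = {  # assumed claim-type characters, only the ones needed here
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
VALUE_TYPES = {".": "http://www.w3.org/2001/XMLSchema#string"}

# Assumed original-issuer characters; True means a provider name segment
# follows the first '|' (e.g. "federation" for an ADFS trust).
ISSUERS = {
    "w": ("Windows", False),
    "s": ("SecurityTokenService", False),
    "t": ("TrustedProvider", True),
    "f": ("Forms", True),
    "m": ("Membership", True),
    "r": ("RoleProvider", True),
}


def decode_claim(encoded: str) -> dict:
    """Split an encoded claim into its parts; raise ValueError if it is malformed."""
    if len(encoded) < 8 or encoded[1:3] != ":0" or encoded[6] != "|":
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    kind, ctype, vtype, issuer = encoded[0], encoded[3], encoded[4], encoded[5]
    if (kind not in CLAIM_KINDS or ctype not in CLAIM_TYPES
            or vtype not in VALUE_TYPES or issuer not in ISSUERS):
        raise ValueError(f"unknown encoding character in {encoded!r}")
    issuer_name, has_provider = ISSUERS[issuer]
    provider, value = None, encoded[7:]
    if has_provider:
        # "<provider>|<value>": split once so a '|' inside the value survives
        provider, sep, value = value.partition("|")
        if not sep or not provider:
            raise ValueError(f"missing provider name in {encoded!r}")
    if not value:
        raise ValueError(f"empty claim value in {encoded!r}")
    return {
        "kind": CLAIM_KINDS[kind], "claim_type": CLAIM_TYPES[ctype],
        "value_type": VALUE_TYPES[vtype], "original_issuer": issuer_name,
        "provider": provider, "value": value,
    }
```

Comparing the two decoded dictionaries for the same person shows they differ in issuer and provider, which is what "choose your unique ID wisely" is about.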

Page 15: Claims based authentication for mere mortals

Claims Providers

• Augmentation of claims

• Resolution of claims

Page 16: Claims based authentication for mere mortals

Windows Claims

• NTLM or Kerberos

• Automatic sign in

• Used by SharePoint internally

• Claims to Windows Token Service for outbound claims (c2wts)

Claims Provider Functions

• Augmentation with Windows security groups

• People picker does lookups in Active Directory

Page 17: Claims based authentication for mere mortals

Migrating to Windows Claims

• Planning is crucial

• Classic to claims only

• No way back

• 2 step process:

1. Changing the web application to use claims

2. Migrating the user identities

Page 18: Claims based authentication for mere mortals

Demo

Exploring Windows Claims

Page 19: Claims based authentication for mere mortals

Trusted Provider claims

• SharePoint as relying party

• Needs an external identity provider such as ADFS

• Based on open standards (SAML, WS-*)

• Logging in: just a bunch of redirects

• Migration not out of the box (custom code needed)

Setup

• Setup identity provider

• Setup trust via PowerShell

Claims Provider functions

• Nothing out of the box (custom code needed)

Page 20: Claims based authentication for mere mortals

Diagram: SAML based sign-in with a trusted provider. The Client talks to SharePoint (SharePoint STS, SharePoint Authorization, Claims Providers) and to an Identity Provider Security Token Service (IP-STS) backed by Active Directory, LiveID or ASP.NET Membership; a Trust relationship links the IP-STS and SharePoint. Steps legible in the figure: (5) service token request, (6) security token response, (7) request resource with service token.

Page 21: Claims based authentication for mere mortals

Demo

Exploring Trusted Provider Claims

Page 22: Claims based authentication for mere mortals

Federation & Single Sign On

• Chain of trusted/trusting identity providers

• Multiple use cases

extranet access, mergers & acquisitions, cross-forest authentication

• Single Sign On possibilities

• Integration with other systems like FIM, UAG or ACS

Page 23: Claims based authentication for mere mortals
Page 24: Claims based authentication for mere mortals

Claims in the real world

• When would you use claims based AuthN?

• Integration with other applications like Office

• Some stuff will break or doesn’t support claims!

• Choose your unique ID wisely

• You will probably need a custom claims provider

• Home realm discovery

• Learn to give up control

• Test test test

Page 25: Claims based authentication for mere mortals

Some last considerations…

• Use SSL

• Kerberos is not dead

• Choose your unique ID wisely

• Software prerequisites

• Token cache settings

• No 2 factor AuthN out of the box

• Custom claims provider on app server

• FAST document preview

• Debatable workaround for c2wts

• SQL, PowerPivot, PerfPoint, UPA,...

• SAML claims have the most functional issues

• Next wave of MS products

Page 26: Claims based authentication for mere mortals

Resources

• A guide to claims based identity and access control (2nd edition), MSDN

• Implementing Claims-Based Authentication with SharePoint Server 2010, TechNet

• Steve Peschka’s blog

Links & more resources available on my blog at http://thomasvochten.com

Page 27: Claims based authentication for mere mortals

We need your feedback!

Scan this QR code or visit http://svy.mk/sps2012be

Our sponsors: