TF-EMC2 | Lyon - France | February 2011 SAML 2.0 @ WORK WITH SHAREPOINT, OWA, … Jean Marie THIA
TF-EMC2 | Lyon - France | February 2011

SAML 2.0 @ WORK WITH SHAREPOINT, OWA, …

Jean Marie THIA

Agenda

• 1 - Demonstrations
• 2 - Explanations
• 3 - Story
• Questions

1 : Authentication

• Connect to a web application
• Connect to SharePoint
• Connect to Outlook Web Access

1 : SharePoint authZ

• A MS Word use case
  – From the desktop
  – From SharePoint

• Set authorization in SharePoint

Explanations

2 : SharePoint

[Diagram: SharePoint STS talks WS Fed. to ADFS 2.0; ADFS 2.0 talks SAML 2.0 to the identity provider]

2 : Outlook Web Access

[Diagram: ADFS 2.0 receives the SAML 2.0 assertion; Mapping and C2WTS turn its claims into a Windows identity; Kerberos authenticates that identity to Outlook Web Access]

2 : ADFS manipulation

• Map Shibboleth attribute
• Map OWA user

Story

Claim based access control
microsoft.identityModel

3 : WIF

• Core claims API (microsoft.identityModel)
• SAML Token
• WS Federation protocol
• SAML 2.0 protocol with Safewhere
  http://safewhere.net/products/saml-20-for-wif.aspx

3 : WIF compatibility

• IsInRole works (web.config declaration)

3 : WIF programming

    using System.Linq;
    using System.Threading;
    using Microsoft.IdentityModel.Claims;   // IClaimsPrincipal, IClaimsIdentity, Claim

    // The WIF module puts an IClaimsPrincipal on Thread.CurrentPrincipal;
    // the first identity carries the claims issued by AD FS.
    IClaimsIdentity id =
        ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];

    // you can use a simple foreach loop to find a claim...
    string usersEmail = null;
    foreach (Claim c in id.Claims)
    {
        if (c.ClaimType == System.IdentityModel.Claims.ClaimTypes.Email)
        {
            usersEmail = c.Value;
            break;
        }
    }

    // you can also use LINQ to find a claim
    string usersFirstName =
        (from c in id.Claims
         where c.ClaimType == System.IdentityModel.Claims.ClaimTypes.GivenName
         select c).First().Value;
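Added example (not from the slides, and not WIF's own sample code): a ClaimsAuthenticationManager that performs the "claims augmentation" the conclusion refers to, reusing the e-mail lookup above and adding role claims so that IsInRole works once the role claim type is declared in web.config. The namespace, class and assembly names, and the e-mail-to-role table, are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace Demo.Claims   // hypothetical namespace and assembly name
{
    // Called by the WIF module after the incoming token has been validated and
    // before the principal is placed on Thread.CurrentPrincipal. Wired up with:
    //   <microsoft.identityModel><service>
    //     <claimsAuthenticationManager type="Demo.Claims.AugmentingAuthManager, Demo" />
    //   </service></microsoft.identityModel>
    public class AugmentingAuthManager : ClaimsAuthenticationManager
    {
        // Constructed sample data standing in for a directory or database lookup.
        static readonly Dictionary<string, string[]> RolesByEmail =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice@idp.example", new[] { "Editors", "Readers" } },
                { "bob@idp.example",   new[] { "Readers" } },
            };

        public override IClaimsPrincipal Authenticate(string resourceName,
                                                      IClaimsPrincipal incomingPrincipal)
        {
            // Anonymous request: hand it back untouched.
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;

            IClaimsIdentity id = incomingPrincipal.Identities[0];

            // Same lookup as on the slide, written with LINQ; the e-mail claim was
            // issued by AD FS from the mapped Shibboleth attribute.
            Claim email = id.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Email);

            // Fail closed: no e-mail claim (or unknown e-mail) means no local roles.
            string[] roles;
            if (email == null || !RolesByEmail.TryGetValue(email.Value, out roles))
                return incomingPrincipal;

            // Augment with locally sourced role claims, tagged with a local issuer so
            // later code can tell them apart from claims asserted by the partner.
            foreach (string role in roles)
                id.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LocalAuthZ"));

            return incomingPrincipal;
        }
    }
}
```

With <roleClaimType value="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/> declared under <samlSecurityTokenRequirement> in web.config, Thread.CurrentPrincipal.IsInRole("Editors") reflects the claims added here.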

3 : ADFS 2.0

• Uses SAML 2.0 Protocol
  – Liberty Alliance IdP Lite
  – Liberty Alliance SP Lite
  – eGov SAML 2.0 Profile v1.5
• Uses WS-* Protocol
• Interoperates with Oracle, CA, SUN, Shibboleth, PingIdentity, …
• Is a separate download !

3 : ADFS 2.0 architecture

[Diagram: Active Directory Federation Services (AD FS) 2.0 components]
• Management APIs and UX
• WMI Provider
• Protocol Hosting (WS-*, SAML 2.0)
• Identity Store Interface / Policy Store Interface
• Windows Identity Foundation (WIF) API
• Metadata/Policy Management Service
• Information Card Issuance Service
• Token/Claim Issuance Service
• Configuration Database
• Account & Attribute Stores

3 : Terminologies

AD FS 2.0                       SAML 2.0
Security Token                  Assertion
Claims                          Assertion Attributes
Claims Provider                 Identity Provider
Relying Party                   Service Provider
Home Realm Discovery (HRD)
Security Token Service (STS)

3 : Azure ACS

• ADFS for the cloud
• Extended interoperability (OAuth, OpenID, Google, Facebook, etc.)

Conclusion

• +
  – Many guides.
  – AuthZ with claims augmentation.
  – Claims compatibility with old code.

• -
  – Federation metadata

ADFS v2 - Guides

• SharePoint 2010
  Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
  http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx

• Outlook Web Access 2010
  Exposing OWA 2010 with AD FS 2.0 to other organizations
  http://www.microsoft.com/france/interop/ressources/documents.aspx

• InCommon
  AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation
  http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx

Webcast

• Architecting claims-aware application
  http://www.msteched.com/2010/Europe/ARC303

• From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010
  http://www.msteched.com/2010/NorthAmerica/OSP311

• Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication
  http://www.msteched.com/2010/NorthAmerica/OSP306

• http://channel9.msdn.com/

Links at Microsoft

• Patterns & Practices: A Guide to Claims-Based Identity and Access Control
  http://msdn.microsoft.com/en-us/library/ff423674.aspx

• MSDN
  WIF : http://msdn.microsoft.com/en-us/library/ee748484.aspx
  C2WTS : http://msdn.microsoft.com/en-us/library/ee517278.aspx
  IdM : http://msdn.microsoft.com/en-us/security/aa570351.aspx

• ADFS 2.0 on TechNet
  http://technet.microsoft.com/en-us/library/adfs2(v=WS.10).aspx

Questions ?

[email protected]/jm_thia

Thanks for your attention