1 : Authentication
• Connect to a web application
• Connect to SharePoint
• Connect to Outlook Web Access
1 : SharePoint authZ
• A MS Word use case
  – From the desktop
  – From SharePoint
• Set authorization in SharePoint
3 : WIF
• Core claims API (microsoft.identityModel)
• SAML Token
• WS-Federation protocol
• SAML 2.0 protocol with Safewhere: http://safewhere.net/products/saml-20-for-wif.aspx
3 : WIF programming
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// The WIF runtime installs an IClaimsPrincipal as the thread principal; take its first identity.
IClaimsIdentity id = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];

// you can use a simple foreach loop to find a claim...
string usersEmail = null;
foreach (Claim c in id.Claims)
{
    if (c.ClaimType == System.IdentityModel.Claims.ClaimTypes.Email)
    {
        usersEmail = c.Value; // was "UsersEmail": C# is case-sensitive, so the original did not compile
        break;
    }
}

// you can also use LINQ to find a claim; FirstOrDefault avoids an exception when the token carries no such claim
Claim firstNameClaim = (from c in id.Claims
                        where c.ClaimType == System.IdentityModel.Claims.ClaimTypes.GivenName
                        select c).FirstOrDefault();
string usersFirstName = firstNameClaim == null ? null : firstNameClaim.Value;
3 : ADFS 2.0
• Uses SAML 2.0 Protocol
  – Liberty Alliance IdP Lite
  – Liberty Alliance SP Lite
  – eGov SAML 2.0 Profile v1.5
• Uses WS-* Protocol
• Interoperates with Oracle, CA, SUN, Shibboleth, PingIdentity, …
• Is a separate download!
3 : ADFS 2.0 architecture
Components shown in the Active Directory Federation Services (AD FS) 2.0 architecture diagram:
• Management APIs and UX
• WMI Provider
• Protocol Hosting (WS-*, SAML 2.0)
• Identity Store Interface
• Policy Store Interface
• Windows Identity Foundation (WIF) API
• Metadata/Policy Management Service
• Information Card Issuance Service
• Token/Claim Issuance Service
• Configuration Database
• Account & Attribute Stores
3 : Terminologies
AD FS 2.0                      SAML 2.0
Security Token                 Assertion
Claims                         Assertion Attributes
Claims Provider                Identity Provider
Relying Party                  Service Provider
Realm Home Discovery (RHD)     –
Security Token Service (STS)   –
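To make the "Assertion Attributes = Claims" row and the WIF lookup snippet concrete, here is an added, language-neutral illustration (not code from the deck, WIF or AD FS): a constructed, unsigned SAML 2.0 assertion is mapped to (claim type, value) pairs, the audience restriction is enforced so a token issued for another relying party is rejected, and the email lookup returns None instead of failing when the claim is absent. The claim type URIs are the real WS-Federation/AD FS ones; the issuer, audience and attribute values are invented sample data.

```python
import xml.etree.ElementTree as ET

# Claim type URIs behind WIF's ClaimTypes.Email / ClaimTypes.GivenName, plus the AD FS 2.0 role claim.
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; in WIF the XML signature is validated before claims are read).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:sharepoint:intranet</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Contributors</saml:AttributeValue>
      <saml:AttributeValue>Visitors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def claims_from_assertion(xml_text, expected_audience):
    """Turn SAML 2.0 assertion attributes into (claim type, value) pairs, as the STS/WIF layer does."""
    root = ET.fromstring(xml_text)
    # Audience restriction: an assertion issued for another relying party must not be accepted here.
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to this relying party")
    claims = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        for val in attr.findall("saml:AttributeValue", NS):  # multi-valued attributes yield one claim each
            claims.append((attr.get("Name"), (val.text or "").strip()))
    return claims

def first_claim(claims, claim_type):
    """The foreach lookup from the WIF slide; returns None rather than failing when the claim is absent."""
    for ctype, value in claims:
        if ctype == claim_type:
            return value
    return None

def is_authorized(claims, required_role):
    """Claims-based authZ: grant access only if the token carries the required role claim."""
    return any(ctype == ROLE and value == required_role for ctype, value in claims)
```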
3 : Azure ACS
• ADFS for the cloud
• Extended interoperability (OAuth, OpenID, Google, Facebook, etc.)
Conclusion
• +
  – Many guides.
  – AuthZ with claims augmentation.
  – Claims compatibility with old code.
• –
  – Federation metadata
ADFS v2 - Guides
• SharePoint 2010: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
  http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx
• Outlook Web Access 2010: Exposing OWA 2010 with AD FS 2.0 to other organizations
  http://www.microsoft.com/france/interop/ressources/documents.aspx
• InCommon: AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation
  http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx
Webcast
• Architecting claims-aware applications
  http://www.msteched.com/2010/Europe/ARC303
• From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010
  http://www.msteched.com/2010/NorthAmerica/OSP311
• Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication
  http://www.msteched.com/2010/NorthAmerica/OSP306
• http://channel9.msdn.com/
Links at Microsoft
• Patterns & Practices: A Guide to Claims-Based Identity and Access Control
  http://msdn.microsoft.com/en-us/library/ff423674.aspx
• MSDN
  – WIF: http://msdn.microsoft.com/en-us/library/ee748484.aspx
  – C2WTS: http://msdn.microsoft.com/en-us/library/ee517278.aspx
  – IdM: http://msdn.microsoft.com/en-us/security/aa570351.aspx
• ADFS 2.0 on TechNet
  http://technet.microsoft.com/en-us/library/adfs2(v=WS.10).aspx