Extending Authentication and Authorization

Page 1: Extending Authentication and Authorization

Silver partner: Organizer:

Extending Authentication and Authorization

Edin Kapić

Page 2: Extending Authentication and Authorization

Edin Kapić

• SharePoint Senior Architect & Team Lead in Sogeti, Barcelona
• President of SharePoint User Group Catalonia (SUG.CAT)
• Writer at Pluralsight
• SharePoint Server / Office Servers and Services MVP
• Tinker & geek

Email: [email protected]
@ekapic
LinkedIn: edinkapic

Page 3: Extending Authentication and Authorization

Agenda

• SharePoint, Authentication and Authorization
• Claims
  – Claims-based Authentication
  – Claims-based Authorization
  – Claims Augmentation and Transformation
  – Claims Providers
• Federated Authentication

Page 4: Extending Authentication and Authorization

SharePoint, Authentication & Authorization

Diagram (slide graphic): Authentication (Authentifizierung): SharePoint Web App → Authentication Provider → SPUser. Authorization (Autorisierung): Site Collection → Site → SPRoleAssignment.

Page 5: Extending Authentication and Authorization

SharePoint Authentication

• SharePoint doesn’t authenticate by itself

• It keeps user details in the user profile database and user information lists in each site collection

Page 6: Extending Authentication and Authorization

SharePoint Authorization

• Associated with principals
  – Authenticated users
  – Groups (SharePoint or AD)
  – Claims
  – App Add-in identities

Page 7: Extending Authentication and Authorization

SharePoint 2013 Authentication Options

• “Classic” Windows
  – Deprecated
• Claims-based
  – Windows tokens
  – FBA
  – SAML 1.1

Diagram (slide graphic): Windows NTLM Token, FBA User, SAML 1.1 Token → SAML Token → SPUser

Page 8: Extending Authentication and Authorization

App Add-In Authentication

• Add-ins have identity and can be assigned permissions
  – Add-ins are principals, together with users and groups
• Add-in identity vs User identity
• Add-ins use OAuth to authenticate
  – Low-trust add-ins use 3-legged OAuth (with ACS broker)
  – High-trust add-ins use self-signed tokens

Page 9: Extending Authentication and Authorization

Claims

• A claim is a piece of your identity, claimed by some authority
• Claims are received upon presenting credentials to a claims provider
• Claims providers are trusted
• Examples
  – Employee badge: name, department, clearance
  – Boarding passes: flight, seat, class, name
  – Paper wristbands: ticket type, extra services

Page 11: Extending Authentication and Authorization

SharePoint Claims

Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  Claim Value: demo\ekapic | Issuer: SharePoint | Original Issuer: SharePoint

Claim Type: http://schemas.xmlsoap.org/ws/2008/06/identity/claims/primarysid
  Claim Value: S-1-5-21-4067827123-213488314-8760374-513 | Issuer: SharePoint | Original Issuer: Windows

Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  Claim Value: [email protected] | Issuer: SharePoint | Original Issuer: Windows

Claim Type: http://schemas.microsoft.com/sharepoint/2009/08/claims/userid
  Claim Value: 0#.w|demo\ekapic | Issuer: SharePoint | Original Issuer: SecurityTokenService

Page 12: Extending Authentication and Authorization

Claims Authentication

• SharePoint augments and transforms the incoming claims to a normalized claims identity
• Can be done by more than one claims provider
• Decouples the authentication method from the user identity
• For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 to allow converting claims back into Windows identities

Page 13: Extending Authentication and Authorization

Claims Format

Claim: i:0#.w|spdemo\edin
  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “w” for Windows claims
  • “spdemo\edin” for the identity claim value (the Windows account name)

Claim: i:0e.t|adfs|[email protected]
  • “i” for an identity claim
  • “e” for the UPN property of the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “[email protected]” for the identity claim value

General format:
<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>

Reference: http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
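A small parser and encoder for the encoded claim format above, added here as an illustration (it is not code from the deck or from SharePoint). The '#', 'e', '.', 'w' and 't' codes come from the slide; the '-', '+', '5' and 'f' codes are assumed from the same encoding scheme, and the e-mail and role values are constructed. It also enforces the point that a trusted-issuer claim must carry its original issuer, since the whole encoded string is the principal SharePoint authorizes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# '#', 'e', '.', 'w', 't' are from the slide; '-' role, '+' group SID, '5' e-mail
# and 'f' forms (FBA) are assumed further codes of the same scheme (verify them
# against the TechNet claims-encoding article for your farm).
CLAIM_TYPES = {"#": "user logon name", "e": "upn", "-": "role",
               "+": "group sid", "5": "email"}
VALUE_TYPES = {".": "string"}
AUTH_MODES = {"w": "windows", "t": "trusted issuer", "f": "forms (FBA)"}

# <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer>|<ClaimValue>
# Both the "i:"/"c:" prefix and the issuer segment may be absent.
_CLAIM_RE = re.compile(
    r"^(?:(?P<prefix>[ic]):)?0(?P<ctype>.)(?P<vtype>.)(?P<auth>.)\|"
    r"(?:(?P<issuer>[^|]*)\|)?(?P<value>.+)$")


@dataclass(frozen=True)
class EncodedClaim:
    prefix: Optional[str]        # 'i' identity claim, 'c' other claim, None if absent
    claim_type: str              # single code character, e.g. '#' or 'e'
    value_type: str              # single code character, '.' = string
    auth_mode: str               # single code character: 'w', 't', 'f', ...
    original_issuer: Optional[str]
    value: str

    def describe(self) -> dict:
        """Human-readable view; unknown codes are reported, never guessed."""
        return {"identity_claim": self.prefix == "i" if self.prefix else None,
                "claim_type": CLAIM_TYPES.get(self.claim_type, f"code {self.claim_type!r}"),
                "value_type": VALUE_TYPES.get(self.value_type, f"code {self.value_type!r}"),
                "auth_mode": AUTH_MODES.get(self.auth_mode, f"code {self.auth_mode!r}"),
                "original_issuer": self.original_issuer, "value": self.value}

    def encode(self) -> str:
        """Inverse of parse_encoded_claim (exact round trip)."""
        head = f"{self.prefix}:" if self.prefix else ""
        issuer = f"{self.original_issuer}|" if self.original_issuer is not None else ""
        return f"{head}0{self.claim_type}{self.value_type}{self.auth_mode}|{issuer}{self.value}"


def parse_encoded_claim(text: str) -> EncodedClaim:
    """Split an encoded claim. A trusted-issuer ('t') claim without its issuer is
    rejected: without it, claims from two federated IdPs could collide on one value."""
    m = _CLAIM_RE.match(text)
    if not m:
        raise ValueError(f"not an encoded claim: {text!r}")
    if m["auth"] == "t" and not m["issuer"]:
        raise ValueError(f"trusted-issuer claim without original issuer: {text!r}")
    return EncodedClaim(m["prefix"], m["ctype"], m["vtype"], m["auth"], m["issuer"], m["value"])
```

Parsing the two slide claims shows why they are distinct principals: the same person arriving via Windows ("i:0#.w|...") and via ADFS ("i:0e.t|adfs|...") gets two different encoded strings, so a permission granted to one does not apply to the other.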

Page 14: Extending Authentication and Authorization

Claims Authorization

• Any claim can be used as a security principal in SharePoint

• Flexible alternative to security groups

• Claims can be surfaced by the identity token service or custom claims provider in People Picker

Page 15: Extending Authentication and Authorization

Claim Providers

• Augment and surface the claims for People Picker

• Can be generic or bound to a Trusted Identity Provider

• A custom provider inherits from the SPClaimProvider abstract class

• But, take care about thread safety: http://blogs.msdn.com/b/yvan_duhamel/archive/2014/05/21/thread-safety-in-custom-claims-providers.aspx

Page 16: Extending Authentication and Authorization

Claims Augmentation and Surfacing

Desired claim provider feature: Implements

• Claims augmentation: FillClaimsForEntity, SupportsEntityInformation
• Claims surfacing in People Picker: FillSchema, FillClaimTypes, FillClaimValueTypes, FillEntityTypes
• Claims hierarchy in People Picker left side: FillHierarchy, SupportsHierarchy
• Resolving typed claims in People Picker: FillResolve, SupportsResolve
• Searching for claims in People Picker: FillSearch, SupportsSearch

Page 17: Extending Authentication and Authorization

DEMO

Custom Claim Provider

Page 18: Extending Authentication and Authorization

Federated Authentication

• When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication

• A third-party Security Token Service (STS) issues a security token with claims

• This token is trusted by “clients” (Relying Parties, RP) as the STS is trusted by them

• Tokens are digitally signed to prevent tampering

Page 19: Extending Authentication and Authorization

Federated Authentication

• ID cards or passports are real-world examples of federated authentication

Page 20: Extending Authentication and Authorization

Federated Identity Providers

• Microsoft Active Directory Federation Services (ADFS)

• Microsoft Azure Active Directory

• Thinktecture IdentityServer

• Shibboleth
• IBM Federated Identity Manager
• ...

Page 21: Extending Authentication and Authorization

Active Directory Federation Services (ADFS)

• Part of Windows Server features

• Can transform AD into a federated IdP

• Doesn’t manage users directly, but claims, identity providers and relying parties

Page 22: Extending Authentication and Authorization

Azure Active Directory (AAD)

• “AD and ADFS in the cloud”

• Part of Azure / Office 365 offering

• Underpins most of the Office 365 / Azure hybrid architectures

Page 23: Extending Authentication and Authorization

Thinktecture IdentityServer

• Open-source IdP based on .NET and Windows Identity Framework

• Modular architecture

Page 24: Extending Authentication and Authorization

DEMO

Federated Authentication with ADFS

Page 25: Extending Authentication and Authorization

Summary

• Claims-based identity and authorization are the only way forward, so make sure that you understand them well

• You can decouple user authentication from the user identity

• You can extend your user identity with additional claims

• You can get your user identity from somewhere else

Page 26: Extending Authentication and Authorization

Additional Tools

• LDAP/AD Claims Provider
  – Surfaces users from ADFS / AD into the claims-enabled People Picker
  – https://ldapcp.codeplex.com/

Page 27: Extending Authentication and Authorization

Additional Tools

• SharePoint Identity Service
  – Service application for SharePoint
  – https://spidentityservice.codeplex.com/

Page 28: Extending Authentication and Authorization

Further Reading

• Steve Peschka’s blog https://samlman.wordpress.com

• Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/

• A Guide to Claims-Identity and Access Control https://msdn.microsoft.com/en-us/library/ff423674.aspx

Page 29: Extending Authentication and Authorization

QUESTIONS?

Page 30: Extending Authentication and Authorization

I look forward to your feedback!

Page 31: Extending Authentication and Authorization

Silver partner: Organizer:

Thank you!

Edin Kapić