SlideShare une entreprise Scribd logo
1  sur  81
Télécharger pour lire hors ligne
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the Cloud
   Senior consultant – SharePoint development
   Based in the Washington, DC metro area
   8 years SharePoint development experience

   MCPD: SharePoint Developer 2010
   MCTS: SharePoint 2010 Configuration

   Email: djessee@gmail.com
   Twitter: @dannyjessee
   Blog: http://dannyjessee.com/blog
   Authentication vs. Authorization
   Claims Authentication in SharePoint 2010
   Integrating Facebook from scratch
     New SharePoint 2010 web application
     Adding an Azure AppFabric ACS Trusted
      Identity Provider (Facebook)
     Going “beyond authentication” to surface
      Facebook data in SharePoint and vice versa
   How many of you are…
     Developers?
     System administrators?
     IT professionals?
     Others?
   Integrating SharePoint 2010 with an
    identity provider such as Facebook will
    present different challenges for each role
Claims-Based Identity, Facebook, and the Cloud
   Authentication (AuthN) is the process of
    validating a user’s identity
     SharePoint never performs authentication
   If the login prompt keeps appearing, think
    authentication issue!
     Unless it’s the dreaded
     loopback check!
   Authorization (AuthZ) is the process of
    determining the resources, features, etc. to
    which an authenticated user has access
   If you see “Access Denied” errors, think
    authorization issue!
   What is a claim?
     A piece of information describing a user
      ▪ Name
      ▪ Email Address
      ▪ Role/Group membership
      ▪ Age
      ▪ Hire Date
   Whose claims do I trust, and which claims
    affect authorization decisions I make?
   Token
     Serialized set of claims about an authenticated
     user, digitally signed by the token’s issuer
   Identity Provider (IP)
     Validates user credentials
   Security Token Service (STS)
     Builds, signs, and issues tokens containing claims
   Relying party (RP)
     Applications that makes authorization decisions
     based on claims (SharePoint 2010)
   WS-Trust, WS-Federation, SAML
     Requesting/receiving tokens
     XML representation of claims
   These emerging technologies have been
    around for awhile
     Their use in Claims-Based Identity represents a
      new approach for handling identity in applications
     Great potential in corporate environments
      ▪ Active Directory Federation Services, external LDAP, etc.
     Great potential as we move to the cloud
      ▪ Azure ACS: Facebook, Google, Windows Live ID, etc.
   Decoupling of authentication logic from
    authorization and personalization logic
     Applications no longer need to determine who
      the user is, they receive claims identifying the
      user
     Great for developers who rarely want to work
      with identity!
   Provides a common way for applications
    to acquire the identity information they
    need about users
1. “I’d like to access this protected resource.”
2. “I don’t know who you are. Identity provider, authenticate him.”
3. “My user ID is Danny and my password is BaCoNbAcOn!!1.”
4. “Hi, Danny. Here is a token you can
   use containing attributes about you.”
5. “I’d like to access this resource;
   hopefully it has the proof you need
   to authorize me!”




                                                        SharePoint 2010
Claims-Based Identity, Facebook, and the Cloud
   The Federal Bacon Administration is a
    highly innovative (and flavorful) new
    government agency that is standing up a
    new public-facing web site using
    SharePoint 2010
   They want users to sign in using their
    Facebook accounts and bring information
    from Facebook into SharePoint (and vice
    versa)
   Claims Based Authentication (Tokens)
     Windows Authentication: NTLM/Kerberos, Basic
     Forms-Based Authentication (ASP.NET
      Membership provider and Role manager)
     Other Trusted Identity providers (like Facebook!)
   Classic Mode Authentication (“Old School”)
     Windows Authentication (NTLM/Kerberos) only
   Both map authenticated users to SPUser
    objects (security principals)
   The single biggest decision of your life!
   Updated TechNet guidance:
     “For new implementations of SharePoint
     Server 2010, you should consider we
     recommend claims-based authentication.”




      http://technet.microsoft.com/en-us/library/cc262350.aspx
   Allows users to choose how to authenticate
    when multiple providers are configured
    (Mixed Authentication)




   Custom code opportunity
     http://www.orbitone.com/en/blog/archive/2010/0
     6/23/sharepoint-2010-mixed-authentication-
     automatic-login.aspx
   Visual Web Part
   Code behind:
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity;
GridView1.DataSource = claimsIdentity.Claims;
Page.DataBind();




http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
Demo #1
Claims-Based Identity, Facebook, and the Cloud
 Cloud-based service that provides an easy
  way of authenticating and authorizing users
  to gain access to web applications
 Includes support for Windows Live ID,
  Google, Yahoo, and Facebook
 Also includes support for Active Directory
  Federation Services (AD FS) 2.0
 Simple browser-based management portal
 $1.99/100k transactions (free until Nov. 30!)
 Three things must be done to add support
  for users to login to SharePoint via Facebook:
1. Create a Facebook application
      https://developers.facebook.com/apps
2.    Configure ACS for Facebook support
      Permissions you will request from Facebook users
      Relying Party application and Rule Group setup
3.    Configure ACS as a Trusted Identity Provider
      in SharePoint
   No! You can integrate external identity
    providers with SharePoint without ACS
     You have no choice if you want to use identity
     providers not currently supported by ACS
     (such as LinkedIn or Twitter)
   You will need to write your own code to:
     Ensure the user has logged in to the IP
     Obtain claim information from the IP
     Package and sign tokens (your own STS)
Demo #2
   Click “Create New App”
   Provide Display Name and Namespace




   Note App ID and App Secret values
   Provide Website URL to ACS
Demo #3
   From the ACS management portal, add a
    new Identity Provider
   Enter App ID and App Secret values from
    Facebook application you created earlier
   Enter a comma-delimited list of
    Application Permissions you want to
    request
     https://developers.facebook.com/docs/referen
     ce/api/permissions/
   In our demo, we will request:
     email,user_location,user_hometown,user_website,u
     ser_work_history,publish_stream,user_birthday,fr
     iends_birthday
   Permissions you request will be displayed
    to the end user the first time they log in




   Request the minimum subset of
    permissions you need
     Users are more likely to reject bigger requests
   Generate Rule Group
     Named set of claim rules that define which
     identity claims are passed from identity
     providers to your relying party application




   SharePoint will still need to be configured
    to make use of these claims
   Configure Relying Party application
   Provide Name, Realm, and Return URL
     Return URL: Realm + /_trust
   Choose SAML 1.1 token format
   Update Token lifetime to >600 seconds




   Select Identity providers and Rule
    groups
   Generate self-signed certificate
     C:Program FilesMicrosoft Office
     Servers14.0Tools>MakeCert.exe -r
     -pe -n
     "CN=dannyjessee.accesscontrol.wind
     ows.net" -sky exchange -ss my
     (Self-signed, exportable, subject key type
     “exchange,” store in “personal” certificate store)
   Development only! Please use a
    legitimate certificate in production!
   Upload this certificate (.pfx format) as the
    Token Signing Certificate in ACS
Demo #4
   New-SPTrustedRootAuthority
     Name, Certificate (self-signed .cer made
     earlier)
   New-SPClaimTypeMapping
     IncomingClaimType
     IncomingClaimTypeDisplayName
     LocalClaimType (or SameAsIncoming)
   New-SPTrustedIdentityTokenIssuer
     Name, Realm, ImportTrustCertificate
     ClaimsMappings, SignInUrl, IdentifierClaim
   Running this PowerShell script will add
    “Facebook” to the list of Trusted Identity
    Providers
   Eligible to be added to Claims-based web
    applications in Central Administration
   Before Facebook users will be authorized
    to access anything, we must grant them
    an appropriate level of permissions
   Best to set a “Full Read” web application
    policy for users coming in from Facebook
     In a public-facing scenario, you likely won’t
      know specific user identities to set more
      granular permissions
     Not to mention the people picker problems!
Demo #5
   All claims whose OriginalIssuer is
    TrustedProvider:Facebook




   AccessToken is the key to all user data
   Make calls to the Facebook Graph API
     https://developers.facebook.com/docs/referen
        ce/api/
       Retrieve data about the user and his/her
        friends
       Upload photos/videos, post status messages
       Data returned from Facebook in JSON format
       Requests to https://graph.facebook.com/...
        ▪ me/feed, me/friends, me/photos, me/videos
   SharePoint maintains its own certificate
    store where separate trusts must be
    configured
   http://dannyjessee.com/blog/index.php/2
    011/12/required-trust-relationships-for-
    the-facebook-c-sdk-in-sharepoint-2010/
   Need to upload two certificates in Central
    Admin (Security > Manage Trust):
     DigiCert High Assurance EV Root CA
     DigiCert High Assurance CA-3
Demo #6
   I’m sorry!
   Time to geek out with some code
   Nothing particularly special about this
    code, any .NET developer should be able
    to work similar magic
   Examples use the Facebook C# SDK
     http://csharpsdk.org
   Code snippets in these slides are not
    complete
     Do not include proper error checking/handling
     Do not show proper impersonation of System
     Account where necessary
   Please download the code
     Do not copy and paste from these slides
     I will Tweet the link and update this slide deck
     to include it
   Returned in a claim from Facebook
     A new AccessToken is issued each login
     Our key to all of the data about the logged in user
     Required for all calls to the Facebook Graph API
   Two hour lifetime by default
   To leverage this token across the site, I store
    it in the SPWeb.AllProperties property bag
     web.AllProperties[“fbAccessToken_{loginname}”]
     AllProperties required for case sensitivity
 Change                 to
 Initial display name for the SPUser is based
  on the specified IdentifierClaim
 Make this friendlier – we know their name!

if (SPContext.Current.Web.CurrentUser == null)
{
   SPUser user = web.EnsureUser("i:" + claimsIdentity.Name);
   currentUser.Name = givenName;
   currentUser.Update();
}
var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
JsonObject location = me["location"] as JsonObject;
myLocation = (string)location["name"];


       myLocation is in City, State format
       Parsed and sent to Weather Underground
        API
        http://api.wunderground.com/api/[key]/
         geolookup/conditions/forecast/q/[state]/
         [city].json
var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
SPList lstContacts = web.Lists["Contacts"];
SPListItem item = lstContacts.Items.Add();
item["First Name"] = (string)me["first_name"];
item["Last Name"] = (string)me["last_name"];
JsonArray work = me["work"] as JsonArray;
// Most recent/current employer stored in work[0]
JsonObject company = work[0] as JsonObject;
JsonObject employer = company["employer"] as JsonObject;
JsonObject position = company["position"] as JsonObject;
item["Company"] = (string)employer["name"];
item["Job Title"] = (string)position["name"];
item.SystemUpdate();
var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)
client.Get("me/friends?fields=name,birthday");
JsonArray friendData = me["data"] as JsonArray;
foreach (JsonObject friend in friendData)
{
   if (friend.ContainsKey("birthday"))
   {
      /* Some users share MM/DD of birthday, others share
         MM/DD/YYYY
          We only care about MM/DD for our purposes, and
         Facebook always pads with leading zeros */
      string birthday = (string)friend["birthday"];
      birthMonth = int.Parse(birthday.Substring(0, 2));
      birthDate = int.Parse(birthday.Substring(3, 2));
      ...
SPList lstCalendar = web.Lists["Calendar"];
SPListItem birthdayItem = lstCalendar.Items.Add();
birthdayItem["Title"] = name + (name.EndsWith("s") ? "' birthday" :
"'s birthday");
birthdayItem["EventDate"] = dtBirthday;
birthdayItem[SPBuiltInFieldId.Duration] = 60 * 60 * 24;
birthdayItem[SPBuiltInFieldId.EventType] = 1;
birthdayItem[SPBuiltInFieldId.fRecurrence] = true;
birthdayItem[SPBuiltInFieldId.fAllDayEvent] = true;
string recurrence =
"<recurrence><rule><firstDayOfWeek>su</firstDayOfWeek>" +
"<repeat><yearly yearFrequency='1' month='" + birthMonth.ToString()
+ "' day='" + birthDate.ToString() + "' /></repeat>" +
"<windowEnd>2014-01-01T00:00:00Z</windowEnd></rule></recurrence>";
birthdayItem["RecurrenceData"] = recurrence;
birthdayItem.SystemUpdate();
var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string,
object>();
dict.Add("message", "Yay for Claims-Based Identity,
Facebook, SharePoint, and Bacon!");
dict.Add("link", "http://sharepointsaturday.org/boston");
dict.Add("picture",
"http://www.sharepointsaturday.org/boston/SiteImages/2012
_SPS_Logo_300.jpg");
dict.Add("name", "SharePoint Saturday Boston Home Page");
dict.Add("caption", "April 28, 2012");
dict.Add("description", "Come see my presentation about
Claims-Based Identity in SharePoint 2010 at SPSBOS!");
client.PostAsync("me/feed", dict);
var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string,
object> {
   { "title", "I know how to post videos to
Facebook...from SharePoint!" },
   { "description", "See more at SPSBOS April 28, 2012!"
},
   { "vid1", new FacebookMediaObject { ContentType =
"video/x-flv", FileName = "facebook.flv"
}.SetValue(File.ReadAllBytes(@"C:facebook.flv")) }
};
client.PostAsync("me/videos", dict);
   Silverlight application courtesy MossLover
   Interfaces with the user’s webcam, saves
    captured images to document library
   Added event handler to upload to
    Facebook
string contentType = "image/jpeg";
var client = new Facebook.FacebookClient(fbAccessToken);
Dictionary<string, object> dict = new Dictionary<string,
object> {
   { "message", "Uploaded picture from Silverlight webcam
image capture in SharePoint!" },
   { "pic1", new FacebookMediaObject { ContentType =
contentType, FileName = properties.ListItem.File.Name
}.SetValue(properties.ListItem.File.OpenBinary()) }
};
client.PostAsync("me/photos", dict);
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the Cloud
   Similar to FBA setup for MOSS, with some
    exceptions:
     Authentication provider does not need to be
      mapped to a separate zone
     One additional Web.config to modify:
     ▪ C:Program FilesCommon FilesMicrosoft
       SharedWeb Server
       Extensions14WebServicesSecurityToken
     ▪ Add entries for connection string, Membership
       provider, Role manager
     ▪ Same modifications for Central Admin and web app
Claims-Based Identity, Facebook, and the Cloud
   General issues for all Claims implementations
     Search crawler requires NTLM in the zone it uses
     “People picker” is more of a Claims “expression
     editor”
      ▪ Custom code opportunity
     User Profiles
      ▪ LDAP or BCS connection to authentication store
     Office client integration (2007 SP2+, 2010)
      ▪ IE 8+: Trusted Sites
     No document previews with FAST Search
“After migrating to Claims in
SharePoint 2010, most of our users
were able to log in some of the
time.”
          —A less-than-thrilled system administrator
   Migration from MOSS to SharePoint 2010
     Migrate FBA Users
      ▪ $wa = get-SPWebApplication $WebAppName
      ▪ $wa.MigrateUsers($true)
     Portalsuperuser and Portalsuperreader properties
     need to be updated to reflect Claims-encoded format
      ▪ $wa.Properties["portalsuperuseraccount"] =
        "i:0#.w|domainapppool"
      ▪ $wa.Properties["portalsuperreaderaccount"] =
        "i:0#.w|domainapppool"
      ▪ $wa.Update()
     Must migrate all providers from MOSS to 2010
      ▪ i.e., NTLM and FBA if both existed prior to migration
   “Funky” display of usernames
     i:0#.w|SHRPNTAdministrator
     i:0#.f|CustomMembershipProvider|username
     i:0#.t|selfsts|test@contoso.com
      ▪ i: Microsoft.SharePoint.Administration.Claims.
           SPClaimsAuthMembershipProvider (Web.config)
      ▪ windows, forms, trusted Identity Provider
   Set DisplayName property of SPUser
     $user = Get-SPUser -Web
      http://abc.shrpnt.loc
      -Identity
      "i:0#.f|CustomMembershipProvider|username"
     $user.DisplayName = "John Doe"
     $user.Update()
   Can also be done via SharePoint object
    model
   Session expiration issues with SAML
    Claims
     Users can come back to the page hours later
      without having to log in again
     SharePoint creates a FedAuth cookie (written
      to disk) that is not a Session cookie by default
      ▪ $sts = Get-SPSecurityTokenServiceConfig
      ▪ $sts.UseSessionCookies = $true
      ▪ $sts.Update()
   Continuous redirection to/from login page
     This can happen when the TokenLifetime is less
     than the LogonTokenCacheExpirationWindow
      ▪ Default LogonTokenCacheExpirationWindow in
        SharePoint 2010 STS is 10 minutes
      ▪ Default Token Lifetime in Azure ACS is also 10 minutes
      ▪ $sts = Get-SPSecurityTokenServiceConfig
      ▪ $sts.LogonTokenCacheExpirationWindow =
        (New-TimeSpan -minutes 1)
      ▪ $sts.Update()
   Go to the login page, enter valid
    credentials, press the “Log In” button,
    and…get redirected back to the login page
    (once)
     Check the ULS logs!
      ▪ Could be token expiration timeout
      ▪ Could be something else
   SPSecurityTokenService.Issue() failed:
    System.Runtime.InteropServices.
    COMException (0x800703FA): Retrieving the
    COM class factory for component with CLSID
    {BDEADF26-C265-11D0-BCED-00A0C90AB50F}
    failed due to the following error: 800703FA.
     GPEdit: Computer Configuration >
      Administrative Templates > System > User
      Profiles
     ▪ Do not forcefully unload the users registry at user
       logoff > Set to “Enabled”
Claims-Based Identity, Facebook, and the Cloud
   Stick with Classic Mode Authentication if
    you are deploying SharePoint into a
    “simple” Active Directory environment
     Particularly if strict security controls are in
      place that are beyond your control
     Especially if you are only migrating from
      Windows authentication in MOSS
     Once you go to Claims, you can’t go back!
   If you must use Claims for your Extranet,
    try to minimize the number of zones/host
    headers used
     Default zone should be most secure
   Have a good “troubleshooter’s toolbox”
     ULS Log Viewer
     Fiddler
     Claims Viewer web part
Claims-Based Identity, Facebook, and the Cloud
   Shane Young – my hero!
     http://sharepoint911.com
   Plan Authentication Methods
    (SharePoint Server 2010)
     http://technet.microsoft.com/en-
     us/library/cc262350.aspx
   A Guide to Claims-Based Identity and
    Access Control (Microsoft Patterns and
    Practices)
     http://claimsid.codeplex.com/
   Writing Claims Providers for SharePoint
    2010
     http://msdn.microsoft.com/en-
     us/library/ff699494.aspx
   Implementing Claims-Based
    Authentication with SharePoint Server
    2010
     http://www.microsoft.com/download/en/detail
     s.aspx?id=27569
   Transparent Login with Mixed
    Authentication
     http://www.orbitone.com/en/blog/archive/201
     0/06/23/sharepoint-2010-mixed-
     authentication-automatic-login.aspx
   C# Facebook SDK
     http://facebooksdk.codeplex.com
   Azure ACS and Facebook
     http://msdn.microsoft.com/en-
     us/library/gg185967.aspx
   Steve Peschka
     http://blogs.technet.com/b/speschka/archive/
      2010/06/12/migrating-a-web-application-
      from-windows-classic-to-windows-claims-in-
      sharepoint-2010.aspx
     http://msdn.microsoft.com/en-
      us/library/hh147183.aspx
   Project Server Blog (GREAT tips for
    migrating to Claims here!!!)
     http://nearbaseline.com.au/blog/tag/claims/
   SelfSTS and Vittorio Bertocci
     http://archive.msdn.microsoft.com/SelfSTS
     http://blogs.msdn.com/b/vbertocci/archive/20
     10/08/23/selfsts-when-you-need-a-saml-
     token-now-right-now.aspx
   Paul Schaeflein
     http://www.schaeflein.net/blog/Lists/Posts/Pos
     t.aspx?ID=4
   Claims Viewer web part
     http://blogs.pointbridge.com/Blogs/nielsen_tr
     avis/Pages/Post.aspx?_ID=32
   Fiddler
     http://www.fiddler2.com/fiddler2/
   SharePoint ULS Log Viewers
     http://sharepointlogviewer.codeplex.com/
     http://ulsviewer.codeplex.com/
   Azure ACS Integration
     http://blogs.objectsharp.com/cs/blogs/steve/a
      rchive/2011/04/21/windows-azure-access-
      control-services-federation-with-
      facebook.aspx
     http://www.7388.info/index.php/article/studio/
      2011-07-29/20983.html
   Robert Bogue
     http://www.sharepointshepherd.com

Contenu connexe

Tendances

Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersCorey Roth
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)Jay Simcox
 
SharePoint 2010 authentications
SharePoint 2010 authenticationsSharePoint 2010 authentications
SharePoint 2010 authenticationsWyngate Solutions
 
24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdfTomasz Kopacz
 
Series of Visual Flow Diagrams
Series of Visual Flow DiagramsSeries of Visual Flow Diagrams
Series of Visual Flow DiagramsMike Reams
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCloudIDSummit
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittalManoj Mittal
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuthUmang Goyal
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11Vivek chan
 
Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Jorgen Thelin
 
Optimizing your job apply pages with the LinkedIn profile API
Optimizing your job apply pages with the LinkedIn profile APIOptimizing your job apply pages with the LinkedIn profile API
Optimizing your job apply pages with the LinkedIn profile APIIvo Brett
 
70 346 Managing office 365 identities
70 346 Managing office 365 identities70 346 Managing office 365 identities
70 346 Managing office 365 identitiesclounoud
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connectDerek Binkley
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11Niit Care
 

Tendances (20)

Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
AD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep Dive
 
SharePoint 2013 and ADFS
SharePoint 2013 and ADFSSharePoint 2013 and ADFS
SharePoint 2013 and ADFS
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)
 
RESTful Day 5
RESTful Day 5RESTful Day 5
RESTful Day 5
 
SharePoint 2010 authentications
SharePoint 2010 authenticationsSharePoint 2010 authentications
SharePoint 2010 authentications
 
24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf24032022 Zero Trust for Developers Pub.pdf
24032022 Zero Trust for Developers Pub.pdf
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborg
 
Series of Visual Flow Diagrams
Series of Visual Flow DiagramsSeries of Visual Flow Diagrams
Series of Visual Flow Diagrams
 
CIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in ActionCIS14: OAuth and OpenID Connect in Action
CIS14: OAuth and OpenID Connect in Action
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11
 
Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008Live Identity Services Drilldown - PDC 2008
Live Identity Services Drilldown - PDC 2008
 
Optimizing your job apply pages with the LinkedIn profile API
Optimizing your job apply pages with the LinkedIn profile APIOptimizing your job apply pages with the LinkedIn profile API
Optimizing your job apply pages with the LinkedIn profile API
 
70 346 Managing office 365 identities
70 346 Managing office 365 identities70 346 Managing office 365 identities
70 346 Managing office 365 identities
 
Ad fs
Ad fsAd fs
Ad fs
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connect
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11
 

Similaire à Claims-Based Identity, Facebook, and the Cloud

DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010Spencer Harbar
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
SPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 -  High-trust Apps for On-Premises DevelopmentSPS Belgium 2015 -  High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises DevelopmentEdin Kapic
 
Spsbe15 high-trust apps for on-premises development
Spsbe15   high-trust apps for on-premises developmentSpsbe15   high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises developmentBIWUG
 
Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point   an...Developing custom claim providers to enable authorization in share point   an...
Developing custom claim providers to enable authorization in share point an...AntonioMaio2
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...SPC Adriatics
 
High-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentHigh-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentEdin Kapic
 
e-SUAP - Security - Windows azure access control list (english version)
e-SUAP - Security - Windows azure access control list (english version)e-SUAP - Security - Windows azure access control list (english version)
e-SUAP - Security - Windows azure access control list (english version)Sabino Labarile
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Joris Poelmans
 
Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Kris Wagner
 
SPTECHCON - Who are You and What Do You Want - Working with OAuth in SharePoi...
SPTECHCON - Who are You and What Do You Want - Working with OAuth in SharePoi...SPTECHCON - Who are You and What Do You Want - Working with OAuth in SharePoi...
SPTECHCON - Who are You and What Do You Want - Working with OAuth in SharePoi...Eric Shupps
 
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.Eric Shupps
 
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Xamarin
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...NCCOMMS
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CAnton Staykov
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Amazon Web Services
 
Managing enterprise applications, permissions, and consent in Azure Active Di...
Managing enterprise applications, permissions, and consent in Azure Active Di...Managing enterprise applications, permissions, and consent in Azure Active Di...
Managing enterprise applications, permissions, and consent in Azure Active Di...CoLaboraDK
 
Managing enterprise applications, permissions, and consent in Azure Active Di...
Managing enterprise applications, permissions, and consent in Azure Active Di...Managing enterprise applications, permissions, and consent in Azure Active Di...
Managing enterprise applications, permissions, and consent in Azure Active Di...Peter Selch Dahl
 

Similaire à Claims-Based Identity, Facebook, and the Cloud (20)

DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
 
SPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 -  High-trust Apps for On-Premises DevelopmentSPS Belgium 2015 -  High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises Development
 
Spsbe15 high-trust apps for on-premises development
Spsbe15   high-trust apps for on-premises developmentSpsbe15   high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises development
 
Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point   an...Developing custom claim providers to enable authorization in share point   an...
Developing custom claim providers to enable authorization in share point an...
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...
 
High-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentHigh-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises Development
 
e-SUAP - Security - Windows azure access control list (english version)
e-SUAP - Security - Windows azure access control list (english version)e-SUAP - Security - Windows azure access control list (english version)
e-SUAP - Security - Windows azure access control list (english version)
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
 
Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Microsoft Azure Identity and O365
Microsoft Azure Identity and O365
 
SPTECHCON - Who are You and What Do You Want - Working with OAuth in SharePoi...
SPTECHCON - Who are You and What Do You Want - Working with OAuth in SharePoi...SPTECHCON - Who are You and What Do You Want - Working with OAuth in SharePoi...
SPTECHCON - Who are You and What Do You Want - Working with OAuth in SharePoi...
 
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
Who Are You and What Do You Want? Working with OAuth in SharePoint 2013.
 
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
 
Managing enterprise applications, permissions, and consent in Azure Active Di...
Managing enterprise applications, permissions, and consent in Azure Active Di...Managing enterprise applications, permissions, and consent in Azure Active Di...
Managing enterprise applications, permissions, and consent in Azure Active Di...
 
Managing enterprise applications, permissions, and consent in Azure Active Di...
Managing enterprise applications, permissions, and consent in Azure Active Di...Managing enterprise applications, permissions, and consent in Azure Active Di...
Managing enterprise applications, permissions, and consent in Azure Active Di...
 

Plus de Danny Jessee

Updating Legacy SharePoint Customizations to the Add-in Model
Updating Legacy SharePoint Customizations to the Add-in ModelUpdating Legacy SharePoint Customizations to the Add-in Model
Updating Legacy SharePoint Customizations to the Add-in ModelDanny Jessee
 
Build and Deploy Provider-hosted SharePoint Add-ins
Build and Deploy Provider-hosted SharePoint Add-insBuild and Deploy Provider-hosted SharePoint Add-ins
Build and Deploy Provider-hosted SharePoint Add-insDanny Jessee
 
Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Danny Jessee
 
Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Danny Jessee
 
Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Danny Jessee
 
Put it on a Map! Using the new Location and Map Features in SharePoint 2013
Put it on a Map! Using the new Location and Map Features in SharePoint 2013Put it on a Map! Using the new Location and Map Features in SharePoint 2013
Put it on a Map! Using the new Location and Map Features in SharePoint 2013Danny Jessee
 
Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Danny Jessee
 
Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Danny Jessee
 
Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Danny Jessee
 
Get Started with Apps for SharePoint 2013
Get Started with Apps for SharePoint 2013Get Started with Apps for SharePoint 2013
Get Started with Apps for SharePoint 2013Danny Jessee
 

Plus de Danny Jessee (10)

Updating Legacy SharePoint Customizations to the Add-in Model
Updating Legacy SharePoint Customizations to the Add-in ModelUpdating Legacy SharePoint Customizations to the Add-in Model
Updating Legacy SharePoint Customizations to the Add-in Model
 
Build and Deploy Provider-hosted SharePoint Add-ins
Build and Deploy Provider-hosted SharePoint Add-insBuild and Deploy Provider-hosted SharePoint Add-ins
Build and Deploy Provider-hosted SharePoint Add-ins
 
Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013
 
Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013
 
Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013Build Secure Cloud-Hosted Apps for SharePoint 2013
Build Secure Cloud-Hosted Apps for SharePoint 2013
 
Put it on a Map! Using the new Location and Map Features in SharePoint 2013
Put it on a Map! Using the new Location and Map Features in SharePoint 2013Put it on a Map! Using the new Location and Map Features in SharePoint 2013
Put it on a Map! Using the new Location and Map Features in SharePoint 2013
 
Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!
 
Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!
 
Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!Get Started with Apps for SharePoint 2013!
Get Started with Apps for SharePoint 2013!
 
Get Started with Apps for SharePoint 2013
Get Started with Apps for SharePoint 2013Get Started with Apps for SharePoint 2013
Get Started with Apps for SharePoint 2013
 

Dernier

RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 

Dernier (20)

RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 

Claims-Based Identity, Facebook, and the Cloud

  • 3. Senior consultant – SharePoint development  Based in the Washington, DC metro area  8 years SharePoint development experience  MCPD: SharePoint Developer 2010  MCTS: SharePoint 2010 Configuration  Email: djessee@gmail.com  Twitter: @dannyjessee  Blog: http://dannyjessee.com/blog
  • 4. Authentication vs. Authorization  Claims Authentication in SharePoint 2010  Integrating Facebook from scratch  New SharePoint 2010 web application  Adding an Azure AppFabric ACS Trusted Identity Provider (Facebook)  Going “beyond authentication” to surface Facebook data in SharePoint and vice versa
  • 5. How many of you are…  Developers?  System administrators?  IT professionals?  Others?  Integrating SharePoint 2010 with an identity provider such as Facebook will present different challenges for each role
  • 7. Authentication (AuthN) is the process of validating a user’s identity  SharePoint never performs authentication  If the login prompt keeps appearing, think authentication issue!  Unless it’s the dreaded loopback check!
  • 8. Authorization (AuthZ) is the process of determining the resources, features, etc. to which an authenticated user has access  If you see “Access Denied” errors, think authorization issue!
  • 9. What is a claim?  A piece of information describing a user ▪ Name ▪ Email Address ▪ Role/Group membership ▪ Age ▪ Hire Date  Whose claims do I trust, and which claims affect authorization decisions I make?
  • 10. Token  Serialized set of claims about an authenticated user, digitally signed by the token’s issuer  Identity Provider (IP)  Validates user credentials  Security Token Service (STS)  Builds, signs, and issues tokens containing claims  Relying party (RP)  Applications that makes authorization decisions based on claims (SharePoint 2010)
  • 11. WS-Trust, WS-Federation, SAML  Requesting/receiving tokens  XML representation of claims  These emerging technologies have been around for awhile  Their use in Claims-Based Identity represents a new approach for handling identity in applications  Great potential in corporate environments ▪ Active Directory Federation Services, external LDAP, etc.  Great potential as we move to the cloud ▪ Azure ACS: Facebook, Google, Windows Live ID, etc.
  • 12. Decoupling of authentication logic from authorization and personalization logic  Applications no longer need to determine who the user is, they receive claims identifying the user  Great for developers who rarely want to work with identity!  Provides a common way for applications to acquire the identity information they need about users
  • 13. 1. “I’d like to access this protected resource.” 2. “I don’t know who you are. Identity provider, authenticate him.” 3. “My user ID is Danny and my password is BaCoNbAcOn!!1.” 4. “Hi, Danny. Here is a token you can use containing attributes about you.” 5. “I’d like to access this resource; hopefully it has the proof you need to authorize me!” SharePoint 2010
  • 15. The Federal Bacon Administration is a highly innovative (and flavorful) new government agency that is standing up a new public-facing web site using SharePoint 2010  They want users to sign in using their Facebook accounts and bring information from Facebook into SharePoint (and vice versa)
  • 16. Claims Based Authentication (Tokens)  Windows Authentication: NTLM/Kerberos, Basic  Forms-Based Authentication (ASP.NET Membership provider and Role manager)  Other Trusted Identity providers (like Facebook!)  Classic Mode Authentication (“Old School”)  Windows Authentication (NTLM/Kerberos) only  Both map authenticated users to SPUser objects (security principals)
  • 17. The single biggest decision of your life!  Updated TechNet guidance:  “For new implementations of SharePoint Server 2010, you should consider we recommend claims-based authentication.” http://technet.microsoft.com/en-us/library/cc262350.aspx
  • 18. Allows users to choose how to authenticate when multiple providers are configured (Mixed Authentication)  Custom code opportunity  http://www.orbitone.com/en/blog/archive/2010/0 6/23/sharepoint-2010-mixed-authentication- automatic-login.aspx
  • 19. Visual Web Part  Code behind: IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal; IClaimsIdentity claimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity; GridView1.DataSource = claimsIdentity.Claims; Page.DataBind(); http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
  • 22.  Cloud-based service that provides an easy way of authenticating and authorizing users to gain access to web applications  Includes support for Windows Live ID, Google, Yahoo, and Facebook  Also includes support for Active Directory Federation Services (AD FS) 2.0  Simple browser-based management portal  $1.99/100k transactions (free until Nov. 30!)
  • 23.  Three things must be done to add support for users to login to SharePoint via Facebook: 1. Create a Facebook application  https://developers.facebook.com/apps 2. Configure ACS for Facebook support  Permissions you will request from Facebook users  Relying Party application and Rule Group setup 3. Configure ACS as a Trusted Identity Provider in SharePoint
  • 24. No! You can integrate external identity providers with SharePoint without ACS  You have no choice if you want to use identity providers not currently supported by ACS (such as LinkedIn or Twitter)  You will need to write your own code to:  Ensure the user has logged in to the IP  Obtain claim information from the IP  Package and sign tokens (your own STS)
  • 26. Click “Create New App”  Provide Display Name and Namespace  Note App ID and App Secret values  Provide Website URL to ACS
  • 28. From the ACS management portal, add a new Identity Provider
  • 29. Enter App ID and App Secret values from Facebook application you created earlier  Enter a comma-delimited list of Application Permissions you want to request  https://developers.facebook.com/docs/referen ce/api/permissions/  In our demo, we will request:  email,user_location,user_hometown,user_website,u ser_work_history,publish_stream,user_birthday,fr iends_birthday
  • 30. Permissions you request will be displayed to the end user the first time they log in  Request the minimum subset of permissions you need  Users are more likely to reject bigger requests
  • 31. Generate Rule Group  Named set of claim rules that define which identity claims are passed from identity providers to your relying party application  SharePoint will still need to be configured to make use of these claims
  • 32. Configure Relying Party application  Provide Name, Realm, and Return URL  Return URL: Realm + /_trust
  • 33. Choose SAML 1.1 token format  Update Token lifetime to >600 seconds  Select Identity providers and Rule groups
  • 34. Generate self-signed certificate  C:Program FilesMicrosoft Office Servers14.0Tools>MakeCert.exe -r -pe -n "CN=dannyjessee.accesscontrol.wind ows.net" -sky exchange -ss my (Self-signed, exportable, subject key type “exchange,” store in “personal” certificate store)  Development only! Please use a legitimate certificate in production!
  • 35. Upload this certificate (.pfx format) as the Token Signing Certificate in ACS
  • 37. New-SPTrustedRootAuthority  Name, Certificate (self-signed .cer made earlier)  New-SPClaimTypeMapping  IncomingClaimType  IncomingClaimTypeDisplayName  LocalClaimType (or SameAsIncoming)  New-SPTrustedIdentityTokenIssuer  Name, Realm, ImportTrustCertificate  ClaimsMappings, SignInUrl, IdentifierClaim
  • 38. Running this PowerShell script will add “Facebook” to the list of Trusted Identity Providers  Eligible to be added to Claims-based web applications in Central Administration
  • 39. Before Facebook users will be authorized to access anything, we must grant them an appropriate level of permissions  Best to set a “Full Read” web application policy for users coming in from Facebook  In a public-facing scenario, you likely won’t know specific user identities to set more granular permissions  Not to mention the people picker problems!
  • 41. All claims whose OriginalIssuer is TrustedProvider:Facebook  AccessToken is the key to all user data
  • 42. Make calls to the Facebook Graph API  https://developers.facebook.com/docs/referen ce/api/  Retrieve data about the user and his/her friends  Upload photos/videos, post status messages  Data returned from Facebook in JSON format  Requests to https://graph.facebook.com/... ▪ me/feed, me/friends, me/photos, me/videos
  • 43. SharePoint maintains its own certificate store where separate trusts must be configured  http://dannyjessee.com/blog/index.php/2 011/12/required-trust-relationships-for- the-facebook-c-sdk-in-sharepoint-2010/  Need to upload two certificates in Central Admin (Security > Manage Trust):  DigiCert High Assurance EV Root CA  DigiCert High Assurance CA-3
  • 45. I’m sorry!  Time to geek out with some code  Nothing particularly special about this code, any .NET developer should be able to work similar magic  Examples use the Facebook C# SDK  http://csharpsdk.org
  • 46. Code snippets in these slides are not complete  Do not include proper error checking/handling  Do not show proper impersonation of System Account where necessary  Please download the code  Do not copy and paste from these slides  I will Tweet the link and update this slide deck to include it
  • 47. Returned in a claim from Facebook  A new AccessToken is issued each login  Our key to all of the data about the logged in user  Required for all calls to the Facebook Graph API  Two hour lifetime by default  To leverage this token across the site, I store it in the SPWeb.AllProperties property bag  web.AllProperties[“fbAccessToken_{loginname}”]  AllProperties required for case sensitivity
  • 48.  Change to  Initial display name for the SPUser is based on the specified IdentifierClaim  Make this friendlier – we know their name! if (SPContext.Current.Web.CurrentUser == null) { SPUser user = web.EnsureUser("i:" + claimsIdentity.Name); currentUser.Name = givenName; currentUser.Update(); }
  • 49. var client = new Facebook.FacebookClient(token); var me = (IDictionary<string, object>)client.Get("me"); JsonObject location = me["location"] as JsonObject; myLocation = (string)location["name"];  myLocation is in City, State format  Parsed and sent to Weather Underground API  http://api.wunderground.com/api/[key]/ geolookup/conditions/forecast/q/[state]/ [city].json
  • 50. var client = new Facebook.FacebookClient(token); var me = (IDictionary<string, object>)client.Get("me"); SPList lstContacts = web.Lists["Contacts"]; SPListItem item = lstContacts.Items.Add(); item["First Name"] = (string)me["first_name"]; item["Last Name"] = (string)me["last_name"]; JsonArray work = me["work"] as JsonArray; // Most recent/current employer stored in work[0] JsonObject company = work[0] as JsonObject; JsonObject employer = company["employer"] as JsonObject; JsonObject position = company["position"] as JsonObject; item["Company"] = (string)employer["name"]; item["Job Title"] = (string)position["name"]; item.SystemUpdate();
  • 51. var client = new Facebook.FacebookClient(token); var me = (IDictionary<string, object>) client.Get("me/friends?fields=name,birthday"); JsonArray friendData = me["data"] as JsonArray; foreach (JsonObject friend in friendData) { if (friend.ContainsKey("birthday")) { /* Some users share MM/DD of birthday, others share MM/DD/YYYY We only care about MM/DD for our purposes, and Facebook always pads with leading zeros */ string birthday = (string)friend["birthday"]; birthMonth = int.Parse(birthday.Substring(0, 2)); birthDate = int.Parse(birthday.Substring(3, 2)); ...
  • 52. SPList lstCalendar = web.Lists["Calendar"]; SPListItem birthdayItem = lstCalendar.Items.Add(); birthdayItem["Title"] = name + (name.EndsWith("s") ? "' birthday" : "'s birthday"); birthdayItem["EventDate"] = dtBirthday; birthdayItem[SPBuiltInFieldId.Duration] = 60 * 60 * 24; birthdayItem[SPBuiltInFieldId.EventType] = 1; birthdayItem[SPBuiltInFieldId.fRecurrence] = true; birthdayItem[SPBuiltInFieldId.fAllDayEvent] = true; string recurrence = "<recurrence><rule><firstDayOfWeek>su</firstDayOfWeek>" + "<repeat><yearly yearFrequency='1' month='" + birthMonth.ToString() + "' day='" + birthDate.ToString() + "' /></repeat>" + "<windowEnd>2014-01-01T00:00:00Z</windowEnd></rule></recurrence>"; birthdayItem["RecurrenceData"] = recurrence; birthdayItem.SystemUpdate();
  • 53. var client = new Facebook.FacebookClient(token); Dictionary<string, object> dict = new Dictionary<string, object>(); dict.Add("message", "Yay for Claims-Based Identity, Facebook, SharePoint, and Bacon!"); dict.Add("link", "http://sharepointsaturday.org/boston"); dict.Add("picture", "http://www.sharepointsaturday.org/boston/SiteImages/2012 _SPS_Logo_300.jpg"); dict.Add("name", "SharePoint Saturday Boston Home Page"); dict.Add("caption", "April 28, 2012"); dict.Add("description", "Come see my presentation about Claims-Based Identity in SharePoint 2010 at SPSBOS!"); client.PostAsync("me/feed", dict);
  • 54. var client = new Facebook.FacebookClient(token); Dictionary<string, object> dict = new Dictionary<string, object> { { "title", "I know how to post videos to Facebook...from SharePoint!" }, { "description", "See more at SPSBOS April 28, 2012!" }, { "vid1", new FacebookMediaObject { ContentType = "video/x-flv", FileName = "facebook.flv" }.SetValue(File.ReadAllBytes(@"C:facebook.flv")) } }; client.PostAsync("me/videos", dict);
  • 55. Silverlight application courtesy MossLover  Interfaces with the user’s webcam, saves captured images to document library
  • 56. Added event handler to upload to Facebook string contentType = "image/jpeg"; var client = new Facebook.FacebookClient(fbAccessToken); Dictionary<string, object> dict = new Dictionary<string, object> { { "message", "Uploaded picture from Silverlight webcam image capture in SharePoint!" }, { "pic1", new FacebookMediaObject { ContentType = contentType, FileName = properties.ListItem.File.Name }.SetValue(properties.ListItem.File.OpenBinary()) } }; client.PostAsync("me/photos", dict);
  • 60. Similar to FBA setup for MOSS, with some exceptions:  Authentication provider does not need to be mapped to a separate zone  One additional Web.config to modify: ▪ C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions14WebServicesSecurityToken ▪ Add entries for connection string, Membership provider, Role manager ▪ Same modifications for Central Admin and web app
  • 62. General issues for all Claims implementations  Search crawler requires NTLM in the zone it uses  “People picker” is more of a Claims “expression editor” ▪ Custom code opportunity  User Profiles ▪ LDAP or BCS connection to authentication store  Office client integration (2007 SP2+, 2010) ▪ IE 8+: Trusted Sites  No document previews with FAST Search
  • 63. “After migrating to Claims in SharePoint 2010, most of our users were able to log in some of the time.” —A less-than-thrilled system administrator
  • 64. Migration from MOSS to SharePoint 2010  Migrate FBA Users ▪ $wa = get-SPWebApplication $WebAppName ▪ $wa.MigrateUsers($true)  Portalsuperuser and Portalsuperreader properties need to be updated to reflect Claims-encoded format ▪ $wa.Properties["portalsuperuseraccount"] = "i:0#.w|domainapppool" ▪ $wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domainapppool" ▪ $wa.Update()  Must migrate all providers from MOSS to 2010 ▪ i.e., NTLM and FBA if both existed prior to migration
  • 65. “Funky” display of usernames  i:0#.w|SHRPNTAdministrator  i:0#.f|CustomMembershipProvider|username  i:0#.t|selfsts|test@contoso.com ▪ i: Microsoft.SharePoint.Administration.Claims. SPClaimsAuthMembershipProvider (Web.config) ▪ windows, forms, trusted Identity Provider
  • 66. Set DisplayName property of SPUser  $user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"  $user.DisplayName = "John Doe"  $user.Update()  Can also be done via SharePoint object model
  • 67. Session expiration issues with SAML Claims  Users can come back to the page hours later without having to log in again  SharePoint creates a FedAuth cookie (written to disk) that is not a Session cookie by default ▪ $sts = Get-SPSecurityTokenServiceConfig ▪ $sts.UseSessionCookies = $true ▪ $sts.Update()
  • 68. Continuous redirection to/from login page  This can happen when the TokenLifetime is less than the LogonTokenCacheExpirationWindow ▪ Default LogonTokenCacheExpirationWindow in SharePoint 2010 STS is 10 minutes ▪ Default Token Lifetime in Azure ACS is also 10 minutes ▪ $sts = Get-SPSecurityTokenServiceConfig ▪ $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1) ▪ $sts.Update()
  • 69. Go to the login page, enter valid credentials, press the “Log In” button, and…get redirected back to the login page (once)  Check the ULS logs! ▪ Could be token expiration timeout ▪ Could be something else
  • 70. SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices. COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.  GPEdit: Computer Configuration > Administrative Templates > System > User Profiles ▪ Do not forcefully unload the users registry at user logoff > Set to “Enabled”
  • 72. Stick with Classic Mode Authentication if you are deploying SharePoint into a “simple” Active Directory environment  Particularly if strict security controls are in place that are beyond your control  Especially if you are only migrating from Windows authentication in MOSS  Once you go to Claims, you can’t go back!
  • 73. If you must use Claims for your Extranet, try to minimize the number of zones/host headers used  Default zone should be most secure  Have a good “troubleshooter’s toolbox”  ULS Log Viewer  Fiddler  Claims Viewer web part
  • 75. Shane Young – my hero!  http://sharepoint911.com  Plan Authentication Methods (SharePoint Server 2010)  http://technet.microsoft.com/en- us/library/cc262350.aspx  A Guide to Claims-Based Identity and Access Control (Microsoft Patterns and Practices)  http://claimsid.codeplex.com/
  • 76. Writing Claims Providers for SharePoint 2010  http://msdn.microsoft.com/en- us/library/ff699494.aspx  Implementing Claims-Based Authentication with SharePoint Server 2010  http://www.microsoft.com/download/en/detail s.aspx?id=27569
  • 77. Transparent Login with Mixed Authentication  http://www.orbitone.com/en/blog/archive/201 0/06/23/sharepoint-2010-mixed- authentication-automatic-login.aspx  C# Facebook SDK  http://facebooksdk.codeplex.com  Azure ACS and Facebook  http://msdn.microsoft.com/en- us/library/gg185967.aspx
  • 78. Steve Peschka  http://blogs.technet.com/b/speschka/archive/ 2010/06/12/migrating-a-web-application- from-windows-classic-to-windows-claims-in- sharepoint-2010.aspx  http://msdn.microsoft.com/en- us/library/hh147183.aspx  Project Server Blog (GREAT tips for migrating to Claims here!!!)  http://nearbaseline.com.au/blog/tag/claims/
  • 79. SelfSTS and Vittorio Bertocci  http://archive.msdn.microsoft.com/SelfSTS  http://blogs.msdn.com/b/vbertocci/archive/20 10/08/23/selfsts-when-you-need-a-saml- token-now-right-now.aspx  Paul Schaeflein  http://www.schaeflein.net/blog/Lists/Posts/Pos t.aspx?ID=4
  • 80. Claims Viewer web part  http://blogs.pointbridge.com/Blogs/nielsen_tr avis/Pages/Post.aspx?_ID=32  Fiddler  http://www.fiddler2.com/fiddler2/  SharePoint ULS Log Viewers  http://sharepointlogviewer.codeplex.com/  http://ulsviewer.codeplex.com/
  • 81. Azure ACS Integration  http://blogs.objectsharp.com/cs/blogs/steve/a rchive/2011/04/21/windows-azure-access- control-services-federation-with- facebook.aspx  http://www.7388.info/index.php/article/studio/ 2011-07-29/20983.html  Robert Bogue  http://www.sharepointshepherd.com

Notes de l'éditeur

  1. This is all admin/IT pro stuff…
  2. Liam Cleary makes a good point about how anonymous access is one case where Authorization precedes Authentication.
  3. WS-Trust: how to request and receive security tokensWS-Federation: architecture for cleanseparation between trust mechanisms, security tokens formats, and the protocols for obtaining tokensSAML: XML vocabulary used to represent claims in an interoperable way
  4. Liam Cleary’s analogy of drivers licenses and vehicle registrations; police officers. HTTP 302 redirects. Can verify this with Fiddler.
  5. This is all admin/IT pro stuff…
  6. Claims opens up all the doors to you…FBA, Trusted Identity Providers (external-outside world)
  7. Can always go from Classic to Claims, can’t go back!!!
  8. Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.
  9. This is all admin/IT pro stuff…
  10. Here is where the devs get to do cool stuff!
  11. As you plan custom claims providers for use with People Picker in your SharePoint solution, consider the following questions:What will be the source of the values for the users and roles that will be displayed in People Picker query results?What claim data do you want to resolve in the Select People and Groups dialog box?You don’t necessarily need to go through the API or PowerShell, if you have a connection to an LDAP store or a BCS connection to your auth store. You can also map the properties yourself and leave it to the User Profile Synchronization service. That being said, if you’re dependent on BCS then you’ll also need to have SharePoint Enterprise Server license which isn’t available to all customers.Once you’re done you should be able to visit any of the users in your site collection and see their “Name” property set to something that is less likely to confuse your user base. Once the value is set, it helps to make sure that it doesn’t get stomped with any User Profile Synchronization (UPS) that may be in place in your farm.
  12. So basically the ticket was issued by ACS/upstream identity provider for 10 minutes, SharePoint checks it a millisecond later and says, wall this ticket expires in less time that my expiration window, so go get a new ticket from ACS.
  13. And, of course, always test testtest…