Developing Custom Claim Providers to Enable Authorization in SharePoint - Antonio Maio.
With the release of SharePoint 2010, Microsoft introduced the concepts of Claims Based Authentication and Authorization. SharePoint 2013 went a step further making Claims Based Authentication the default method for authenticating users when they login. Claims, and identities in general, are playing a bigger role in the security capabilities of systems like SharePoint, enabling us to solve some new and exciting security challenges. Typically we authorize the content that users have access to using SharePoint permissions, however authentication scenarios can be extended in new and interesting ways by developing a custom component called a Custom Claim Provider. This session will introduce the concepts of Claims Based Authentication and Authorization in SharePoint and provide step by step instructions on how to develop and deploy Custom Claim Providers. The session will also walk through several examples of how custom Claim Providers can enhance SharePoint security and authorization.
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Develop Custom Claim Providers
1. Developing Custom Claim Providers
to Enable Authorization in SharePoint
Antonio Maio
Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Email: Antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2
2. Agenda
Introduction: Claims in SharePoint 2013
Getting the Right Claims for Authorization
Developing a Custom Claim Provider
Example Claim Providers
Deployment and Final Considerations
4. Authentication vs Authorization
Authentication
Process of determining that a user is who they say
they are
Authorization
Process of determining resources a user has access
to and the level of access they are granted
5. Authentication Options
Claims Based Authentication (Default)
Forms Based Authentication
(FBA – thru Claims)
Classic Mode
Integrated Windows Authentication
NTLM
Kerberos
Basic Authentication
Only configurable through PowerShell
Classic Mode has been
deprecated!
Configuration UI has been removed
and is only available thru PowerShell.
6. Claims Based Identity
What is a Claim?
A statement that one subject makes about itself :
name, identity, group, privilege, capability, etc.
Examples: name, email, logon name, security groups,
employment status, security clearance, department, etc.
What is Claims Based Identity/Authentication
A standards based exchange and trust identities across networks
Trust is a key element – achieved through digital signatures
Claims are packaged in a standard format (SAML)…
issued and digitally signed by a trusted source (security token
service)…
and exchanged over a standard protocol (SAML)
7. Claims Based Authentication
Claims are an Authentication Mechanism
Based on SAML or WS-Federation (Passive) tokens
Supports WS-Fed
Supports SAML 2.0 token format, SAML 1.1 protocol
SharePoint Online
Supports SAML 2.0 protocol, WS-Fed (Passive)
Result: Authenticated User & Security Token
Built-in SharePoint Security Token Service (STS)
Integrated Windows Authentication
Forms Based Authentication
Trusted Identity Provider
External STS (Ex. Active Directory Federation Services – ADFS)
8. Claims Based Authentication
Configured within Central Administration on each Web Application
• In Central Admin > Click Manage Web Applications
• Select the specific Web Application
• Click Authentication Providers
• Select the Zone
• Select the authentication protocol
9. Claims as Permissions
Claims are also trusted attributes about users
Tokens are digitally signed by the issuer (IP-STS)
Claims can be assigned as permissions
With a permission level
Assign to sites, libraries, folders, items/documents
SharePoint applies permissions based on
claims
User with matching claim when they sign in, SharePoint grants
level of access to content
Behave like domain groups
10. SharePoint Permission Examples
Users, Groups or Claims
Finance (AD Group) has Full Control on Library A
Contractors (SP Group) has Read access on site B
John.Smith (AD user) has Contribute access on Document C
‘Clearance=Secret’ has Full Control access on Document X
‘EmploymentStatus=FTE’ has Contribute access on Site Z
User, Group, or Claim
(also called a ‘Principle’)
Permission Level
(collection of permissions)
Information Object
(item or container)
12. Claims Based Authorization
Specific to the user
Performed done without knowing who the user is
Dynamic – ex. changes in a user’s security clearance
Based on external systems (HR systems, SQL, etc.)
Alternative to security groups – Groups do not scale
Policy Example: user must be part of GroupA and
GroupB and GroupC to access a resources
13. What types of claims do we need?
Military, Intelligence, Government Defense
Security Clearance
Caveat
Need to Know
Commercial
Department or Team
Role
Current Date/Time, Current Device (BYOD)
Group Membership with multiple groups
Aerospace/Defense Contracting
Nationality + Current Location
Homeland Security
Agency (law enforcement, emergency response, public health…)
Scope or Level (local, state, federal)
Current Threat Level
14. Identity Provider (IP)
Claims Based Authentication
Process/Call Flow
SharePoint
2013
Active Directory
(AD DS)
Active Directory
Federation Services
(ADFS)
1
2
3
4
5
6
7
1 Request a web page
2 Obtain login page from
the ADFS server
3 Request a SAML security
token
4 Validate user credentials
with the identity provider
5 Send a SAML security
token
6 Send a new web page request
containing the SAML token
7 Create SharePoint security token
& send the requested web page Fed Auth
Cookie
Custom Claim Provider
Custom Claim Provider
…
Custom Claim Provider
<Claim>
<Claim>
<Claim>
ADFS Signing
Cert
Public Portion of
ADFS Signing
Cert
16. Custom Claim Providers
SharePoint farm level feature
Can deploy more than one
Called after user is authenticated
After Trusted Identity Provider has already returned
claims
Built on WIF (Windows Identity Framework)
Used to augment claims
Used to transform claims
Used to resolve/search claims in People Picker
17. Building a Custom Claim Provider
1. Add necessary References
Microsoft.SharePoint
Microsoft.IdentityModel
Browse to find it in Program FilesReference AssembliesMicrosoftWindows Identity Foundationv3.5Microsoft.IdentityModel.dll
2. Add necessary Using statements
using System;
using System.Xml;
using System.IO;
using System.ServiceModel.Channels;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;
3. Add a Class which inherits from SPClaimProvider
namespace SampleClaimProvider
{
public class ClearanceClaimProvider : SPClaimProvider
{
public ClearanceClaimProvider (string displayName) : base(displayName)
{
}
}
}
18. Building a Custom Claim Provider
4. Implement the Abstract class
Methods:
FillClaimTypes
FillClaimValueTypes
FillClaimsForEntity
FillEntityTypes
FillHierarchy
FillResolve(2 overrides)
FillSchema
FillSearch
Properties:
Name
SupportsEntityInformation
SupportsHierarchy
SupportsResolve
SupportsSearch
public class ClearanceClaimProvider:SPClaimProvider
{
}
Right click on SPClaimProvider and select…
19. Building a Custom Claim Provider
5. Implement Required Properties
public override string Name
{get { return ProviderInternalName; }}
public override bool SupportsEntityInformation
{get { return true; }}
public override bool SupportsHierarchy
{get { return true; }}
public override bool SupportsResolve
{get { return true; }}
public override bool SupportsSearch
{get { return true; }}
Must return True for
Claims Augmentation
Returns the Claim
Provider unique
name
Supports hierarchy
display in people
picker
Supports resolving
claim values
Supports search
operation
20. Building a Custom Claim Provider
6. Create Static Properties for Name
internal static string ProviderDisplayName
{
get { return “Security Clearance"; }
}
internal static string ProviderInternalName
{
get { return “SecurityClearanceProvider"; }
}
21. Building a Custom Claim Provider
7. Create Data Source and Helper Functions
private string[] SecurityLevels = new string[]
{ "None", "Confidential", "Secret", "Top Secret" };
private static string ClearanceClaimType
{
get { return "http://schemas.sample.local/clearance"; }
}
private static string ClearanceClaimValueType
{
get { return Microsoft.IdentityModel.Claims.ClaimValueTypes.String;}
}
• Adding a claim with type URL http://schemas.sample.local/clearance and the
claim’s value is a string
22. Building a Custom Claim Provider
8. Implement Methods to Augment Claims
FillClaimTypes
FillClaimValueTypes
FillClaimsForEntity
protected override void FillClaimTypes(List<string> claimTypes)
{
if (claimTypes == null)
throw new ArgumentNullException("claimTypes");
claimTypes.Add(ClearanceClaimType);
}
protected override void FillClaimValueTypes(List<string> claimValueTypes)
{
if (claimValueTypes == null)
throw new ArgumentNullException("claimValueTypes");
claimValueTypes.Add(ClearanceClaimValueType);
}
23. 9. Implement FillClaimsForEntity to augment claims
protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
{
if (entity == null)
throw new ArgumentNullException("entity");
if (claims == null)
throw new ArgumentNullException("claims");
if (String.IsNullOrEmpty(entity.Value))
throw new ArgumentException("Argument null or empty",
"entity.Value");
//if existing Clearance claim is ‘top secret’ then add lower levels clearances
if (. . .)
{
claims.Add(CreateClaim(ClearanceClaimType, SecurityLevels[0],
ClearanceClaimValueType));
claims.Add(CreateClaim(ClearanceClaimType, SecurityLevels[1],
ClearanceClaimValueType));
claims.Add(CreateClaim(ClearanceClaimType, SecurityLevels[2],
ClearanceClaimValueType));
}
. . .
}
Building a Custom Claim Provider
24. Customizing the People Picker
FillEntityTypes
Set of possible claims to display in the people picker
FillHierarchy
Hierarchy for displaying claims in the people picker
FillResolve(2 overrides)
Resolving claims specified in the people picker
FillSchema
Specifies the schema that is used by people picker to
display claims/entity data
FillSearch
Fills in search results in people picker window
Other Important Methods: Replacing the People Picker
25. Using Claims for Authorization
You will assign claims as permissions either
Through People Picker
Programmatically through code
In both cases you must implement
FillEntityTypes
FillHierarchy
FillResolve(2 overrides)
FillSchema
FillSearch
…or the augmented claims will not be available to you!
26. Using Claims for Authorization
FillEntityTypes
protected override void FillEntityTypes(List<string> entityTypes)
{
//Return the type of entity claim we are using
entityTypes.Add(SPClaimEntityTypes.FormsRole);
}
27. Using Claims for Authorization
FillHierarchy
protected override void FillHierarchy(Uri context, string[] entityTypes,
string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy)
{
if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
return;
switch (hierarchyNodeID)
{
case null: // when it 1st loads, add all our nodes
hierarchy.AddChild(new Microsoft.SharePoint.WebControls.SPProviderHierarchyNode
(SecurityClearance.ProviderInternalName,
“SecurityClearance”, “Security Clearance”, true));
break;
default:
break;
}
}
hierarchy.AddChild(new Microsoft.SharePoint.WebControls.SPProviderHierarchyNode
(SecurityClearance.ProviderInternalName,
“Caveat”, “Caveat”, true));
28. Using Claims for Authorization
FillResolve (1st override)
protected override void FillResolve(Uri context, string[] entityTypes,
SPClaim resolveInput, List<PickerEntity> resolved)
{
if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
return;
Microsoft.SharePoint.WebControls.PickerEntity pe = GetPickerEntity
(resolveInput.ClaimType, resolveInput.Value);
resolved.Add(pe);
}
29. Using Claims for Authorization
FillResolve (2nd override)
protected override void FillResolve(Uri context, string[] entityTypes,
string resolveInput, List<PickerEntity> resolved)
{
if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
return;
//create a matching entity and add it to the return list of picker entries
Microsoft.SharePoint.WebControls.PickerEntity pe = GetPickerEntity
(ClearanceClaimType, resolveInput);
resolved.Add(pe);
pe = GetPickerEntity(CaveatClaimType, resolveInput);
resolved.Add(pe);
30. Using Claims for Authorization
GetPickerEntity
private Microsoft.SharePoint.WebControls.PickerEntity GetPickerEntity
(string ClaimType, string ClaimValue)
{
Microsoft.SharePoint.WebControls.PickerEntity pe = CreatePickerEntity();
// set the claim associated with this match & tooltip displayed
pe.Claim = CreateClaim(ClaimType, ClaimValue, ClaimValueType);
pe.Description = SecurityClearance.ProviderDisplayName + ":" + ClaimValue;
// Set the text displayed in people picker
pe.DisplayText = ClaimValue;
// Store in hash table, plug in as a role type entity & flag as resolved
pe.EntityData[Microsoft.SharePoint.WebControls.PeopleEditorEntityDataKeys.
DisplayName] = ClaimValue;
pe.EntityType = SPClaimEntityTypes.FormsRole;
pe.IsResolved = true;
pe.EntityGroupName = "Additional Claims";
return pe;
}
31. Using Claims for Authorization
FillSchema
protected override void FillSchema(SPProviderSchema schema)
{
schema.AddSchemaElement(new Microsoft.SharePoint.WebControls.SPSchemaElement(
Microsoft.SharePoint.WebControls.PeopleEditorEntityDataKeys.DisplayName,
"Display Name", Microsoft.SharePoint.WebControls.SPSchemaElementType.Both));
}
32. Using Claims for Authorization
FillSearch
protected override void FillSearch(Uri context, string[] entityTypes,
string searchPattern, string hierarchyNodeID,int maxCount,
SPProviderHierarchyTree searchTree)
{
if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
return;
// The node where we will place our matches
Microsoft.SharePoint.WebControls.SPProviderHierarchyNode matchNode = null;
Microsoft.SharePoint.WebControls.PickerEntity pe = GetPickerEntity
(ClearanceClaimType, searchPattern);
if (!searchTree.HasChild(“SecurityClearance”))
{ // create the node so that we can show our match in there too
matchNode = new Microsoft.SharePoint.WebControls.SPProviderHierarchyNode
(SecurityClearance.ProviderInternalName, “Security Clearance”,
“SecurityClearance”, true);
searchTree.AddChild(matchNode);
}
else
33. Using Claims for Authorization
FillSearch
protected override void FillSearch(Uri context, string[] entityTypes,
string searchPattern, string hierarchyNodeID,int maxCount,
SPProviderHierarchyTree searchTree)
{
if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
return;
// The node where we will place our matches
Microsoft.SharePoint.WebControls.SPProviderHierarchyNode matchNode = null;
Microsoft.SharePoint.WebControls.PickerEntity pe = GetPickerEntity
(ClearanceClaimType, searchPattern);
if (!searchTree.HasChild(“SecurityClearance”))
{ // create the node so that we can show our match in there too
matchNode = new Microsoft.SharePoint.WebControls.SPProviderHierarchyNode
(SecurityClearance.ProviderInternalName, “Security Clearance”,
“SecurityClearance”, true);
searchTree.AddChild(matchNode);
}
else
{
// get the node for this security level
matchNode = searchTree.Children.Where(theNode => theNode.HierarchyNodeID
== “SecurityClearance”).First();
}
// add the picker entity to our tree node
matchNode.AddEntity(pe);
}
35. Claim Provider Examples
Example 1: Access sensitive information only during
work hours
protected override void FillClaimsForEntity(Uri context, SPClaim entity,
List<SPClaim> claims)
{
. . .
DateTime now = DateTime.Now;
if((now.DayOfWeek == DayOfWeek.Saturday)||(now.DayOfWeek == DayOfWeek.Sunday))
{
claims.Add(CreateClaim(WorkDayClaimType,”false”, WorkDayClaimValueType));
return;
}
//9 o'clock AM
DateTime start = new DateTime(now.Year, now.Month, now.Day, 9, 0, 0));
//5 o'clock PM
DateTime end = new DateTime(now.Year, now.Month, now.Day, 17, 0, 0));
if ((now < start) || (now > end))
{
claims.Add(CreateClaim(WorkDayClaimType,”false”, WorkDayClaimValueType));
return;
}
claims.Add(CreateClaim(WorkDayClaimType, ”true”, WorkDayClaimValueType));
}
36. Claim Provider Examples
Example 2: Information Release Dates for
Mergers and Acquisitions
Create a SharePoint list: release dates registered for each acquisition –
name it ‘Acquisition Release Register’
List item specifies: acquisition project name, release date
Document library holding acquisition documents: add a ‘lookup’
metadata column pointing to ‘Acquisition Release Register’
With every document added user selects a release entry from the Acquisition Release
Register
Use 3rd party tools or code to add a claim based permission to the item that matches
the metadata column value (project name)
Custom claim provider uses SQL DB to retrieve all entries for Acquisition
Release Register
Custom claim provider compares current date to entries in Acquisition
Release Register
If now is later than release date then add project name to user’s claims
If user has claim in their identity matching acquisition project name,
then they get access to the acquisition documents
38. Deploying Custom Claim Provider
Deployed as a Farm Level Feature Receiver –
requires more code
Must inherit from SPClaimProviderFeatureReceiver (lots
of examples)
Can deploy multiple claim providers
Called in order of deployment
Once deployed - Available in every web app, in very
zone
Can cause performance issues
When user logs in, all Custom Claim Providers deployed get
called
Set IsUsedByDefault property in Feature Receiver Def'n to
False, then turn it on manually for required web apps
39. Some Final Considerations
Reach out to SQL database, LDAP, Repository for attributes
which will get added as claims
Custom Claim Provider running in the context of the web
application, and not the site the user is logging into
Logged in as the Central Admin Service Account
Do not have context
(Most methods have no HTTP Context nor SPContext.Current)
Cannot directly access data on the Site you signed into
For Debugging use a Claims Testing Web Part in SharePoint:
http://blogs.technet.com/b/speschka/archive/2010/02/13/figuring-
out-what-claims-you-have-in-sharepoint-2010.aspx
40. Developing Custom Claim Providers
to Enable Authorization
Antonio Maio
Senior SharePoint Architect & Senior Manager
Microsoft SharePoint Server MVP
Email: Antonio.maio@protiviti.com
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2
Thank You!
41. Appendix: PowerShell to Register Trusted
Provider & Map Claim Types
# Make sure the claim types are properly defined in the ADFS server
$map = New-SPClaimTypeMapping -IncomingClaimType
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -
IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType
"http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName
"Role" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.sp.local/EmployeeStatus" -
IncomingClaimTypeDisplayName "EmployeeStatus" -SameAsIncoming
# The realm will identify the web app in ADFS. It is generally created in the form "urn:foo:bar"
$realm = "urn:sp-server-2010.sp.local:sharepoint2010"
# Use the certificate that has been exported from the ADFS server
$cert = New-Object
System.Security.Cryptography.X509Certificates.X509Certificate2("c:adfs20Certificate.cer")
# The url below will tell SharePoint where to redirect to in order to authenticate with the STS
# so this should have the ADFS url, plus the protocol (Windows integrated security - "/adfs/ls")
$signinurl = "https://adfs20.sp.local/adfs/ls"
# Adds the STS (AD FS 2.0) to SharePoint
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20 Provider" -Description "SharePoint secured by
ADFS20" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3 -SignInUrl
$signinurl -IdentifierClaim $map.InputClaimType
# The certificate imported from the ADFS should be added to the trusted store
New-SPTrustedRootAuthority -Name "ADFS Token Signing Root Authority" -Certificate $cert
42. Appendix: Claims Viewer Web Part
Add the claim viewer web part to your site pages when
testing custom claim providers: