11. Options for Retrieving/Managing Claims
    [Diagram: claims-based sign-in flow for SharePoint 2010; recoverable steps and components]
    1. User login (with username & password) from the client system, ex. web browser
    2. Client requests authentication & a SharePoint token from the Secure Token Server (STS) / Trusted Identity Provider, ex. Active Directory Federation Services (ADFS version 2.0)
    3. STS gets info (claims) about the user, via claim rules and an IAttributeStore, from a database or directory, ex. Active Directory, SQL DB, LDAP, PKI etc…
    4. STS authenticates the user & creates a token with claims (token format: SAML/WS-Fed)
    5. User is authenticated and SharePoint 2010 now has the user’s claims; a Custom Claim Provider inside SharePoint 2010 can add further claims
12. Focus: Custom Claim Providers
    [Diagram: the same sign-in flow, highlighting the Custom Claim Provider inside SharePoint 2010, with Active Directory as the attribute source]
    1. User login (with username & password) from the client system, ex. web browser
15. References: Microsoft.SharePoint, Microsoft.IdentityModel
    Browse to find it in Program Files\Reference Assemblies\Microsoft\Windows Identity Foundation\v3.5\Microsoft.IdentityModel.dll

    using System;
    using System.Xml;
    using System.IO;
    using System.ServiceModel.Channels;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using Microsoft.SharePoint;
    using Microsoft.SharePoint.Administration;
    using Microsoft.SharePoint.Administration.Claims;
    using Microsoft.SharePoint.WebControls;

    namespace SampleClaimProvider
    {
        public class ClearanceClaimProvider : SPClaimProvider
        {
            // SharePoint instantiates the provider with its display name
            public ClearanceClaimProvider(string displayName)
                : base(displayName)
            {
            }
        }
    }
16. 4. Implement the Abstract Class
    public class ClearanceClaimProvider : SPClaimProvider
    {
    }
    Right click on SPClaimProvider and select…

    Methods:
      FillClaimTypes
      FillClaimValueTypes
      FillClaimsForEntity
      FillEntityTypes
      FillHierarchy
      FillResolve (2 overrides)
      FillSchema
      FillSearch
    Properties:
      Name
      SupportsEntityInformation
      SupportsHierarchy
      SupportsResolve
      SupportsSearch
17. Properties
    // Returns the claim provider's unique name
    public override string Name
    { get { return ProviderInternalName; } }

    // Must return true for claims augmentation
    public override bool SupportsEntityInformation
    { get { return true; } }

    // Supports hierarchy display in the people picker
    public override bool SupportsHierarchy
    { get { return true; } }

    // Supports resolving claim values
    public override bool SupportsResolve
    { get { return true; } }

    // Supports the search operation
    public override bool SupportsSearch
    { get { return true; } }
19. // Ordered from least to most privileged
    private string[] SecurityLevels = new string[]
        { "None", "Confidential", "Secret", "Top Secret" };

    private static string ClearanceClaimType
    {
        get { return "http://schemas.sample.local/clearance"; }
    }

    private static string ClearanceClaimValueType
    {
        get { return Microsoft.IdentityModel.Claims.ClaimValueTypes.String; }
    }

    • Adding a claim with type URL http://schemas.sample.local/clearance; the claim’s value is a string
20. FillClaimTypes / FillClaimValueTypes / FillClaimsForEntity
    protected override void FillClaimTypes(List<string> claimTypes)
    {
        if (claimTypes == null)
            throw new ArgumentNullException("claimTypes");
        claimTypes.Add(ClearanceClaimType);
    }

    protected override void FillClaimValueTypes(List<string> claimValueTypes)
    {
        if (claimValueTypes == null)
            throw new ArgumentNullException("claimValueTypes");
        claimValueTypes.Add(ClearanceClaimValueType);
    }
21. FillClaimsForEntity
    protected override void FillClaimsForEntity(Uri context, SPClaim entity,
        List<SPClaim> claims)
    {
        if (entity == null)
            throw new ArgumentNullException("entity");
        if (claims == null)
            throw new ArgumentNullException("claims");
        if (String.IsNullOrEmpty(entity.Value))
            throw new ArgumentException("Argument null or empty", "entity.Value");

        // if the existing Clearance claim is "Top Secret" then add the lower-level clearances
        if (. . .)
        {
            claims.Add(CreateClaim(ClearanceClaimType, SecurityLevels[0],
                ClearanceClaimValueType));
            claims.Add(CreateClaim(ClearanceClaimType, SecurityLevels[1],
                ClearanceClaimValueType));
            claims.Add(CreateClaim(ClearanceClaimType, SecurityLevels[2],
                ClearanceClaimValueType));
        }
        . . .
    }
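The slide leaves the condition elided, and FillClaimsForEntity only receives the user's identity claim (entity.Value), so the provider has to look the clearance up somewhere. The following is an added example, not code from the deck: it keeps the dominance rule (a holder of one level also receives every lower level) in a small standalone helper and uses a constructed in-memory dictionary as the attribute store. The dictionary, the sample users and the assumption that the deck's ClearanceClaimProvider is declared partial (so this override sits beside the FillClaimTypes/FillClaimValueTypes and the ClearanceClaimType/ClearanceClaimValueType members shown above) are all assumptions of this example. An identity that is not in the store gets no clearance claim at all, which is the fail-closed behaviour you want from augmentation.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint.Administration.Claims;

namespace SampleClaimProvider
{
    // Pure helper: which clearance values a given level dominates.
    // Order is least to most privileged; a holder of level i also holds levels 0..i-1.
    public static class ClearanceLattice
    {
        public static readonly string[] SecurityLevels =
            { "None", "Confidential", "Secret", "Top Secret" };

        private static int IndexOf(string level)
        {
            return Array.FindIndex(SecurityLevels,
                l => string.Equals(l, level, StringComparison.OrdinalIgnoreCase));
        }

        public static bool IsKnownLevel(string level)
        {
            return IndexOf(level) >= 0;
        }

        // Returns the user's level plus every lower level, with canonical casing.
        // Unknown or blank input yields an empty list so augmentation fails closed.
        public static IList<string> LevelsAtOrBelow(string level)
        {
            int idx = IndexOf(level);
            if (idx < 0)
                return new List<string>();
            return SecurityLevels.Take(idx + 1).ToList();
        }
    }

    // Assumption: the deck's ClearanceClaimProvider is declared partial, so this
    // part supplies only the augmentation override.
    public partial class ClearanceClaimProvider : SPClaimProvider
    {
        // Constructed sample attribute store keyed by the identity claim value
        // (e.g. the e-mail or UPN issued by the trusted identity provider).
        // Assumption: stands in for the SQL/LDAP lookup the deck describes.
        private static readonly Dictionary<string, string> ClearanceStore =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice@sample.local", "Top Secret" },
                { "bob@sample.local", "Confidential" },
            };

        protected override void FillClaimsForEntity(Uri context, SPClaim entity,
            List<SPClaim> claims)
        {
            if (entity == null)
                throw new ArgumentNullException("entity");
            if (claims == null)
                throw new ArgumentNullException("claims");
            if (string.IsNullOrEmpty(entity.Value))
                throw new ArgumentException("Argument null or empty", "entity.Value");

            // entity.Value is the identity claim value of the user who just signed in.
            string level;
            if (!ClearanceStore.TryGetValue(entity.Value, out level))
                return; // unknown identity: issue nothing rather than a default clearance

            // Issue the user's own level and every level it dominates, e.g. "Top Secret"
            // also yields "Secret", "Confidential" and "None".
            foreach (string granted in ClearanceLattice.LevelsAtOrBelow(level))
                claims.Add(CreateClaim(ClearanceClaimType, granted, ClearanceClaimValueType));
        }
    }
}
```

Because every lower level is issued as its own claim, an ACL entry granting "Confidential" covers a Top Secret holder without any comparison logic in SharePoint itself; the values must match the canonical strings exactly, which is why the helper normalises casing before issuing.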
22. Other Important Methods: Replacing the People Picker
    FillEntityTypes
      Set of possible claims to display in the people picker
    FillHierarchy
      Hierarchy for displaying claims in the people picker
    FillResolve (2 overrides)
      Resolving claims specified in the people picker
    FillSchema
      Specifies the schema that is used by the people picker to display claims/entity data
    FillSearch
      Fills in search results in the people picker window
24. protected override void FillEntityTypes(List<string> entityTypes)
    {
        // Return the type of entity claim we are using
        entityTypes.Add(SPClaimEntityTypes.FormsRole);
    }
25. protected override void FillHierarchy(Uri context, string[] entityTypes,
        string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy)
    {
        if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
            return;

        switch (hierarchyNodeID)
        {
            case null: // when it first loads, add all our nodes
                // (providerName, hierarchyNodeID, displayName, isLeaf)
                hierarchy.AddChild(new Microsoft.SharePoint.WebControls.SPProviderHierarchyNode
                    (SecurityClearance.ProviderInternalName,
                    "SecurityClearance", "Security Clearance", true));
                hierarchy.AddChild(new Microsoft.SharePoint.WebControls.SPProviderHierarchyNode
                    (SecurityClearance.ProviderInternalName,
                    "Caveat", "Caveat", true));
                break;
            default:
                break;
        }
    }
27. protected override void FillResolve(Uri context, string[] entityTypes,
        string resolveInput, List<PickerEntity> resolved)
    {
        if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
            return;

        // create a matching entity and add it to the return list of picker entries
        Microsoft.SharePoint.WebControls.PickerEntity pe =
            GetPickerEntity(ClearanceClaimType, resolveInput);
        resolved.Add(pe);
        pe = GetPickerEntity(CaveatClaimType, resolveInput);
        resolved.Add(pe);
    }
28. private Microsoft.SharePoint.WebControls.PickerEntity GetPickerEntity
        (string ClaimType, string ClaimValue)
    {
        Microsoft.SharePoint.WebControls.PickerEntity pe = CreatePickerEntity();
        // set the claim associated with this match & the tooltip displayed
        pe.Claim = CreateClaim(ClaimType, ClaimValue, ClaimValueType);
        pe.Description = SecurityClearance.ProviderDisplayName + ":" + ClaimValue;
        // set the text displayed in the people picker
        pe.DisplayText = ClaimValue;
        // store in the hash table, plug in as a role-type entity & flag as resolved
        pe.EntityData[Microsoft.SharePoint.WebControls.PeopleEditorEntityDataKeys.DisplayName] = ClaimValue;
        pe.EntityType = SPClaimEntityTypes.FormsRole;
        pe.IsResolved = true;
        pe.EntityGroupName = "Additional Claims";
        return pe;
    }
30. protected override void FillSearch(Uri context, string[] entityTypes,
        string searchPattern, string hierarchyNodeID, int maxCount,
        SPProviderHierarchyTree searchTree)
    {
        if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
            return;

        // the node where we will place our matches
        Microsoft.SharePoint.WebControls.SPProviderHierarchyNode matchNode = null;
        Microsoft.SharePoint.WebControls.PickerEntity pe =
            GetPickerEntity(ClearanceClaimType, searchPattern);

        if (!searchTree.HasChild("SecurityClearance"))
        {
            // create the node so that we can show our match in there too
            // (providerName, hierarchyNodeID, displayName, isLeaf): the node ID must be
            // "SecurityClearance" to match HasChild and the lookup below
            matchNode = new Microsoft.SharePoint.WebControls.SPProviderHierarchyNode
                (SecurityClearance.ProviderInternalName, "SecurityClearance",
                "Security Clearance", true);
            searchTree.AddChild(matchNode);
        }
        else
        {
            // get the node for this security level
            matchNode = searchTree.Children.Where(theNode =>
                theNode.HierarchyNodeID == "SecurityClearance").First();
        }

        // add the picker entity to our tree node
        matchNode.AddEntity(pe);
    }
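As written above, FillResolve and FillSearch hand back whatever text was typed into the people picker as a resolved clearance claim, so an administrator can grant permissions to a clearance value that the augmentation step will never issue (the ACL entry is created but silently matches nobody). The following is an added example, not code from the deck, of the picker-facing overrides validating input against the known levels. It assumes the deck's ClearanceClaimProvider is declared partial and reuses its SecurityLevels, ClearanceClaimType and ClearanceClaimValueType members from slide 19; the node ID "SecurityClearance" matches the hierarchy node on slide 25, and the "Caveat" node is deliberately left unhandled here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

namespace SampleClaimProvider
{
    // Assumption: the deck's ClearanceClaimProvider is declared partial; these
    // overrides replace the unvalidated FillResolve/FillSearch shown above.
    public partial class ClearanceClaimProvider : SPClaimProvider
    {
        private const string ClearanceNodeId = "SecurityClearance";

        // Known levels matching the pattern: exact match for resolve, prefix for search.
        // Returns the canonical strings so the ACL stores exactly what augmentation issues.
        private string[] MatchingLevels(string pattern, bool exact)
        {
            if (string.IsNullOrEmpty(pattern))
                return new string[0];
            return SecurityLevels.Where(l => exact
                    ? string.Equals(l, pattern, StringComparison.OrdinalIgnoreCase)
                    : l.StartsWith(pattern, StringComparison.OrdinalIgnoreCase))
                .ToArray();
        }

        private PickerEntity MakeClearanceEntity(string level)
        {
            PickerEntity pe = CreatePickerEntity();
            pe.Claim = CreateClaim(ClearanceClaimType, level, ClearanceClaimValueType);
            pe.Description = Name + ":" + level;
            pe.DisplayText = level;
            pe.EntityData[PeopleEditorEntityDataKeys.DisplayName] = level;
            pe.EntityType = SPClaimEntityTypes.FormsRole;
            pe.IsResolved = true;
            pe.EntityGroupName = "Security Clearance";
            return pe;
        }

        // Free text typed into the picker: resolve only an exact (case-insensitive) match.
        protected override void FillResolve(Uri context, string[] entityTypes,
            string resolveInput, List<PickerEntity> resolved)
        {
            if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
                return;
            foreach (string level in MatchingLevels(resolveInput, true))
                resolved.Add(MakeClearanceEntity(level));
        }

        // A claim handed back by SharePoint (e.g. re-validating a stored entry):
        // honour only our own claim type and a known value.
        protected override void FillResolve(Uri context, string[] entityTypes,
            SPClaim resolveInput, List<PickerEntity> resolved)
        {
            if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
                return;
            if (resolveInput == null || resolveInput.ClaimType != ClearanceClaimType)
                return;
            foreach (string level in MatchingLevels(resolveInput.Value, true))
                resolved.Add(MakeClearanceEntity(level));
        }

        protected override void FillSearch(Uri context, string[] entityTypes,
            string searchPattern, string hierarchyNodeID, int maxCount,
            SPProviderHierarchyTree searchTree)
        {
            if (!EntityTypesContain(entityTypes, SPClaimEntityTypes.FormsRole))
                return;
            // A search scoped to another node of our hierarchy (e.g. "Caveat") is not ours.
            if (!string.IsNullOrEmpty(hierarchyNodeID) && hierarchyNodeID != ClearanceNodeId)
                return;

            string[] matches = MatchingLevels(searchPattern, false);
            if (matches.Length == 0)
                return; // no node is created for a pattern that matches nothing

            SPProviderHierarchyNode node;
            if (searchTree.HasChild(ClearanceNodeId))
            {
                node = searchTree.Children.First(n => n.HierarchyNodeID == ClearanceNodeId);
            }
            else
            {
                // (providerName, hierarchyNodeID, displayName, isLeaf)
                node = new SPProviderHierarchyNode(Name, ClearanceNodeId, "Security Clearance", true);
                searchTree.AddChild(node);
            }

            foreach (string level in matches.Take(maxCount))
                node.AddEntity(MakeClearanceEntity(level));
        }

        // Tell the picker which entity-data keys we populate.
        protected override void FillSchema(SPProviderSchema schema)
        {
            schema.AddSchemaElement(new SPSchemaElement(
                PeopleEditorEntityDataKeys.DisplayName, "Display Name", SPSchemaElementType.Both));
        }
    }
}
```

The second FillResolve overload matters as much as the first: SharePoint calls it when it re-validates an entry that is already stored, so an entry whose claim type or value is not one of ours is dropped instead of being blindly re-marked as resolved.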
37. Deployed as a Farm-Level Feature Receiver – requires more code
    Must inherit from SPClaimProviderFeatureReceiver (lots of examples)
    Can deploy multiple claim providers
      Called in order of deployment
    Once deployed - available in every web app, in every zone
      Can cause performance issues
      When a user logs in, all deployed Custom Claim Providers get called
      Set the IsUsedByDefault property in the Feature Receiver definition to False;
      then turn it on manually for the required web apps
38. Reach out to a SQL database, LDAP or other repository for attributes, which will get added as claims
    The Custom Claim Provider runs in the context of the web application, not the site the user is logging into
      Logged in as the Central Admin service account
      Does not have context (most methods have no HTTP context nor SPContext.Current)
      Cannot directly access data on the site you signed into
    For debugging, use a Claims Testing Web Part in SharePoint:
    http://blogs.technet.com/b/speschka/archive/2010/02/13/figuring-out-what-claims-you-have-in-sharepoint-2010.aspx
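Slides 37 and 38 describe the deployment shape without showing it. The following is an added example, not code from the deck: a farm-level feature receiver for the ClearanceClaimProvider from the earlier slides that, after the base class registers the provider definition, flips IsUsedByDefault to false so the provider is not invoked for every zone of every web application in the farm. The display name and description strings are assumptions of this example; the SPClaimProviderManager / SPClaimProviderDefinition calls are the SharePoint 2010 farm API.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;

namespace SampleClaimProvider
{
    // Farm-level feature receiver that registers ClearanceClaimProvider (from the
    // earlier slides) and turns off IsUsedByDefault so only web applications that
    // opt in pay the cost of the extra lookup at every sign-in.
    public class ClearanceClaimProviderFeatureReceiver : SPClaimProviderFeatureReceiver
    {
        public override string ClaimProviderAssembly
        {
            get { return typeof(ClearanceClaimProvider).Assembly.FullName; }
        }

        public override string ClaimProviderType
        {
            get { return typeof(ClearanceClaimProvider).FullName; }
        }

        // Assumption: display text chosen for this example
        public override string ClaimProviderDisplayName
        {
            get { return "Security Clearance Claim Provider"; }
        }

        public override string ClaimProviderDescription
        {
            get { return "Augments sign-in with clearance claims from the clearance store."; }
        }

        public override void FeatureActivated(SPFeatureReceiverProperties properties)
        {
            // The base class creates the SPClaimProviderDefinition in the farm;
            // a new definition is used by default until we say otherwise.
            base.FeatureActivated(properties);
            SetUsedByDefault(false);
        }

        // Flip the farm-wide default so only explicitly enabled web apps call this provider.
        private static void SetUsedByDefault(bool usedByDefault)
        {
            SPClaimProviderManager manager = SPClaimProviderManager.Local;
            if (manager == null)
                return; // not running in a claims-aware farm context

            foreach (SPClaimProviderDefinition definition in manager.ClaimProviders)
            {
                if (definition.ClaimProviderType == typeof(ClearanceClaimProvider))
                {
                    definition.IsUsedByDefault = usedByDefault;
                    manager.Update();
                    return;
                }
            }
        }
    }
}
```

Since the provider runs as the Central Admin service account with no SPContext, the clearance lookup it performs (SQL, LDAP or otherwise) has to carry its own connection details and least-privilege credentials; it cannot borrow anything from the site the user is signing into.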
40. REGISTER NOW! www.sharepointconference.com
    Join us in Las Vegas for SharePoint Conference 2012, November 12-15 at the Mandalay Bay. Don’t miss this opportunity to give yourself a competitive edge and get the inside scoop about 'SharePoint 15' while learning how to better use SharePoint 2010. Engage with the community, share insights, and learn about what’s coming next from the people who built the product.
Editor's notes
We’re adding a claim with a name of http://schemas.sample.local/clearance, and the value in that claim is a string.