2. Edin Kapić
• SharePoint Senior
Architect & Team Lead
in Sogeti, Barcelona
• President of SharePoint
User Group Catalonia
(SUG.CAT)
• Writer at Pluralsight
• SharePoint Server Office
Servers and Services
MVP
• Tinker & geek
Email : mail@edinkapic.com
Twitter : @ekapic
LinkedIn : edinkapic
5. SharePoint Authentication
• SharePoint doesn’t
authenticate by itself
• It keeps user details in the
user profile database and
user information lists in each
site collection
7. SharePoint 2013 Authentication
Options
• “Classic” Windows
– Deprecated
• Claims-based
– Windows tokens
– FBA
– SAML 1.1
Windows NTLM Token
Windows NTLM Token
FBA User
SAML 1.1 Token
SAML Token
SPUser
8. App Add-In Authentication
• Add-ins have identity and can be assigned permissions
– Add-ins are principals, together with users and groups
• Add-in identity vs User identity
• Add-ins use OAuth to authenticate
– Low-trust add-ins use 3-legged OAuth (with ACS broker)
– High-trust add-ins use self-signed tokens
9. Claims (Ansprüche)
• A claim is a piece of your identity, claimed by some authority
• Claims are received upon presenting credentials to a claims
provider
• Claims providers are trusted
• Examples
– Employee badge
• Name, department, clearance
– Boarding passes
• Flight, seat, class, name
– Paper Wristbands
• Ticket type, extra services
11. SharePoint Claims
Claim Type Claim Value Issuer Original Issuer
http://schemas.xmlsoap.o
rg/ws/2005/05/identity/cl
aims/nameidentifier
demoekapic SharePoint SharePoint
http://schemas.xmlsoap.o
rg/ws/2008/06/identity/cl
aims/primarysid
S-1-5-21-4067827123-
213488314-8760374-
513
SharePoint Windows
http://schemas.xmlsoap.o
rg/ws/2005/05identity/cla
ims/upn
ekapic@demo.local SharePoint Windows
http://schemas.microsoft.
com/sharepoint/2009/08/
claims/userid
0#.w|demoekapic SharePoint SecurityTokenService
12. Claims Authentication
• SharePoint augments and transforms the incoming
claims to a normalized claims identity
• Can be done by more than one claims provider
• Decouples the authentication method from the user
identity
• For Windows incoming claims, there is a C2WTS
(Claims to Windows Token Service) inside SharePoint
2013 to allow converting claims back into Windows
identities
13. Claims Format
Claim Claim Parts
i:0#.w|spdemoedin • •“i” for an identity claim
• •“#” for the user logon name format for the claim
value
• •“.” for a string
• •“w” for Windows claims
• •“spdemoedin” for the identity claim value (the
Windows account name)
i:0e.t|adfs|edin@spdemo.local • •“i” for an identity claim
• •“e” for the UPN property of the claim value
• •“.” for a string
• •“t” for a trusted issuer
• •“adfs” identifies the original issuer of the identity
claim
• •“edin@spdemo.local” for the identity claim value
http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx
<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>
|<OriginalIssuer (optional)>
|<ClaimValue>
14. Claims Authorization
• Any claim can be used as
a security principal in
SharePoint
• Flexible alternative to
security groups
• Claims can be surfaced
by the identity token
service or custom claims
provider in People Picker
15. Claim Providers
• Augment and surface the claims for People Picker
• Can be generic or bound to a Trusted Identity Provider
• Inherits from SPClaimProvider abstract class
• But, take care about thread safety:
http://blogs.msdn.com/b/yvan_duhamel/archive/2014/05/21/thread-safety-in-custom-
claims-providers.aspx
16. Claims Augmentation and
Surfacing
Desired claim provider feature Implements
Claims augmentation FillClaimsForEntity
SupportsEntityInformation
Claims surfacing in People Picker FillSchema
FillClaimTypes
FillClaimValueTypes
FillEntityTypes
Claims hierarchy in People Picker left side FillHierarchy
SupportsHierarchy
Resolving typed claims in People Picker FillResolve
SupportsResolve
Searching for claims in People Picker FillSearch
SupportsSearch
18. Federated Authentication
• When the identity provider (IdP) is distinct from
Windows (or FBA), we have federated authentication
• Third-party Secure Token Service (STS) issues a security
token with claims
• This token is trusted by “clients” (Relying Parties, RP) as
the STS is trusted by them
• Tokens are digitally signed to prevent tampering
20. Federated Identity Providers
• Microsoft Active Directory
Federation Services (ADFS)
• Microsoft Azure Active
Directory
• Thinktecture IdentityServer
• Shibboleth
• IBM Federated Identity
Manager
• ...
21. Active Directory Federation
Services (ADFS)
• Part of Windows
Server features
• Can transform AD
into a federated IdP
• Doesn’t manage
users directly, but
claims, identity
providers and relying
parties
22. Azure Active Directory (AAD)
• “AD and ADFS in the cloud”
• Part of Azure / Office 365
offering
• Underpins the most of the
Office 365 / Azure hybrid
architectures
25. Summary
• Claims-based identity and authorization are the only
way forward, so make sure that you understand them
well
• You can decouple user authentication from the user
identity
• You can extend your user identity with additional claims
• You can get your user identity from somewhere else
26. Additional Tools
• LDAP/AD Claims Provider
– Surfaces users from ADFS / AD into claims-enabled People Picker
• https://ldapcp.codeplex.com/
27. Additional Tools
• SharePoint Identity Service
– Service application for SharePoint
• https://spidentityservice.codeplex.com/
28. Further Reading
• Steve Peschka’s blog https://samlman.wordpress.com
• Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/
• A Guide to Claims-Identity and Access Control
https://msdn.microsoft.com/en-
us/library/ff423674.aspx