SlideShare une entreprise Scribd logo

Extending Authentication and Authorization

Télécharger en tant que PPTX, PDF
Edin Kapic
Edin Kapic

Slides from my talk at SharePoint Konferenz 2016

Technologie
1  sur  31
Silber-Partner: Veranstalter: Extending Authentication and Authorization Edin Kapić
Edin Kapić • SharePoint Senior Architect & Team Lead in Sogeti, Barcelona • President of SharePoint User Group Catalonia (SUG.CAT) • Writer at Pluralsight • SharePoint Server Office Servers and Services MVP • Tinker & geek Email : mail@edinkapic.com Twitter : @ekapic LinkedIn : edinkapic
Agenda • SharePoint, Authentication and Authorization • Claims – Claims-based Authentication – Claims-based Authorization – Claims Augmentation and Transformation – Claims Providers • Federated Authentication
SharePoint, Authentication & Authorization SharePoint Web App Authentication Provider SPUser Site Collection Site SPRoleAssignment Authentication Authorization Authentifizierung Autorisierung
SharePoint Authentication • SharePoint doesn’t authenticate by itself • It keeps user details in the user profile database and user information lists in each site collection
SharePoint Authorization • Associated with principals – Authenticated users – Groups (SharePoint or AD) – Claims – App Add-in identities
SharePoint 2013 Authentication Options • “Classic” Windows – Deprecated • Claims-based – Windows tokens – FBA – SAML 1.1 Windows NTLM Token Windows NTLM Token FBA User SAML 1.1 Token SAML Token SPUser
App Add-In Authentication • Add-ins have identity and can be assigned permissions – Add-ins are principals, together with users and groups • Add-in identity vs User identity • Add-ins use OAuth to authenticate – Low-trust add-ins use 3-legged OAuth (with ACS broker) – High-trust add-ins use self-signed tokens
Claims (Ansprüche) • A claim is a piece of your identity, claimed by some authority • Claims are received upon presenting credentials to a claims provider • Claims providers are trusted • Examples – Employee badge • Name, department, clearance – Boarding passes • Flight, seat, class, name – Paper Wristbands • Ticket type, extra services
Real-world Claims Identity Claims Specific Claims Claims encoded and signed Thanks to Spencer Harbar for the original idea
SharePoint Claims Claim Type Claim Value Issuer Original Issuer http://schemas.xmlsoap.o rg/ws/2005/05/identity/cl aims/nameidentifier demoekapic SharePoint SharePoint http://schemas.xmlsoap.o rg/ws/2008/06/identity/cl aims/primarysid S-1-5-21-4067827123- 213488314-8760374- 513 SharePoint Windows http://schemas.xmlsoap.o rg/ws/2005/05identity/cla ims/upn ekapic@demo.local SharePoint Windows http://schemas.microsoft. com/sharepoint/2009/08/ claims/userid 0#.w|demoekapic SharePoint SecurityTokenService
Claims Authentication • SharePoint augments and transforms the incoming claims to a normalized claims identity • Can be done by more than one claims provider • Decouples the authentication method from the user identity • For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 to allow converting claims back into Windows identities
Claims Format Claim Claim Parts i:0#.w|spdemoedin • •“i” for an identity claim • •“#” for the user logon name format for the claim value • •“.” for a string • •“w” for Windows claims • •“spdemoedin” for the identity claim value (the Windows account name) i:0e.t|adfs|edin@spdemo.local • •“i” for an identity claim • •“e” for the UPN property of the claim value • •“.” for a string • •“t” for a trusted issuer • •“adfs” identifies the original issuer of the identity claim • •“edin@spdemo.local” for the identity claim value http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode> |<OriginalIssuer (optional)> |<ClaimValue>
Claims Authorization • Any claim can be used as a security principal in SharePoint • Flexible alternative to security groups • Claims can be surfaced by the identity token service or custom claims provider in People Picker
Claim Providers • Augment and surface the claims for People Picker • Can be generic or bound to a Trusted Identity Provider • Inherits from SPClaimProvider abstract class • But, take care about thread safety: http://blogs.msdn.com/b/yvan_duhamel/archive/2014/05/21/thread-safety-in-custom- claims-providers.aspx
Claims Augmentation and Surfacing Desired claim provider feature Implements Claims augmentation FillClaimsForEntity SupportsEntityInformation Claims surfacing in People Picker FillSchema FillClaimTypes FillClaimValueTypes FillEntityTypes Claims hierarchy in People Picker left side FillHierarchy SupportsHierarchy Resolving typed claims in People Picker FillResolve SupportsResolve Searching for claims in People Picker FillSearch SupportsSearch
DEMO Custom Claim Provider
Federated Authentication • When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication • Third-party Secure Token Service (STS) issues a security token with claims • This token is trusted by “clients” (Relying Parties, RP) as the STS is trusted by them • Tokens are digitally signed to prevent tampering
Federated Authentication • ID cards or passports are real- world examples of federated authentication
Federated Identity Providers • Microsoft Active Directory Federation Services (ADFS) • Microsoft Azure Active Directory • Thinktecture IdentityServer • Shibboleth • IBM Federated Identity Manager • ...
Active Directory Federation Services (ADFS) • Part of Windows Server features • Can transform AD into a federated IdP • Doesn’t manage users directly, but claims, identity providers and relying parties
Azure Active Directory (AAD) • “AD and ADFS in the cloud” • Part of Azure / Office 365 offering • Underpins the most of the Office 365 / Azure hybrid architectures
Thinktecture IdentityServer • Open-source IdP based on .NET and Windows Identity Framework • Modular architecture
DEMO Federated Authentication with ADFS
Summary • Claims-based identity and authorization are the only way forward, so make sure that you understand them well • You can decouple user authentication from the user identity • You can extend your user identity with additional claims • You can get your user identity from somewhere else
Additional Tools • LDAP/AD Claims Provider – Surfaces users from ADFS / AD into claims-enabled People Picker • https://ldapcp.codeplex.com/
Additional Tools • SharePoint Identity Service – Service application for SharePoint • https://spidentityservice.codeplex.com/
Further Reading • Steve Peschka’s blog https://samlman.wordpress.com • Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/ • A Guide to Claims-Identity and Access Control https://msdn.microsoft.com/en- us/library/ff423674.aspx
FRAGEN?
Ich freue mich auf Ihr Feedback!
Silber-Partner: Veranstalter: Vielen Dank! Edin Kapić

Recommandé

High-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentHigh-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises Development
Edin Kapic
 
SPS London 2015 - IoT and Room Reservation Cloud-Style
SPS London 2015 - IoT and Room Reservation Cloud-StyleSPS London 2015 - IoT and Room Reservation Cloud-Style
SPS London 2015 - IoT and Room Reservation Cloud-Style
Edin Kapic
 
Office 365 api vs share point app model
Office 365 api vs share point app modelOffice 365 api vs share point app model
Office 365 api vs share point app model
BIWUG
 
SPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises DevelopmentSPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises Development
Edin Kapic
 
SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims Auth
Kashif Imran
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point
Thorbjørn Værp
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners Guide
Phuong Nguyen
 
OAuth in SharePoint 2013
OAuth in SharePoint 2013OAuth in SharePoint 2013
OAuth in SharePoint 2013
Dinusha Kumarasiri
 

Recommandé

High-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises DevelopmentHigh-Trust Add-Ins SharePoint for On-Premises Development
High-Trust Add-Ins SharePoint for On-Premises Development
Edin Kapic
 
SPS London 2015 - IoT and Room Reservation Cloud-Style
SPS London 2015 - IoT and Room Reservation Cloud-StyleSPS London 2015 - IoT and Room Reservation Cloud-Style
SPS London 2015 - IoT and Room Reservation Cloud-Style
Edin Kapic
 
Office 365 api vs share point app model
Office 365 api vs share point app modelOffice 365 api vs share point app model
Office 365 api vs share point app model
BIWUG
 
SPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises DevelopmentSPS Belgium 2015 - High-trust Apps for On-Premises Development
SPS Belgium 2015 - High-trust Apps for On-Premises Development
Edin Kapic
 
SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims Auth
Kashif Imran
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point
Thorbjørn Værp
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners Guide
Phuong Nguyen
 
OAuth in SharePoint 2013
OAuth in SharePoint 2013OAuth in SharePoint 2013
OAuth in SharePoint 2013
Dinusha Kumarasiri
 
The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
Anton Staykov
 
DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010
Spencer Harbar
 
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Chris Gillum
 
SharePoint 2013 APIs demystified
SharePoint 2013 APIs demystifiedSharePoint 2013 APIs demystified
SharePoint 2013 APIs demystified
SPC Adriatics
 
A Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2CA Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2C
John Garland
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...
SPC Adriatics
 
Oauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted appsOauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted apps
James Tramel
 
DevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easyDevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easy
Sjoukje Zaal
 
Dear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2BDear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2B
Sjoukje Zaal
 
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje ZaalO365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
NCCOMMS
 
Intelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easyIntelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easy
Sjoukje Zaal
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
Manoj Mittal
 
AD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep Dive
Granikos GmbH & Co. KG
 
Identity Management in SharePoint 2013
Identity Management in SharePoint 2013Identity Management in SharePoint 2013
Identity Management in SharePoint 2013
SPC Adriatics
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)
Jay Simcox
 
Azure B2C
Azure B2CAzure B2C
Azure B2C
Marco De Sanctis
 
Azure Saturday: External Collaboration With Azure AD B2B
Azure Saturday: External Collaboration With Azure AD B2BAzure Saturday: External Collaboration With Azure AD B2B
Azure Saturday: External Collaboration With Azure AD B2B
Sjoukje Zaal
 
SharePoint 2013 and ADFS
SharePoint 2013 and ADFSSharePoint 2013 and ADFS
SharePoint 2013 and ADFS
Natallia Makarevich
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
Corey Roth
 
ESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and AuthorizationESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and Authorization
Edin Kapic
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Joris Poelmans
 
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision IT
 

Contenu connexe

Tendances

DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010
Spencer Harbar
 
A Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2CA Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2C
John Garland
 

Tendances (19)

The bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2CThe bits and pieces of Azure AD B2C
The bits and pieces of Azure AD B2C
 
DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010DD109 Claims Based AuthN in SharePoint 2010
DD109 Claims Based AuthN in SharePoint 2010
 
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
Easy Auth Overview - Tokyo Azure Meetup - Feb 2018
 
SharePoint 2013 APIs demystified
SharePoint 2013 APIs demystifiedSharePoint 2013 APIs demystified
SharePoint 2013 APIs demystified
 
A Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2CA Developer's Introduction to Azure Active Directory B2C
A Developer's Introduction to Azure Active Directory B2C
 
Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...Understanding SharePoint Apps, authentication and authorization infrastructur...
Understanding SharePoint Apps, authentication and authorization infrastructur...
 
Oauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted appsOauth and SharePoint 2013 Provider Hosted apps
Oauth and SharePoint 2013 Provider Hosted apps
 
DevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easyDevSum: Azure AD B2C Application security made easy
DevSum: Azure AD B2C Application security made easy
 
Dear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2BDear Azure: External collaboration with Azure AD B2B
Dear Azure: External collaboration with Azure AD B2B
 
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje ZaalO365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
O365Con18 - External Collaboration with Azure B2B - Sjoukje Zaal
 
Intelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easyIntelligent Cloud Conference: Azure AD B2C Application security made easy
Intelligent Cloud Conference: Azure AD B2C Application security made easy
 
Microsoft identity manoj mittal
Microsoft identity manoj mittalMicrosoft identity manoj mittal
Microsoft identity manoj mittal
 
AD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep DiveAD FS Workshop | Part 2 | Deep Dive
AD FS Workshop | Part 2 | Deep Dive
 
Identity Management in SharePoint 2013
Identity Management in SharePoint 2013Identity Management in SharePoint 2013
Identity Management in SharePoint 2013
 
The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)The Who, What, Why and How of Active Directory Federation Services (AD FS)
The Who, What, Why and How of Active Directory Federation Services (AD FS)
 
Azure B2C
Azure B2CAzure B2C
Azure B2C
 
Azure Saturday: External Collaboration With Azure AD B2B
Azure Saturday: External Collaboration With Azure AD B2BAzure Saturday: External Collaboration With Azure AD B2B
Azure Saturday: External Collaboration With Azure AD B2B
 
SharePoint 2013 and ADFS
SharePoint 2013 and ADFSSharePoint 2013 and ADFS
SharePoint 2013 and ADFS
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
 

Similaire à Extending Authentication and Authorization

Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Joris Poelmans
 
NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
Morgan Simonsen
 
Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010
Jonathan Schultz
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
Liam Cleary [MVP]
 

Similaire à Extending Authentication and Authorization (20)

ESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and AuthorizationESPC15 - Extending Authentication and Authorization
ESPC15 - Extending Authentication and Authorization
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
 
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On...
 
NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
 
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?
 
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365Envision it SharePoint Extranet Webinar Series - Federation and Office 365
Envision it SharePoint Extranet Webinar Series - Federation and Office 365
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
 
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
SPCA2013 - It’s Me, and Here’s My ProofIdentity & Authentication in SharePoin...
 
Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020Microsoft Teams community call - February 2020
Microsoft Teams community call - February 2020
 
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...Envision it Webinar - Extranet Identity Management and Authentication for Sha...
Envision it Webinar - Extranet Identity Management and Authentication for Sha...
 
Introduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2CIntroduction to Azure AD and Azure AD B2C
Introduction to Azure AD and Azure AD B2C
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
 
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas VochtenO365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
O365Con18 - Hybrid SharePoint Deep Dive - Thomas Vochten
 
Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010Claims Based Authentication in SharePoint 2010
Claims Based Authentication in SharePoint 2010
 
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...SharePoint Saturday The Conference DC - Are you who you say you are share poi...
SharePoint Saturday The Conference DC - Are you who you say you are share poi...
 
Spsbe15 high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises developmentSpsbe15 high-trust apps for on-premises development
Spsbe15 high-trust apps for on-premises development
 
SPSBE 2013 Claims for devs
SPSBE 2013 Claims for devsSPSBE 2013 Claims for devs
SPSBE 2013 Claims for devs
 
Wso2 is integration with .net core
Wso2 is integration with .net coreWso2 is integration with .net core
Wso2 is integration with .net core
 
Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010Claims-Based Identity in SharePoint 2010
Claims-Based Identity in SharePoint 2010
 
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ..."Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
"Secure Mobile Apps with the Microsoft Identity Platform", Christos Matskas, ...
 

Plus de Edin Kapic

BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!
Edin Kapic
 
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
Edin Kapic
 

Plus de Edin Kapic (19)

Rx la joya oculta de Net
Rx la joya oculta de NetRx la joya oculta de Net
Rx la joya oculta de Net
 
Personal Branding for Developers
Personal Branding for DevelopersPersonal Branding for Developers
Personal Branding for Developers
 
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
SharePoint Saturday Stockholm 2015 - Building Maintainable and Testable Share...
 
ESPC14 Social Business Value Demystified
ESPC14 Social Business Value DemystifiedESPC14 Social Business Value Demystified
ESPC14 Social Business Value Demystified
 
Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014Maintainable Testable SharePoint Components SPSBE 2014
Maintainable Testable SharePoint Components SPSBE 2014
 
MVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human BehaviourMVP Open Day 2014 - Hacking Human Behaviour
MVP Open Day 2014 - Hacking Human Behaviour
 
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 AppSPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
SPS Stockholm 7 Key Things for Building a Highly-Scalable SharePoint 2013 App
 
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App7 Key Things for Building a Highly-Scalable SharePoint 2013 App
7 Key Things for Building a Highly-Scalable SharePoint 2013 App
 
Social Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World ExperiencesSocial Business Value Demystified: Real-World Experiences
Social Business Value Demystified: Real-World Experiences
 
BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!BcnDevCon13 - No Designer? No Problem!
BcnDevCon13 - No Designer? No Problem!
 
BcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMSBcnDevCon12 - Una vuelta por Orchard CMS
BcnDevCon12 - Una vuelta por Orchard CMS
 
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitectoBcnDevCon12 - CQRS explicado a mi compañero arquitecto
BcnDevCon12 - CQRS explicado a mi compañero arquitecto
 
Modelos de madurez de SharePoint
Modelos de madurez de SharePointModelos de madurez de SharePoint
Modelos de madurez de SharePoint
 
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
SharePoint 2013 Novedades y más allá (Introducción de SUG.CAT)
 
SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012SUG.CAT First Monday Noviembre 2012
SUG.CAT First Monday Noviembre 2012
 
JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#JavaScript per a desenvolupadors de C#
JavaScript per a desenvolupadors de C#
 
CatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePointCatDotNet - Farmville para SharePoint
CatDotNet - Farmville para SharePoint
 
Universidad de La Habana - SharePoint, Listas y XSLT
Universidad de La Habana - SharePoint, Listas y XSLTUniversidad de La Habana - SharePoint, Listas y XSLT
Universidad de La Habana - SharePoint, Listas y XSLT
 
SharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developereSharePoint kao razvojna platforma za ASP.NET developere
SharePoint kao razvojna platforma za ASP.NET developere
 

Dernier

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Extending Authentication and Authorization

  • 2. Edin Kapić • SharePoint Senior Architect & Team Lead in Sogeti, Barcelona • President of SharePoint User Group Catalonia (SUG.CAT) • Writer at Pluralsight • SharePoint Server Office Servers and Services MVP • Tinker & geek Email : mail@edinkapic.com Twitter : @ekapic LinkedIn : edinkapic
  • 3. Agenda • SharePoint, Authentication and Authorization • Claims – Claims-based Authentication – Claims-based Authorization – Claims Augmentation and Transformation – Claims Providers • Federated Authentication
  • 4. SharePoint, Authentication & Authorization SharePoint Web App Authentication Provider SPUser Site Collection Site SPRoleAssignment Authentication Authorization Authentifizierung Autorisierung
  • 5. SharePoint Authentication • SharePoint doesn’t authenticate by itself • It keeps user details in the user profile database and user information lists in each site collection
  • 6. SharePoint Authorization • Associated with principals – Authenticated users – Groups (SharePoint or AD) – Claims – App Add-in identities
  • 7. SharePoint 2013 Authentication Options • “Classic” Windows – Deprecated • Claims-based – Windows tokens – FBA – SAML 1.1 Windows NTLM Token Windows NTLM Token FBA User SAML 1.1 Token SAML Token SPUser
  • 8. App Add-In Authentication • Add-ins have identity and can be assigned permissions – Add-ins are principals, together with users and groups • Add-in identity vs User identity • Add-ins use OAuth to authenticate – Low-trust add-ins use 3-legged OAuth (with ACS broker) – High-trust add-ins use self-signed tokens
  • 9. Claims (Ansprüche) • A claim is a piece of your identity, claimed by some authority • Claims are received upon presenting credentials to a claims provider • Claims providers are trusted • Examples – Employee badge • Name, department, clearance – Boarding passes • Flight, seat, class, name – Paper Wristbands • Ticket type, extra services
  • 10. Real-world Claims Identity Claims Specific Claims Claims encoded and signed Thanks to Spencer Harbar for the original idea
  • 11. SharePoint Claims Claim Type Claim Value Issuer Original Issuer http://schemas.xmlsoap.o rg/ws/2005/05/identity/cl aims/nameidentifier demoekapic SharePoint SharePoint http://schemas.xmlsoap.o rg/ws/2008/06/identity/cl aims/primarysid S-1-5-21-4067827123- 213488314-8760374- 513 SharePoint Windows http://schemas.xmlsoap.o rg/ws/2005/05identity/cla ims/upn ekapic@demo.local SharePoint Windows http://schemas.microsoft. com/sharepoint/2009/08/ claims/userid 0#.w|demoekapic SharePoint SecurityTokenService
  • 12. Claims Authentication • SharePoint augments and transforms the incoming claims to a normalized claims identity • Can be done by more than one claims provider • Decouples the authentication method from the user identity • For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 to allow converting claims back into Windows identities
  • 13. Claims Format Claim Claim Parts i:0#.w|spdemoedin • •“i” for an identity claim • •“#” for the user logon name format for the claim value • •“.” for a string • •“w” for Windows claims • •“spdemoedin” for the identity claim value (the Windows account name) i:0e.t|adfs|edin@spdemo.local • •“i” for an identity claim • •“e” for the UPN property of the claim value • •“.” for a string • •“t” for a trusted issuer • •“adfs” identifies the original issuer of the identity claim • •“edin@spdemo.local” for the identity claim value http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-claims-encoding-also-valuable-for-sharepoint-2010.aspx <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode> |<OriginalIssuer (optional)> |<ClaimValue>
  • 14. Claims Authorization • Any claim can be used as a security principal in SharePoint • Flexible alternative to security groups • Claims can be surfaced by the identity token service or custom claims provider in People Picker
  • 15. Claim Providers • Augment and surface the claims for People Picker • Can be generic or bound to a Trusted Identity Provider • Inherits from SPClaimProvider abstract class • But, take care about thread safety: http://blogs.msdn.com/b/yvan_duhamel/archive/2014/05/21/thread-safety-in-custom- claims-providers.aspx
  • 16. Claims Augmentation and Surfacing Desired claim provider feature Implements Claims augmentation FillClaimsForEntity SupportsEntityInformation Claims surfacing in People Picker FillSchema FillClaimTypes FillClaimValueTypes FillEntityTypes Claims hierarchy in People Picker left side FillHierarchy SupportsHierarchy Resolving typed claims in People Picker FillResolve SupportsResolve Searching for claims in People Picker FillSearch SupportsSearch
  • 18. Federated Authentication • When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication • Third-party Secure Token Service (STS) issues a security token with claims • This token is trusted by “clients” (Relying Parties, RP) as the STS is trusted by them • Tokens are digitally signed to prevent tampering
  • 19. Federated Authentication • ID cards or passports are real- world examples of federated authentication
  • 20. Federated Identity Providers • Microsoft Active Directory Federation Services (ADFS) • Microsoft Azure Active Directory • Thinktecture IdentityServer • Shibboleth • IBM Federated Identity Manager • ...
  • 21. Active Directory Federation Services (ADFS) • Part of Windows Server features • Can transform AD into a federated IdP • Doesn’t manage users directly, but claims, identity providers and relying parties
  • 22. Azure Active Directory (AAD) • “AD and ADFS in the cloud” • Part of Azure / Office 365 offering • Underpins the most of the Office 365 / Azure hybrid architectures
  • 23. Thinktecture IdentityServer • Open-source IdP based on .NET and Windows Identity Framework • Modular architecture
  • 25. Summary • Claims-based identity and authorization are the only way forward, so make sure that you understand them well • You can decouple user authentication from the user identity • You can extend your user identity with additional claims • You can get your user identity from somewhere else
  • 26. Additional Tools • LDAP/AD Claims Provider – Surfaces users from ADFS / AD into claims-enabled People Picker • https://ldapcp.codeplex.com/
  • 27. Additional Tools • SharePoint Identity Service – Service application for SharePoint • https://spidentityservice.codeplex.com/
  • 28. Further Reading • Steve Peschka’s blog https://samlman.wordpress.com • Kirk Evans’ blog http://blogs.msdn.com/b/kaevans/ • A Guide to Claims-Identity and Access Control https://msdn.microsoft.com/en- us/library/ff423674.aspx
  • 30. Ich freue mich auf Ihr Feedback!