SharePoint 2010
Custom Authentication Providers
Benjamin Steinhauser
1/7/2012
SharePoint Saturday Virginia Beach
About Me!
•   Name: Benjamin J. Steinhauser
•   Position: SharePoint Solutions Developer
•   Company: B&R Business Solutions
•   BSCS, MSCS; MCP, MCTS
•   10+ years as ASP.NET Application Developer (C# and VB.NET)
    (yes, I admit it)

• Built many (!!!) applications, specialized in Emergency
  Management and Notification systems
• Lightweight SharePoint Developer since 2001
     •   versions: SharePoint Portal Server 2001, Microsoft SharePoint 2003, Microsoft Office SharePoint Server 2007,
         Microsoft SharePoint Server 2010

• Went full-dev in SharePoint in 2010, loving it!
Topics
• Introduction to and using SharePoint 2010 Claims Based
  Authentication
• Typical web application authentication scenarios
• Typical web application login scenarios
• Building custom authentication providers (membership and
  role providers)
• Extending SharePoint Web Applications to multiple zones,
  each with its own provider
• Building custom Login pages and Login web parts
• Introduction to OpenID: 3rd Party Identity Management, or
  Identities in the “CLOUD”
• Examples!
SP Authentication Methods
• Classic Mode Authentication
  • traditional Windows Authentication, same as WSS 3.0, MOSS 2007
       • Windows Integrated (NTLM/Kerberos)
       • Basic (password in clear text! use SSL)
       • Anonymous
  • (-) No more FBA available when using Classic!
  • (+) Less confusing for simple Farms
• Claims Based Authentication
  •   new for SP2010
  •   built on Windows Identity Foundation (WIF)
  •   everything is tokens, claims, identity provider, security token service
  •   (+) All auth types are available
  •   (-) woah, confusing
Claims Based Authentication
• Supported Authentication Methods:
  • Windows:
     •   NTLM (Windows)
     •   Kerberos
     •   Anonymous
     •   Basic
     •   Digest
  • FBA:
     • LDAP
     • MS SQL Server or other
     • custom or 3rd party membership and role providers
  • SAML token-based auth.
     • Active Directory Federation Services (AD FS) 2.0
     • 3rd party identity provider
     • LDAP
Claims Based Authentication
• SharePoint Server 2010 automatically changes all user accounts to claims identities,
  resulting in a claims token for each user
   • Claims Identifiers:
        •   Windows: i:0#.w|domain\sAMAccountName
        •   FBA: i:0#.f|customdbusersmp|user1
• The claims token contains the claims pertaining to the user
   • Windows accounts are converted into Windows claims.
   • Forms-based membership users are transformed into forms-based authentication claims
• Identity is stored in a security Token, contains one or more claims about the user
   • Claims are meta-data for the user
• Access to SharePoint Server running in Claims Mode Authentication utilizes a Security
  Token Service (STS) which is essentially an authentication gateway to SharePoint
  Server that enables access for Windows Integrated Authentication, Form Based
  Authentication and Trusted Claims Providers (TRUST).
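The encoded identifiers above are what SharePoint stores and compares, so it helps to be able to take one apart. The following is an added example (not code from the deck or from SharePoint; SharePoint itself exposes this through SPClaimProviderManager) that decodes the user identifiers and an FBA role claim into their parts. The claim-type and issuer letters it recognises are the documented SharePoint 2010 encoding; the sample strings for user1 are constructed from the deck's own examples.

```csharp
using System;

// Added example: decode SharePoint 2010 encoded claims.
// Format: <i|c>:0<claim type><value type><issuer>|[provider|]value
//   claim type: '#' user logon name, '5' email, '-' role      value type: '.' string
//   issuer: 'w' Windows, 'f' forms (membership/role provider), 't' trusted identity provider,
//           's' local SharePoint STS. Only 'w' and 's' omit the provider-name segment.
public sealed class EncodedClaim
{
    public bool IsIdentityClaim;   // 'i' identity claim, 'c' any other claim (e.g. a role)
    public char ClaimTypeCode, ValueTypeCode, IssuerCode;
    public string ProviderName;    // "" for Windows and local STS claims
    public string Value;

    public static EncodedClaim Parse(string encoded)
    {
        string[] parts = (encoded ?? "").Split('|');
        string header = parts[0];                                   // e.g. "i:0#.w"
        if (header.Length != 6 || header[1] != ':' || header[2] != '0' || (header[0] != 'i' && header[0] != 'c'))
            throw new FormatException("not an encoded SharePoint claim: " + encoded);
        var claim = new EncodedClaim
        {
            IsIdentityClaim = header[0] == 'i',
            ClaimTypeCode = header[3], ValueTypeCode = header[4], IssuerCode = header[5]
        };
        bool hasProvider = claim.IssuerCode != 'w' && claim.IssuerCode != 's';
        int valueAt = hasProvider ? 2 : 1;
        if (parts.Length <= valueAt) throw new FormatException("missing claim value: " + encoded);
        claim.ProviderName = hasProvider ? parts[1] : "";
        claim.Value = string.Join("|", parts, valueAt, parts.Length - valueAt);   // a value may itself contain '|'
        return claim;
    }

    // Two logins are the same SharePoint principal only if issuer, provider and value all match.
    public bool SamePrincipalAs(EncodedClaim other)
    {
        return IssuerCode == other.IssuerCode
            && string.Equals(ProviderName, other.ProviderName, StringComparison.OrdinalIgnoreCase)
            && string.Equals(Value, other.Value, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        var windows = Parse(@"i:0#.w|contoso\user1");                 // constructed sample values
        var forms = Parse("i:0#.f|customdbusersmp|user1");
        var role = Parse("c:0-.f|customdbusersrp|DynamicAdmins");
        foreach (var c in new[] { windows, forms, role })
            Console.WriteLine("identity={0} type={1} issuer={2} provider='{3}' value='{4}'",
                c.IsIdentityClaim, c.ClaimTypeCode, c.IssuerCode, c.ProviderName, c.Value);
        // The same person signed in through Windows and through FBA: two distinct principals,
        // so permissions granted to one do not apply to the other.
        Console.WriteLine("same principal: " + windows.SamePrincipalAs(forms));
    }
}
```

The SamePrincipalAs check is the point of the mixed-mode warning later in the deck: a user policy or site permission granted to the Windows identity of user1 says nothing about the FBA identity of user1, even though the person behind both is the same.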
Claims Based Authentication
• Windows Claims
  • In the Windows claims mode sign in, SharePoint Server authenticates the
    client using standard Integrated Windows authentication (NTLM/Kerberos)
    and then translates the resulting Windows Identity into a claims identity.

• Forms-Based Authentication Claims
  • In forms-based authentication claims mode, SharePoint Server redirects the
    client to a login page hosting the standard ASP.NET login controls. The page
    authenticates the client using the ASP.NET membership provider, similar to
    the way in which forms-based authentication functions in Office SharePoint
    Server 2007. After the identity object that represents the user is created,
    SharePoint Server will then translate this identity to a claims identity object.

• SAML-Claims
  • In SAML claims mode, SharePoint Server accepts SAML tokens from a trusted
    external Security Token Service (STS), often known as a claims provider trust.
    A user who attempts to log in is directed to an external claims provider (for
    example, the Windows Live ID claims provider) which authenticates the user and
    produces a SAML token. SharePoint Server accepts and processes this token,
    augmenting the claims and creating a claims identity object for the user.
What!?
Claims Allows Mixed Mode
• A single Web Application that uses Claims Based Authentication can support
  multiple modes of authentication simultaneously (not extended, only using
  Default Zone)
• Mixed Mode authentication:
   • single login page for both Windows and FBA users
   • ***Windows Identity and FBA Identity are 2 different identities, even if the actual
     identity in the background is the same***
Mixed Mode Pros/Cons
• CONS:
  • (-) No more transparent Auth. in an Intranet Environment
     • sign in required, custom solution available here:
          •   SharePoint 2010: transparent login with mixed authentication
              http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx

  • (-) Tricky to build custom login pages for Mixed Mode
  • (-) Always presented with choice for users (when there really is no
    choice since have only 1 identity), can confuse non-technical
    users

• PROS:
  • (+) Only one web.config file to make changes in
  • (+) Email alerts sent by SharePoint have only 1 url to manage
  • (+) Sending links to documents or pages (manually or maybe
    using quick links) have only 1 url
FBA in SP2010
FOCUS: FBA in SP2010
• Must use Claims Based Authentication to use FBA
• STS manages Claims, Tokens, etc.
• Components to build:
  •   Membership Provider
  •   Role Provider
  •   Custom Login Pages
  •   Custom Login Web Part
SP 2010 FBA Basics
• First Web Application created should always handle Windows
  Authentication (can add FBA for mixed mode if necessary)
  • Default Zone: support Windows Auth (integrated or basic)
  • for search crawl, strong authentication, easier administration
    (Office 2010, SPDesigner, Remote Access)


• If not using mixed mode, and dedicated FBA site wanted
  (typical scenario), extend the Web Application, choose new
  zone (internet, extranet, custom)
CODE: Membership Provider
• Specify ASP.NET Membership provider name (REQUIRED)
  • 2 built-in OOB Providers:
     • LDAP/AD: ActiveDirectoryMembershipProvider
     • MSSQL: System.Web.Security.SqlMembershipProvider
       (extensive documentation for this available on internet)
  • Custom:
     • any custom .NET class inheriting MembershipProvider base class
     • must override certain functions for SharePoint:
        • FindUsersByEmail, FindUsersByName, GetAllUsers, GetUser (2 overloads),
          GetUserNameByEmail, ValidateUser
     • can connect to any identity repository available that .NET code can
       access (ex. Oracle, Facebook, Twitter, SQL Server, XML File, Sqlite,
       etc.)
     • add .NET class to GAC or local web application BIN folder
     • Can be deployed as a solution (WSP) easily to either GAC or BIN
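An added example of such a provider (not the deck's Providers.cs) that implements the members listed above and refuses the rest. The user table is constructed in memory to stand in for the deck's CustomDbUsersLists SQL table, so the block runs on its own; the sample users, e-mail addresses and passwords are made up. The two points it adds to the slide are that passwords should exist in the repository only as salted, iterated hashes (PBKDF2 via Rfc2898DeriveBytes here), and that ValidateUser should neither short-circuit on an unknown user nor compare hashes with an early-exit equality, so a caller cannot tell user enumeration or partial matches from timing.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;

// Added example (not the deck's Providers.cs). The user table is constructed in memory in
// place of the CustomDbUsersLists SQL table; passwords exist only as salted PBKDF2 hashes.
public class CustomDbUsersMembershipProvider : MembershipProvider
{
    private sealed class UserRow { public string Name, Email; public byte[] Salt, Hash; }
    private const int Iterations = 10000, SaltBytes = 16, HashBytes = 32;
    private static readonly Dictionary<string, UserRow> Store = Seed();   // constructed sample rows
    private static Dictionary<string, UserRow> Seed()
    {
        var s = new Dictionary<string, UserRow>(StringComparer.OrdinalIgnoreCase);
        foreach (var u in new[] { new[] { "user1", "user1@example.test", "Passw0rd!" },
                                  new[] { "user2", "user2@example.test", "correct horse battery" } })
        {
            var salt = new byte[SaltBytes];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
            s[u[0]] = new UserRow { Name = u[0], Email = u[1], Salt = salt, Hash = Pbkdf2(u[2], salt) };
        }
        return s;
    }
    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(HashBytes);
    }
    // Touch every byte whatever the outcome, so timing does not reveal how long the matching prefix was.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Called by the STS when the login page calls SPClaimsUtility.AuthenticateFormsUser.
    public override bool ValidateUser(string username, string password)
    {
        UserRow row;
        if (string.IsNullOrEmpty(username) || password == null || !Store.TryGetValue(username, out row))
        {
            Pbkdf2(password ?? "", new byte[SaltBytes]);   // unknown user costs the same KDF work as a wrong password
            return false;
        }
        return FixedTimeEquals(Pbkdf2(password, row.Salt), row.Hash);
    }

    // User resolution: people picker, user policy, site collection administrator.
    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        UserRow row;
        return username != null && Store.TryGetValue(username, out row) ? ToMembershipUser(row) : null;
    }
    public override MembershipUser GetUser(object providerUserKey, bool userIsOnline) { return GetUser(providerUserKey as string, userIsOnline); }
    public override string GetUserNameByEmail(string email)
    {
        foreach (var row in Store.Values)
            if (string.Equals(row.Email, email, StringComparison.OrdinalIgnoreCase)) return row.Name;
        return null;
    }
    // The people picker appends the PeoplePickerWildcard ("%") to the typed text: treat it as a prefix search.
    public override MembershipUserCollection FindUsersByName(string match, int page, int size, out int total) { return Find(r => HasPrefix(r.Name, match), page, size, out total); }
    public override MembershipUserCollection FindUsersByEmail(string match, int page, int size, out int total) { return Find(r => HasPrefix(r.Email, match), page, size, out total); }
    public override MembershipUserCollection GetAllUsers(int page, int size, out int total) { return Find(r => true, page, size, out total); }
    private static bool HasPrefix(string value, string pattern) { return value.StartsWith((pattern ?? "").TrimEnd('%', '*'), StringComparison.OrdinalIgnoreCase); }
    private MembershipUserCollection Find(Predicate<UserRow> test, int pageIndex, int pageSize, out int totalRecords)
    {
        var matches = new List<UserRow>();
        foreach (var row in Store.Values) if (test(row)) matches.Add(row);
        totalRecords = matches.Count;
        var result = new MembershipUserCollection();
        for (int i = pageIndex * pageSize; i < matches.Count && i < (pageIndex + 1) * pageSize; i++)
            result.Add(ToMembershipUser(matches[i]));
        return result;
    }
    private MembershipUser ToMembershipUser(UserRow r)
    {
        return new MembershipUser(Name, r.Name, r.Name, r.Email, null, null, true, false,
            DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue);
    }

    // Not used by SharePoint sign-in: state the policy honestly and refuse writes rather than silently succeed.
    public override string ApplicationName { get; set; }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return true; } }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int PasswordAttemptWindow { get { return 10; } }
    public override int MinRequiredPasswordLength { get { return 8; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 0; } }
    public override string PasswordStrengthRegularExpression { get { return ""; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
    public override int GetNumberOfUsersOnline() { return 0; }
    public override MembershipUser CreateUser(string u, string p, string e, string q, string a, bool ok, object key, out MembershipCreateStatus s) { throw new NotSupportedException(); }
    public override bool ChangePassword(string u, string oldP, string newP) { throw new NotSupportedException(); }
    public override bool ChangePasswordQuestionAndAnswer(string u, string p, string q, string a) { throw new NotSupportedException(); }
    public override string GetPassword(string u, string a) { throw new NotSupportedException(); }
    public override string ResetPassword(string u, string a) { throw new NotSupportedException(); }
    public override bool UnlockUser(string u) { throw new NotSupportedException(); }
    public override void UpdateUser(MembershipUser user) { throw new NotSupportedException(); }
    public override bool DeleteUser(string u, bool deleteAllRelatedData) { throw new NotSupportedException(); }
}
```

The same class is registered under one name (here CustomDbUsersMP) in the Central Administration, STS and web application web.config files; the STS is the process that actually calls ValidateUser, the others only resolve users.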
CODE: Role Provider
• Specify ASP.NET Role manager name (OPTIONAL):
  • 1 Built-in OOB Provider:
     • MSSQL: System.Web.Security.SqlRoleProvider
     • LDAP/AD Role Provider available at codeproject.com
  • Custom:
     • similar to Membership provider:
        • any custom .NET class inheriting RoleProvider base class
         • must override certain functions for SharePoint:
            • GetUsersInRole, IsUserInRole, GetAllRoles, FindUsersInRole, GetRolesForUser,
              RoleExists
        • can connect to any identity repository available that .NET code can access
          (ex. Oracle, Facebook, Twitter, SQL Server, XML File, Sqlite, etc.)
        • add .NET class to GAC or local web application BIN folder
        • Can be deployed as a solution (WSP) easily to either GAC or BIN
     • dynamic roles can be created that users can slide in and out in real
       time without manual intervention by admin (ex. admin role based on
       a DB field)
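An added example of the dynamic role described above (not the deck's Providers.cs): a RoleProvider whose single role, DynamicAdmins, is computed from an isadmin flag instead of a role table. The flag values are a constructed in-memory stand-in for the isadmin column of CustomDbUsersLists. One caveat the slide does not state: SharePoint reads the roles when the STS builds the user's claims token, so flipping the flag takes effect at the next token issue (next sign-in or token refresh), not inside an already issued session.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Added example (not the deck's Providers.cs): one dynamic role derived from isadmin.
public class CustomDbUsersRoleProvider : RoleProvider
{
    public const string DynamicAdminsRole = "DynamicAdmins";

    // user -> isadmin; constructed sample data standing in for the SQL column.
    private static readonly Dictionary<string, int> IsAdmin =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) { { "user1", 1 }, { "user2", 0 }, { "user3", 0 } };

    private static bool IsAdminUser(string username)
    {
        int flag;
        return username != null && IsAdmin.TryGetValue(username, out flag) && flag == 1;
    }

    public override string ApplicationName { get; set; }

    // Called by the STS while building the claims token: role claims are fixed for the token's lifetime.
    public override string[] GetRolesForUser(string username)
    {
        return IsAdminUser(username) ? new[] { DynamicAdminsRole } : new string[0];
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return RoleExists(roleName) && IsAdminUser(username);
    }

    public override bool RoleExists(string roleName)
    {
        return string.Equals(roleName, DynamicAdminsRole, StringComparison.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles() { return new[] { DynamicAdminsRole }; }

    public override string[] GetUsersInRole(string roleName)
    {
        var users = new List<string>();
        if (RoleExists(roleName))
            foreach (var kv in IsAdmin) if (kv.Value == 1) users.Add(kv.Key);
        return users.ToArray();
    }

    // The people picker passes the typed text plus the PeoplePickerWildcard; treat it as a prefix.
    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        string prefix = (usernameToMatch ?? "").TrimEnd('%', '*');
        var users = new List<string>();
        foreach (var u in GetUsersInRole(roleName))
            if (u.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) users.Add(u);
        return users.ToArray();
    }

    // Membership is data-driven, so the write operations are refused rather than faked.
    public override void CreateRole(string roleName) { throw new NotSupportedException("roles are derived from the isadmin column"); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

In SharePoint the role shows up as the encoded claim c:0-.f|customdbusersrp|DynamicAdmins (with the provider name you register in web.config), and can be granted permissions in the people picker like any group.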
XML: Web.config changes
• 3 web.config files (at a minimum) to be changed:
  • Central Administration (CA)
  • Security Token Service (STS)
  • Web Application (WA) that will be used to authenticate FBA users
     • may have more than one WA requiring changes, depending on
       configuration
XML: Central Admin Changes
• CA Changes:
  • Location: C:\inetpub\wwwroot\wss\VirtualDirectories\###
  • PeoplePickerWildcard (Optional):
      • add key = “Membership Provider Name”
      • add value = a wild card, ex. “%” for SQL, “*” for AD/LDAP
      • Optional because depends on implementation of Membership Provider search function
        implementation



  • ConnectionStrings (Optional):
      • add connectionstring here if membership or role providers require database connectivity
      • Optional because depends on implementation of Membership and Role Provider
        functions
  • Appsettings (Optional):
      • add any custom application settings that are required by the Membership and Role
        Provider.
XML: CA Changes (cont.)
 • membership, role:
    • requires strong name of assembly if installed in GAC (typical)
       •   can use gacutil.exe (part of .NET SDK), or GacView.exe (available here:
           http://www.nirsoft.net/dot_net_tools/gac_viewer.html)
    • Central Administration by default uses Classic Mode Authentication, so Claims providers
      are missing
    • Only need to add the custom Providers (Membership and Role) as shown below, very
      reminiscent of WSS 3.0 and MOSS 2007.
XML: STS Changes
• Location:
   •   C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config

• STS uses Claims Based Authentication, so default Membership and Role Provider are
  built-in Claims.
• Add the custom Membership and Role providers inside <membership> and <roleManager>
  under <system.web> (this whole section is usually missing from the STS web.config and
  needs to be added)
• Now STS can authenticate FBA users, and convert FBA identities to Claims identities.
• Add ConnectionStrings, AppSettings if needed (PeoplePickerWildcard not needed).
XML: WA Changes
•   PeoplePickerWildcards
•   ConnectionStrings
•   AppSettings
•   Membership and Role Provider:
    • FBA Web Application is Claims Based, so default providers are built-in
      Claims
    • Same changes as STS
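The three kinds of change above (connection string, people picker wildcard, provider registration) as one added web.config fragment. It is not the deck's file: the provider type names, the assembly name FBAAddOns and the PublicKeyToken are placeholders, and the comments mark which parts belong in which of the three files.

```xml
<!-- Added fragment, not the deck's own web.config. Type names, assembly name and
     PublicKeyToken are placeholders for the FBAAddOns solution. -->
<configuration>
  <connectionStrings>
    <!-- Integrated security keeps the SQL password out of the file; the STS and web
         application app pool identities must then be granted access in SQL Server.
         If a SQL login is unavoidable, encrypt this section (aspnet_regiis -pe
         connectionStrings) on every front end rather than leaving it in the clear. -->
    <add name="CustomDbUsers"
         connectionString="Data Source=SQL01;Initial Catalog=CustomDbUsers;Integrated Security=SSPI" />
  </connectionStrings>
  <SharePoint>
    <!-- Central Administration and web application web.config only (not the STS):
         "%" is what the provider's Find* methods treat as "anything". -->
    <PeoplePickerWildcards>
      <add key="CustomDbUsersMP" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
  <system.web>
    <!-- STS web.config: this <system.web> block is absent and is added as written here.
         Claims web application web.config: <membership defaultProvider="i"> and
         <roleManager defaultProvider="c"> already exist for the built-in claims providers;
         keep those defaults and add only the <add .../> lines. -->
    <membership>
      <providers>
        <add name="CustomDbUsersMP"
             type="FBAAddOns.CustomDbUsersMembershipProvider, FBAAddOns, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000"
             connectionStringName="CustomDbUsers" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add name="CustomDbUsersRP"
             type="FBAAddOns.CustomDbUsersRoleProvider, FBAAddOns, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000"
             connectionStringName="CustomDbUsers" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The provider names (CustomDbUsersMP, CustomDbUsersRP) must be identical in all three files: they are what you type into the Authentication Providers page for the zone, and what SharePoint embeds in the encoded claim (i:0#.f|customdbusersmp|user1).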
Adding User Policy
• CA web.config was updated so FBA users can be added as:
  • site collection administrator
  • “full control” user policy to manage FBA site
• This is necessary for the first (admin) FBA user to login to
  SharePoint Site and assign other permissions

• Adding Policy:
  •   Open Web Application Settings in CA
  •   Select the Web Application, click “User Policy” button in Ribbon
  •   Click “add users” in modal/dialog window
  •   Choose either All Zones or the Zone the FBA web application uses
  •   Find the user using the people picker, check “Full Control”, and
      save
Application Pool Identity Permissions
• Database and other Resource Permissions:
  • SQL Server:
     • Not to worry if connection string to database that Providers use is
       SQL Account (not Windows Account) (mixed mode auth in DB
       enabled).
     • However, if integrated mode is used, then the web application
       identity must have access to the database, and anonymous access in
       IIS can complicate this
  • Other repositories:
     • Same issue, identity of application pool needs access to the
       resources
Typical Login Scenarios
• Windows Authentication:
  • Windows Popup
    (with or without domain name)


• FBA:
  • OOB Login Page (built-in, can update, override, or replace)
  • Custom Login Page (regular ASP.NET Page, fully customizable)
      • anonymous access not required if login page does not use SharePoint Master Page
  • Custom Login Web Part (SharePoint Web Part or Visual Web Part)
      • added to a web part page
      • anonymous access required to get to web part page
  • PROS:
      • can take over the login process, and extend OOB with features like:
         •   adding a CAPTCHA
         •   any custom code action/event (logging, automation, syncing, etc.)
         •   custom redirecting (targeted content, 3rd party identity management: OpenID)
         •   Site Agreements, Information Policies: agreements, privacy, EULA, etc.
         •   Multi-Factor authentication: using SMS, tokens, etc.
Custom Login Page/Web Part
• SharePoint 2007 (and older):
  • uses the System.Web.Security.FormsAuthentication class to handle
    building the ticket and redirecting.
• SharePoint 2010:
  • uses the Microsoft.SharePoint.IdentityModel assembly (SPClaimsUtility) to handle
    Claims authentication
  • DLL is already loaded in GAC in Foundation 2010, need path to DLL
    (in assembly) to add to Visual Studio as a Reference
      •   Use Gacview.exe (previously mentioned) to get path to DLL
• Login page can be either:
      • Custom Application Page (Visual Studio 2010 SharePoint Project:
        Application Page)
      • Custom Web Part (Visual Studio 2010 SharePoint Project: Web Part or
        Visual Web Part) (added to web part page in SharePoint)
• Login page “asks” STS to authenticate user using
  IdentityModel.SPClaimsUtility.AuthenticateFormsUser function.
Custom Login Page/Web Part
• Specify login page for web application by:
  •   Open CA, Application Management, Manage Web Apps
  •   Select the web application
  •   Click “Authentication Providers” in the ribbon
  •   Select the Zone that uses FBA
  •   In the section named “Sign In Page URL”, choose “Custom Sign In Page”
  •   Enter the URL of the custom page:
       • ex: /_layouts/fbaaddons/custloginoob.aspx
       • can also be a web part page in a SharePoint site, but site would need anonymous access
         turned on
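An added example of the application-page code-behind described above (not the deck's custloginoob.aspx), for a page registered as the zone's custom sign-in page. The control IDs (txtUser, txtPassword, chkAgree, lblError) and the policy-agreement checkbox are assumptions. SPClaimsUtility.AuthenticateFormsUser is the real SharePoint 2010 call; the two details added are a single generic failure message, and a check on ReturnUrl so the page cannot be used as an open redirector to a phishing site after a successful login.

```csharp
using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint.IdentityModel;   // Microsoft.SharePoint.IdentityModel.dll, referenced from the GAC
using Microsoft.SharePoint.WebControls;

// Added example: code-behind for /_layouts/fbaaddons/custloginoob.aspx (page and control
// names assumed). Deriving from UnsecuredLayoutsPageBase lets the page render without the
// site's master page, so it is reachable with anonymous access turned off.
public class CustLoginPage : UnsecuredLayoutsPageBase
{
    protected TextBox txtUser, txtPassword;
    protected CheckBox chkAgree;
    protected Label lblError;

    protected override bool AllowAnonymousAccess { get { return true; } }   // the login page itself must be open

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!chkAgree.Checked)
        {
            lblError.Text = "You must accept the site policy to sign in.";
            return;
        }

        // Hands the credentials to the STS, which calls the zone's membership provider
        // (ValidateUser) and on success writes the FedAuth cookie for this web application.
        bool ok = SPClaimsUtility.AuthenticateFormsUser(Request.Url, txtUser.Text, txtPassword.Text);
        if (!ok)
        {
            lblError.Text = "The user name or password is incorrect.";   // never say which
            return;
        }

        Response.Redirect(SafeReturnUrl(Request.QueryString["ReturnUrl"]), true);
    }

    // Follow ReturnUrl only when it is a path on this site. An absolute URL
    // ("http://evil.example/...") or a protocol-relative one ("//evil.example",
    // "/\evil.example") would send a freshly authenticated user off-site.
    internal static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)
            || !returnUrl.StartsWith("/") || returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\"))
            return "/";
        return returnUrl;
    }
}
```

The same btnLogin_Click body works inside a Visual Web Part on a web part page; the difference is only that the web part page needs anonymous access on the site, as the slide notes.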
Putting it together
• Visual Studio 2010:
  • Empty SharePoint 2010 Project – FBAAddOns
     • Class: Providers.cs
     • Web Parts:
        • Login Web Part
     • Application Pages:
        • Login Web Page
        • OpenID Web Page
     • Reference: DotNetOpenAuth.dll


• Demo:
  • Creating the above…
OpenID
SharePoint 2010 and OpenID
Identities in the Cloud!
• 3rd party Identity Management
• Decentralized Authentication
• Internet Drivers License
  http://www.codinghorror.com/blog/2010/11/your-internet-drivers-license.html

• Common Internet Implementations:
  • Facebook, Google, OpenID, Twitter
• Academic:
  • Yale CAS (central authentication service)
  • Shibboleth
• Identity is known (username, email, etc.)
• Password is not
OpenID Explained
• One billion OpenID enabled user accounts and over 50,000 websites accepting
  OpenID for logins.
• Several large organizations either issue or accept OpenIDs, including Google,
  Facebook, Yahoo!, Microsoft, AOL, MySpace, Sears, Universal Music Group,
  France Telecom, Novell, Sun, Telecom Italia, and many more.
• Concepts:
   • Identity Provider (server, service provider):
       • owns the identity
       • confirms the identity with participating web sites (assertions)
       • maintain multiple “profiles” under one identity
   • Relying Party (client, consumer)
       • requests identity from Identity Provider
       • uses identity
       • maps identity to internal identity (whitelist of users)
   • OpenID Identifier: is the url or xri chosen by the end-user to name the end-user's
     identity (ex: http://bandrben.myopenid.com)
• Resources:
   • http://openid.net
   • http://www.dotnetopenauth.net/
OpenID Pros/Cons
• PROS:
  • Accelerate signup process: users can use existing identities, less
    reluctant to create new identity
  • Reduce Frustration Associated with Maintaining Multiple Usernames
    and Passwords
  • Gain Greater Control Over Your Online Identity (You control how
    much personal information you choose to share with websites that
    accept OpenIDs)
  • Minimize Password Security Risks
  • Yo! It’s the Cloud!

• CONS:
  • No repository of users that is searchable, complicates things in SP
  • User Profile Synchronization is not supported: no repository of users
    to sync, custom solutions will need to be built
  • Membership provider will be Validating User without a password?!?
  • code, code, code (scares management :P)
Enough BS, Let's see some examples!
Welcome to SPDevMutts.com
• Web Application and Zones:
  • Default: 881: Mixed Mode Claims Based Authentication:
      • Windows Authentication & FBA Authentication (custom membership and role
        providers)
      • No anonymous access
      • Dynamic roles
  • Internet: 882: FBA Claims Based Authentication:
      •   FBA Only (custom membership and role providers)
      •   Uses custom login page
      •   No anonymous access
      •   Dynamic roles
  • Custom: 883: FBA Claims Based Authentication:
      •   FBA Only (custom membership and role providers)
      •   Uses custom login page: web part page, uses custom login web part
      •   Anonymous access enabled
      •   Dynamic roles
  • Extranet: 884: FBA Claims Based Authentication:
      • FBA Only (custom membership and role providers)
      • Uses custom OpenID Provider, custom login page, can authenticate to local Identity
        Provider and http://www.myopenid.com
      • No anonymous access
1. Mixed Mode Claims Based Auth
• Default Zone, port 881
• Uses Windows Authentication
• Uses FBA, providers:
  • Membership: CustomDbUsersMP

     • custom SQL Server table: CustomDbUsersLists
     • custom Dynamic data application to manage users (L2S)
     • users: user1, user2, user3
  • Role: CustomDbUsersRP
     • custom C# code: 1 role, name = “DynamicAdmins”
     • Table “CustomDbUsersLists” has a column “isadmin” (int)
     • if user record “isadmin”=1, then IS member of role
• No anonymous access
• No custom login page
2. FBA Claims Based Auth
• Internet Zone, port 882
• Uses FBA only, providers:
  • Membership: CustomDbUsersMP
  • Role: CustomDbUsersRP
• No anonymous access

• Custom login page
  • url: /_layouts/fbaaddons/custloginoob.aspx
  • includes a mandatory “policy agreement” before logging in
3. FBA Claims Based Auth
• Custom Zone, port 883
• Uses FBA only, providers:
  • Membership: CustomDbUsersMP
  • Role: CustomDbUsersRP
• Anonymous access enabled


  • (in CA WA settings, and WA site settings)
• Custom login page
  •   url: /Custom%20Pages/CustomLogin.aspx
  •   Custom login web part
  •   added to a standard SharePoint web part page
  •   includes a mandatory “policy agreement” before logging in
4. FBA Claims Based Auth
• Extranet Zone, port 884
• Uses FBA only, providers:
   • Membership: MyOpenIDWhiteListMP
       • custom SQL Server table: MyOpenIDWhiteList
       • custom Dynamic data application to manage users (L2S)
       • table acts as whitelist/mapping
         (needed for membership provider
         to resolve user to add to SharePoint)
       • users:
           •   fake: bob1, bob2, bob3
          •   real: bandrben
   • Role: [none]
• No anonymous access
• Custom login page
    • url: /_layouts/fbaaddons/CustLoginOpenID.aspx
        • uses DotNetOpenAuth.dll (added to BIN not GAC)
        • requires elevated trust in WA web.config (FULL): this raises the trust level for
          every assembly in that web application's BIN, so prefer deploying the DLL to the
          GAC (full trust for that assembly only) unless there is a reason not to
   • enter OpenID url
       • use either: http://www.myopenid2.com/user.aspx/bob1 (local)
       • or, http://bandrben.myopenid.com (real)
ValidateUser for OpenID
• How to implement the ValidateUser(username, password)
  function in the MembershipProvider class?
  • used to authenticate the user
  • both parameters are required by the base class signature, but OpenID never
    gives the relying party a password
  • OPTION 1: blank password / skip password evaluation:
     • poor security: anyone can log in as any whitelisted user through another web
       application's login page, web services, REST, the Client OM, etc.
  • OPTION 2: username + salt + AES/3DES/SHA/MD5
     • Custom Login page calls:
        • SPClaimsUtility.AuthenticateFormsUser(Request.Url, username, password)
        • STS calls Membership.ValidateUser(username, password)
        • password transmitted should be: aesEncrypt(username + salt)
     • Membership.ValidateUser(u, p) implementation:
        • recreate the expected value by applying the same algorithm to u
        • compare, should be the same
     • caveat: that value is the same on every login and never expires, so it is a
       static shared secret; anyone who learns it (or the key and salt) can sign in as
       that user from any endpoint, with or without OpenID. Make it single-use and
       short-lived (nonce plus expiry under a keyed MAC) and mint it only after the
       OpenID assertion has been verified.
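An added example (not the deck's MyOpenIDWhiteListMP) of a hardened form of option 2. It keeps the same call shape, AuthenticateFormsUser(url, username, ticket) followed by ValidateUser(username, ticket), but the ticket is a one-time, short-lived HMAC ticket that the login page mints only after DotNetOpenAuth has reported a verified OpenID assertion and the identifier has been mapped to a user through the whitelist. The key, the 60-second lifetime and the nonce store are assumptions; because the web application and the STS run in different processes, a real deployment must keep the used-nonce list in a shared table (for example next to the whitelist), not in static memory as here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: one-time login ticket passed as the "password" for OpenID users.
// Ticket = base64( username | issuedUtcTicks | nonce | HMAC-SHA256(username|ticks|nonce) ).
public static class OpenIdLoginTicket
{
    // Shared between the WA and STS web.config (assumed appSettings key "OpenIdTicketKey").
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-a-32-byte-random-secret!");
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);
    private static readonly HashSet<string> UsedNonces = new HashSet<string>();   // demo only; use a shared table
    private static readonly object Gate = new object();

    // Login page: called after the OpenID assertion is verified and the identifier is whitelisted.
    public static string Mint(string username, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(username) || username.Contains("|")) throw new ArgumentException("bad user name");
        var nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonce);
        string body = username + "|" + utcNow.Ticks + "|" + Convert.ToBase64String(nonce);
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(body + "|" + Mac(body)));
    }

    // Membership provider: the body of ValidateUser(username, password) with the ticket as password.
    public static bool Validate(string username, string ticket, DateTime utcNow)
    {
        string[] parts;
        try { parts = Encoding.UTF8.GetString(Convert.FromBase64String(ticket ?? "")).Split('|'); }
        catch (FormatException) { return false; }
        if (parts.Length != 4 || !string.Equals(parts[0], username, StringComparison.OrdinalIgnoreCase)) return false;

        string body = parts[0] + "|" + parts[1] + "|" + parts[2];
        if (!FixedTimeEquals(Mac(body), parts[3])) return false;             // integrity first: bound to this user

        long ticks;
        if (!long.TryParse(parts[1], out ticks)) return false;
        var issued = new DateTime(ticks, DateTimeKind.Utc);
        if (issued > utcNow || utcNow - issued > Lifetime) return false;     // expired, or clock games

        lock (Gate)                                                          // single use, even within the lifetime
        {
            if (UsedNonces.Contains(parts[2])) return false;
            UsedNonces.Add(parts[2]);
        }
        return true;
    }

    private static string Mac(string body)
    {
        using (var h = new HMACSHA256(Key)) return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(body)));
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string ticket = Mint("bob1", now);                                    // bob1: a constructed whitelist user
        Console.WriteLine(Validate("bob1", ticket, now));                     // first use of a fresh ticket
        Console.WriteLine(Validate("bob1", ticket, now));                     // replay of the same ticket
        Console.WriteLine(Validate("bob2", Mint("bob1", now), now));          // ticket minted for a different user
        Console.WriteLine(Validate("bob1", Mint("bob1", now), now.AddMinutes(5)));   // ticket past its lifetime
    }
}
```

Because the STS still ends up calling ValidateUser, every other path into the web application (web services, REST, the Client OM) gets the same protection for free: without a fresh ticket from the OpenID login page there is nothing a caller can present.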
Future Considerations
• User Profiles:
  • Either, custom sync timer job or integration with User Profile Sync
    Service Application
  • or, handle on login, when resolving with WhiteList/Mapping
• WhiteList/Mapping application: for managing identities of
  users coming from 3rd party providers (Cloud)
• Client application integration (MS Office 2010)
• Configuring Search, Alternate Access Mappings
Questions? Thanks!
• For Source Code & Presentation: http://sp2010claimsfbaexs.codeplex.com/
• For Clippy: http://spclippy.codeplex.com/
• Presentation: http://www.slideshare.net/njitben/sharepoint-2010-custom-authentication-providers
• For more information:
   • @njitben
   • bsteinhauser@bandrsolutions.com
   • http://www.bandrsolutions.com

• References
   •   MOSS 2007
         • http://www.codeproject.com/KB/sharepoint/FBA.aspx
         • http://www.devcow.com/blogs/jdattis/archive/2007/02/23/Office-SharePoint-Server-2007-Forms-Based-Authentication-FBA-Walkthrough-Part-1.aspx
         • http://msdn.microsoft.com/en-us/library/bb975135(v=office.12).aspx
   •   SP 2010:
         • http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
         • http://technet.microsoft.com/en-us/library/cc262350.aspx
         • http://blogs.msdn.com/b/chunliu/archive/2010/08/21/creating-a-custom-login-page-for-fba-in-sharepoint-2010.aspx
         • http://blogs.msdn.com/b/pranab/archive/2010/07/26/how-to-create-custom-login-form-for-sharepoint-2010-form-based-authentication.aspx
         • http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
         • http://www.mssharepointtips.com/tip.asp?id=1093&page=3
   •   OpenID
         • http://www.dotnetopenauth.net/
         • http://www.codinghorror.com/blog/2010/11/your-internet-drivers-license.html
Our Sponsors

Contenu connexe

En vedette

Self instroduction
Self instroductionSelf instroduction
Self instroductionYetta Chen
 
Chuva de novembro marcia portella
Chuva de novembro marcia portellaChuva de novembro marcia portella
Chuva de novembro marcia portellaLuzia Gabriele
 
Tutoriel installer un diaporama flick r sur sa page facebook
Tutoriel   installer un diaporama flick r sur sa page facebookTutoriel   installer un diaporama flick r sur sa page facebook
Tutoriel installer un diaporama flick r sur sa page facebookPays Médoc
 
British Press Photographers Association: Assignments 2016
British Press Photographers Association: Assignments 2016British Press Photographers Association: Assignments 2016
British Press Photographers Association: Assignments 2016maditabalnco
 
Module outline itd dmzjan2015
Module outline itd dmzjan2015Module outline itd dmzjan2015
Module outline itd dmzjan2015G-ny Gynie
 
Cluster policy in Russia: similarity and uniqueness
Cluster policy in Russia: similarity and uniqueness Cluster policy in Russia: similarity and uniqueness
Cluster policy in Russia: similarity and uniqueness Evgeny Kutsenko
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Michael Roytman
 

En vedette (10)

Welcome to pe
Welcome to peWelcome to pe
Welcome to pe
 
Self instroduction
Self instroductionSelf instroduction
Self instroduction
 
奧地利之行
奧地利之行奧地利之行
奧地利之行
 
Chuva de novembro marcia portella
Chuva de novembro marcia portellaChuva de novembro marcia portella
Chuva de novembro marcia portella
 
Tutoriel installer un diaporama flick r sur sa page facebook
Tutoriel   installer un diaporama flick r sur sa page facebookTutoriel   installer un diaporama flick r sur sa page facebook
Tutoriel installer un diaporama flick r sur sa page facebook
 
British Press Photographers Association: Assignments 2016
British Press Photographers Association: Assignments 2016British Press Photographers Association: Assignments 2016
British Press Photographers Association: Assignments 2016
 
Module outline itd dmzjan2015
Module outline itd dmzjan2015Module outline itd dmzjan2015
Module outline itd dmzjan2015
 
Cluster policy in Russia: similarity and uniqueness
Cluster policy in Russia: similarity and uniqueness Cluster policy in Russia: similarity and uniqueness
Cluster policy in Russia: similarity and uniqueness
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
 
Amazing Journey
Amazing JourneyAmazing Journey
Amazing Journey
 

Dernier

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 


SharePoint 2010 Custom Authentication Providers

1. SharePoint 2010 Custom Authentication Providers
Benjamin Steinhauser
1/7/2012
SharePoint Saturday Virginia Beach

2. About Me!
• Name: Benjamin J. Steinhauser
• Position: SharePoint Solutions Developer
• Company: B&R Business Solutions
• BSCS, MSCS; MCP, MCTS
• 10+ years as ASP.NET Application Developer (C# and VB.NET) (yes, I admit it)
• Built many (!!!) applications, specialized in Emergency Management and Notification systems
• Lightweight SharePoint Developer since 2001
  • versions: SharePoint Portal Server 2001, Microsoft SharePoint 2003, Microsoft Office SharePoint Server 2007, Microsoft SharePoint Server 2010
• Went full-dev in SharePoint in 2010, loving it!

3. Topics
• Introduction to and using SharePoint 2010 Claims Based Authentication
• Typical web application authentication scenarios
• Typical web application login scenarios
• Building custom authentication providers (membership and role providers)
• Extending SharePoint Web Applications to multiple zones, each with its own provider
• Building custom Login pages and Login web parts
• Introduction to OpenID: 3rd Party Identity Management, or Identities in the “CLOUD”
• Examples!

4. SP Authentication Methods
• Classic Mode Authentication
  • traditional Windows Authentication, same as WSS 3.0, MOSS 2007
    • Windows Integrated (NTLM/Kerberos)
    • Basic (password in clear text! use SSL)
    • Anonymous
  • (-) No more FBA available when using Classic!
  • (+) Less confusing for simple Farms
• Claims Based Authentication
  • new for SP2010
  • built on Windows Identity Foundation (WIF)
  • everything is tokens, claims, identity provider, security token service
  • (+) All auth types are available
  • (-) woah, confusing

5. Claims Based Authentication
• Supported Authentication Methods:
  • Windows:
    • NTLM (Windows)
    • Kerberos
    • Anonymous
    • Basic
    • Digest
  • FBA:
    • LDAP
    • MS SQL Server or other
    • custom or 3rd party membership and role providers
  • SAML token-based auth.
    • Active Directory Federation Services (AD FS) 2.0
    • 3rd party identity provider
    • LDAP

6. Claims Based Authentication
• SharePoint Server 2010 automatically changes all user accounts to claims identities, resulting in a claims token for each user
• Claims Identifiers:
  • Windows: i:0#.w|domain\sAMAccountName
  • FBA: i:0#.f|customdbusersmp|user1
• The claims token contains the claims pertaining to the user
  • Windows accounts are converted into Windows claims.
  • Forms-based membership users are transformed into forms-based authentication claims
• Identity is stored in a security token, which contains one or more claims about the user
• Claims are meta-data for the user
• Access to SharePoint Server running in Claims Mode Authentication utilizes a Security Token Service (STS), which is essentially an authentication gateway to SharePoint Server that enables access for Windows Integrated Authentication, Forms Based Authentication and Trusted Claims Providers (TRUST).

7. Claims Based Authentication
• Windows Claims
  • In the Windows claims mode sign in, SharePoint Server authenticates the client using standard Integrated Windows authentication (NTLM/Kerberos) and then translates the resulting Windows Identity into a claims identity.
• Forms-Based Authentication Claims
  • In forms-based authentication claims mode, SharePoint Server redirects the client to a login page hosting the standard ASP.NET login controls. The page authenticates the client using the ASP.NET membership provider, similar to the way in which forms-based authentication functions in Office SharePoint Server 2007. After the identity object that represents the user is created, SharePoint Server translates this identity into a claims identity object.
• SAML Claims
  • In SAML claims mode, SharePoint Server accepts SAML tokens from a trusted external Security Token Service (STS), often known as a claims provider trust. A user who attempts to log in is directed to an external claims provider (for example, the Windows Live ID claims provider) which authenticates the user and produces a SAML token. SharePoint Server accepts and processes this token, augmenting the claims and creating a claims identity object for the user.

9. Claims Allows Mixed Mode
• A single Web Application that uses Claims Based Authentication can support multiple modes of authentication simultaneously (not extended, only using the Default Zone)
• Mixed Mode authentication:
  • single login page for both Windows and FBA users
• ***Windows Identity and FBA Identity are 2 different identities, even if the actual identity in the background is the same***

10. Mixed Mode Pros/Cons
• CONS:
  • (-) No more transparent Auth. in an Intranet Environment
    • sign in required, custom solution available here: SharePoint 2010: transparent login with mixed authentication http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
  • (-) Tricky to build custom login pages for Mixed Mode
  • (-) Users are always presented with a choice (when there really is no choice, since they have only 1 identity), which can confuse non-technical users
• PROS:
  • (+) Only one web.config file to make changes in
  • (+) Email alerts sent by SharePoint have only 1 url to manage
  • (+) Sending links to documents or pages (manually or maybe using quick links) involves only 1 url

12. FOCUS: FBA in SP2010
• Must use Claims Based Authentication to use FBA
• STS manages Claims, Tokens, etc.
• Components to build:
  • Membership Provider
  • Role Provider
  • Custom Login Pages
  • Custom Login Web Part

13. SP 2010 FBA Basics
• First Web Application created should always handle Windows Authentication (can add FBA for mixed mode if necessary)
• Default Zone: support Windows Auth (integrated or basic)
  • for search crawl, strong authentication, easier administration (Office 2010, SPDesigner, Remote Access)
• If not using mixed mode, and a dedicated FBA site is wanted (typical scenario), extend the Web Application and choose a new zone (internet, extranet, custom)

14. CODE: Membership Provider
• Specify ASP.NET Membership provider name (REQUIRED)
• 2 built-in OOB Providers:
  • LDAP/AD: ActiveDirectoryMembershipProvider
  • MSSQL: System.Web.Security.SqlMembershipProvider (extensive documentation for this available on the internet)
• Custom:
  • any custom .NET class inheriting the MembershipProvider base class
  • must override certain functions for SharePoint:
    • FindUsersByEmail, FindUsersByName, GetAllUsers, GetUser (2 overloads), GetUserNameByEmail, ValidateUser
  • can connect to any identity repository that .NET code can access (ex. Oracle, Facebook, Twitter, SQL Server, XML File, SQLite, etc.)
  • add .NET class to GAC or local web application BIN folder
  • Can be deployed as a solution (WSP) easily to either GAC or BIN

15. CODE: Role Provider
• Specify ASP.NET Role manager name (OPTIONAL):
• 1 Built-in OOB Provider:
  • MSSQL: System.Web.Security.SqlRoleProvider
  • LDAP/AD Role Provider available at codeproject.com
• Custom:
  • similar to Membership provider:
    • any custom .NET class inheriting the RoleProvider base class
    • must override certain functions for SharePoint:
      • GetUsersInRole, IsUserInRole, GetAllRoles, FindUsersInRole, GetRolesForUser, RoleExists
    • can connect to any identity repository that .NET code can access (ex. Oracle, Facebook, Twitter, SQL Server, XML File, SQLite, etc.)
    • add .NET class to GAC or local web application BIN folder
    • Can be deployed as a solution (WSP) easily to either GAC or BIN
  • dynamic roles can be created that users slide in and out of in real time without manual intervention by an admin (ex. admin role based on a DB field)

16. XML: Web.config changes
• 3 web.config files (at a minimum) to be changed:
  • Central Administration (CA)
  • Security Token Service (STS)
  • Web Application (WA) that will be used to authenticate FBA users
    • may have more than one WA requiring changes, depending on configuration

17. XML: Central Admin Changes
• CA Changes:
  • Location: C:\inetpub\wwwroot\wss\virtualdirectories\###
  • PeoplePickerWildcard (Optional):
    • add key = “Membership Provider Name”
    • add value = a wild card, ex. “%” for SQL, “*” for AD/LDAP
    • Optional because it depends on how the Membership Provider's search functions are implemented
  • ConnectionStrings (Optional):
    • add a connection string here if the membership or role providers require database connectivity
    • Optional because it depends on the implementation of the Membership and Role Provider functions
  • AppSettings (Optional):
    • add any custom application settings that are required by the Membership and Role Provider.

18. XML: CA Changes (cont.)
• membership, role:
  • requires the strong name of the assembly if installed in the GAC (typical)
  • can use gacutil.exe (part of the .NET SDK), or GacView.exe (available here: http://www.nirsoft.net/dot_net_tools/gac_viewer.html)
• Central Administration by default uses Classic Mode Authentication, so Claims providers are missing
• Only need to add the custom Providers (Membership and Role) as shown on the slide, very reminiscent of WSS 3.0 and MOSS 2007.

19. XML: STS Changes
• Location:
  • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config
• STS uses Claims Based Authentication, so the default Membership and Role Providers are the built-in Claims ones.
• Add the custom Membership and Role provider within the provider sections (this whole section is usually missing from the STS web.config and needs to be added)
• Now the STS can authenticate FBA users, and convert FBA identities to Claims identities.
• Add ConnectionStrings, AppSettings if needed (PeoplePickerWildcard not needed).

20. XML: WA Changes
• PeoplePickerWildcards
• ConnectionStrings
• AppSettings
• Membership and Role Provider:
  • FBA Web Application is Claims Based, so the default providers are the built-in Claims ones
  • Same changes as STS

21. Adding User Policy
• CA web.config was updated so FBA users can be added as:
  • site collection administrator
  • “full control” user policy to manage the FBA site
• This is necessary for the first (admin) FBA user to log in to the SharePoint Site and assign other permissions
• Adding Policy:
  • Open Web Application Settings in CA
  • Select the Web Application, click the “User Policy” button in the Ribbon
  • Click “add users” in the modal/dialog window
  • Choose either All Zones or the Zone the FBA web application uses
  • Find the user using the people picker, check “Full Control”, and save

22. Application Pool Identity Permissions
• Database and other Resource Permissions:
  • SQL Server:
    • Not to worry if the connection string to the database that the Providers use is a SQL Account (not a Windows Account) (mixed mode auth in DB enabled).
    • However, if integrated mode is used, then the web application identity must have access to the database, and anonymous access in IIS can complicate this
  • Other repositories:
    • Same issue, the identity of the application pool needs access to the resources

23. Typical Login Scenarios
• Windows Authentication:
  • Windows Popup (with or without domain name)
• FBA:
  • OOB Login Page (built-in, can update, override, or replace)
  • Custom Login Page (regular ASP.NET Page, fully customizable)
    • anonymous access not required if the login page does not use the SharePoint Master Page
  • Custom Login Web Part (SharePoint Web Part or Visual Web Part)
    • added to a web part page
    • anonymous access required to get to the web part page
  • PROS:
    • can take over the login process, and extend OOB with features like:
      • adding a CAPTCHA
      • any custom code action/event (logging, automation, syncing, etc.)
      • custom redirecting (targeted content, 3rd party identity management: OpenID)
      • Site Agreements, Information Policies: agreements, privacy, EULA, etc.
      • Multi-Factor authentication: using SMS, tokens, etc.

24. Custom Login Page/Web Part
• SharePoint 2007 (and older):
  • uses the System.Web.Security.FormsAuthentication class to handle building the ticket and redirecting.
• SharePoint 2010:
  • uses the Microsoft.SharePoint.IdentityModel class to handle Claims authentication
  • DLL is already loaded in the GAC in Foundation 2010; need the path to the DLL (in assembly) to add it to Visual Studio as a Reference
  • Use GacView.exe (previously mentioned) to get the path to the DLL
• Login page can be either:
  • Custom Application Page (Visual Studio 2010 SharePoint Project: Application Page)
  • Custom Web Part (Visual Studio 2010 SharePoint Project: Web Part or Visual Web Part) (added to a web part page in SharePoint)
• Login page “asks” the STS to authenticate the user using the IdentityModel.SPClaimsUtility.AuthenticateFormsUser function.

25. Custom Login Page/Web Part
• Specify the login page for a web application by:
  • Open CA, Application Management, Manage Web Apps
  • Select the web application
  • Click “Authentication Providers” in the ribbon
  • Select the Zone that uses FBA
  • In the section named “Sign In Page URL”, choose “Custom Sign In Page”
  • Enter the URL of the custom page:
    • ex: /_layouts/fbaaddons/custloginoob.aspx
    • can also be a web part page in a SharePoint site, but the site would need anonymous access turned on

26. Putting it together
• Visual Studio 2010:
  • Empty SharePoint 2010 Project – FBAAddOns
  • Class: Providers.cs
  • Web Parts:
    • Login Web Part
  • Application Pages:
    • Login Web Page
    • OpenID Web Page
  • Reference: DotNetOpenAuth.dll
• Demo:
  • Creating the above…

28. Identities in the Cloud!
• 3rd party Identity Management
• Decentralized Authentication
• Internet Drivers License http://www.codinghorror.com/blog/2010/11/your-internet-drivers-license.html
• Common Internet Implementations:
  • Facebook, Google, OpenID, Twitter
• Academic:
  • Yale CAS (central authentication service)
  • Shibboleth
• Identity is known (username, email, etc.)
• Password is not

29. OpenID Explained
• One billion OpenID enabled user accounts and over 50,000 websites accepting OpenID for logins.
• Several large organizations either issue or accept OpenIDs, including Google, Facebook, Yahoo!, Microsoft, AOL, MySpace, Sears, Universal Music Group, France Telecom, Novell, Sun, Telecom Italia, and many more.
• Concepts:
  • Identity Provider (server, service provider):
    • owns the identity
    • confirms the identity with participating web sites (assertions)
    • maintains multiple “profiles” under one identity
  • Relying Party (client, consumer):
    • requests identity from the Identity Provider
    • uses the identity
    • maps the identity to an internal identity (whitelist of users)
  • OpenID Identifier: the url or xri chosen by the end-user to name the end-user's identity (ex: http://bandrben.myopenid.com)
• Resources:
  • http://openid.net
  • http://www.dotnetopenauth.net/

30. OpenID Pros/Cons
• PROS:
  • Accelerate the signup process: users can use existing identities, less reluctant to create a new identity
  • Reduce Frustration Associated with Maintaining Multiple Usernames and Passwords
  • Gain Greater Control Over Your Online Identity (You control how much personal information you choose to share with websites that accept OpenIDs)
  • Minimize Password Security Risks
  • Yo! It’s the Cloud!
• CONS:
  • No repository of users that is searchable, complicates things in SP
  • User Profile Synchronization is not supported: no repository of users to sync, custom solutions will need to be built
  • Membership provider will be Validating User without a password?!?
  • code, code, code (scares management :P)

31. Enough BS, Let's see some examples!

32. Welcome to SPDevMutts.com
• Web Application and Zones:
  • Default: 881: Mixed Mode Claims Based Authentication:
    • Windows Authentication & FBA Authentication (custom membership and role providers)
    • No anonymous access
    • Dynamic roles
  • Internet: 882: FBA Claims Based Authentication:
    • FBA Only (custom membership and role providers)
    • Uses custom login page
    • No anonymous access
    • Dynamic roles
  • Custom: 883: FBA Claims Based Authentication:
    • FBA Only (custom membership and role providers)
    • Uses custom login page: web part page, uses custom login web part
    • Anonymous access enabled
    • Dynamic roles
  • Extranet: 884: FBA Claims Based Authentication:
    • FBA Only (custom membership and role providers)
    • Uses custom OpenID Provider, custom login page, can authenticate to a local Identity Provider and http://www.myopenid.com
    • No anonymous access

33. 1. Mixed Mode Claims Based Auth
• Default Zone, port 881
• Uses Windows Authentication
• Uses FBA, providers:
  • Membership: CustomDbUsersMP
    • custom SQL Server table: CustomDbUsersLists
    • custom Dynamic Data application to manage users (L2S)
    • users: user1, user2, user3
  • Role: CustomDbUsersRP
    • custom C# code: 1 role, name = “DynamicAdmins”
    • Table “CustomDbUsersLists” has a column “isadmin” (int)
    • if the user record has “isadmin”=1, then the user IS a member of the role
• No anonymous access
• No custom login page
• “Nice…”

34. 2. FBA Claims Based Auth
• Internet Zone, port 882
• Uses FBA only, providers:
  • Membership: CustomDbUsersMP
  • Role: CustomDbUsersRP
• No anonymous access
• Custom login page
  • url: /_layouts/fbaaddons/custloginoob.aspx
  • includes a mandatory “policy agreement” before logging in
• “Cool!”

35. 3. FBA Claims Based Auth
• Custom Zone, port 883
• Uses FBA only, providers:
  • Membership: CustomDbUsersMP
  • Role: CustomDbUsersRP
• Anonymous access enabled
  • (in CA WA settings, and WA site settings)
• Custom login page
  • url: /Custom%20Pages/CustomLogin.aspx
• Custom login web part
  • added to a standard SharePoint web part page
  • includes a mandatory “policy agreement” before logging in
• “Wow!”

36. 4. FBA Claims Based Auth
• Extranet Zone, port 884
• Uses FBA only, providers:
  • Membership: MyOpenIDWhiteListMP
    • custom SQL Server table: MyOpenIDWhiteList
    • custom Dynamic Data application to manage users (L2S)
    • table acts as whitelist/mapping (needed for the membership provider to resolve a user to add to SharePoint)
    • users:
      • fake: bob1, bob2, bob3
      • real: bandrben
  • Role: [none]
• No anonymous access
• Custom login page
  • url: /_layouts/fbaaddons/CustLoginOpenID.aspx
  • uses DotNetOpenAuth.dll (added to BIN not GAC)
  • requires elevated trust in the WA web.config (FULL)
  • enter OpenID url
    • use either: http://www.myopenid2.com/user.aspx/bob1 (local)
    • or: http://bandrben.myopenid.com (real)
• “OMG!”

37. ValidateUser for OpenID
• How to implement the ValidateUser(username, password) function in the MembershipProvider class?
  • used to authenticate the user
  • both fields are required to override ValidateUser in the base class
• OPTION 1: blank password/skip password evaluation:
  • poor security: can a user log in using another web application’s login page? what about web services, REST, Client OM, etc?
• OPTION 2: username + salt + AES/3DES/SHA/MD5
  • Custom Login page calls:
    • SPClaimsUtility.AuthenticateFormsUser(Request.Url, username, password)
  • STS calls Membership.ValidateUser(username, password)
  • password transmitted should be: aesEncrypt(username + salt)
  • Membership.ValidateUser(u, p) implementation:
    • recreate the password sent to the function by applying the same algorithm
    • compare the passwords, they should be the same

38. Future Considerations
• User Profiles:
  • Either a custom sync timer job or integration with the User Profile Sync Service Application
  • or, handle on login, when resolving with the WhiteList/Mapping
• WhiteList/Mapping application: for managing identities of users coming from 3rd party providers (Cloud)
• Client application integration (MS Office 2010)
• Configuring Search, Alternate Access Mappings

39. Questions? Thanks!
• For Source Code & Presentation: http://sp2010claimsfbaexs.codeplex.com/
• For Clippy: http://spclippy.codeplex.com/
• Presentation: http://www.slideshare.net/njitben/sharepoint-2010-custom-authentication-providers
• For more information:
  • @njitben
  • bsteinhauser@bandrsolutions.com
  • http://www.bandrsolutions.com
• References
  • MOSS 2007
    • http://www.codeproject.com/KB/sharepoint/FBA.aspx
    • http://www.devcow.com/blogs/jdattis/archive/2007/02/23/Office-SharePoint-Server-2007-Forms-Based-Authentication-FBA-Walkthrough-Part-1.aspx
    • http://msdn.microsoft.com/en-us/library/bb975135(v=office.12).aspx
  • SP 2010:
    • http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
    • http://technet.microsoft.com/en-us/library/cc262350.aspx
    • http://blogs.msdn.com/b/chunliu/archive/2010/08/21/creating-a-custom-login-page-for-fba-in-sharepoint-2010.aspx
    • http://blogs.msdn.com/b/pranab/archive/2010/07/26/how-to-create-custom-login-form-for-sharepoint-2010-form-based-authentication.aspx
    • http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
    • http://www.mssharepointtips.com/tip.asp?id=1093&page=3
  • OpenID
    • http://www.dotnetopenauth.net/
    • http://www.codinghorror.com/blog/2010/11/your-internet-drivers-license.html
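The dynamic "DynamicAdmins" role from slides 15 and 33, written out as an added example (this is not the deck's Providers.cs): a read-only RoleProvider whose single role is computed per call from the isadmin column, with parameterised SQL because the username and people-picker pattern are caller-supplied. The table layout, the connection string name "CustomDbUsers" and the connectionStringName attribute are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data.SqlClient;
using System.Web.Security;

namespace FBAAddOns
{
    // Added example. One dynamic role, decided on every call from the isadmin
    // column, so granting or revoking admin is a DB update with no SharePoint group edits.
    // Hypothetical schema: CustomDbUsersLists(username nvarchar(256) PRIMARY KEY, isadmin int).
    public class CustomDbUsersRP : RoleProvider
    {
        public const string AdminRole = "DynamicAdmins";
        private string _connectionString;

        public override string ApplicationName { get; set; }

        public override void Initialize(string name, NameValueCollection config)
        {
            base.Initialize(name, config);
            // connectionStringName comes from the provider <add> in web.config (CA, STS and WA).
            string csName = config["connectionStringName"] ?? "CustomDbUsers";
            ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[csName];
            if (cs == null)
                throw new ProviderException("Missing connection string: " + csName);
            _connectionString = cs.ConnectionString;
        }

        // Parameterised: username never reaches the SQL text directly.
        private bool IsAdmin(string username)
        {
            const string sql = "SELECT isadmin FROM CustomDbUsersLists WHERE username = @u";
            using (SqlConnection conn = new SqlConnection(_connectionString))
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.AddWithValue("@u", username);
                conn.Open();
                object v = cmd.ExecuteScalar();
                return v != null && v != DBNull.Value && Convert.ToInt32(v) == 1;
            }
        }

        // SharePoint appends the PeoplePickerWildcards value ("%" for SQL) to the
        // search text, so the pattern can be bound straight into LIKE.
        private string[] AdminsMatching(string pattern)
        {
            const string sql = "SELECT username FROM CustomDbUsersLists WHERE isadmin = 1 AND username LIKE @p";
            List<string> users = new List<string>();
            using (SqlConnection conn = new SqlConnection(_connectionString))
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.AddWithValue("@p", pattern);
                conn.Open();
                using (SqlDataReader r = cmd.ExecuteReader())
                    while (r.Read()) users.Add(r.GetString(0));
            }
            return users.ToArray();
        }

        // The six members SharePoint calls (slide 15).
        public override bool RoleExists(string roleName) { return string.Equals(roleName, AdminRole, StringComparison.OrdinalIgnoreCase); }
        public override string[] GetAllRoles() { return new[] { AdminRole }; }
        public override string[] GetRolesForUser(string username) { return IsAdmin(username) ? new[] { AdminRole } : new string[0]; }
        public override bool IsUserInRole(string username, string roleName) { return RoleExists(roleName) && IsAdmin(username); }
        public override string[] GetUsersInRole(string roleName) { return RoleExists(roleName) ? AdminsMatching("%") : new string[0]; }
        public override string[] FindUsersInRole(string roleName, string usernameToMatch) { return RoleExists(roleName) ? AdminsMatching(usernameToMatch) : new string[0]; }

        // Membership lives in the data, not in SharePoint: refuse writes loudly
        // instead of silently ignoring a "remove from role" request.
        public override void CreateRole(string roleName) { throw new NotSupportedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    }
}
```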
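The web.config pieces from slides 16 to 20 in one place, as an added fragment (not taken from the deck) to merge into the CA, STS and WA files; the assembly name, Version and the PublicKeyToken placeholder are assumptions, and the real token comes from gacutil.exe or GacView.exe as slide 18 describes.

```xml
<!-- Merge into the existing file; do not replace it. <system.web> is usually absent
     from the STS web.config and has to be added there, while the WA file already has
     <membership defaultProvider="i"> and <roleManager defaultProvider="c">: keep those
     claims providers and only add the entries below beside them. -->
<configuration>
  <connectionStrings>
    <!-- hypothetical name; the providers look it up via connectionStringName.
         Integrated Security=SSPI means the app pool identity needs DB access (slide 22);
         a SQL login in the string avoids that, at the cost of a secret in web.config. -->
    <add name="CustomDbUsers"
         connectionString="Data Source=SQLHOST;Initial Catalog=CustomDbUsers;Integrated Security=SSPI" />
  </connectionStrings>

  <!-- CA and WA only (slide 19: not needed in the STS). "%" is the SQL LIKE wildcard
       that SharePoint appends to people-picker searches sent to this provider. -->
  <SharePoint>
    <PeoplePickerWildcards>
      <add key="CustomDbUsersMP" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>

  <system.web>
    <membership>
      <providers>
        <add name="CustomDbUsersMP"
             type="FBAAddOns.CustomDbUsersMP, FBAAddOns, Version=1.0.0.0, Culture=neutral, PublicKeyToken=PUBLICKEYTOKEN-PLACEHOLDER"
             connectionStringName="CustomDbUsers" />
      </providers>
    </membership>
    <roleManager>
      <providers>
        <add name="CustomDbUsersRP"
             type="FBAAddOns.CustomDbUsersRP, FBAAddOns, Version=1.0.0.0, Culture=neutral, PublicKeyToken=PUBLICKEYTOKEN-PLACEHOLDER"
             connectionStringName="CustomDbUsers" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The provider name in the `add` elements must match the name entered in the Authentication Providers dialog and the PeoplePickerWildcards key exactly, or the STS will not find the provider at login.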
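Slide 37, option 2, carried through both sides of the exchange as an added example (not the deck's MyOpenIDWhiteListMP): the login page mints the value it passes as the "password" to SPClaimsUtility.AuthenticateFormsUser, and the provider's ValidateUser recomputes and compares it. In place of the slide's aesEncrypt(username + salt) it uses an HMAC-SHA256 over username and issue time, so the value expires instead of being a fixed per-user string that could be replayed indefinitely; the appSettings key name and the 2-minute window are assumptions.

```csharp
using System;
using System.Configuration;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

namespace FBAAddOns
{
    // Added example. The "password" is not something the user knows; it is a
    // short-lived MAC over the username that only code holding the shared key can
    // produce. The login page runs in the WA and ValidateUser runs in the STS, so
    // the same key must be in both web.configs' <appSettings> (slides 19 and 20),
    // and it needs the same protection as the machine key: anyone holding it can log in as any whitelisted user.
    public static class OpenIdHandoff
    {
        private const string KeySetting = "OpenIdHandoffKey"; // hypothetical appSettings key: base64 of 32 random bytes
        private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(2);

        private static byte[] Key()
        {
            string k = ConfigurationManager.AppSettings[KeySetting];
            if (string.IsNullOrEmpty(k))
                throw new ConfigurationErrorsException("appSettings/" + KeySetting + " is missing");
            return Convert.FromBase64String(k);
        }

        private static byte[] Mac(string username, string issuedTicks)
        {
            // Lower-casing matches a case-insensitive whitelist lookup; ticks are digits only,
            // so the '|' separator cannot be confused with username content.
            byte[] data = Encoding.UTF8.GetBytes(username.ToLowerInvariant() + "|" + issuedTicks);
            using (HMACSHA256 h = new HMACSHA256(Key())) return h.ComputeHash(data);
        }

        // Login page (WA), after the OpenID relying-party check of the assertion succeeded:
        //   bool ok = SPClaimsUtility.AuthenticateFormsUser(Request.Url, user, OpenIdHandoff.Create(user));
        public static string Create(string username)
        {
            string ticks = DateTime.UtcNow.Ticks.ToString(CultureInfo.InvariantCulture);
            return ticks + "." + Convert.ToBase64String(Mac(username, ticks));
        }

        // Provider (STS): MyOpenIDWhiteListMP.ValidateUser(u, p) returns
        //   OpenIdHandoff.Verify(u, p) && whitelist.Contains(u)
        // Every failure path returns false; nothing reveals which check failed.
        public static bool Verify(string username, string password)
        {
            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
            int dot = password.IndexOf('.');
            if (dot <= 0) return false;
            string ticks = password.Substring(0, dot);
            long issued;
            if (!long.TryParse(ticks, NumberStyles.None, CultureInfo.InvariantCulture, out issued)
                || issued > DateTime.MaxValue.Ticks) return false;
            // Reject stale values (replay of a captured handoff) and values from the future.
            TimeSpan age = DateTime.UtcNow - new DateTime(issued, DateTimeKind.Utc);
            if (age.Duration() > MaxAge) return false;
            byte[] presented;
            try { presented = Convert.FromBase64String(password.Substring(dot + 1)); }
            catch (FormatException) { return false; }
            return FixedTimeEquals(presented, Mac(username, ticks));
        }

        // Byte-wise compare without early exit, so timing does not leak how much matched.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Option 1's concern on the slide (a blank password accepted from any other login page, web service or Client OM call) still applies to any caller that can reach the shared key, which is why the key belongs only in the WA and STS web.configs and not in the CA one.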

Speaker notes

  1. classic is still OK
  2. windows accounts, fba accounts, converted to claims; security tokens passed around containing claims (user identities); claims contain user info (meta-data); STS is the gateway for managing, resolving claims
  3. SKIP
  4. provider not needed if using existing provider: mssql, ldap/ad
  5. basically, adding FBA site admin
  6. SKIP
  7. show: 881 site; login using AD (administrator, bsteinhauser); login using FBA (user1); show CustomDBUsers App (L2S); show code: membership/role providers
  8. show: 882 site; login using FBA (user2 first, then user1); show code: role provider, “DynamicAdmins” group; show code: custom login page
  9. show: 883 site; open site, then login using FBA (user1); show anon settings: CA WA, WA Site Settings; show login web part, added to web part page; show code: custom login web part
  10. show: 884 site; login using FBA (http://bandrben.myopenid.com, fake: bob1); show whitelist app; show custloginopenid.aspx
  11. show MyOpenIDWhiteListMP: validateuser