Who are you and what do you want-SharePoint Authentication and



Who are you and what do you want?

Authentication and Authorization – SharePoint 2010

• Big topic! This session will just scratch the surface.
• Define some terms along the way
• Focus on SharePoint 2010 capabilities and demos; applicable to SharePoint 2013
• ASP.Net Membership / Role provider framework
• Demos, focused on Membership and Role provider techniques that can be used in both SharePoint 2010 and 2013

• Authentication
  • Confirmation of identity
  • Allow access
• Authorization
  • Post authentication
  • Allow access to resource(s) based on permission of identity

SharePoint 2007

• Authentication mode is called “classic”
• Default Active Directory authentication
• Support for forms-based authentication
• Support for ASP.Net web security framework and plug-in custom authentication providers
• Support for multiple web application zones
• One provider per web application zone
  • Use of multiple authentication providers requires multiple zones/URLs

SharePoint 2010

• All 2007 functional capabilities still available
• Introduces support for claims-based authentication. Built on Windows Identity Foundation
• Introduction of Secure Token Service
• Multiple authentication/identity providers per zone/URL
• Ability to create and register Trusted Identity Providers in the farm to provide authentication services to multiple web applications / single sign-on

• Identity
  • Set of attributes to describe a user such as name, e-mail, password, etc.
• Identity Provider
  • An authority that can assert the “true” identity and its attributes
• Claim
  • An assertion (i.e. the claim) issued by an identity provider about a specific user or other entity in a system (machine, etc.)
  • Contains an encrypted set of information
• Identity providers can be trusted by SharePoint

SharePoint - Secure Token Service

• Client (i.e. web browser accessing SharePoint) sends request to STS
• STS verifies identity by querying authentication provider
• STS issues “claim”, i.e. encrypted security token
• Client uses token to access SharePoint site

SharePoint 2010

• Authentication selected during web application creation
• Claims can also be enabled on an existing site with a PowerShell script
• Forms-based authentication now handled by claims authentication

SharePoint 2010

• Authentication settings now accessible through web application management ribbon
• Configurable for each zone
• Again, note that Windows, Forms and Identity trusts can be active for each zone

SharePoint 2013

• Claims-based authentication is now the default mode
• Classic is still supported (PowerShell), but deprecated
• Easier migration from classic to claims via use of Convert-SPWebApplication cmdlet
• Login tokens cached in newly introduced Distributed Cache Service
• Support for OAuth (open standard for authorization)
  • Server to Server authorization
  • Authorize apps to access SharePoint resources

Authentication Providers

• Store of user authentication information (i.e., user name and password; roles, etc.)
• Basic steps for consuming an Authentication provider (membership and roles)
  • Create or get a provider!
  • Configure web.config to “register” the provider
    • Web application
    • Central Administration site
    • Security Token Service site (allows the STS to query the auth provider during the login process)
  • Configure web application provider settings in Central Administration

“Built-In” .NET Provider

• Start with System.Web.Security built-in SQL-based authentication provider
  • SqlMembershipProvider
  • SqlRoleProvider
• Create database with aspnet_regsql.exe utility
• Configure users and roles with built-in configuration UI

Demo

Custom Authentication Provider

• Create Visual Studio project
• Create 2 classes, respectively inheriting from:
  • System.Web.Security.MembershipProvider
  • System.Web.Security.RoleProvider
• Override required methods to implement custom behaviors
• Can add other classes as needed to integrate with member store

Membership Provider Interfaces

• Five required interface overrides in System.Web.Security.MembershipProvider
  • GetUser(System.String,System.Bool)
  • GetUserNameByEmail(System.String)
  • ValidateUser(System.String,System.String)
  • FindUsersByEmail(System.String,System.Int32,System.Int32,System.Int32)
  • FindUsersByName(System.String,System.Int32,System.Int32,System.Int32)
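An added example, not code from the deck or from Liam Cleary's blog: a member store class of the kind the Custom Authentication Provider slide says you can add, implementing the semantics behind the five required overrides above against an in-memory dictionary. The MembershipProvider subclass, which must still override the base class's remaining abstract members, is assumed to delegate each of the five overrides to the same-named method here; MemberStore, Member and the PBKDF2 parameters are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Added example, not the deck's code: the member store behind the five MembershipProvider
// overrides SharePoint requires; the provider subclass delegates each override to the method here.
public class MemberStore
{
    public class Member { public string Name, Email; public byte[] Salt, Hash; }
    private const int Iterations = 10000, HashBytes = 32;
    private readonly Dictionary<string, Member> _users =
        new Dictionary<string, Member>(StringComparer.OrdinalIgnoreCase);

    // Persist a salted PBKDF2 hash only; the plaintext password is never stored.
    public void Add(string name, string email, string password)
    {
        var salt = new byte[16]; using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        _users[name] = new Member { Name = name, Email = email, Salt = salt, Hash = Derive(password, salt) };
    }
    private static byte[] Derive(string pw, byte[] salt)
    { using (var k = new Rfc2898DeriveBytes(pw, salt, Iterations)) return k.GetBytes(HashBytes); }

    // Backs ValidateUser(string, string), which the STS calls at login. Unknown user and wrong
    // password both yield a plain false, and the hash compare runs in constant time.
    public bool ValidateUser(string name, string password)
    {
        Member m;
        if (name == null || password == null || !_users.TryGetValue(name, out m)) return false;
        byte[] h = Derive(password, m.Salt); int diff = 0;
        for (int i = 0; i < h.Length; i++) diff |= h[i] ^ m.Hash[i];
        return diff == 0;
    }

    // Backs GetUser(string, bool) and GetUserNameByEmail(string), used when SharePoint resolves a user.
    public Member GetUser(string name) { Member m; return _users.TryGetValue(name, out m) ? m : null; }
    public string GetUserNameByEmail(string email)
    { var m = _users.Values.FirstOrDefault(x => string.Equals(x.Email, email, StringComparison.OrdinalIgnoreCase)); return m == null ? null : m.Name; }

    // Backs FindUsersByEmail / FindUsersByName(string, int pageIndex, int pageSize, out int totalRecords):
    // case-insensitive substring match, zero-based page index, total = unpaged hit count.
    public List<Member> FindUsersByEmail(string part, int pageIndex, int pageSize, out int total)
    { return Page(_users.Values.Where(x => Has(x.Email, part)), pageIndex, pageSize, out total); }
    public List<Member> FindUsersByName(string part, int pageIndex, int pageSize, out int total)
    { return Page(_users.Values.Where(x => Has(x.Name, part)), pageIndex, pageSize, out total); }
    private static bool Has(string s, string part)
    { return s.IndexOf(part ?? "", StringComparison.OrdinalIgnoreCase) >= 0; }
    private static List<Member> Page(IEnumerable<Member> hits, int pageIndex, int pageSize, out int total)
    { var all = hits.ToList(); total = all.Count; return all.Skip(pageIndex * pageSize).Take(pageSize).ToList(); }
}
```

The provider override wrapping GetUser converts the returned Member into a System.Web.Security.MembershipUser; the two Find overrides wrap their lists in a MembershipUserCollection the same way.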

Role Interfaces

• Two required interface overrides for Role provider
• System.Web.Security.RoleProvider
  • GetRolesForUser(System.String)
  • RoleExists(System.String)
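An added example, not the deck's code: a complete RoleProvider subclass in which the two required overrides above are backed by a constructed in-memory role map, and the remaining abstract members of RoleProvider are either derived from that map or refuse writes. DemoRoleProvider and the sample users and roles are this example's assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

// Added example, not the deck's code: a RoleProvider whose two SharePoint-required overrides
// (GetRolesForUser, RoleExists) read a constructed in-memory role map; the remaining abstract
// members are derived from those two or refuse writes.
public class DemoRoleProvider : RoleProvider
{
    // Constructed sample data; a real provider queries its own role store.
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Readers", "Editors" } },
            { "bob",   new[] { "Readers" } },
        };

    public override string ApplicationName { get; set; }

    // Required override 1: the STS calls this at login to turn roles into role claims.
    // An unknown user gets an empty array, never null and never an exception.
    public override string[] GetRolesForUser(string username)
    {
        string[] roles;
        if (username == null || !RolesByUser.TryGetValue(username, out roles)) return new string[0];
        return (string[])roles.Clone();
    }

    // Required override 2: SharePoint uses this to validate a role name it has been given.
    public override bool RoleExists(string roleName)
    {
        return GetAllRoles().Any(r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }

    // Read-only members derived from the same map.
    public override string[] GetAllRoles()
    { return RolesByUser.Values.SelectMany(r => r).Distinct(StringComparer.OrdinalIgnoreCase).ToArray(); }
    public override bool IsUserInRole(string username, string roleName)
    { return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase); }
    public override string[] GetUsersInRole(string roleName)
    { return RolesByUser.Where(p => p.Value.Contains(roleName, StringComparer.OrdinalIgnoreCase)).Select(p => p.Key).ToArray(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    { return GetUsersInRole(roleName).Where(u => u.IndexOf(usernameToMatch ?? "", StringComparison.OrdinalIgnoreCase) >= 0).ToArray(); }

    // Writes are refused: role membership is managed in the backing store, not from SharePoint.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```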

Demo

Trusted Identity Provider

• Identity providers issue a security token (claim) upon login
• Custom identity/claim providers can be implemented

Implementing an Identity Provider

• Option 1 – procure one already built and install/configure it in the SharePoint farm. Active Directory Federation Services is an example
• Option 2 – build one!

Building an Identity Provider

• Visual Studio - install Windows Identity Framework SDK
• SDK provides Visual Studio templates for creating IP
• Create provider
• Export certificate
• Register provider, claims, and certificate in SharePoint to create trust relationship.
  • PowerShell - New-SPTrustedIdentityTokenIssuer

Demo

Thanks to my buddy Liam Cleary’s blog: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=17