Shibboleth integration with SharePoint, .NET

Transcript: Shibboleth integration with SharePoint, .NET

Jean Marie THIA
SAML 2.0 @ WORK
WITH SHAREPOINT, OWA, …
TF-EMC2 | Lyon - France | February 2011
Agenda
• 1 - Demonstrations
• 2 - Explanations
• 3 - Story
• Questions
1 : Authentication
• Connect to a web application
• Connect to Sharepoint
• Connect to Outlook Web Access
1 : SharePoint authZ
• A MS Word use case
– From the desktop
– From SharePoint
• Set authorization in SharePoint
Explanations
2 : SharePoint
(Diagram) Shibboleth IdP <- SAML 2.0 -> ADFS 2.0 (STS) <- WS-Fed. -> SharePoint
2 : Outlook Web Access
(Diagram) SAML 2.0 -> ADFS 2.0 -> Mapping -> C2WTS -> Kerberos -> OWA
2 : ADFS manipulation
• Map shibboleth attribute
• Map OWA user
Story
Claims-based access control
microsoft.identityModel
3 : WIF
• Core claims API (microsoft.identityModel)
• SAML Token
• WS Federation protocol
• SAML 2.0 protocol with Safewhere
http://safewhere.net/products/saml-20-for-wif.aspx
3 : WIF compatibility
• IsInRole works (web.config declaration)
3 : WIF programming
```csharp
using System.Linq;
using System.Threading;
using Microsoft.IdentityModel.Claims;

// WIF exposes the validated SAML token as a claims principal on the thread.
IClaimsIdentity id = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];

// you can use a simple foreach loop to find a claim...
string usersEmail = null;
foreach (Claim c in id.Claims)
{
    if (c.ClaimType == System.IdentityModel.Claims.ClaimTypes.Email)
    {
        usersEmail = c.Value;   // the slide had "UsersEmail": C# is case-sensitive
        break;
    }
}

// you can also use LINQ to find a claim
// (.First() throws if the claim is absent; use .FirstOrDefault() for optional attributes)
string usersFirstName = (from c in id.Claims
                         where c.ClaimType == System.IdentityModel.Claims.ClaimTypes.GivenName
                         select c).First().Value;
```
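As an added example, not taken from the slides, here is how the "AuthZ with claims augmentation" idea fits the WIF API shown above: a ClaimsAuthenticationManager that reads a Shibboleth affiliation attribute delivered through ADFS 2.0 and adds role claims, so that existing IsInRole checks work unchanged. The claim type URN for eduPersonAffiliation, the class name and the role names are assumptions; what actually arrives depends on the ADFS claim rules.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

// Registered in web.config under
//   <microsoft.identityModel><service>
//     <claimsAuthenticationManager type="Demo.AffiliationClaimsManager, Demo" />
// WIF then calls Authenticate() on every request after the token is validated.
public class AffiliationClaimsManager : ClaimsAuthenticationManager
{
    // Assumed claim type: eduPersonAffiliation as passed through by an ADFS
    // claim rule on the Shibboleth claims provider trust. Adjust to your rules.
    private const string AffiliationClaimType = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1";

    // Assumed mapping from affiliation values to application roles.
    private static readonly Dictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "faculty", "Editors" },
            { "staff",   "Editors" },
            { "student", "Readers" },
        };

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Never augment an anonymous principal: no token, no roles.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        IClaimsIdentity identity = incomingPrincipal.Identities[0];

        // Collect first: the claim collection must not be modified while enumerated.
        var roles = new HashSet<string>();
        foreach (Claim c in identity.Claims)
        {
            string role;
            if (c.ClaimType == AffiliationClaimType && RoleMap.TryGetValue(c.Value, out role))
                roles.Add(role);
        }

        // Roles are derived locally, so only the attribute (not a role) needs to
        // be trusted from the IdP; the app decides what each affiliation may do.
        foreach (string role in roles)
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));

        // Thread.CurrentPrincipal.IsInRole("Editors") now works in legacy code.
        return incomingPrincipal;
    }
}
```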
3 : ADFS 2.0
• Uses SAML 2.0 Protocol
– Liberty alliance IdP Lite
– Liberty alliance SP Lite
– eGov SAML 2.0 Profile v1.5
• Uses WS-* Protocol
• Interoperates with Oracle, CA, SUN, Shibboleth, PingIdentity, …
• Is a separate download!
3 : ADFS 2.0 architecture
(Diagram) Account & Attribute Stores; Configuration Database
3 : Terminologies (AD FS 2.0 term = SAML 2.0 term)
• Security Token = Assertion
• Claims = Assertion Attributes
• Claims Provider = Identity Provider
• Relying Party = Service Provider
• Realm Home Discovery (RHD)
• Security Token Service (STS)
3 : Azure ACS
• ADFS for the cloud
• Extended interoperability (OAuth, OpenID, Google, Facebook, etc.)
Conclusion
• + (pros)
– Many guides.
– AuthZ with claims augmentation.
– Claims compatibility with old code.
• – (cons)
– Federation metadata
ADFS v2 - Guides
• SharePoint 2010
Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx
• Outlook Web Access 2010
Exposing OWA 2010 with AD FS 2.0 to other organizations
http://www.microsoft.com/france/interop/ressources/documents.aspx
• InCommon
AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation
http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx
Webcast
• Architecting claims-aware applications
http://www.msteched.com/2010/Europe/ARC303
• From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010
http://www.msteched.com/2010/NorthAmerica/OSP311
• Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication
http://www.msteched.com/2010/NorthAmerica/OSP306
• http://channel9.msdn.com/
Links at Microsoft
• Patterns & Practices
A Guide to Claims-Based Identity and Access Control
http://msdn.microsoft.com/en-us/library/ff423674.aspx
• MSDN
WIF: http://msdn.microsoft.com/en-us/library/ee748484.aspx
C2WTS: http://msdn.microsoft.com/en-us/library/ee517278.aspx
IdM: http://msdn.microsoft.com/en-us/security/aa570351.aspx
• ADFS 2.0 on Technet
http://technet.microsoft.com/en-us/library/adfs2(v=WS.10).aspx
Questions ?
[email protected]
twitter.com/jm_thia
Thanks for your attention