Security Design with Claims Based Authentication
Transcript: Security Design with Claims Based Authentication
Key Point: Federation relationships are based on trust
[Diagram: Incoming Claims -> Federation Gateway -> Mapped Claims -> SharePoint. Incoming claim types shown, with URIs abbreviated as on the slide:]
• http://schemas.microsoft.com/.../role
• http://schemas.xmlsoap.org/.../upn
• http://schemas.xmlsoap.org/.../Group
• http://schemas.microsoft.com/.../authenticationinstant
• http://schemas.xmlsoap.org/.../emailaddress
• http://schemas.microsoft.com/.../groupsid
• http://schemas.microsoft.com/.../authenticationmethod
Claim families, by how their values behave over time:
• Multiple, unique, dynamic (roles and groups)
• Single, unique, static, stable (identifiers)
• Single, instance specific, dynamic (temporal claims such as authentication instant and method)
Design steps:

Identify authentication and provisioning
• AD
• ADFS
• Public (other)

Perform claims rationalization (families)
• IDs
• Roles
• Groups

Define SharePoint container security
• Web application policies
• Site security
URLs and federation realms

Explicit allow or deny
• Web application policy on the zone

Explicit allow
• SharePoint groups
• Direct permission

The zone-level web application policy is the only place an explicit deny can be expressed; site-level SharePoint groups and direct permissions can only grant, and a deny on the zone overrides them.
Scenario: extranet with external authentication
• Audience: private federation for partners (ADFS)
• Audience: consumer IDs for customers (Live, G.., FB)
• Internal authentication: AD for corporate users
• Collaboration by role
  • Incoming groups mapped to roles
  • Separating by roles (Sales, Legal and Portal users)
  • Read only +
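The rationalization and container-security steps above, worked as an added Python example; this is not code from the presentation or from SharePoint. It assumes the full URIs of the Group and role claim types the slides abbreviate, a constructed group-to-role table for the Sales, Legal and Portal roles in the scenario, a constructed extranet zone policy and site, and the evaluation order the slides give: the web application policy on the zone can explicitly allow or deny and is consulted first; SharePoint groups and direct permissions can only allow.

```python
"""Claims rationalization and the order SharePoint applies container security.

Added example, not code from the presentation or from SharePoint. Claim type
URIs are the standard ones the slides abbreviate; every table below is
constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass

GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GATEWAY = "TrustedProvider:fedgateway"  # constructed name for the federation gateway


@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str
    issuer: str  # the issuer is part of identity: same value, other issuer = other principal


# Constructed rationalization table: (issuer, incoming group) -> role family.
GROUP_TO_ROLE = {
    ("Windows", "CONTOSO\\Sales"): "Sales",
    ("Windows", "CONTOSO\\Legal"): "Legal",
    ("TrustedProvider:fedpartner", "Sales-Partners"): "Sales",
    ("TrustedProvider:fedpartner", "Portal-Readers"): "PortalUsers",
}


def rationalize(incoming: list[Claim]) -> list[Claim]:
    """Collapse incoming group claims into role claims issued by the gateway.
    Groups with no mapping are dropped, not passed through, so a partner STS
    can only ever produce the roles explicitly mapped for it."""
    out, roles_seen = [], set()
    for c in incoming:
        if c.claim_type != GROUP_CLAIM:
            out.append(c)  # non-group claims (identity, temporal) pass through
            continue
        role = GROUP_TO_ROLE.get((c.issuer, c.value))
        if role and role not in roles_seen:
            roles_seen.add(role)
            out.append(Claim(ROLE_CLAIM, role, GATEWAY))
    return out


@dataclass(frozen=True)
class PolicyEntry:
    """A user policy on a web application zone: explicit allow or explicit deny."""
    claim: Claim
    rights: frozenset[str]
    deny: bool = False


# Constructed extranet zone policy: portal users are read only, whatever a
# site administrator later grants them.
EXTRANET_POLICY = [
    PolicyEntry(Claim(ROLE_CLAIM, "PortalUsers", GATEWAY),
                frozenset({"Contribute", "FullControl"}), deny=True),
]

# Constructed site: SharePoint group -> (rights granted, roles that are members).
# "Sales Members" deliberately includes PortalUsers to show the zone deny still wins.
SITE_GROUPS = {
    "Sales Members": ({"Read", "Contribute"}, {"Sales", "PortalUsers"}),
    "Legal Members": ({"Read", "Contribute"}, {"Legal"}),
    "Portal Visitors": ({"Read"}, {"PortalUsers", "Sales", "Legal"}),
}


def decide(claims: list[Claim], policy: list[PolicyEntry],
           direct: list[tuple[Claim, set[str]]], right: str) -> str:
    """Return 'deny', 'allow' or 'no-access' for one requested right.
    1. Zone policy first: any matching Deny wins; otherwise a matching Allow grants.
    2. Site level: SharePoint group membership (via role claims) or a direct
       permission grant. There is no deny at this level."""
    held = set(claims)
    matching = [p for p in policy if p.claim in held and right in p.rights]
    if any(p.deny for p in matching):
        return "deny"
    if matching:
        return "allow"
    roles = {c.value for c in claims if c.claim_type == ROLE_CLAIM}
    for rights, members in SITE_GROUPS.values():
        if right in rights and roles & members:
            return "allow"
    for claim, rights in direct:
        if claim in held and right in rights:
            return "allow"
    return "no-access"


# Constructed incoming token contents for three partner users.
PARTNER_SALES = [Claim(GROUP_CLAIM, "Sales-Partners", "TrustedProvider:fedpartner")]
PORTAL_READER = [Claim(GROUP_CLAIM, "Portal-Readers", "TrustedProvider:fedpartner")]
UNMAPPED = [Claim(GROUP_CLAIM, "Domain Admins", "TrustedProvider:fedpartner")]

if __name__ == "__main__":
    for name, token in (("partner sales", PARTNER_SALES), ("portal reader", PORTAL_READER), ("unmapped", UNMAPPED)):
        for right in ("Read", "Contribute"):
            print(name, right, "->", decide(rationalize(token), EXTRANET_POLICY, [], right))
```

The point the table of outcomes makes is the precedence: the portal reader is allowed Read through a site group, is denied Contribute by the zone policy even though a site group would have granted it, and the partner asserting an unmapped group gets nothing because rationalization drops it rather than forwarding it.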
Private Federation with ADFS
[Diagram: Incoming Claims -> Federation Gateway -> Mapped Claims -> SharePoint]

Example 1: Windows logon name, as SharePoint encodes it
ClaimType: http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
Value: domain\sAMAccountName
Value Type: http://www.w3.org/2001/XMLSchema#String
OriginalIssuer: Windows
Encoded value: i:0#.w|domain\sAMAccountName

Reading the encoded value position by position:
• 1: "i" for an identity claim (the user's unique identifier)
• 2: ":" separator
• 3: reserved, always 0 (to enable more claim types in the future)
• 4: claim type encoded as a single character (# = user logon name)
• 5: "." separator
• 6: issuer type (w = Windows)
• 7: "|" separator, then the claim value
Example 2: UPN from a trusted identity provider
ClaimType: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Value: [email protected]
Value Type: http://www.w3.org/2001/XMLSchema#String
OriginalIssuer: TrustedProvider:fedpartner
Encoded value: i:0e.t| followed by the original issuer name, another "|", and the claim value

Reading the encoded value:
• 1: "i" for an identity claim (the user's unique identifier)
• 3: reserved as 0 (to enable more claim types in the future)
• 4: claim type encoded value (e = UPN)
• 6: issuer type (t = trusted provider)
• Original issuer name: the name of the trusted STS (here fedpartner); for membership and role providers, the provider name
• Claim value
Example 3: IsAuthenticated from the SharePoint STS
ClaimType: http://sharepoint.microsoft.com/claims/2009/08/isauthenticated
Value: true
Value Type: http://www.w3.org/2001/XMLSchema#String
OriginalIssuer: SecurityTokenService
Encoded value: c:0(.s| followed by the claim value, i.e. c:0(.s|true

Reading the encoded value:
• 1: "c" for a claim that is not the identity claim
• 3: reserved as 0 (to enable more claim types in the future)
• 4: claim type encoded value (( = IsAuthenticated)
• 6: issuer type (s = SharePoint STS)
• Claim value
Example 4: custom claim from a trusted provider
ClaimType: http://myschema.com/claims/2009/09/usertype
Value: TrustedPartner
Value Type: http://www.w3.org/2001/XMLSchema#String
OriginalIssuer: TrustedProvider:fedpartner

Reading the encoded value (the slide gives the layout rather than the literal string):
• 1: "c" for a claim
• 3: reserved as 0 (to enable more claim types in the future)
• 4: claim type encoded value: a claim type SharePoint has no fixed character for is assigned the "next" unused ASCII character
• 6: issuer type (t = trusted provider)
• Original issuer name: the name of the trusted STS (fedpartner)
• Claim value
Put together, the value has the shape c:0?.t|fedpartner|TrustedPartner, where ? stands for the farm-assigned character.
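To make the four layouts above concrete, here is an added Python decoder and encoder for this format; it is not code from the presentation or from SharePoint. The claim-type characters #, e and ( and the issuer characters w, t and s are the ones the slides show; "f" for forms-based (membership/role provider) issuers is SharePoint's other well-known one that, like t, carries a provider name before the value. The character for the custom usertype claim is farm-assigned, so the "^" used for it here is a hypothetical placeholder, as is the example UPN.

```python
"""Decode and encode SharePoint 2010 claim-encoded values.

Added example, not code from the presentation or from SharePoint. Layout
(positions as numbered on the slides):
  <i|c> : 0 <type char> . <issuer char> | [<provider name> |] <value>
"""
from __future__ import annotations
from dataclasses import dataclass

CLAIM_TYPE_CHARS = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "e": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "(": "http://sharepoint.microsoft.com/claims/2009/08/isauthenticated",
    "^": "http://myschema.com/claims/2009/09/usertype",  # hypothetical farm-assigned char
}
ISSUER_CHARS = {
    "w": "Windows",
    "s": "SecurityTokenService",
    "t": "TrustedProvider",
    "f": "Forms",  # forms-based membership/role providers; also carries a provider name
}
NAMED_ISSUERS = {"t", "f"}  # followed by "<provider name>|" before the value


@dataclass(frozen=True)
class SPClaim:
    claim_type: str
    value: str
    original_issuer: str  # "Windows", "SecurityTokenService" or "TrustedProvider:<name>"
    is_identity: bool     # True for "i:" (identity claim), False for "c:"

    @property
    def principal_key(self) -> tuple[str, str, str]:
        """What an ACL must compare. The issuer is part of the key: the same
        UPN asserted by a different trusted provider is a different principal."""
        return (self.claim_type, self.original_issuer, self.value)


def decode_claim(encoded: str) -> SPClaim:
    """Parse an encoded value, rejecting anything that is not well formed."""
    if len(encoded) < 8:
        raise ValueError("encoded claim too short")
    kind, colon, reserved, type_char, dot, issuer_char, bar = encoded[:7]
    if kind not in ("i", "c"):
        raise ValueError("position 1 must be 'i' (identity) or 'c' (claim)")
    if (colon, dot, bar) != (":", ".", "|"):
        raise ValueError("positions 2, 5 and 7 must be ':', '.' and '|'")
    if reserved != "0":
        raise ValueError("position 3 is reserved and must be '0'")
    if type_char not in CLAIM_TYPE_CHARS:
        raise ValueError(f"unknown claim type character {type_char!r}")
    if issuer_char not in ISSUER_CHARS:
        raise ValueError(f"unknown issuer character {issuer_char!r}")
    rest = encoded[7:]
    issuer = ISSUER_CHARS[issuer_char]
    if issuer_char in NAMED_ISSUERS:
        name, sep, value = rest.partition("|")
        if not sep or not name:
            raise ValueError("named issuer requires '<provider name>|<value>'")
        issuer = f"{issuer}:{name}"
    else:
        value = rest
    if not value:
        raise ValueError("empty claim value")
    return SPClaim(CLAIM_TYPE_CHARS[type_char], value, issuer, kind == "i")


def encode_claim(claim: SPClaim) -> str:
    """Inverse of decode_claim; raises ValueError for anything it cannot encode."""
    type_char = next((k for k, v in CLAIM_TYPE_CHARS.items() if v == claim.claim_type), None)
    issuer_type, _, issuer_name = claim.original_issuer.partition(":")
    issuer_char = next((k for k, v in ISSUER_CHARS.items() if v == issuer_type), None)
    if type_char is None or issuer_char is None:
        raise ValueError("claim type or issuer type has no encoding character")
    if (issuer_char in NAMED_ISSUERS) != bool(issuer_name) or "|" in issuer_name:
        raise ValueError("provider name required exactly for named issuers, without '|'")
    kind = "i" if claim.is_identity else "c"
    name_part = f"{issuer_name}|" if issuer_name else ""
    return f"{kind}:0{type_char}.{issuer_char}|{name_part}{claim.value}"


def is_valid_encoded(encoded: str) -> bool:
    try:
        decode_claim(encoded)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in ("i:0#.w|domain\\sAMAccountName", "i:0e.t|fedpartner|someone@fedpartner.example",
              "c:0(.s|true", "c:0^.t|fedpartner|TrustedPartner"):
        print(s, "->", decode_claim(s))
```

The check worth keeping from this is principal_key: when code compares a decoded claim against a permission entry, it must compare issuer as well as value, otherwise a second trusted provider that asserts the same UPN collides with the first.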
Public Federation with Azure
Custom Claims Provider
• BONUS – FB Group Claim Provider
[Diagram: Incoming Claims -> Federation Gateway -> Mapped Claims -> SharePoint; two example e-mail identities, [email protected] and [email protected], shown as the incoming claims]