OSP431 ClaimType = Value ClaimType = Value OUT Incoming Claims Mapped Claims Augmentation Federation Gateway SharePoint Key Point: Federation relationships are based on trust.


Transcript OSP431 ClaimType = Value ClaimType = Value OUT Incoming Claims Mapped Claims Augmentation Federation Gateway SharePoint Key Point: Federation relationships are based on trust.

OSP431
ClaimType = Value
ClaimType = Value
OUT
Incoming
Claims
Mapped
Claims
Augmentation
Federation Gateway
SharePoint
Key Point: Federation relationships are based on trust
Encoded Claim
DisplayName
MappedClaimType
Encoded String
Authentication method
http://.../authenticationmethod
c:0ǹ.t|testadfs|authentication method
ASCII Decimal Code 504
E-Mail Address
http://schemas.xmlsoap.org/.../emailaddress
c:05.t|testadfs|e-mail address
Reserved Claim Type
Primary SID
http://schemas.microsoft.com.../primarysid
c:0).t|testadfs|primary sid
Reserved Claim Type
Windows account name
http://.../windowsaccountname
c:0ǻ.t|testadfs|windows account name
ASCII Decimal Code 507
'!'  = SPClaimTypes.IdentityProvider
'"'  = SPClaimTypes.UserIdentifier
'#'  = SPClaimTypes.UserLogonName
'$'  = SPClaimTypes.DistributionListClaimType
'%'  = SPClaimTypes.FarmId
'&'  = "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitysid"
'\'' = "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitylogonname"
'('  = SPClaimTypes.IsAuthenticated
')'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
'*'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid"
'+'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
'-'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
'.'  = ClaimTypes.Anonymous
'/'  = ClaimTypes.Authentication
'0'  = ClaimTypes.AuthorizationDecision
'1'  = ClaimTypes.Country
'2'  = ClaimTypes.DateOfBirth
'3'  = ClaimTypes.DenyOnlySid
'4'  = ClaimTypes.Dns
'5'  = ClaimTypes.Email
'6'  = ClaimTypes.Gender
'7'  = ClaimTypes.GivenName
'8'  = ClaimTypes.Hash
'9'  = ClaimTypes.HomePhone
'<'  = ClaimTypes.Locality
'='  = ClaimTypes.MobilePhone
'>'  = ClaimTypes.Name
'?'  = ClaimTypes.NameIdentifier
'@'  = ClaimTypes.OtherPhone
'['  = ClaimTypes.PostalCode
'\\' = ClaimTypes.PPID
']'  = ClaimTypes.Rsa
'^'  = ClaimTypes.Sid
'_'  = ClaimTypes.Spn
'`'  = ClaimTypes.StateOrProvince
'a'  = ClaimTypes.StreetAddress
'b'  = ClaimTypes.Surname
'c'  = ClaimTypes.System
'd'  = ClaimTypes.Thumbprint
'e'  = ClaimTypes.Upn
'f'  = ClaimTypes.Uri
'g'  = ClaimTypes.Webpage
'h'  = SPClaimTypes.ProviderUserKey
Demo
From/To
Classic
Windows Claims
FBA
SAML Claims
Classic




Windows Claims












FBA
SAML Claims
 = Requires IMigrateUserCallBack
Code Snippets
Create an admin claim
for myself
Let me in after the
migration
Do the migration
Do the migration but pass the
assembly reference
Using …
using Microsoft.SharePoint.Administration.Claims;
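/// <summary>
/// IMigrateUserCallback implementation used when a web application's stored
/// user and group identifiers are migrated to SAML claims. Each stored
/// identifier is handed to ConvertFromOldUser and replaced by its return value.
/// </summary>
public class SAMLMigrationCallback : IMigrateUserCallback
{
    /// <summary>
    /// Converts one pre-migration account identifier to its new encoded-claim form.
    /// </summary>
    /// <param name="previousUserAccount">Account identifier as stored before the migration.</param>
    /// <param name="previousAuthType">Authentication mode the account was created under.</param>
    /// <param name="isGroup">True when the account represents a group rather than a user.</param>
    /// <returns>
    /// The encoded string of the migrated claim, or <paramref name="previousUserAccount"/>
    /// unchanged when no claim could be built for it.
    /// </returns>
    public string ConvertFromOldUser(string previousUserAccount, SPWebApplication.AuthenticationMethod previousAuthType, bool isGroup)
    {
        SPClaim migratedUserClaim = null;

        switch (previousAuthType)
        {
            case SPWebApplication.AuthenticationMethod.Windows:
                migratedUserClaim = evalClassicToClaimsAccount(previousUserAccount, isGroup);
                break;
            case SPWebApplication.AuthenticationMethod.Claims:
                migratedUserClaim = evalWindowsClaimToClaimsAccount(previousUserAccount, isGroup);
                break;
            case SPWebApplication.AuthenticationMethod.Forms:
                //code for converting from Forms would be here
                break;
        }

        // No claim means "not migrated": the original identifier is handed back untouched.
        // NOTE(review): such accounts keep an identifier the new issuer will not produce;
        // consider recording them so they can be reviewed after the migration.
        if (migratedUserClaim == null)
        {
            return previousUserAccount;
        }
        return migratedUserClaim.ToEncodedString();
    }

    // Windows classic account -> claim. Placeholder body on this slide; a fuller
    // implementation appears later in the listing.
    private SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        return migratedClaim;
    }

    //migrating from Windows claims to SAML claims
    // Placeholder body on this slide; a fuller implementation appears later in the listing.
    private SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        return migratedClaim;
    }
}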
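/// <summary>
/// Builds the claim for a Windows classic-mode account.
/// </summary>
/// <param name="previousUserAccount">The account's SID in string (SDDL) form; it is parsed by
/// <see cref="SecurityIdentifier"/> and resolved to an NT account name.</param>
/// <param name="isGroup">True for a group, false for a user.</param>
/// <returns>The migrated claim, or null when the SID is one of the screened well-known SIDs
/// or cannot be resolved to a name (the caller then leaves the account unchanged).</returns>
SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
{
    SecurityIdentifier curSid = new SecurityIdentifier(previousUserAccount);

    //Check the SID and make sure its not a system type SID See http://support.microsoft.com/kb/243330
    // NOTE(review): only two well-known SIDs are screened; decide whether other
    // WellKnownSidType values (e.g. WorldSid) should be skipped rather than migrated.
    if (curSid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid) ||
        curSid.IsWellKnown(WellKnownSidType.LocalSystemSid))
    {
        return null;
    }

    // Resolve the SID once, up front, so both the group and the user branch can use
    // the name; an unresolvable SID is not migrated.
    string oldNtId = translateSidToName(previousUserAccount);
    if (oldNtId == null)
    {
        return null;
    }

    if (isGroup)
    {
        //Migrate Groups
        // Groups are keyed by their SID here while users are keyed by the resolved
        // name (the slide leaves "Group SIDs vs Names ??" as an open question).
        return generateGroupSidClaimFromNtId(previousUserAccount);
    }
    return generateUserIdClaimFromNtId(oldNtId);
}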
vs
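/// <summary>
/// Builds the SAML claim for an account that was created under Windows claims authentication.
/// </summary>
/// <param name="previousUserAccount">The stored identifier, in encoded-claim form.</param>
/// <param name="isGroup">True for a group, false for a user. Not consulted here: the claim
/// type of the decoded identity selects the branch.</param>
/// <returns>The migrated claim, or null when the identifier does not decode, was not issued
/// by Windows, or carries a claim type this method does not handle.</returns>
SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
{
    //Migrating from Windows claims to SAML claims - create a claim from the identifier so we can see if the original issuer came from Windows
    SPClaim idClaim = _cpm.ConvertIdentifierToClaim(previousUserAccount, SPIdentifierTypes.EncodedClaim);
    if (idClaim == null)
    {
        return null;
    }

    //this is a Windows claims user, and we are going to convert to a SAML claims user ID format
    // Only identities the Windows issuer produced are rewritten; anything else is left alone.
    if (!SPOriginalIssuers.IsIssuerType(SPOriginalIssuerType.Windows, idClaim.OriginalIssuer))
    {
        return null;
    }

    //windows claims users will be in the format domain\user windows claims groups will be in the SID format
    if (idClaim.ClaimType.Equals(SPClaimTypes.UserLogonName))
    {
        return generateSAMLClaimFromNtId(idClaim.Value, SourceAccountType.WindowsClaim);
    }
    if (idClaim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid))
    {
        //Group SID or Group Name???
        // NOTE(review): the generateSAMLClaimFromNtId / generateSAMLGroupClaim stubs later in
        // this listing declare different parameter lists than these calls; reconcile them.
        return generateSAMLGroupClaim(idClaim.Value, SourceAccountType.WindowsClaim);
    }
    return null;
}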
// Stub: turns a Windows-claims user logon name into the matching SAML identity claim.
// Yields null until the conversion is written.
// NOTE(review): the caller in evalWindowsClaimToClaimsAccount passes a second
// SourceAccountType argument that this signature does not declare.
SPClaim generateSAMLClaimFromNtId(string winClaimId)
{
    //Create the proper SAML ID Claim for the old windows claim user
    return null;
}
// Stub: turns a Windows-claims group identifier into the matching SAML group claim.
// Yields null until the conversion is written.
// NOTE(review): the caller in evalWindowsClaimToClaimsAccount passes a
// SourceAccountType where this signature declares a bool.
SPClaim generateSAMLGroupClaim(string groupClaim, bool isGroup)
{
    //Create the proper SAML ID Group claim for the old windows claim group
    return null;
}
Sharing Token
Claim
Demo
* http://blogs.technet.com/b/speschka/archive/2011/03/29/how-to-get-all-user-claims-at-claims-augmentation-time-insharepoint-2010.aspx
http://europe.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
http://europe.msteched.com/sessions