• What is Identity?
• What is a Claim?
Diagram (what is a claim): a security token carrying a set of claims (for example Name, Age, Location) together with a Signature over them from the issuer.
Diagram (claims authentication flow): the Client, the SharePoint web application at http://sharepoint.contoso.com (Classic or Claims), the SharePoint STS, and the Identity Provider Security Token Service (IP-STS), which is backed by Active Directory, an ASP.NET Membership store, SAML-based claims providers, or LiveID. Trust relationships are drawn between SharePoint and the IP-STS and between the SharePoint STS and the IP-STS. Steps 1 to 7 are labelled: request resource / redirect, authenticate, request security token, security token response, service token request, and finally (7) request the resource with the service token.
Diagram (SharePoint authorization and authentication modes): Classic Mode, Claims Mode, Mixed Authentication, and Multi-Authentication. Two farm layouts are shown. In the mixed-authentication layout a web application in the Default zone uses Windows authentication and is extended into the Extranet, Intranet, Internet and Custom zones, each extended web application carrying one method (Windows authentication, FBA authentication, or SAML-based authentication). In the multi-authentication layout a single zone (Default, Intranet, Internet) offers Windows authentication and FBA authentication together on the same URL.
Diagram (claims and Business Connectivity Services): two topologies with numbered steps. In the first, a Virtual List WebPart in SharePoint calls a LOB data source through BCS and a web service, with a trust between SharePoint and the LOB system and the SP STS issuing the token (steps 1 to 7). In the second, the call crosses the Internet to an Enterprise STS that trusts the SP STS, and the WCF web service fronting the LOB data source trusts the Enterprise STS (steps 1 to 8).
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.IdentityModel.Claims; // Windows Identity Foundation (WIF) 1.0, which SharePoint 2010 builds on

namespace ClaimsViewerTest.VisualWebPart1
{
    public partial class VisualWebPart1UserControl : UserControl
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // In a claims-mode web application the request principal is an IClaimsPrincipal.
            // In a classic-mode web application it is a plain WindowsPrincipal, so the cast yields null.
            IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
            if (claimsPrincipal == null)
            {
                return;
            }
            IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
            // Bind every claim in the user's token (ClaimType, Value, ValueType, Issuer) to the grid.
            GridView1.DataSource = claimsIdentity.Claims;
            Page.DataBind();
        }
    }
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[name_of_cert].cer")
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
Error "Root of Certificate Chain is Not Trusted Root Authority": New-SPTrustedIdentityTokenIssuer rejects the token-signing certificate when SharePoint does not trust its certificate chain. Register the certificate (or its issuing CA) as a trusted root authority in the farm with New-SPTrustedRootAuthority before creating the token issuer.
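The trust set-up above as a complete procedure, added here as an example and not taken from the original deck. It first registers the root of the ADFS token-signing certificate so that the "Root of Certificate Chain is Not Trusted Root Authority" error does not occur, maps the e-mail and role claims, creates the trusted identity token issuer, and then extends an existing claims web application into the Extranet zone with this SAML provider (the zone layout from the authentication-modes diagram). The certificate path, the ADFS host name, the realm, the web application URLs and the account of the Management Shell user are assumptions; the matching relying-party trust on the ADFS side is assumed to exist.

```powershell
# Added example (not from the original deck). Assumes the SharePoint 2010 Management Shell,
# a claims-mode web application at http://claims.contoso.com, and the ADFS 2.0 token-signing
# certificate exported (public part only) to C:\certs\adfs-signing.cer.
# Host names, paths, realm and URLs are placeholders.

$certPath  = "C:\certs\adfs-signing.cer"
$adfsHost  = "adfs.contoso.com"
$webAppUrl = "http://claims.contoso.com"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# SharePoint only needs the public key to verify token signatures. A file that carries the private
# key means the wrong artifact was exported from ADFS, so stop before it is stored in the farm.
if ($cert.HasPrivateKey) { throw "Export only the public part of the ADFS token-signing certificate." }

# 1. SharePoint must trust the chain of the signing certificate. Registering it (or its issuing CA)
#    as a trusted root authority avoids the "Root of Certificate Chain is Not Trusted Root Authority"
#    error in step 3. The check keeps the script idempotent.
$alreadyTrusted = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if (-not $alreadyTrusted) {
    New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null
}

# 2. Map the incoming claims. The identifier claim becomes the user's login name in SharePoint,
#    so it must be unique per user and ADFS must issue it for every user.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Create the trusted identity token issuer. The realm is the relying-party identifier configured
#    in ADFS; the sign-in URL is the ADFS passive (WS-Federation) endpoint.
$realm     = "urn:sharepoint:claims"
$signInUrl = "https://$adfsHost/adfs/ls/"
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# 4. Expose the issuer as an authentication provider on an Extranet zone of the web application.
#    The SAML token is posted back through the browser, so the zone is created with SSL only.
$samlProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
$webApp = Get-SPWebApplication $webAppUrl
New-SPWebApplicationExtension -Identity $webApp -Name "Claims Extranet" -Zone Extranet `
    -Url "https://extranet.contoso.com" -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $samlProvider | Out-Null

# 5. Verify what the farm now holds for this issuer.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS20Server" |
    Select-Object Name, ProviderUri, IdentityClaimTypeInformation, SigningCertificate
```

When the ADFS token-signing certificate is rolled over, repeat steps 1 and 3 with the new certificate (Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate); tokens signed with a key SharePoint does not hold are rejected, which shows up to users as a failed sign-in rather than a clear error.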
Authentication method: Windows Classic
Advantages and recommendations:
• Authenticate by using your existing Active Directory accounts.
• Simplify user management.
• Take advantage of Active Directory groups when configuring SharePoint Server 2010 authorization.
• Avoid writing custom code.
Tradeoffs:
• Some IIS authentication protocols are not supported by all Web browsers.

Authentication method: Claims
Advantages and recommendations:
• Claims authentication is implemented with assertions that are encapsulated in security tokens and determine whether a user is permitted to access resources. A claim can be a user name, a role, an employee ID, etc., and is used to determine authorization and permission levels.
Tradeoffs:
• Configuration and management require additional planning and training.

Authentication method: Forms-based authentication
Advantages and recommendations:
• Set up SharePoint Server 2010 in an environment that does not use AD DS (does not require Windows accounts).
• Authenticate against two or more different identity management systems when creating partner applications.
• Implement a custom authentication scheme using arbitrary criteria.
• Authenticate users coming from the Internet.
Tradeoffs:
• Requires customization of the Web.config file.
• Subject to replay attacks for the lifetime of the cookie, unless using SSL / Transport Layer Security (TLS).
Supported authentication modes for a web application:
• Windows Classic
• Anonymous
• FBA Claims
• Windows Classic + FBA Claims
• Anonymous + FBA Claims
• SAML Claims
• Windows Claims
• Windows Claims + FBA Claims
Resources:
• SharePoint Server 2010 Beta
• SharePoint Server 2010 IT Professional Evaluation Guide
• Plan Authentication Methods (SharePoint Server 2010) on TechNet
• Configure Forms-based Authentication for a Claims-based Web Application
• Configure the Security Token Service
• SharePoint and Claims-based Identity
• A Guide to Claims-Based Identity and Access Control
• Claims-Based Identity for Windows
• Setting up a lab environment with ADFS
• ADFS Resource Center
Claim type and value type URIs:
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
• http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
• http://www.w3.org/2001/XMLSchema#string
Create an SPAuthenticationProvider for an ASP.NET Membership Provider, then a Web Application that uses it:
$provider = New-SPAuthenticationProvider -ASPNETMembershipProvider "LdapMember" -ASPNETRoleProviderName "LdapRole"
$webApp = New-SPWebApplication -Name "Claims" -ApplicationPool "Claims Application Pool" -ApplicationPoolAccount "CONTOSO\administrator" -Url http://claims.contoso.com -Port 80 -AuthenticationProvider $provider
Create a new SPClaimsPrincipal and a Site Collection owned by it:
$principal = New-SPClaimsPrincipal -Identity "membership:SiteOwner" -IdentityType FormsUser
$site = New-SPSite http://servername:port -OwnerAlias $principal.ToEncodedString() -Template "STS#0"
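The procedure above carried through as an added example that is not from the original deck: it creates a claims-mode web application whose Default zone offers Windows authentication and forms-based authentication together (the Multi-Authentication layout from the diagram), creates the root site collection with a forms user as primary owner and a Windows user as secondary owner, and shows how SharePoint encodes each kind of claims principal. The provider names LdapMember and LdapRole and the web application URL follow the deck; the service account and user names are assumptions, and the membership and role provider sections in web.config are assumed to be configured separately.

```powershell
# Added example (not from the original deck). Assumes the SharePoint 2010 Management Shell and that the
# membership provider "LdapMember" and role provider "LdapRole" are already defined in the web.config of
# the web application, of Central Administration and of the Security Token Service (FBA needs all three).
# Account names and URLs are placeholders.

$appPoolAccount = "CONTOSO\spwebapp"     # a dedicated managed service account, not a farm administrator
$webAppUrl      = "http://claims.contoso.com"

# Two providers bound to the same zone: Windows claims (Kerberos/NTLM) and FBA claims. Users on the
# Default zone get a sign-in page that lets them choose between the two.
$winProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fbaProvider = New-SPAuthenticationProvider -ASPNETMembershipProvider "LdapMember" -ASPNETRoleProviderName "LdapRole"

$webApp = New-SPWebApplication -Name "Claims" -ApplicationPool "Claims Application Pool" `
    -ApplicationPoolAccount (Get-SPManagedAccount $appPoolAccount) `
    -Url $webAppUrl -Port 80 -AuthenticationProvider $winProvider, $fbaProvider

# Claims principals for a forms user (format "<membership provider>:<user>") and a Windows user.
# ToEncodedString() yields the login name SharePoint stores in site user lists; its prefix records
# the claim type, the value type and the issuer, so the same user name from two providers stays distinct.
$formsOwner = New-SPClaimsPrincipal -Identity "LdapMember:siteowner" -IdentityType FormsUser
$winAdmin   = New-SPClaimsPrincipal -Identity "CONTOSO\spadmin"     -IdentityType WindowsSamAccountName

$site = New-SPSite $webAppUrl -OwnerAlias $formsOwner.ToEncodedString() `
    -SecondaryOwnerAlias $winAdmin.ToEncodedString() -Template "STS#0"

# Inspect the encoded identities and the providers actually bound to the Default zone.
$formsOwner.ToEncodedString()
$winAdmin.ToEncodedString()
Get-SPAuthenticationProvider -WebApplication $webApp -Zone Default | Select-Object DisplayName, ClaimProviderName
```

The encoded strings follow the SharePoint 2010 claim encoding: a forms user appears as i:0#.f|<provider name>|<user name> and a Windows user as i:0#.w|<domain>\<user>. Because the provider name is part of the identity, renaming the membership provider in web.config later orphans every permission granted to its users, so pick the provider name before the first site collection is created.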