ESPC15 - Extending Authentication and Authorization

Post on 09-Jan-2017


Extending Authentication and Authorization

Edin Kapić

Edin Kapić
• SharePoint Senior Architect & Team Lead at Sogeti, Barcelona
• President of SharePoint User Group Catalonia (SUG.CAT)
• Writer at Pluralsight
• SharePoint Server / Office Servers and Services MVP
• Tinkerer & geek

Email: mail@edinkapic.com
Twitter: @ekapic
LinkedIn: edinkapic

Agenda
• SharePoint, Authentication and Authorization
• Claims
• Claims-based Authentication
• Claims-based Authorization
• Claims Augmentation and Transformation
• Claims Providers
• Federated Authentication

SharePoint, Authentication & Authorization

[Diagram: on the authentication side, SharePoint Web App, Authentication Provider and SPUser; on the authorization side, Site Collection, Site and SPRoleAssignment]

SharePoint Authentication
• SharePoint doesn't authenticate by itself
• It keeps user details in the user profile database and in the user information list of each site collection

SharePoint Authorization
• Associated with principals:
  • Authenticated users
  • Groups (SharePoint or AD)
  • Claims
  • App/Add-in identities

SharePoint 2013 Authentication Options
• "Classic" Windows (deprecated)
• Claims-based
  • Windows tokens
  • FBA
  • SAML 1.1

[Diagram: in classic mode a Windows NTLM token maps directly to the SPUser; in claims mode a Windows NTLM token, an FBA user or a SAML 1.1 token is first converted into a SAML token, which then maps to the SPUser]

App/Add-In Authentication
• Add-ins have an identity and can be assigned permissions
• Add-ins are principals, together with users and groups
• Add-in identity vs. user identity: a call can run with the user's permissions, the add-in's permissions, or both
• Add-ins use OAuth to authenticate
  • Low-trust add-ins use 3-legged OAuth, with ACS as the broker
  • High-trust add-ins issue their own tokens, signed with a certificate that SharePoint has been configured to trust (server-to-server trust)

Claims
• A claim is a piece of your identity, asserted by some authority
• Claims are received upon presenting credentials to a claims provider
• Claims providers are trusted
• Examples
  • Employee badge: name, department, clearance
  • Boarding pass: flight, seat, class, name
  • Paper wristband: ticket type, extra services

SharePoint Claims (example for a Windows-authenticated user)

• Claim type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  Claim value: demo\ekapic
  Issuer: SharePoint; original issuer: SharePoint
• Claim type: http://schemas.xmlsoap.org/ws/2008/06/identity/claims/primarysid
  Claim value: S-1-5-21-4067827123-213488314-8760374-513
  Issuer: SharePoint; original issuer: Windows
• Claim type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  Claim value: ekapic@demo.local
  Issuer: SharePoint; original issuer: Windows
• Claim type: http://schemas.microsoft.com/sharepoint/2009/08/claims/userid
  Claim value: 0#.w|demo\ekapic
  Issuer: SharePoint; original issuer: SecurityTokenService

Claims Authentication
• SharePoint augments and transforms the incoming claims into a normalized claims identity
• This can be done by more than one claims provider
• It decouples the authentication method from the user identity
• For Windows incoming claims, SharePoint 2013 ships the C2WTS (Claims to Windows Token Service), which converts the UPN claim back into a Windows identity (using Kerberos constrained delegation) so that back-end systems can still be called with Windows credentials

Claims Authorization
• Any claim can be used as a security principal in SharePoint
• A flexible alternative to security groups
• Claims can be surfaced in the People Picker by the identity token service or by a custom claims provider

Claim Providers
• Augment the claims at sign-in and surface them in the People Picker
• Can be generic or bound to a Trusted Identity Provider
• Inherit from the SPClaimProvider abstract class

Claims Augmentation and Surfacing

Desired claim provider feature: what to implement
• Claims augmentation: FillClaimsForEntity, SupportsEntityInformation
• Claims surfacing in the People Picker: FillSchema, FillClaimTypes, FillClaimValueTypes, FillEntityTypes
• Claims hierarchy in the People Picker (left side): FillHierarchy, SupportsHierarchy
• Resolving typed claims in the People Picker: FillResolve, SupportsResolve
• Searching for claims in the People Picker: FillSearch, SupportsSearch
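The table above as working code. This is an added example written for this page, not the provider shown in the talk's demo: a minimal SPClaimProvider that augments every signed-in user with a "department" claim and lets the People Picker search for and resolve departments so they can be granted permissions like a group. The provider name, the claim type URI http://schemas.demo.local/claims/department and the in-memory department lookup are invented for the example; a real provider would read from a trusted store such as AD or an HR system.

```csharp
// Added example, not code from the talk: a minimal custom claims provider that
// augments every authenticated user with a "department" claim and surfaces the
// departments in the People Picker. The provider name, claim type URI and the
// in-memory directory are invented for this example; a real provider would look
// the department up in a trusted store (AD, an HR database).
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

namespace Demo.Claims
{
    public class DepartmentClaimProvider : SPClaimProvider
    {
        internal const string ProviderInternalName = "DepartmentClaimProvider";
        private const string DepartmentClaimType = "http://schemas.demo.local/claims/department";

        // Constructed sample data standing in for a trusted directory. Keys are the
        // login names SharePoint passes in entity.Value (demo\ekapic for Windows users).
        private static readonly Dictionary<string, string> Departments =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { @"demo\ekapic", "IT" },
                { @"demo\jdoe", "Finance" }
            };

        public DepartmentClaimProvider(string displayName) : base(displayName) { }

        public override string Name { get { return ProviderInternalName; } }

        // Which features from the table above this provider implements.
        public override bool SupportsEntityInformation { get { return true; } }
        public override bool SupportsHierarchy { get { return false; } }
        public override bool SupportsResolve { get { return true; } }
        public override bool SupportsSearch { get { return true; } }

        // Claims augmentation: runs at sign-in after authentication. Anything added here
        // becomes a security principal that can be granted permissions, so only emit
        // claims derived from a source you trust, and never fall back to a default.
        protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
        {
            if (entity == null || claims == null) return;
            string department;
            if (Departments.TryGetValue(entity.Value, out department))
                claims.Add(CreateClaim(DepartmentClaimType, department, SPClaimValueTypes.String));
        }

        // Claims surfacing: tell the People Picker what this provider can offer.
        protected override void FillClaimTypes(List<string> claimTypes)
        { claimTypes.Add(DepartmentClaimType); }

        protected override void FillClaimValueTypes(List<string> claimValueTypes)
        { claimValueTypes.Add(SPClaimValueTypes.String); }

        protected override void FillEntityTypes(List<string> entityTypes)
        { entityTypes.Add(SPClaimEntityTypes.FormsRole); } // departments act like roles, not users

        protected override void FillSchema(SPProviderSchema schema)
        {
            schema.AddSchemaElement(new SPSchemaElement(
                PeopleEditorEntityDataKeys.DisplayName, "Display Name", SPSchemaElementType.Both));
        }

        // No hierarchy (SupportsHierarchy is false), so the left-hand tree stays empty.
        protected override void FillHierarchy(Uri context, string[] entityTypes,
            string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }

        // Resolving: only an exact (case-insensitive) match may resolve; a loose match
        // would let the picker bind a permission to the wrong principal.
        protected override void FillResolve(Uri context, string[] entityTypes,
            string resolveInput, List<PickerEntity> resolved)
        {
            string match = Departments.Values.Distinct()
                .FirstOrDefault(d => d.Equals(resolveInput, StringComparison.OrdinalIgnoreCase));
            if (match != null) resolved.Add(CreateDepartmentEntity(match));
        }

        // Same, for an already encoded claim (e.g. when reopening a permissions dialog).
        protected override void FillResolve(Uri context, string[] entityTypes,
            SPClaim resolveInput, List<PickerEntity> resolved)
        {
            if (resolveInput != null && resolveInput.ClaimType == DepartmentClaimType)
                FillResolve(context, entityTypes, resolveInput.Value, resolved);
        }

        // Searching: a prefix match is acceptable because the user still picks one
        // of the returned entries explicitly.
        protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern,
            string hierarchyNodeID, int maxCount, SPProviderHierarchyTree searchTree)
        {
            foreach (string dept in Departments.Values.Distinct()
                .Where(d => d.StartsWith(searchPattern, StringComparison.OrdinalIgnoreCase))
                .Take(maxCount))
                searchTree.AddEntity(CreateDepartmentEntity(dept));
        }

        private PickerEntity CreateDepartmentEntity(string department)
        {
            PickerEntity entity = CreatePickerEntity();
            entity.Claim = CreateClaim(DepartmentClaimType, department, SPClaimValueTypes.String);
            entity.DisplayText = department;
            entity.Description = "Department " + department;
            entity.EntityData[PeopleEditorEntityDataKeys.DisplayName] = department;
            entity.EntityType = SPClaimEntityTypes.FormsRole;
            entity.IsResolved = true;
            return entity;
        }
    }
}
```

The class is registered farm-wide by a feature receiver derived from SPClaimProviderFeatureReceiver that returns the assembly, type, display name and description; once registered it must be enabled, and for a trusted identity provider it has to be associated with that provider's SPTrustedIdentityTokenIssuer (Set-SPTrustedIdentityTokenIssuer -ClaimProvider) before the token service calls FillClaimsForEntity for those users. Two points deserve attention in any provider of this kind: augmentation runs with SharePoint's own privileges at every sign-in, so the lookup it performs must be fast and must come from data an attacker cannot edit, and FillResolve must never resolve on partial input, because whatever it returns is what the permission gets bound to.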

DEMO

Custom Claim Provider

Federated Authentication
• When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication
• A third-party Security Token Service (STS) issues a security token with claims
• This token is trusted by "clients" (Relying Parties, RP) because the STS is trusted by them
• Tokens are digitally signed

Federated Authentication
• ID cards or passports are real-world examples of federated authentication

Federated Identity Providers
• Microsoft Active Directory Federation Services (ADFS)
• Microsoft Azure Active Directory
• Thinktecture IdentityServer
• Shibboleth
• IBM Federated Identity Manager
• ...

Active Directory Federation Services (ADFS)
• Part of the Windows Server features
• Can turn AD into a federated IdP
• Doesn't manage users directly, but claims, identity providers and relying parties

Azure Active Directory (AAD)
• "AD and ADFS in the cloud"
• Part of the Azure / Office 365 offering
• Underpins most Office 365 / Azure hybrid architectures

Thinktecture IdentityServer
• Open-source IdP based on .NET and Windows Identity Foundation (WIF)
• Modular architecture

DEMO

Federated Authentication with ADFS

Summary
• Claims-based identity and authorization are the only way forward, so make sure that you understand them well
• You can decouple user authentication from the user identity
• You can extend your user identity with additional claims
• You can get your user identity from somewhere else

Further Reading
• Steve Peschka's blog: https://samlman.wordpress.com
• Kirk Evans' blog: http://blogs.msdn.com/b/kaevans/
• A Guide to Claims-Based Identity and Access Control: https://msdn.microsoft.com/en-us/library/ff423674.aspx

Thank you!

Tack så mycket! (Swedish: Thank you very much!)