Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

Presented by Nguyen Thanh Binh, this presentation will give you a tour of claims-based authentication in SharePoint 2010 and show how to implement simple claims-based authentication on your SharePoint 2010 site. SharePoint Saturday Vietnam was sponsored by Officience. Visit http://www.officience.com/

Transcript of Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

Page 1: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
Page 2: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

Binh Thanh Nguyen

Solutions Architect and Project Manager

Bamboo Solutions Corporation Vietnam

Page 3: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• Identity and Identity Providers

• Authentication and Authorization

• Identity challenges in SharePoint 2007

• Claims-Based Identity

• Claims-Based Authentication in Microsoft SharePoint 2010

• Demo

• Q&A

Page 4: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
Page 5: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• What is Identity?

– A set of attributes to describe a user

Page 6: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• What are Identity Providers?

– Composed of attributes/identifiers

• Examples:

– Active Directory, Directory Services

Page 7: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
Page 8: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• What is Authentication (AuthN)?

– Authentication is the process of identification and validation of a user's identity

• What is Authorization (AuthZ)?

– Determines whether that identity has access to a particular resource such as sites, content, and other features the user can access.

Page 9: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
Page 10: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• Authentication is intertwined within SharePoint 2007

• Configuration is very complex

• Access control only through attribute providers

So… what is the solution?

Page 11: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
Page 12: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• What are Claims?

– Information about the user, such as full name, e-mail, age, group, etc.

• Issuer: Police Dept.

– Full Name, ID Number, Address, Regional, Date of birth, Date of issue, Sex, Picture

• Issuer: VN Railway

– Name, Frequent flyer number, Train number, Bus, Seat number, Date of issue

Page 13: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

[Diagram labels: Trust, Request, ID Card, Ticket]

Page 14: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
Page 15: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• The service component that builds, signs, and issues security tokens.

• Supports multiple credential types

• Identity Provider STS (IP-STS) and Relying Party STS (RP-STS).

– An IP-STS is an STS that issues tokens that can be used to request service tokens from RP-STSs.

– An RP-STS can also consume other types of tokens (or credentials), for example an NT token that comes from the domain controller or the Key Distribution Center (KDC)

• STSs can be chained

Page 16: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• SharePoint STS is always a relying party STS

– Built on Windows Identity Foundation (WIF)

• Multiple authentication types

• Identity Provider neutral

– Configured via Central Admin or PowerShell

• Delegation of user identity between applications.
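
The slide above notes that the SharePoint STS is identity-provider neutral and is configured via Central Admin or PowerShell. The following is an added example, not taken from the presentation, of registering an external IP-STS as a trusted token issuer with the SharePoint 2010 cmdlets; the certificate path, realm, sign-in URL, display names and the choice of e-mail as the identifier claim are placeholder assumptions, not the Windows Live ID values used in the demo.

```powershell
# Added example: register an external identity provider (IP-STS) as a trusted
# token issuer for the SharePoint STS. Paths, names and URLs are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = "C:\certs\idp-token-signing.cer"   # placeholder: IdP public signing certificate
$realm     = "urn:sharepoint:portal"            # placeholder: realm agreed with the IdP
$signInUrl = "https://idp.example.com/signin"   # placeholder: IdP sign-in endpoint
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Load the certificate and refuse to trust one outside its validity window.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$now  = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Signing certificate $($cert.Thumbprint) is not currently valid."
}

# Tokens are relayed through the browser, so the sign-in endpoint must be HTTPS.
if (([Uri]$signInUrl).Scheme -ne "https") {
    throw "Sign-in URL must use HTTPS."
}

# Compare this thumbprint with the value obtained from the IdP out of band.
Write-Host "Trusting signing certificate:" $cert.Thumbprint "expires" $cert.NotAfter

# The farm must trust the certificate that signs incoming tokens.
New-SPTrustedRootAuthority -Name "Example IdP token signing" -Certificate $cert | Out-Null

# Map the incoming e-mail claim; it is also used as the identifier claim below.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailType `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# Register the IdP with the SharePoint STS (the relying party STS).
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Example IdP" `
    -Description "External identity provider (example)" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Review what was registered before enabling it on a web application.
Get-SPTrustedIdentityTokenIssuer -Identity "Example IdP" | Format-List
```

The issuer still has to be selected as an authentication provider on a claims-mode web application before users can sign in with it.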

Page 17: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

[Diagram labels: Authenticate, Issue token, Send token, Issue token, Send token, Send cookie]

Page 18: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

[Sequence diagram. Participants: Browser, Issuer, Active Directory. Labels: Get /, 302, AuthN, SAML Token, Post, Process Token, Cookie, Cookie, Process Claims, 302]

Page 19: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

-Classic -Claims

Page 20: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
Page 21: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• Support existing identity infrastructure

–Active Directory

– LDAP, SQL

–WebSSO and Identity Management Systems

• Multiple authentication methods per SharePoint Web Application

• Enable automatic, secure identity delegation

–Cross-machines & cross-farm

• Support “no-credential” connections to External web services

• Standards-based and Interoperable

Page 22: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

Configure claims-based authentication using Windows Live ID

Page 23: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam
Page 24: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

• MSDN and TechNet:

– http://technet.microsoft.com/en-us/library/ff973117.aspx#section3

– http://blogs.technet.com/b/ritaylor/archive/2009/06/03/claims-based-authentication-an-overview.aspx

– http://technet.microsoft.com/en-us/sharepoint/ff678022.aspx#lesson2

– http://blogs.msdn.com/b/russmax/archive/2010/05/27/understanding-sharepoint-2010-claims-authentication.aspx

• Microsoft PDC:

– http://www.microsoftpdc.com/2009/SVC26

Page 25: Claims based authentication in SharePoint 2010 - SharePoint Saturday Vietnam

THANK YOU!