ESPC15 - Extending Authentication and Authorization

Extending Authentication and Authorization, Edin Kapić

Transcript of ESPC15 - Extending Authentication and Authorization

Page 1: ESPC15 - Extending Authentication and Authorization

Extending Authentication and Authorization

Edin Kapić

Page 2: ESPC15 - Extending Authentication and Authorization

Edin Kapić
• SharePoint Senior Architect & Team Lead in Sogeti, Barcelona
• President of SharePoint User Group Catalonia (SUG.CAT)
• Writer at Pluralsight
• SharePoint Server Office Servers and Services MVP
• Tinker & geek

Email: [email protected]
@ekapic
LinkedIn: edinkapic

Page 3: ESPC15 - Extending Authentication and Authorization

Agenda
• SharePoint, Authentication and Authorization
• Claims
• Claims-based Authentication
• Claims-based Authorization
• Claims Augmentation and Transformation
• Claims Providers
• Federated Authentication

Page 4: ESPC15 - Extending Authentication and Authorization

SharePoint, Authentication & Authorization

Diagram (slide 4), labels only: SharePoint Web App, Authentication Provider, SPUser, Site Collection, Site, SPRoleAssignment; the two halves are labelled Authentication and Authorization.

Page 5: ESPC15 - Extending Authentication and Authorization

SharePoint Authentication
• SharePoint doesn’t authenticate by itself
• It keeps user details in the user profile database and in the user information lists of each site collection

Page 6: ESPC15 - Extending Authentication and Authorization

SharePoint Authorization
• Associated with principals:
  • Authenticated users
  • Groups (SharePoint or AD)
  • Claims
  • App Add-in identities

Page 7: ESPC15 - Extending Authentication and Authorization

SharePoint 2013 Authentication Options
• “Classic” Windows (deprecated)
• Claims-based:
  • Windows tokens
  • FBA
  • SAML 1.1

Diagram (slide 7), labels only: Windows NTLM Token; Windows NTLM Token, FBA User, SAML 1.1 Token; SAML Token; SPUser.

Page 8: ESPC15 - Extending Authentication and Authorization

App Add-In Authentication
• Add-ins have identity and can be assigned permissions
• Add-ins are principals, together with users and groups
• Add-in identity vs. user identity
• Add-ins use OAuth to authenticate:
  • Low-trust add-ins use 3-legged OAuth (with ACS as broker)
  • High-trust add-ins use self-signed tokens

Page 9: ESPC15 - Extending Authentication and Authorization

Claims
• A claim is a piece of your identity, claimed by some authority
• Claims are received upon presenting credentials to a claims provider
• Claims providers are trusted
• Examples:
  • Employee badge: name, department, clearance
  • Boarding pass: flight, seat, class, name
  • Paper wristband: ticket type, extra services

Page 11: ESPC15 - Extending Authentication and Authorization

SharePoint Claims (claim type, claim value, issuer, original issuer)

Claim Type:      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Claim Value:     demo\ekapic
Issuer:          SharePoint
Original Issuer: SharePoint

Claim Type:      http://schemas.xmlsoap.org/ws/2008/06/identity/claims/primarysid
Claim Value:     S-1-5-21-4067827123-213488314-8760374-513
Issuer:          SharePoint
Original Issuer: Windows

Claim Type:      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Claim Value:     [email protected]
Issuer:          SharePoint
Original Issuer: Windows

Claim Type:      http://schemas.microsoft.com/sharepoint/2009/08/claims/userid
Claim Value:     0#.w|demo\ekapic
Issuer:          SharePoint
Original Issuer: SecurityTokenService
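The userid value above is SharePoint's compact "encoded claim" form (the same shape appears as a login name with an i: or c: prefix). The following decoder is an added example written for this transcript, not SharePoint's own SPClaimProviderManager.DecodeClaim; it covers a subset of the claim-type and issuer codes, and the provider name ADFS and the sample values in Main are constructed.

```csharp
using System;
using System.Collections.Generic;

// Stand-alone decoder for SharePoint encoded claims, e.g. "0#.w|demo\ekapic" or "i:0#.w|demo\ekapic".
public static class EncodedClaim
{
    // Claim-type codes (the character after the leading '0'); subset of SharePoint's table.
    static readonly Dictionary<char, string> ClaimTypes = new Dictionary<char, string>
    {
        { '#', "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" },
        { '5', "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" },
        { '-', "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" },
        { '+', "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" },
    };
    // Original-issuer codes (the character just before the '|').
    static readonly Dictionary<char, string> Issuers = new Dictionary<char, string>
    {
        { 'w', "Windows" }, { 's', "SecurityTokenService" }, { 'f', "Forms" },
        { 't', "TrustedProvider" }, { 'm', "Membership" }, { 'r', "RoleProvider" }, { 'c', "ClaimProvider" },
    };
    public static void Decode(string encoded, out bool isIdentity,
                              out string claimType, out string issuer, out string value)
    {
        // The login-name form carries an "i:" (identity) or "c:" (other claim) prefix; userid values do not.
        isIdentity = true;
        if (encoded.Length > 2 && encoded[1] == ':') { isIdentity = encoded[0] == 'i'; encoded = encoded.Substring(2); }
        if (encoded.Length < 6 || encoded[0] != '0' || encoded[4] != '|')
            throw new FormatException("not a SharePoint encoded claim: " + encoded);
        if (!ClaimTypes.TryGetValue(encoded[1], out claimType)) claimType = "unknown(" + encoded[1] + ")";
        if (encoded[2] != '.') throw new FormatException("only string-valued claims ('.') are handled here");
        if (!Issuers.TryGetValue(encoded[3], out issuer)) throw new FormatException("unknown issuer code " + encoded[3]);
        value = encoded.Substring(5);
        // Forms, trusted, membership, role and claim-provider issuers put the provider name before a second '|'.
        if ("ftmrc".IndexOf(encoded[3]) >= 0)
        {
            int sep = value.IndexOf('|');
            if (sep < 0) throw new FormatException("provider name missing in " + encoded);
            issuer += ":" + value.Substring(0, sep);
            value = value.Substring(sep + 1);
        }
    }
    public static void Main()
    {
        // Constructed samples: the page's Windows userid, a forms user and a role from a trusted provider.
        foreach (var s in new[] { @"0#.w|demo\ekapic", @"i:0#.f|membership|ekapic", @"c:0-.t|ADFS|Architects" })
        {
            bool id; string type, issuer, value;
            Decode(s, out id, out type, out issuer, out value);
            Console.WriteLine("{0}\n  identity={1} type={2} issuer={3} value={4}", s, id, type, issuer, value);
        }
    }
}
```

Decoding the prefix and issuer code is what tells you whether a claim came from Windows, forms or a trusted provider, which matters when the same account name could be issued by more than one source.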

Page 12: ESPC15 - Extending Authentication and Authorization

Claims Authentication
• SharePoint augments and transforms the incoming claims into a normalized claims identity
• This can be done by more than one claims provider
• It decouples the authentication method from the user identity
• For Windows incoming claims, there is a C2WTS (Claims to Windows Token Service) inside SharePoint 2013 that converts claims back into Windows identities

Page 13: ESPC15 - Extending Authentication and Authorization

Claims Authorization
• Any claim can be used as a security principal in SharePoint
• Flexible alternative to security groups
• Claims can be surfaced in the People Picker by the identity token service or by a custom claims provider

Page 14: ESPC15 - Extending Authentication and Authorization

Claim Providers
• Augment claims and surface them for the People Picker
• Can be generic or bound to a Trusted Identity Provider
• Inherit from the SPClaimProvider abstract class

Page 15: ESPC15 - Extending Authentication and Authorization

Claims Augmentation and Surfacing

Desired claim provider feature                 Implements
Claims augmentation                            FillClaimsForEntity, SupportsEntityInformation
Claims surfacing in People Picker              FillSchema, FillClaimTypes, FillClaimValueTypes, FillEntityTypes
Claims hierarchy in People Picker left side    FillHierarchy, SupportsHierarchy
Resolving typed claims in People Picker        FillResolve, SupportsResolve
Searching for claims in People Picker          FillSearch, SupportsSearch
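As an added example (not the demo code from the session), here is the augmentation row of the table in C#: an SPClaimProvider that adds a department claim to every authenticated user and switches the People Picker features off. The claim type URI, the lookup table and the account demo\jdoe are constructed; it assumes the SharePoint 2013 server assemblies and the Microsoft.IdentityModel (WIF) namespace.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// Augmentation-only provider: adds a department claim to each authenticated user.
public class DepartmentClaimProvider : SPClaimProvider
{
    // Hypothetical custom claim type; any URI under your control works.
    const string DepartmentClaimType = "http://schemas.example.org/claims/department";
    // Constructed sample data standing in for an HR/LOB lookup, keyed by logon name.
    static readonly Dictionary<string, string> Departments =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"demo\ekapic", "Architecture" },
            { @"demo\jdoe", "Finance" },
        };

    public DepartmentClaimProvider(string displayName) : base(displayName) { }
    public override string Name { get { return "DepartmentClaimProvider"; } }

    // Augmentation needs SupportsEntityInformation; the People Picker features are switched off.
    public override bool SupportsEntityInformation { get { return true; } }
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return false; } }
    public override bool SupportsSearch { get { return false; } }

    // Called by the SharePoint STS with the user's identity claim while the token is built.
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
    {
        if (entity == null) throw new ArgumentNullException("entity");
        // For Windows logons entity.Value is the account name, e.g. demo\ekapic.
        string department;
        if (Departments.TryGetValue(entity.Value, out department))
            claims.Add(CreateClaim(DepartmentClaimType, department, ClaimValueTypes.String));
    }

    // Advertise the claim type so SharePoint accepts it as a principal in role assignments.
    protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(DepartmentClaimType); }
    protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(ClaimValueTypes.String); }
    protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.FormsRole); }

    // The remaining abstract members must still be overridden; they are no-ops for an augmentation-only provider.
    protected override void FillSchema(SPProviderSchema schema) { }
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
    protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved) { }
    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved) { }
    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, string hierarchyNodeID, int maxCount, SPProviderHierarchyTree searchTree) { }
}
```

The class still has to be registered with the farm (typically through an SPClaimProviderFeatureReceiver in a farm-scoped feature) before the STS calls it; because augmentation runs for every logon, keep the lookup fast and fail closed by adding nothing when the user is unknown.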

Page 16: ESPC15 - Extending Authentication and Authorization

DEMO

Custom Claim Provider

Page 17: ESPC15 - Extending Authentication and Authorization

Federated Authentication
• When the identity provider (IdP) is distinct from Windows (or FBA), we have federated authentication
• A third-party Secure Token Service (STS) issues a security token containing claims
• This token is trusted by the “clients” (Relying Parties, RP) because the STS is trusted by them
• Tokens are digitally signed

Page 18: ESPC15 - Extending Authentication and Authorization

Federated Authentication
• ID cards or passports are real-world examples of federated authentication

Page 19: ESPC15 - Extending Authentication and Authorization

Federated Identity Providers
• Microsoft Active Directory Federation Services (ADFS)
• Microsoft Azure Active Directory
• Thinktecture IdentityServer
• Shibboleth
• IBM Federated Identity Manager
• ...

Page 20: ESPC15 - Extending Authentication and Authorization

Active Directory Federation Services (ADFS)
• Part of the Windows Server features
• Can turn AD into a federated IdP
• Doesn’t manage users directly, but claims, identity providers and relying parties

Page 21: ESPC15 - Extending Authentication and Authorization

Azure Active Directory (AAD)
• “AD and ADFS in the cloud”
• Part of the Azure / Office 365 offering
• Underpins most of the Office 365 / Azure hybrid architectures

Page 22: ESPC15 - Extending Authentication and Authorization

Thinktecture IdentityServer
• Open-source IdP based on .NET and Windows Identity Framework
• Modular architecture

Page 23: ESPC15 - Extending Authentication and Authorization

DEMO

Federated Authentication with ADFS

Page 24: ESPC15 - Extending Authentication and Authorization

Summary
• Claims-based identity and authorization are the only way forward, so make sure that you understand them well
• You can decouple user authentication from the user identity
• You can extend your user identity with additional claims
• You can get your user identity from somewhere else

Page 25: ESPC15 - Extending Authentication and Authorization

Further Reading
• Steve Peschka’s blog: https://samlman.wordpress.com
• Kirk Evans’ blog: http://blogs.msdn.com/b/kaevans/
• A Guide to Claims-Based Identity and Access Control: https://msdn.microsoft.com/en-us/library/ff423674.aspx

Page 26: ESPC15 - Extending Authentication and Authorization

Thank you!

Thank you very much! (Tack så mycket!)