Required Slide

Required Slide

Required Slide SESSION CODE: OSP 306 Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication Paul Schaeflein, MCT Manager of Advanced Technologies LaSalle Consulting Partners, Inc.

Agenda • Claims-Based Identity • Claims-Based Authorization • Claims Provider • Anonymous Access • Trusted Identity Providers

Claims-Based Identity

Claims-Based Identity primerIntroduction • What is Identity? A set of attributes to describe a user. • What is a Claim? Information such as name, e-mail, age, group membership, etc.

Claims-Based Identity primerIntroduction • What is Authentication (AuthN)? The process of verifying a user’s identity. • What is Authorization (AuthZ)? Determines which sites, content, and other features the user can access.

Claims-Based Identity primerUser Identity is a set of claims • Why do we say “claim” and not “attribute?” • Facebook & the Dept. of State have the age attribute • Facebook can claim 29 yrs, while State claims 46 yrs. • In order to make authorization decisions with age, your app needs to decide which “claim” you will trust. • Trust depends on scenario not on technical capability

Claims is more than Federation • Federation between organizations was the original driver • Over time, claims turned out to be useful for more than just Federation • Real Benefit: Cleanly factoring out the Identity Provider from the application is invaluable • SharePoint is Identity Provider neutral • Multi-auth web applications

Identity Normalization Anonymous User NT TokenWindows Identity SAML TokenLiveID, ADFS, Others ASP.Net (FBA)SAL, LDAP, Custom … SAML Token Claims Based Identity SPUser

Multi-auth Web Applications

Claims-Based Identity Claims Viewer Web Part Multi-Auth web application DEMO

Claims Viewer Web Part

Claims Viewer Web Part IClaimsPrincipalclaimsPrincipal = Page.UserasIClaimsPrincipal; IClaimsIdentityclaimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity; GridView1.DataSource = claimsIdentity.Claims;

Claims-Based Authorization

Claims-Based Authorization • Available to securable objects thru People-Picker • Access Claims via IClaimsIdentity interface • Claims property contains all claims • Conditionally Display information • based on presence of claim • based on value of claim

People Picker

Claims-Based Authorization Select claim in People Picker Conditional information display DEMO

Conditional Information Display

Conditional Information Display IClaimsPrincipalclaimsPrincipal = Page.UserasIClaimsPrincipal; IClaimsIdentityclaimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity; stringpmClaim = (from c inclaimsIdentity.Claims wherec.ClaimType == CLAIM_TYPE selectc.Value).FirstOrDefault(); boolauthorized = bool.Parse(pmClaim);

Custom Claims Provider

Custom SharePoint Claims Provider • Two roles • Claims Augmentation • Claims Picker • !! Not authentication !! (Use WIF classes for AuthN) • Usage Scenarios • List, Resolve and Search • AllUsers claim • Adding Claims to original token (claims augmentation) • Identity not from original token (map to internal identity)

Claims ProviderClaims Augmentation • Enables an application to augment additional claims into the user’s token • Implemented as a Claims Provider class • FillClaimsForEntity called by framework • Microsoft.SharePoint.Administration.Claims.SPClaimProvider • Register in Feature Event Receiver • Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver • MSDN Article by Steve Peschka: http://msdn.microsoft.com/en-us/library/ff699494.aspx

Claims ProviderClaims Picker • Provides Listing, Resolve, Search and Friendly display of claims in the People Picker • Implemented as a Claims Provider class • FillHierarchy, FillResolve, FillSearch called by framework • Microsoft.SharePoint.Administration.Claims.SPClaimProvider • Register in Feature Event Receiver • Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver • Claim Type and Values must match!

Custom Claims Provider Augment claims based on database values Resolve Claims in People Picker DEMO

FillClaimForEntity() method • Parameters • Context (URI) • Current user (userid claim) • Empty list to contain new claims • Called once per session • Token is passed as cookie once issued

CreateClaim() Parameters • claimTypeType: StringThe type of claim. Examples of claim types include first name, role and email address. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI). For example, the e-mail address claim type is represented as http://schemas.microsoft.com/ws/2008/06/identity/claims/email. • value Type: StringThe value of the claim. For example, if the claim type is role, a value might be contributor, and if the claim type is first name, a value might be Matt. • valueType Type: StringThe type of value in the claim. These are all URIs that refer to a string.

ClaimValueTypes (selected)

Anonymous Access

Claims in Anonymous scenario • No Claims!

Establishing Anonymous Access • Web Application • Manage web application • Authentication Providers • Edit Zone • Allow Anonymous $wa = get-spwebapplication http://cba.sharepointdevelopers.net $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Custom $i = $wa.IisSettings[$zone] $i.AllowAnonymous = $true $wa.Update() $wa.ProvisionGlobally()

Establishing Anonymous Access • Site (SPWeb) • Site Actions -> Site Permission • Anonymous Access • Nothing [AnonymousState.Disabled] • Entire site [AnonymousState.On] • Lists and Libraries [AnonymousState.Enabled] $w = Get-SPWeb http://www.sharepointdevelopers.net/blogs $w.AnonymousState = [Microsoft.SharePoint.SPWeb+AnonymousState]::On $w.Update()

Establishing Anonymous Access • List • List Settings • Anonymous Access $w = get-spweb http://www.sharepointdevelopers.net/blogs/paul $l = $w.Lists["Comments"] $l.AnonymousPermMask64 = {BasePermissions as appropriate}

Trusted Identity Providers

Trusted Identity Providers • Install the certificate chain in SharePoint • Does not rely on the server! • Define unique identifier (map claim types) • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress • Set login url • Provide identifying information (realm) • Used by IP-STS to look up your return url

Trusted Identity Providers • Active Directory Federation Services (ADFS) • Previously known as “Geneva server” • Windows Live ID • Open ID

ADFS 2.0 • Separate Download • http://www.microsoft.com/adfs2 • Identity across organizational boundaries • Attribute stores • Active Directory • Others

Windows Live ID • Extract X509 Cert from metadata • Set Return URL to _trust/default.aspx • Watch TechNet for further information

Open ID • Must be “Translated” into SAML Claims • WIF code • Pioneering work • MatiasWoloski • http://blogs.southworks.net/mwoloski/2009/07/14/openid-ws-fed-protocol-transition-sts/ • Travis Nielsen • https://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=34 • Many OpenID Providers • http://openid.net/get-an-openid/

Trusted Identity Providers Demo

Get the slides and code • http://sharepoint.mindsharpblogs.com/Paul/TechEd2010

Required Slide Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session. Related Content • Breakout Sessions – See Conference Guide for full list of OSP Track Sessions • Interactive Sessions – OSP Track has 10 Interactive Sessions – OSP01-INT – OSP10-INT • Hands-on Labs – OSP01-HOL – OSP20-HOL • Product Demo Stations: Yellow Section, OSP • Office 2010, SharePoint 2010, Project Server 2010, Visio 2010 have kiosks & demos

Required Slide Track PMs will supply the content for this slide, which will be inserted during the final scrub. Track Resources For More Information: http://sharepoint.microsoft.com • SharePoint Developer Center: http://msdn.microsoft.com/sharepoint SharePoint Tech Center: http://technet.microsoft.com/sharepoint Official SharePoint Team Blog: http://blogs.msdn.com/sharepoint

Required Slide Resources Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet • http://microsoft.com/msdn

Required Slide Complete an evaluation on CommNet and enter to win!

Play the Microsoft Office & SharePoint Track Tag Contest Download the Microsoft Tag Reader Open the internet browser on your mobile phone and visit http://gettag.mobi Grand Prize (1) Xbox 360 Prize Package and Microsoft® Office 2010 Daily Prizes 40 copies of Microsoft® Office 2010 Come to the Expo Hall – Yellow Section OSP Info Desk for Official Rules & Collect Additional Tags from all OSP Track Sessions, Speakers and Expo Hall!

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Required Slide

Required Slide

Presentation Transcript

Required Slide

Required Slide

Required Slide

Required Slide

Required Slide

Required Slide

Required Slide

Required Slide

Required Slide

Required Text

Required Text

Required Text

Required Slide

Required Recommended

required

Required Text

Required Text

Required Text

Required Text

May Use Organization Required Slide Here

Required Text

Required Text