SESSION CODE: OSP311 • From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010 • Rick Taylor, Senior Technical Architect, Perficient, Inc.
Who Am I? • Who am I??? • Who am I ?????????? The Guardian of Lost Souls Rick Taylor The Powerful Slick Rick – if you’re nasty The Pleasurable The Indestructible
Introduction • Former Engineer with Platform Architecture Group in SharePoint Online • Contributing author on Microsoft Office SharePoint Server 2007 Administrator’s Guide • Connect w/ Rick on • Facebook • LinkedIn • Twitter • Spaces • TechNet
Agenda • Overview of Identities and Claims • What is Claims-based Identity? • A primer • Problem Spaces and Examples • Why is it important? • What does it do for me? • Why do I need it? • Upgrade Scenarios • Support Statements
Terminology • Claim • An assertion • Username • Email Address • Date of Birth • Security Token Service (STS) • A service that accepts requests and issues security tokens that contain claims • Identity Provider (IDP) • An issuer of a token • Relying Party (RP) • An application that uses Claims (Claims Aware)
Claims Primer • What is Identity? • A set of attributes that describe a user, such as name, e-mail, age, group membership, etc. • It traverses the network as an array of bytes, referred to as a token • In a Claims-based scenario, that array of bytes carries Claims • What is a Claim? • An attribute and its value, as asserted by some authority (the issuer) that claims to know it
What is a Token? • A token is a container of claims (diagram: TOKEN holding CLAIM = Given Name, CLAIM = Email Address, CLAIM = D.O.B, CLAIM = Role)
Claims • Claims carry pieces of information about the user (diagram: a Token holding Name, Age, Location)
Issuer • Tokens are issued by Security Token Service (STS) software • Identity providers can include Directory Services, Windows Live ID, etc.
Claims Primer - continued • What is the difference between a “claim” and an “attribute?” • Both Facebook and eHarmony have the age attribute • Facebook claims that I am 45, while eHarmony claims I am 29 • Authorization decisions may depend on the age attribute, so your app needs to decide which “claim” it will trust • Trust depends on the scenario, not on technical capability
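As an added example (not from the deck), a minimal relying party in PowerShell that applies the "which claim do I trust" decision from the slide above. The token, the issuer names and the age values are constructed to mirror the Facebook/eHarmony example; the per-claim-type trust table is an assumed application setting, not anything SharePoint itself provides. The point it shows is that the relying party must decide trust per issuer before using a claim value, and must deny when it has made no such decision.

```powershell
# Added example (not part of the presentation): a tiny relying party that
# authorizes on an "age" claim only when it comes from an issuer the app trusts.
function New-Claim {
    param([string]$Type, [string]$Value, [string]$Issuer)
    New-Object PSObject -Property @{ Type = $Type; Value = $Value; Issuer = $Issuer }
}

# Constructed token: two issuers assert the same attribute with different values.
$token = @(
    (New-Claim -Type 'age'  -Value '45'   -Issuer 'facebook'),
    (New-Claim -Type 'age'  -Value '29'   -Issuer 'eharmony'),
    (New-Claim -Type 'name' -Value 'Rick' -Issuer 'facebook')
)

# Scenario-specific policy: which issuer this application trusts for which claim type.
# Trust is a decision of the relying party, not a property of the token.
function Test-Authorized {
    param(
        [object[]]$Token,
        [hashtable]$TrustedIssuerForType,   # assumed app setting, e.g. @{ age = 'eharmony' }
        [int]$MinimumAge
    )
    $issuer = $TrustedIssuerForType['age']
    if (-not $issuer) { return $false }   # no trust decision for this claim type -> deny

    $ageClaim = $Token |
        Where-Object { $_.Type -eq 'age' -and $_.Issuer -eq $issuer } |
        Select-Object -First 1
    if (-not $ageClaim) { return $false } # trusted issuer made no such claim -> deny

    return ([int]$ageClaim.Value -ge $MinimumAge)
}

# The same token authorizes differently depending on whose claim the app trusts.
Test-Authorized -Token $token -TrustedIssuerForType @{ age = 'facebook' } -MinimumAge 40
Test-Authorized -Token $token -TrustedIssuerForType @{ age = 'eharmony' } -MinimumAge 40
Test-Authorized -Token $token -TrustedIssuerForType @{}                   -MinimumAge 40
```

The three calls at the end feed the same token through three different trust policies; only the policy, never the token, changes the outcome.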
Benefits • Applications can determine which Claims are required and which providers to trust • Provides multiple authentication scenarios on a single, unique namespace, e.g. http://sharepoint.contoso.com • Enables automatic and secure identity delegation within SharePoint • Seamless integration with external systems, e.g. Web Service calls
Problem Space • Sign-in • Retrieving identities, i.e. who the users are • Services • Passing identities across boundaries, e.g. machines, Line of Business applications, etc.
Sign-in Scenarios • Sign in to SharePoint with both Windows and LDAP directory Identity • Easily configure Intranet and Extranet users for Collaboration • Integrate with other customer identity systems (e.g. ADFS) • Use Office Applications with non-Windows Authentication
Normalizing Identities (diagram) • Classic: NT Token → Windows Identity → SPUser • Claims: NT Token / Windows Identity, SAML 1.1+ (ADFS, etc.), ASP.Net FBA (SQL, LDAP, Custom …) → SAML Token → Claims Based Identity → SPUser
End User Experience Classic Mode
End User Experience Claims Mode
Forms-based Authentication in SharePoint Server 2010 • Rick Taylor, Senior Technical Architect, Perficient • demo… well… sorta… but not really
Claim Providers • Augmentation of Claims • Used to add application specific claims • SharePoint will authorize over these claims • Search and Resolve Claims • Provides a way to enumerate and select claims • SharePoint will present the claims in the User Experience
Office Applications • Office Client applications now support non-Integrated Windows Authentication • Office 2007 with Service Pack 2 on • Windows XP with Internet Explorer 8 • Windows Vista with Service Pack 2 or optionally with Internet Explorer 8 • Windows 7 • Office 2010 on • Windows XP with Internet Explorer 8 • Windows Vista with Service Pack 2 or optionally with Internet Explorer 8 • Windows 7
Changes to Forms-based Authentication • Forms-based Authentication users become Claims Identities • Claims identities are created as opposed to ASP.NET Generic identities • The Security Token Service calls the membership provider to validate the user and issues a Claims token • ValidateUser() must be implemented by membership providers • Roles are converted to Claims and captured in the SAML token
Services Scenarios • Surface additional information about a person or object without challenge (Intranet-specific scenario) • Surface inventory information through an Enterprise portal (Extranet or Intranet-specific scenario) • Deploy secure SharePoint environments for user identity delegation
Code Snippet for Claims Viewer Web part

using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.IdentityModel.Claims;

namespace ClaimsViewerTest.VisualWebPart1
{
    public partial class VisualWebPart1UserControl : UserControl
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // In a claims-mode web application Page.User is an IClaimsPrincipal;
            // in classic mode the "as" cast yields null, so guard before dereferencing.
            IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
            if (claimsPrincipal == null)
            {
                return;
            }

            IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;

            // Bind the claim collection (type, value, issuer, ...) to the GridView
            // declared in the .ascx markup of the visual web part.
            GridView1.DataSource = claimsIdentity.Claims;
            Page.DataBind();
        }
    }
}
# Register ADFS 2.0 as a trusted identity token issuer for SharePoint 2010
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[name_of_cert].cer")

# Map the incoming e-mail address claim through unchanged and use it as the identifier claim
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"

$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" -Description "ADFS 2.0 Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
Upgrade Scenarios • Integrated Windows will not require rework • Forms-based Authentication and WebSSO scenarios will need Claims conversion
Upgrade issues • When you upgrade from MOSS to SharePoint 2010: • Error: “Forms Based Authentication on classic Web application has been deprecated.” • Fix: • Step 1 – switch the web application to claims authentication:

$w = Get-SPWebApplication "http://webappurl/"
$w.UseClaimsAuthentication = $true
$w.Update()
$w.ProvisionGlobally()
Upgrade Issues - Continued • Step 2 • Remove the <clear/> element from the Membership and Role provider sections in the web.config of the {SharePoint Root}\WebServices\Root • (Only occurs in upgraded farms, not in clean installs)
Upgrade Issues - Continued • Naming Convention Change • aspnetsqlmembershipprovider:username IS NOW • i:0#.f|aspnetsqlmembershipprovider|username • Use PowerShell to change the names of all the users
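The three upgrade steps above (enable claims on the web application, remove the <clear/> elements from the STS web.config, rename legacy FBA users to their claims-encoded login) carried through as one script. This is an added example, not from the deck or from Microsoft. It assumes the web application URL placeholder from the slide, the membership provider name aspnetsqlmembershipprovider from the slide, and that {SharePoint Root} is the 14 hive; the ConvertTo-ClaimsLogin and Remove-ProviderClearElements function names are the example's own. Run it from the SharePoint 2010 Management Shell with -WhatIf first to see what it would change.

```powershell
# Added example (not part of the presentation): the MOSS -> SharePoint 2010 FBA upgrade steps.
param(
    [string]$WebAppUrl      = 'http://webappurl/',               # placeholder from the slide
    [string]$ProviderName   = 'aspnetsqlmembershipprovider',      # provider name from the slide
    [string]$SharePointRoot = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14',  # assumed {SharePoint Root}
    [switch]$WhatIf
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 3 helper: legacy FBA login 'provider:username' -> claims-encoded 'i:0#.f|provider|username'
# ("i" = identity claim, "0" reserved, "#" = user logon name claim, "." = string value, "f" = forms auth).
function ConvertTo-ClaimsLogin {
    param([Parameter(Mandatory = $true)][string]$LegacyLogin)
    $parts = $LegacyLogin.Split(':', 2)
    if ($parts.Length -ne 2) { throw "Not a provider:username login: $LegacyLogin" }
    return 'i:0#.f|{0}|{1}' -f $parts[0].ToLower(), $parts[1]   # SharePoint stores the issuer lower-cased
}

# Step 2 helper: drop <clear/> from the membership and roleManager provider lists of the STS web.config.
function Remove-ProviderClearElements {
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$WhatIf)
    [xml]$config = Get-Content -Path $Path
    $removed = 0
    foreach ($section in 'membership', 'roleManager') {
        $providers = $config.SelectSingleNode("/configuration/system.web/$section/providers")
        if ($null -eq $providers) { continue }
        foreach ($clear in @($providers.SelectNodes('clear'))) {
            [void]$providers.RemoveChild($clear)
            $removed++
        }
    }
    if ($removed -gt 0 -and -not $WhatIf) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup before editing
        $config.Save($Path)
    }
    return $removed
}

# Step 1: switch the web application to claims authentication (idempotent).
$w = Get-SPWebApplication $WebAppUrl
if (-not $w.UseClaimsAuthentication) {
    Write-Host "Step 1: enabling claims authentication on $WebAppUrl"
    if (-not $WhatIf) { $w.UseClaimsAuthentication = $true; $w.Update(); $w.ProvisionGlobally() }
}

# Step 2: fix the STS web.config (only needed on upgraded farms).
$stsConfig = Join-Path $SharePointRoot 'WebServices\Root\web.config'
$n = Remove-ProviderClearElements -Path $stsConfig -WhatIf:$WhatIf
Write-Host "Step 2: $n <clear/> element(s) in $stsConfig"

# Step 3: rename legacy FBA users in every site collection to the claims-encoded form.
# -IgnoreSID is required because FBA identities have no Windows SID to carry across.
foreach ($site in $w.Sites) {
    foreach ($user in (Get-SPUser -Web $site.RootWeb)) {
        if ($user.LoginName -like "${ProviderName}:*") {
            $newLogin = ConvertTo-ClaimsLogin -LegacyLogin $user.LoginName
            if ($WhatIf) { Write-Host "Step 3: would move $($user.LoginName) -> $newLogin" }
            else { Move-SPUser -Identity $user -NewAlias $newLogin -IgnoreSID -Confirm:$false }
        }
    }
    $site.Dispose()
}
```

Move-SPUser rewrites the user's login in the site collection's user information list and permission assignments, which is why it runs per site collection rather than once per web application.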
Upgrade Issues • Any custom applications, web parts or utilities that used the SSO service in 2007 may require a rewrite or update to the code to reflect these changes to the Secure Store Service • Microsoft.Office.SecureStoreService.Server assembly found here: C:\Program Files (x86)\MSECache\oserver2010\Global\Search\osrchwfe.cab
Other “Gotchas” • Error: “Root of Certificate Chain is Not Trusted Root Authority” • Fix: • Must export the ADFS Token Signing Certificate • Must add the ADFS Token Signing Certificate Root Authority to the list of Root Authorities in SharePoint
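An added example (not from the deck) of the fix for the "Root of Certificate Chain is Not Trusted Root Authority" gotcha: load the exported ADFS token-signing certificate, walk its chain, and register every certificate above the leaf (or the leaf itself when it is self-signed, which is common for ADFS 2.0 auto-generated signing certificates) as a SharePoint trusted root authority, then verify the root is present. The .cer path placeholder and the "ADFS Signing Chain" naming prefix are assumptions.

```powershell
# Added example (not part of the presentation): make SharePoint trust the ADFS
# token-signing certificate chain, then verify the root is registered.
param([string]$SigningCertPath = 'C:\[name_of_cert].cer')   # placeholder path from the deck
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SigningCertPath)

# Build the chain locally. Revocation checking is disabled only so an offline export can be
# inspected; the decision here is about which roots SharePoint trusts, not about CRLs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($signing)   # returns $false for an untrusted root; ChainElements is still populated

# Every certificate above the leaf must be a SharePoint trusted root authority, otherwise the
# SAML token signature is rejected. A self-signed signing cert is its own root (chain length 1).
$start = if ($chain.ChainElements.Count -eq 1) { 0 } else { 1 }
$existing = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })

for ($i = $start; $i -lt $chain.ChainElements.Count; $i++) {
    $cert = $chain.ChainElements[$i].Certificate
    if ($existing -contains $cert.Thumbprint) { continue }   # already registered
    $name = 'ADFS Signing Chain - ' + $cert.Thumbprint        # assumed naming convention
    New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    Write-Host "Added trusted root authority: $($cert.Subject)"
}

# Verify: the top of the chain must now appear in SharePoint's trusted root list.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$found = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $root.Thumbprint }
if ($found) {
    Write-Host "Root '$($root.Subject)' is trusted by SharePoint."
} else {
    Write-Warning "Root '$($root.Subject)' is still missing from SharePoint's trusted root authorities."
}
```

Matching on thumbprint rather than subject name avoids registering duplicates and avoids being fooled by two different certificates that share a subject.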
Standards • WS-Federation 1.1 • WS-Trust 1.4 • SAML Token 1.1