OFS308 Deploying Microsoft SharePoint Server 2010 with Claims Authentication
Wouter van Vugt, SharePoint Fellow
Objectives
• Learn how to configure a SharePoint site to use SAML claims and federated authentication
• Learn how to use ADFS v2 as the identity provider

Agenda
• Setting up claims authentication end-to-end
• Understanding SharePoint limits
• Troubleshooting your claims
• Integrating with Windows Live ID
Terminology (each line lists names for the same thing)
• Issuer = Security Token Service (STS) = Identity Provider (IP)
• Application = Relying Party (RP) = Service Provider (SP)
• User = Subject = Principal
• Browser = Passive Client
Windows and Forms authentication
• Built on ASP.NET authentication
• A web application zone allows either Windows or Forms authentication, not both
• To offer both, extend the web application to a new zone:
  • https://external.partner.contoso.com (external)
  • http://partners (internal)
• Each mode has its own coding model:
  • WindowsIdentity.GetCurrent()
  • FormsAuthentication.RedirectFromLoginPage
• Forms authentication is difficult to configure in SharePoint:
  • The membership provider must be configured for Central Admin as well as for the Web Application
  • Password reminder, recovery, change, etc. have to be built yourself
Demo: Signing in with Windows Authentication
Claims Authentication
• Configured per Web Application
• Use PowerShell to add new Issuers
• Map issuer claims to application claims
• Map the identity claim (the one claim SharePoint uses as the user's unique identifier)
• Trust the issuer's token-signing certificate
• Windows Authentication and Forms are the built-in default Issuers
Components of a claims-enabled web site (diagram): External Issuer, SharePoint Issuer (the SharePoint STS), Page
Demo: Signing in with Claims Authentication
Configuring new Issuers in SharePoint
• New-SPTrustedRootAuthority (trust the issuer's token-signing certificate)
• New-SPTrustedIdentityTokenIssuer (register the issuer with its realm, sign-in URL, claim mappings and identity claim)
• Use SelfSTS as a quick and dirty test issuer
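The two slides above (Claims Authentication, Configuring new Issuers in SharePoint) describe the SharePoint side of the setup. The script below is an added example, not part of the original deck, that runs the full sequence in the SharePoint 2010 Management Shell: trust the certificate, define the claim mappings, create the issuer, and enable it on a zone. The certificate path, host names, issuer name and realm are assumptions; the web application must already be in claims mode.

```powershell
# Added example (not from the original deck): register ADFS v2 as a trusted
# identity token issuer on SharePoint 2010. Run in the SharePoint 2010
# Management Shell on a farm server. File path, host names, issuer name and
# realm are assumptions; replace them with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the ADFS token-signing certificate. Export the public key only
#    (.cer) from the ADFS console; SharePoint validates every incoming SAML
#    token signature against it.
$certPath = "C:\certs\adfs-token-signing.cer"   # assumption
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

# 2. Map incoming claim types to the claim types SharePoint will use.
#    -SameAsIncoming keeps the claim type URI unchanged; the display name is
#    what the People Picker shows. Only mapped claims survive into the
#    SharePoint identity; everything else in the token is dropped.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Create the trusted identity token issuer. -Realm must equal the relying
#    party identifier configured in ADFS. -IdentifierClaim is the claim
#    SharePoint treats as the user's identity, so it must be unique and
#    stable per user (e-mail here). Choose the mappings carefully: they
#    cannot be changed later without deleting and recreating the issuer.
$realm     = "urn:sharepoint:portal"                 # assumption
$signInUrl = "https://adfs.contoso.com/adfs/ls"      # assumption

$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS" `
    -Description "Contoso ADFS v2" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# 4. Enable the issuer on the Default zone of the web application. Keep
#    Windows authentication on the zone as well, so farm administrators
#    are not locked out if the federation breaks.
$wa = Get-SPWebApplication "https://portal.contoso.com"   # assumption
if (-not $wa.UseClaimsAuthentication) {
    throw "Web application is in classic mode; create or convert it to claims mode first."
}
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $ap

# Show what was registered.
Get-SPTrustedIdentityTokenIssuer "ADFS" |
    Select-Object Name, DefaultProviderRealm, ProviderUri,
        @{ n = "IdentityClaim"; e = { $_.IdentityClaimTypeInformation.InputClaimType } }
```

Two points matter for security here: the certificate you import is the one that decides whose tokens SharePoint accepts, so take it from the ADFS console rather than from an e-mail attachment, and the identifier claim decides who a user is to SharePoint, so pick one the identity provider guarantees to be unique (a UPN or e-mail address, not a display name).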
Demo: Configuring Issuers
Configuring ADFS
• Create a new Relying Party Trust
• Use the ADFS v2.0 profile
• Use the web application's /_trust/ URL as the WS-Federation passive endpoint
• Set the realm (relying party identifier) to a sensible value, e.g. urn:my:value; it must match the realm configured on the SharePoint side
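The same relying party trust created from the ADFS console in the demo can be scripted with the ADFS 2.0 PowerShell snap-in. This is an added example, not part of the original deck; the trust name, identifier, host names and claim rules are assumptions that mirror the SharePoint-side values used elsewhere on this page.

```powershell
# Added example (not from the original deck): create the relying party trust
# for a SharePoint 2010 web application on ADFS 2.0. Run on the ADFS server.
# Trust name, identifier and host names are assumptions.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = "SharePoint Portal"                      # assumption
$realm    = "urn:sharepoint:portal"                  # must equal -Realm on the SharePoint side
$endpoint = "https://portal.contoso.com/_trust/"     # SharePoint's WS-Federation passive endpoint

# The identifier is what SharePoint sends as wtrealm; ADFS uses it to select
# this trust and posts the issued token back to the WS-Federation endpoint,
# which is SharePoint's /_trust/ handler (trailing slash included).
# SharePoint 2010 accepts SAML 1.1 tokens only; the WS-Federation passive
# endpoint issues those by default, so do not add a SAML 2.0 endpoint.
Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $realm -WSFedEndpoint $endpoint

# Issuance transform rules: read mail and tokenGroups from Active Directory
# and issue them as the two claim types SharePoint maps (e-mail and role).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email and groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization rule: without at least one permit rule ADFS issues
# no token for this relying party. Permit-all is the starting point; tighten
# it to a group claim once sign-in works.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the trust and the thumbprint SharePoint must import.
Get-ADFSRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, WSFedEndpoint
Get-ADFSCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } |
    Select-Object @{ n = "Thumbprint"; e = { $_.Certificate.Thumbprint } }, NotAfter
```

The thumbprint printed at the end is the one the SharePoint trusted root authority must carry; when ADFS rolls its token-signing certificate, that import has to be repeated or every sign-in fails at /_trust/.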
Demo: Configuring ADFS
Limits with Token Signing Certs
• A token-signing cert can be used by only ONE trusted identity token issuer
• ADFS supports only ONE primary token-signing certificate
• Consequently one ADFS instance can back only one SPTrustedIdentityTokenIssuer in the farm
• In ADFS, the realm (wtrealm) identifies the relying party trust, and that trust's endpoint is where ADFS posts the token after authentication
• The trick is to register multiple realms with the single trusted identity token issuer
• The URL associated with each realm is how SharePoint knows which realm to send at sign-in time
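The multiple-realm trick from the slide above, as an added example that is not part of the original deck: a second web application is served by the existing issuer by adding a realm keyed by that web application's URL, and ADFS gets a second relying party trust whose identifier matches it. Issuer name, URLs and realms are assumptions.

```powershell
# Added example (not from the original deck): serve a second web application
# from the one SPTrustedIdentityTokenIssuer that the ADFS token-signing
# certificate allows. Run the first part in the SharePoint 2010 Management
# Shell and the last part on the ADFS server. Names and URLs are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ap = Get-SPTrustedIdentityTokenIssuer "ADFS"

# ProviderRealms maps a web application URL to the realm SharePoint sends as
# wtrealm when a sign-in starts from that URL. The key must be the exact URL
# of the zone the users hit; an unmatched URL falls back to the default realm.
$intranetUrl   = New-Object System.Uri("https://intranet.contoso.com")   # assumption
$intranetRealm = "urn:sharepoint:intranet"                                # assumption

if (-not $ap.ProviderRealms.ContainsKey($intranetUrl)) {
    $ap.ProviderRealms.Add($intranetUrl, $intranetRealm)
    $ap.Update()
}

# Show every URL -> realm pair the issuer now knows, plus the default.
"Default realm: {0}" -f $ap.DefaultProviderRealm
$ap.ProviderRealms.GetEnumerator() | ForEach-Object { "{0} -> {1}" -f $_.Key, $_.Value }

# Attach the same issuer to the second web application's Default zone.
$wa = Get-SPWebApplication $intranetUrl.AbsoluteUri
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $ap

# --- On the ADFS server: a second relying party trust whose identifier is the
#     new realm and whose endpoint is the second web application's /_trust/.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Add-ADFSRelyingPartyTrust -Name "SharePoint Intranet" `
    -Identifier $intranetRealm `
    -WSFedEndpoint "https://intranet.contoso.com/_trust/"
# Copy the issuance transform and authorization rules from the first trust:
$portal = Get-ADFSRelyingPartyTrust -Name "SharePoint Portal"
Set-ADFSRelyingPartyTrust -TargetName "SharePoint Intranet" `
    -IssuanceTransformRules $portal.IssuanceTransformRules `
    -IssuanceAuthorizationRules $portal.IssuanceAuthorizationRules
```

Because both web applications share one issuer, a user who signs in to one of them receives the same identity claim and the same encoded claims identity in the other; keep that in mind when the two sites are meant for different audiences.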
Limits with Claim Mappings
• Claim mappings are currently immutable
• If you later want to capture additional claims, you cannot change the claims collection the SPTrustedIdentityTokenIssuer uses
• The only choice for now is to delete and recreate the token issuer
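The delete-and-recreate procedure the slide refers to has two gotchas worth showing: the issuer must first be removed from every web application zone that uses it, and the new issuer must keep the same name and identifier claim or existing permission assignments stop resolving. The script is an added example, not from the original deck; names, URLs and the extra claim type are assumptions.

```powershell
# Added example (not from the original deck): replace an issuer whose claim
# mappings need to change. Run in the SharePoint 2010 Management Shell.
# Issuer name, URLs and the added claim type are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS"
$old = Get-SPTrustedIdentityTokenIssuer $issuerName

# 1. Detach the issuer from the web application; removal fails while any
#    zone still references it. Windows authentication stays on the zone.
$wa = Get-SPWebApplication "https://portal.contoso.com"   # assumption
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows

# 2. Delete the issuer. The trusted root authority (the certificate) can stay;
#    the one-issuer-per-certificate limit is released by this removal.
Remove-SPTrustedIdentityTokenIssuer $old -Confirm:$false

# 3. Recreate with the extended claim set. Keep -Name and -IdentifierClaim
#    unchanged: the encoded claims identity stored in site permissions,
#    i:0e.t|<issuer name>|<identifier claim value>, is built from both,
#    so unchanged values keep every existing permission valid.
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$dept  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.contoso.com/claims/department" `
    -IncomingClaimTypeDisplayName "Department" -SameAsIncoming   # the new mapping (assumption)

$new = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description $old.Description `
    -Realm $old.DefaultProviderRealm `
    -ImportTrustCertificate $old.SigningCertificate `
    -ClaimsMappings $email, $role, $dept `
    -SignInUrl $old.ProviderUri.AbsoluteUri `
    -IdentifierClaim $email.InputClaimType

# Extra realms are not copied by the cmdlet; carry them over explicitly.
foreach ($entry in $old.ProviderRealms.GetEnumerator()) {
    $new.ProviderRealms.Add($entry.Key, $entry.Value)
}
$new.Update()

# 4. Re-attach the recreated issuer.
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $new
```

Do this in a maintenance window: between step 1 and step 4 federated users cannot sign in, and any user whose identifier claim value changes on the ADFS side at the same time will appear as a new user to SharePoint.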
Limits with People Picker
• Resolves everything: any text typed is accepted as a valid claim value
• Resolves per mapped claim: the typed text is offered once for every mapped claim type
• No guarantees on correctness of the data: the picker does not query the identity provider, so a mistyped e-mail address is accepted without complaint
Troubleshooting Claims
• Folks, it's hard
• Difficult to determine which claims were received from the Issuer
• Difficult to determine which component is at fault
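Since the deck offers no tooling for the two difficulties above, here is an added example (not from the original deck) that checks the three places a SharePoint 2010 / ADFS 2.0 sign-in usually breaks, certificate trust, realm mapping and claim mappings, and then turns up ULS verbosity for the claims categories so the received token and the failing component show up in the trace log. The issuer name is an assumption.

```powershell
# Added example (not from the original deck): diagnostics for a trusted
# identity token issuer. Run in the SharePoint 2010 Management Shell.
# The issuer name is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ap = Get-SPTrustedIdentityTokenIssuer "ADFS"

# 1. Certificate trust. The signing certificate SharePoint validates tokens
#    against must be the primary token-signing certificate of ADFS
#    (on the ADFS server: Get-ADFSCertificate -CertificateType Token-Signing
#    | Where-Object IsPrimary). A mismatch after an ADFS certificate rollover
#    is a common cause of token validation failures at /_trust/.
"Issuer signing cert : {0} (expires {1})" -f $ap.SigningCertificate.Thumbprint, $ap.SigningCertificate.NotAfter
Get-SPTrustedRootAuthority |
    Select-Object Name, @{ n = "Thumbprint"; e = { $_.Certificate.Thumbprint } },
        @{ n = "NotAfter"; e = { $_.Certificate.NotAfter } }

# 2. Realm mapping. The realm sent as wtrealm must match a relying party
#    identifier in ADFS; an unlisted web application URL uses the default.
"Default realm       : {0}" -f $ap.DefaultProviderRealm
"Sign-in URL         : {0}" -f $ap.ProviderUri
$ap.ProviderRealms.GetEnumerator() | ForEach-Object { "  {0} -> {1}" -f $_.Key, $_.Value }

# 3. Claim mappings. Only these claim types reach the SharePoint identity;
#    a claim ADFS issues under a different URI is dropped silently, and a
#    missing identity claim fails the sign-in outright.
"Identity claim      : {0}" -f $ap.IdentityClaimTypeInformation.InputClaimType
$ap.ClaimTypeInformation | Select-Object DisplayName, InputClaimType, MappedClaimType

# 4. Verbose tracing for the claims categories while reproducing the problem.
#    Reset afterwards: verbose logging is noisy and fills the log disk.
Set-SPLogLevel -TraceSeverity Verbose -Identity "SharePoint Foundation:Claims Authentication"
Set-SPLogLevel -TraceSeverity Verbose -Identity "SharePoint Foundation:Authentication Authorization"
Read-Host "Reproduce the sign-in now, then press Enter to collect the trace"

Get-SPLogEvent -StartTime (Get-Date).AddMinutes(-10) |
    Where-Object { $_.Category -like "*Claims*" -or $_.Category -like "*Authentication*" } |
    Select-Object Timestamp, Category, Level, Message |
    Format-Table -AutoSize -Wrap

Clear-SPLogLevel
```

Read the trace from the bottom up: the last Claims Authentication entry before the first error usually names the component that rejected the token (signature, realm/audience, or the identity claim), which answers the "which component is at fault" question directly.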
Integrating with Windows Live
• Windows Live ID is just another Issuer
• Sign up at https://msm.live.com/wizard/default.aspx?wa=wsignin1.0
Presented at Tech·Ed Europe 2010 (http://europe.msteched.com/). © 2010 Microsoft Corporation. All rights reserved.