Claims Based Authentication in SharePoint 2010
Claims-Based Authentication
SharePoint 2010
11/15/2011
Jonathan Schultz (@SharePointValue)
Skyline Technologies, Inc.
About Skyline Technologies
• Leading Microsoft solutions provider
– Develops and tailors IT applications to meet the business and technical objectives of customers
– Serves clients in industries ranging from manufacturing and retail to healthcare, transportation, and logistics
• Microsoft Partner with Gold competencies in Business Intelligence, Content Management, Portals and Collaboration, and Web Development, and Silver competencies in Data Platform, Project and Portfolio Management, Search, and Software Development
• Provides a pathway to speed your company toward its vision
• Recognized by businesses nationwide as a team of smart, experienced people and a Microsoft Gold Certified Partner organization specializing in adapting Microsoft solutions to individual clients’ needs
Agenda
• What are Claims?
• Why would you use them?
• Claims-Based Authentication
– Basic Architecture
– Trusted Identity Providers
– Advanced Concepts
• Claims Development Tasks
• Reality of Claims Based Authentication
• Reference Materials
What are Claims?
• Attributes about a User
• Need to Come from Someone You Trust
• Driver’s License Example
– Trusted Provider = State of Wisconsin
– Claims
  • Name = Jonathan Schultz
  • Age = 35
  • Organ Donor = No
Why Use Claims?
• Claim Augmentation
– Security Groups from Active Directory
– HRMS/CRM Attributes
  • Title/Role
• Federation
– Partner Network
  • Business to Business
– Subsidiaries
– Web 2.0 (Windows Live, Facebook, etc.)
• Advanced Authentication & Authorization
Basic Claims Scenario
Claims Based Architecture
Terminology
• Security Token Service (STS)
– Identity Provider (IP-STS)
– Relying Party (RP-STS)
• Security Assertion Markup Language (SAML)
• Windows Identity Framework (formerly Geneva)
• Trusted Login Provider
Under the Covers
Claims-to-Windows Token Service
Claims Based Architecture Notes
• New in SharePoint 2010
• Authentication Prompt for Multiple Providers
• All Intra/Inter Farm Calls are Claims Based
– i.e. Service Applications
• Claims-to-Windows Token Service Needed for Some Service Applications, e.g. PerformancePoint Services
Claims Development Tasks
• Custom Login Pages
– Extranet Scenarios
– Branding
– “Remember Me” Capability
– Home Realm Discovery
• Custom Claim Providers
– Claims Augmentation
– Claims Picking / Resolution
• Trusted Login Providers
– WIF SDK
Reality of Claims Based Authentication
• Claims Authorization uses OR logic, not AND
– Scenario: Authorize US HR User
  • Location Claim = US
  • Department Claim = HR
  • Will also succeed for a US IT user, because the check is US OR HR
• Trusted Identity Providers
– Cookie Driven (watch out for cookie domains/paths)
– Time Based Expiration (depends on server times)
• Claims + Kerberos + SSRS = Problem
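The OR semantics above, and the claims-augmentation fix that the Custom Claim Providers task on the Development Tasks slide points to, modelled as a small Python simulation. This is an added illustration, not SharePoint's authorization code or the presenter's; the Role = US-HR composite claim and the sample users are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_type: str  # e.g. "Location", "Department"
    value: str


# Constructed sample users: claim sets as a trusted identity provider might issue them.
US_HR_USER = frozenset({Claim("Location", "US"), Claim("Department", "HR")})
US_IT_USER = frozenset({Claim("Location", "US"), Claim("Department", "IT")})
UK_HR_USER = frozenset({Claim("Location", "UK"), Claim("Department", "HR")})


def is_authorized(user_claims, granted_claims):
    """Model of SharePoint 2010 permission evaluation: every claim granted
    permission is an independent grant, so a user passes if ANY of their
    claims matches (OR), not only if all of them match (AND)."""
    return any(claim in granted_claims for claim in user_claims)


# Naive attempt at "US HR only": grant Location=US and Department=HR.
NAIVE_GRANTS = frozenset({Claim("Location", "US"), Claim("Department", "HR")})


def augment(user_claims):
    """Claims augmentation, as a custom claim provider would do it: emit a
    single composite claim only when BOTH underlying claims are present.
    The Role=US-HR claim type/value is a hypothetical name for this example."""
    augmented = set(user_claims)
    if Claim("Location", "US") in user_claims and Claim("Department", "HR") in user_claims:
        augmented.add(Claim("Role", "US-HR"))
    return frozenset(augmented)


# Grant permission to the composite claim instead of the two raw attributes.
COMPOSITE_GRANTS = frozenset({Claim("Role", "US-HR")})


def naive_decision(user_claims):
    return is_authorized(user_claims, NAIVE_GRANTS)


def augmented_decision(user_claims):
    return is_authorized(augment(user_claims), COMPOSITE_GRANTS)


if __name__ == "__main__":
    for name, user in [("US HR", US_HR_USER), ("US IT", US_IT_USER), ("UK HR", UK_HR_USER)]:
        print(f"{name}: naive={naive_decision(user)} augmented={augmented_decision(user)}")
```

Running it shows the US IT and UK HR users authorized under the naive grants and denied once the permission is tied to the augmented composite claim.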
Reference Materials
• Claims and Security Technical Articles for SharePoint 2010
• Implementing Claims-Based Authentication with SharePoint Server 2010 – White Paper
• A Guide to Claims-Based Identity and Access Control – Patterns & Practices
• Custom Claims-Based Security in SharePoint 2010
• Steve Peschka’s Blog: Share-n-dipity