1 / 36

How Microsoft SharePoint 2010 is built with Windows Identity Foundation

SVC26. How Microsoft SharePoint 2010 is built with Windows Identity Foundation. Sesha Mani Senior Program Manager Microsoft Corporation. Agenda. SharePoint 2007 – identity challenges Claims-based identity and Windows Identity Foundation (WIF)

euclid
Download Presentation

How Microsoft SharePoint 2010 is built with Windows Identity Foundation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SVC26 How Microsoft SharePoint 2010 is built with Windows Identity Foundation Sesha Mani Senior Program Manager Microsoft Corporation

  2. Agenda • SharePoint 2007– identity challenges • Claims-based identity and Windows Identity Foundation (WIF) • SharePoint 2010 – new identity architecture – “Claims-based identity” • Map new architecture to customer’s existing problems & future needs

  3. SharePoint 2007 – Identity Challenges • 1.Authentication is intertwined within SharePoint 2007 • 2. Requires complex configuration for identity delegation • 3. Access control only through attribute providers • Active Directory, Role Providers • Are these challenges unique to SharePoint 2007? • These are identity challenges common to all applications… • What is the solution? What do we need to do?

  4. And we did … NEW path to identity in SP2010 …

  5. CLAIMS-BASED IDENTITY …

  6. SharePoint 2010 – Identity Flow SharePoint 2007 – Identity Flow SAML Web SSO ASP.Net (FBA) Windows Windows integrated Roles protected Anonymous access Membership & Role Providers Windows Identity Claims-aware Claims protected Claims Based Identity Trusted sub-systems WebSSO WIF WIF WIF – SPSTS SP-STS Authentication methods Access control Services Application Framework Auth App logic SharePoint Service Applications SharePoint Web Application Content Database Client Windows Identity

  7. Benefits of claims model for SharePoint 2010 • Support existing identity infrastructure • Active Directory • LDAP, SQL • WebSSO and Identity Management Systems • Multiple authentication methods per SharePoint Web Application • Enable automatic, secure identity delegation • Cross-machines & cross-farm • Support “no-credential” connections to External web services • Standards-based and Interoperable

  8. Identity in SharePoint 2010 is built on WIF • Fundamental shift in identity in SP2010 • Windows Identity Foundation (WIF) • Framework for building claims-aware applications & STS • Standards-based and interoperable • Targets ASP.NET and WCF developers • WS-Federation (Passive)  ASP.NET • WS-Trust (Active)  WCF • Offers unified programming model

  9. Three Themes “Externalizing Authentication” <Identity into SharePoint> “Support existing identity infrastructure” <Identity inside SharePoint> “Identity normalization” <Identity inside/out of SharePoint> Auth IPrincipal SP-STS IClaimsPrincipal WIF WIF WIF – SPSTS Access control Authentication methods Services Application Framework App logic SharePoint Web Application Search Services Application Content Database Client

  10. Theme-1: Externalizing Authentication “Externalizing Authentication” “Support existing identity infrastructure” “Identity normalization” “Externalizing Authentication” Auth IPrincipal SP-STS IClaimsPrincipal Auth SP-STS WIF WIF WIF – SPSTS WIF – SPSTS Access control Authentication methods Services Application Framework App logic App logic SharePoint Web Application Search Services Application Content Database Client SharePoint Web Application

  11. “Externalizing Authentication” - Sign-In Methods • Sign-in methods supported in SP2010: -Classic -Claims NT TokenWindows Identity NT TokenWindows Identity SAML1.1+ADFS, etc. ASP.Net (FBA)SQL, LDAP, Custom … SAML Token Claims Based Identity SPUser

  12. “Externalizing Authentication” – 1000 ft view Fabrikam Enterprise Farm-A Windows claims SharePoint-STS • 2.2 Augment claims • 2.1 Authenticate user • 2. Redirect • to STS for auth 3. Post Token {SP-Token} trust Frank Miller SharePoint Web Application 3.1 Extract Claims and construct IClaimsPrincipal 1. Attempt access

  13. “Externalizing Authentication” – 50 ft view • Scenario: Web application configured with Windows Claims SharePoint-STS Web Application Security Token Service Session Authentication Module Cookie Management 5 6 2 4 WS-Federation Passive Serializer Windows Authentication Module WS-Federation Authentication Module 3 1 7 IIS ASP.NET Browser Client 8. Cookie

  14. Externalizing authentication in SharePoint 2010 using WIF demo

  15. Theme-2: Identity Normalization “Externalizing Authentication” “Support existing identity infrastructure” “Identity normalization” “Identity normalization” Auth IPrincipal SP-STS IClaimsPrincipal WIF WIF WIF WIF – SPSTS Access control Access control Authentication methods Services Application Framework App logic SharePoint Web Application SharePoint Web Application Search Services Application Search Services Application Content Database Client

  16. SharePoint Services Scenarios • Show user’s PayStub in LOB data without credentials (intranet) • Show real-time order status from supplier inside the enterprise Portal (extranet or internet) • Securely deploy SharePoint farm(s) for user identity delegation • Access external services – Business Connectivity Services

  17. Services in SharePoint 2010 – a primer Excel Services Project Services Search Services Secure Store Services Other Services • SharePoint Services Application Framework is made claims-aware • WIF enables services to have access to both user and service identities SharePoint Services Application Framework (Claims/Services) WIF (Windows Identity Foundation) WSTrust Support WCF (Windows Communication Foundation) .NET

  18. “Identity normalization” – Services in Single Farm WIF – Identity Delegation Feature FARM-A Fabrikam Enterprise Farm-A Web App to Service SharePoint-STS WS-Trust Endpoints trust 3 2 T1 {User} T2 {User, Process} Search Services Application Web Part 5 WS-Trust Proxy Client Gate Keeper 6 T2 4 1

  19. “Identity normalization” – Services in Cross-farm WIF – Identity Delegation Feature FARM-A FARM-A FARM-A FARM-B FARM-B Fabrikam Enterprise Farm-A to Farm-B Web App to Service SharePoint-STS SharePoint-STS WS-Trust Endpoints WS-Trust Endpoints trust trust trust 3 2 Search Services Application Web Part 5 WS-Trust Proxy Client Gate Keeper 6 4 1

  20. Identity normalization in Services using Claims demo

  21. Theme-3: Non-claims aware services “Externalizing Authentication” “Support existing identity infrastructure” “Support existing identity infrastructure” “Identity normalization” Auth IPrincipal IPrincipal SP-STS IClaimsPrincipal WIF WIF WIF – SPSTS WIF Access control Authentication methods Services Application Framework App logic SharePoint Services Application SharePoint Web Application Search Services Application Content Database Content Database Client

  22. “Non-claims-aware Services”WIF – Claims to Windows Token Service • In reality, not all the services you interact with are going to be “claims-aware” • SharePoint has diversified categories of services, SQL etc., • How would you interact with a Service that requires Windows identity? • Solution is “Claims to Windows Token Service” (C2WTS) • UPN claim converted to Windows Token

  23. Linking non-claim-aware services using “Claims to Windows Token Service” demo

  24. Three Themes - Recap “Externalizing Authentication” <Identity into SharePoint> “Support existing identity infrastructure” <Identity inside SharePoint> “Identity normalization” <Identity inside/out of SharePoint> Auth IPrincipal SP-STS IClaimsPrincipal WIF WIF WIF – SPSTS Access control Authentication methods Services Application Framework App logic SharePoint Web Application Search Services Application Content Database Client

  25. Lessons Learned …

  26. Migrating to claims-based model – where to start • It is not “ALL or Nothing” deal • Claims-enable in phases: authentication, authorization, services

  27. Lessons Learned – contd. • Performance • Performance Milestone drove changes in WIF • Optimizations made to achieve the perf goal: • Number of claims • Number of service calls per page • Number of round trips to SP-STS per service request • Caching (ChannelFactory and tokens)

  28. Lessons Learned – contd. • Edge cases & assumptions • Cookie size limitation • Existing code had many assumptions about identity, each had to be uncovered and mapped • Clients integration • Consider client types to be supported • SP 2010 had Browser, Active, Designer tool clients • Both passive and active end points implemented on SharePoint STS

  29. Summary • SharePoint 2010 achieves NEW path to identity using WIF’s claims-based identity model • Key takeaways • Single model - claims-based identity model • Standards based & Interoperable • We have stepped up to the challenge • Not only SharePoint, your applications too can benefit from WIF’s claims-based identity model , Get onboard!

  30. Other Identity Sessions @ PDC2009 • Identity sessions • PR11: Leveraging & Extending SharePoint Identity Features • SVC02: Windows Identity Foundation Overview • SVC10: Software + Services Identity Roadmap • SVC17: Enabling SSO to Windows Azure Applications • SVC19: REST Security Services in Windows Azure using the Access Control Service • SVC28: System.Identity Model Accessing Directory Services • Come visit us at the booth in the pavilion! • Try a hands on lab • Introduction to Windows Identity Foundation • Using WIF to Secure Windows Azure Applications

  31. YOUR FEEDBACK IS IMPORTANT TO US! Please fill out session evaluation forms online at MicrosoftPDC.com

  32. Learn More On Channel 9 • Expand your PDC experience through Channel 9 • Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses channel9.msdn.com/learn Built by Developers for Developers….

More Related