1 / 45

Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication

Required Slide. SESSION CODE: OSP306. Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication . Paul Schaeflein, MCT Manager of Advanced Technologies LaSalle Consulting Partners, Inc. Agenda. Claims-Based Identity Claims-Based Authorization Claims Provider

emily
Download Presentation

Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Required Slide SESSION CODE: OSP306 Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication Paul Schaeflein, MCT Manager of Advanced Technologies LaSalle Consulting Partners, Inc.

  2. Agenda • Claims-Based Identity • Claims-Based Authorization • Claims Provider • Anonymous Access • Trusted Identity Providers

  3. Claims-Based Identity

  4. Claims-Based Identity primerIntroduction • What is Identity? A set of attributes to describe a user. • What is a Claim? Information such as name, e-mail, age, group membership, etc.

  5. Claims-Based Identity primerIntroduction • What is Authentication (AuthN)? The process of verifying a user’s identity. • What is Authorization (AuthZ)? Determines which sites, content, and other features the user can access.

  6. Claims-Based Identity primerUser Identity is a set of claims • Why do we say “claim” and not “attribute?” • Facebook & the Dept. of State have the age attribute • Facebook can claim 29 yrs, while State claims 46 yrs. • In order to make authorization decisions with age, your app needs to decide which “claim” you will trust. • Trust depends on scenario not on technical capability

  7. Claims is more than Federation • Federation between organizations was the original driver • Over time, claims turned out to be useful for more than just Federation • Real Benefit: Cleanly factoring out the Identity Provider from the application is invaluable • SharePoint is Identity Provider neutral • Multi-auth web applications

  8. Identity Normalization Anonymous User NT TokenWindows Identity SAML TokenLiveID, ADFS, Others ASP.Net (FBA)SAL, LDAP, Custom … SAML Token Claims Based Identity SPUser

  9. Multi-auth Web Applications

  10. Claims-Based Identity Claims Viewer Web Part Multi-Auth web application DEMO

  11. Claims Viewer Web Part

  12. Claims Viewer Web Part IClaimsPrincipalclaimsPrincipal = Page.UserasIClaimsPrincipal; IClaimsIdentityclaimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity; GridView1.DataSource = claimsIdentity.Claims;

  13. Claims-Based Authorization

  14. Claims-Based Authorization • Available to securable objects thru People-Picker • Access Claims via IClaimsIdentity interface • Claims property contains all claims • Conditionally Display information • based on presence of claim • based on value of claim

  15. People Picker

  16. Claims-Based Authorization Select claim in People Picker Conditional information display DEMO

  17. Conditional Information Display

  18. Conditional Information Display IClaimsPrincipalclaimsPrincipal = Page.UserasIClaimsPrincipal; IClaimsIdentityclaimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity; stringpmClaim = (from c inclaimsIdentity.Claims wherec.ClaimType == CLAIM_TYPE selectc.Value).FirstOrDefault(); boolauthorized = bool.Parse(pmClaim);

  19. Custom Claims Provider

  20. Custom SharePoint Claims Provider • Two roles • Claims Augmentation • Claims Picker • !! Not authentication !! (Use WIF classes for AuthN) • Usage Scenarios • List, Resolve and Search • AllUsers claim • Adding Claims to original token (claims augmentation) • Identity not from original token (map to internal identity)

  21. Claims ProviderClaims Augmentation • Enables an application to augment additional claims into the user’s token • Implemented as a Claims Provider class • FillClaimsForEntity called by framework • Microsoft.SharePoint.Administration.Claims.SPClaimProvider • Register in Feature Event Receiver • Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver • MSDN Article by Steve Peschka: http://msdn.microsoft.com/en-us/library/ff699494.aspx

  22. Claims ProviderClaims Picker • Provides Listing, Resolve, Search and Friendly display of claims in the People Picker • Implemented as a Claims Provider class • FillHierarchy, FillResolve, FillSearch called by framework • Microsoft.SharePoint.Administration.Claims.SPClaimProvider • Register in Feature Event Receiver • Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver • Claim Type and Values must match!

  23. Custom Claims Provider Augment claims based on database values Resolve Claims in People Picker DEMO

  24. FillClaimForEntity() method • Parameters • Context (URI) • Current user (userid claim) • Empty list to contain new claims • Called once per session • Token is passed as cookie once issued

  25. CreateClaim() Parameters • claimTypeType: StringThe type of claim. Examples of claim types include first name, role and email address. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI). For example, the e-mail address claim type is represented as http://schemas.microsoft.com/ws/2008/06/identity/claims/email. • value Type: StringThe value of the claim. For example, if the claim type is role, a value might be contributor, and if the claim type is first name, a value might be Matt.  • valueType Type: StringThe type of value in the claim. These are all URIs that refer to a string.

  26. ClaimValueTypes (selected)

  27. Anonymous Access

  28. Claims in Anonymous scenario • No Claims!

  29. Establishing Anonymous Access • Web Application • Manage web application • Authentication Providers • Edit Zone • Allow Anonymous $wa = get-spwebapplication http://cba.sharepointdevelopers.net $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Custom $i = $wa.IisSettings[$zone] $i.AllowAnonymous = $true $wa.Update() $wa.ProvisionGlobally()

  30. Establishing Anonymous Access • Site (SPWeb) • Site Actions -> Site Permission • Anonymous Access • Nothing [AnonymousState.Disabled] • Entire site [AnonymousState.On] • Lists and Libraries [AnonymousState.Enabled] $w = Get-SPWeb http://www.sharepointdevelopers.net/blogs $w.AnonymousState = [Microsoft.SharePoint.SPWeb+AnonymousState]::On $w.Update()

  31. Establishing Anonymous Access • List • List Settings • Anonymous Access $w = get-spweb http://www.sharepointdevelopers.net/blogs/paul $l = $w.Lists["Comments"] $l.AnonymousPermMask64 = {BasePermissions as appropriate}

  32. Trusted Identity Providers

  33. Trusted Identity Providers • Active Directory Federation Services (ADFS) • Previously known as “Geneva server” • Windows Live ID • Open ID

  34. ADFS 2.0 • Separate Download • http://www.microsoft.com/adfs2 • Identity across organizational boundaries • Attribute stores • Active Directory • Others

  35. Windows Live ID • Extract X509 Cert from metadata • Set Return URL to _trust/default.aspx • Watch TechNet for further information

  36. Open ID • Must be “Translated” into SAML Claims • WIF code • Pioneering work • MatiasWoloski • http://blogs.southworks.net/mwoloski/2009/07/14/openid-ws-fed-protocol-transition-sts/ • Travis Nielsen • https://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=34 • Many OpenID Providers • http://openid.net/get-an-openid/

  37. Trusted Identity Providers Demo

  38. Required Slide Track PMs will supply the content for this slide, which will be inserted during the final scrub. Track Resources • For More Information – http://sharepoint.microsoft.com • SharePoint Developer Center – http://msdn.microsoft.com/sharepoint • SharePoint Tech Center – http://technet.microsoft.com/sharepoint • Official SharePoint Team Blog – http://blogs.msdn.com/sharepoint

  39. Required Slide Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session. Related Content • Breakout Sessions – See Conference Guide for full list of OSP Track Sessions • Interactive Sessions – OSP Track has 10 Interactive Sessions – OSP01-INT – OSP10-INT • Hands-on Labs – OSP01-HOL – OSP20-HOL • Product Demo Stations – Yellow Section, OSP • Office 2010, SharePoint 2010, Project Server 2010, Visio 2010 have kiosks and demos

  40. Required Slide Resources Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet • http://microsoft.com/msdn

  41. Required Slide Complete an evaluation on CommNet and enter to win!

  42. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st http://northamerica.msteched.com/registration You can also register at the North America 2011 kiosk located at registrationJoin us in Atlanta next year

  43. Play the Microsoft Office & SharePoint Track Tag Contest Download the Microsoft Tag Reader Open the internet browser on your mobile phone and visit http://gettag.mobi Grand Prize (1) Xbox 360 Prize Package and Microsoft® Office 2010 Daily Prizes 40 copies of Microsoft® Office 2010 Come to the Expo Hall – Yellow Section OSP Info Desk for Official Rules & Collect Additional Tags from all OSP Track Sessions, Speakers and Expo Hall!

  44. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  45. Required Slide

More Related