Claims based Identity in SharePoint 2010 - PowerPoint PPT Presentation



PR11

Claims based Identity in SharePoint 2010

Venky Veeraraghavan (@venkyv)

Program Manager

Microsoft Corporation


@SPIdentity on Twitter

  • Handle for the Identity team in SharePoint

  • Follow us to get updates from us

  • Mention us to get our attention 


Seamless Identity Flow: In, Through and Out of SharePoint

  • Use customer Identity Providers

  • Automatic & secure identity delegation

  • Authorization over application specific roles

  • “No-credential” access to web services

  • Standards based

[Diagram: identity hops (Hop 1, Hop 2, Hop 3) between Client, Web Server and App Server, reaching SharePoint Content, Enterprise Web Services and Web 2.0 Services]



Sign-in Scenarios

  • Sign-in to SharePoint with both Windows and LDAP directory Identity

  • Easily configure Intranet and Extranet users for Collaboration

  • Integrate with other customer identity systems (e.g. ADFS)

  • Use Office Applications with non-Windows Authentication


Identity Normalization

  • Classic: NT Token (Windows Identity) → SPUser

  • Claims: NT Token (Windows Identity); SAML 1.1+ (ADFS, etc.); ASP.Net FBA (SQL, LDAP, Custom …) → SAML Token → Claims Based Identity → SPUser



ASP.Net Membership/Role Providers

  • Convert ASP.Net identity to Claims Identity

    • SP-STS calls Membership Provider to validate user and issues a claims token

    • ValidateUser() must be implemented by membership providers

    • Roles from Role Provider are additional claims

  • Mixed mode environments

    • All principals are available in all zones
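The slide describes the SP-STS calling the membership provider's ValidateUser() and turning role-provider roles into extra claims. The following is an added Python model of that hand-off, not code from the deck or from SharePoint: the provider classes, the sample user and role stores, and the ClaimsSts class are all constructed stand-ins for the ASP.Net provider contracts, and the two claim-type URIs are the standard WIF ClaimTypes values used only for illustration (SharePoint's own encoding of FBA claims is not reproduced).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample user and role stores; a real provider would read SQL or LDAP.
_SALT = os.urandom(16)


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


_USERS = {"alice": _hash_password("correct horse battery")}
_ROLES = {"alice": ["Approvers", "Finance"]}


class MembershipProvider:
    """Stands in for an ASP.Net MembershipProvider (hypothetical Python model);
    ValidateUser is the one method the SP-STS depends on."""

    def validate_user(self, username: str, password: str) -> bool:
        stored = _USERS.get(username)
        if stored is None:
            return False
        # Constant-time comparison so a wrong password does not leak timing.
        return hmac.compare_digest(stored, _hash_password(password))


class RoleProvider:
    """Stands in for an ASP.Net RoleProvider; GetRolesForUser supplies extra claims."""

    def get_roles_for_user(self, username: str) -> list:
        return list(_ROLES.get(username, []))


@dataclass(frozen=True)
class Claim:
    claim_type: str
    value: str


# Standard WIF claim-type URIs, used here for illustration only.
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CLAIM_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


class ClaimsSts:
    """Models the SP-STS: validate through the membership provider, then issue
    a claims token whose role claims come from the role provider."""

    def __init__(self, membership: MembershipProvider, roles: RoleProvider):
        self.membership = membership
        self.roles = roles

    def issue(self, username: str, password: str):
        # No token is issued unless ValidateUser() succeeds.
        if not self.membership.validate_user(username, password):
            return None
        claims = [Claim(CLAIM_NAME, username)]
        claims += [Claim(CLAIM_ROLE, r) for r in self.roles.get_roles_for_user(username)]
        return claims


STS = ClaimsSts(MembershipProvider(), RoleProvider())

if __name__ == "__main__":
    print(STS.issue("alice", "correct horse battery"))
    print(STS.issue("alice", "wrong password"))
```

The point to take from the model is the ordering: the STS never builds a claims list until the membership provider has said yes, and the role provider contributes claims only to an already-validated identity.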



Services Scenarios

  • Show user’s PayStub in LOB data without credentials (intranet)

  • Show real-time order status from supplier inside the enterprise Portal (extranet)

  • Show information from Web2.0 sites (internet)

  • Securely deploy SharePoint farm(s) for user identity delegation


Identity Architecture for Services

[Diagram: Web Front End (Sign-In with Windows Identity or Claims Identity; Web part, etc.; SharePoint STS; Windows Identity Framework; Client Proxy sending {Token}) → App Server ({Claims Principal}; SharePoint STS; Windows Identity Framework; SP Service Authorization; SharePoint Service) → back ends via Kerberos C/D, Claims2Win*, Credentials from the Secure Store Service to Legacy LOB, OAuth, Claims Token, SAML; steps numbered 1 to 7]


LOB Data Access: SAML token

demo


What you saw

Steps:

  1. Model uses PassThrough

  2. User's identity is passed through to the BCS Runtime

  3. WCF Connector requests a SAML token from the STS; the STS returns the SAML token

  4. WCF Connector passes the token to the external data source

[Diagram: SharePoint Server hosting Web Parts, an External List, the BCS Runtime, the WCF Connector and a Custom App; the logged-on user's Identity drives an RST to the SharePoint STS or External STS, which returns a SAML Token that is sent to the Claims Aware Service]


Identity and Web2.0 Services

  • Web2.0 authentication pattern

    • ‘user consent required for external application (website) to access user’s data’

  • Some Examples

    • OAuth

    • Windows Live ID

    • Yahoo! BBAuth

    • Google Account Auth API (AuthSub) etc.


Web 2.0 services: OAuth token

demo


What you saw: Initial User request

[Diagram: SharePoint (e.g. Web part), Auth Handler Page, Secure Store, BDC, Resource Provider (e.g. Netflix), NetFlix Authorization Service]


What you saw: Subsequent User requests

[Diagram: SharePoint (e.g. Web part), Auth Handler Page, Secure Store, BDC, Resource Provider (e.g. Netflix), NetFlix Authorization Service]


Standards Used

  • WS-Federation 1.1

    • Provides the architecture for a clean separation between trust mechanisms, security token formats and the protocols for obtaining tokens

  • WS-Trust 1.4

    • How to request and receive security tokens

  • SAML Token 1.1

    • XML vocabulary used to represent claims in an interoperable way
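Two slides lean on the SAML 1.1 token: the LOB demo, where the WCF connector hands the STS-issued token to a claims-aware service, and the standards slide, which calls it the XML vocabulary for carrying claims. The example below is added here and is not code from the deck or from SharePoint: it shows what the receiving service must do with such a token, namely pull the claims out of the AttributeStatement and refuse the token outside its NotBefore/NotOnOrAfter window or for the wrong audience. The assertion text is a constructed, unsigned sample; the issuer and audience URNs are placeholders, and the role attribute namespace is the standard WIF one used only for illustration. Signature verification is left out because xml.etree cannot do XML-DSig; it is still a required step in practice.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.1 assertions are expressed in the 1.0 namespace URI.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion (unsigned, so no ds:Signature element) of the
# kind the STS returns in the RSTR and the WCF connector forwards to the service.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-1"
    Issuer="urn:example:sharepoint-sts" IssueInstant="2010-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2010-01-01T12:00:00Z" NotOnOrAfter="2010-01-01T12:10:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:example:lob-service</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role"
        AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
      <saml:AttributeValue>Approvers</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_utc(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml: str):
    """Return (claim_type, value) pairs: the subject plus every attribute value.
    The claim type is namespace + '/' + name, which is how WIF names claims."""
    root = ET.fromstring(assertion_xml)
    claims = []
    name_id = root.find("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", SAML_NS)
    if name_id is not None:
        claims.append(("nameidentifier", name_id.text))
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        claim_type = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            claims.append((claim_type, value.text))
    return claims


def check_conditions(assertion_xml: str, now_utc: str, expected_audience: str):
    """Validity-window and audience checks the relying service makes before
    trusting any claim. Returns (ok, reason). The ds:Signature check that
    proves the STS issued the token is a separate, mandatory step not shown."""
    root = ET.fromstring(assertion_xml)
    now = _parse_utc(now_utc)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_utc(not_before):
        return False, "token not yet valid"
    if not_on_or_after and now >= _parse_utc(not_on_or_after):
        return False, "token expired"
    # This service insists on an audience restriction naming it, so a token
    # minted for some other relying party is not accepted here.
    audiences = [a.text for a in cond.findall(
        "saml:AudienceRestrictionCondition/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    print(extract_claims(SAMPLE_ASSERTION))
    print(check_conditions(SAMPLE_ASSERTION, "2010-01-01T12:05:00Z", "urn:example:lob-service"))
    print(check_conditions(SAMPLE_ASSERTION, "2010-01-01T12:10:00Z", "urn:example:lob-service"))
```

The order of checks matters less than the fact that all of them run before the claims are used for authorization; a service that reads the role claims first and checks the window afterwards has already trusted an expired token.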


Key Takeaways

  • Structural change for SharePoint

    • Move to Claims based Identity

    • Support 2007 Authentication

  • Address today’s and tomorrow’s challenges

    • Identity Provider neutral

    • Enterprise as well as Web 2.0 services

  • Built on Standards for interoperability


YOUR FEEDBACK IS IMPORTANT TO US!

Please fill out session evaluation forms online at

MicrosoftPDC.com


Learn More On Channel 9

  • Expand your PDC experience through Channel 9

  • Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses

    channel9.msdn.com/learn

Built by Developers for Developers…



How Does it Work?

Parties: User's Browser; Consumer app accessing user's data from the Provider (BDC); Provider (Live Contacts); Service

  1. Direct user to resource provider

  2. User Consent (redirect user to login page, if not signed in)

  3. Re-direct back to consumer app with token

  4. Extract consent token

  5. Access protected resource

  6. Return requested data (if token is valid)
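The six steps above are a consent flow between a consumer app, the user's browser and a resource provider. The following Python model is an added example, not code from the deck and not the OAuth 1.0 wire protocol the earlier slide lists: it is a constructed simplification in which the provider issues an HMAC-signed, expiring consent token bound to one consumer, the consumer extracts it from the redirect and stores it (the role the Secure Store plays in SharePoint), and the provider's service returns data only when the token verifies. The hostnames, the contacts data and the signing key are all constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

# Constructed data: contacts held by the provider, and the provider's signing key.
USER_DATA = {"alice": ["Bob <bob@example.test>", "Carol <carol@example.test>"]}
PROVIDER_KEY = secrets.token_bytes(32)


class ResourceProvider:
    """Resource provider (the slide's Live Contacts): signs in the user, records
    consent as a signed, expiring token, and serves data only for valid tokens."""

    def __init__(self, key: bytes):
        self.key = key
        self.signed_in = set()

    def login(self, user: str) -> None:
        # Step 2: the user signs in at the provider, never at the consumer.
        self.signed_in.add(user)

    def consent(self, user: str, consumer_id: str, ttl: int = 300) -> str:
        # Step 2: consent token bound to this user, this consumer, and a deadline.
        if user not in self.signed_in:
            raise PermissionError("sign in before consenting")
        payload = {"user": user, "consumer": consumer_id, "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + mac

    def access_resource(self, token: str, consumer_id: str, now: int = None):
        # Steps 5 and 6: hand out data only if the token is genuine, unexpired
        # and was issued to the consumer presenting it.
        now = int(time.time()) if now is None else now
        try:
            body, mac = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, mac):
                return None
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None
        if payload["consumer"] != consumer_id or payload["exp"] <= now:
            return None
        return list(USER_DATA.get(payload["user"], []))


class ConsumerApp:
    """Consumer app (BDC in SharePoint) that wants the user's data from the provider."""

    def __init__(self, consumer_id: str, provider: ResourceProvider):
        self.consumer_id = consumer_id
        self.provider = provider
        self.tokens = {}  # per-user consent tokens; SharePoint keeps these in the Secure Store

    def start(self, user: str) -> str:
        # Step 1: send the user to the provider; the consumer never sees a password.
        return "https://provider.example/authorize?" + urllib.parse.urlencode(
            {"consumer": self.consumer_id, "user": user})

    def callback(self, user: str, redirect_url: str) -> str:
        # Steps 3 and 4: extract the consent token from the redirect back to us.
        query = urllib.parse.urlparse(redirect_url).query
        token = urllib.parse.parse_qs(query)["token"][0]
        self.tokens[user] = token
        return token

    def fetch(self, user: str):
        # Step 5: present the stored token to the provider's service.
        return self.provider.access_resource(self.tokens[user], self.consumer_id)


PROVIDER = ResourceProvider(PROVIDER_KEY)
CONSUMER = ConsumerApp("sharepoint-bdc", PROVIDER)


def run_flow(user: str):
    """Drive steps 1 to 6 for one user; returns (token, data)."""
    CONSUMER.start(user)                                                          # 1
    PROVIDER.login(user)                                                          # 2 (login page)
    token = PROVIDER.consent(user, CONSUMER.consumer_id)                          # 2 (consent)
    redirect = "https://sharepoint.example/authhandler?" + urllib.parse.urlencode({"token": token})  # 3
    CONSUMER.callback(user, redirect)                                             # 4
    return token, CONSUMER.fetch(user)                                            # 5, 6


if __name__ == "__main__":
    print(run_flow("alice"))
```

The checks in access_resource are the substance of "if token is valid" on the slide: a token presented by a different consumer, a token whose signature no longer matches, and a token past its deadline all yield nothing, which is why the stored token is only as sensitive as the data it unlocks and why SharePoint keeps it in the Secure Store rather than in the web part.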


BCS Authentication Support Matrix


Office Application support

  • Office Client applications support non-Windows Integrated Authentication

  • Office 2010 on

    • Windows XP + IE8

    • Windows Vista SP2 or IE8

    • Windows 7

  • Office 2007 SP2 on

    • Windows XP + IE8

    • Windows Vista SP2 or IE8

    • Windows 7