SIM319: Cross-Org Collaboration using SharePoint 2010 & AD FS 2.0
Samuel Devasahayam, Lead Program Manager, Identity & Access, Microsoft
Microsoft Claims-Based Access Model (diagram)
Parties: End User; Security Token Service (AD FS 2.0) backed by the Directory (AD DS); Resource Provider / Claims-aware application, built on the Claims Framework (WIF) in front of the App Business Logic.
Configuration: establish relationship / trust (signing key); configure Claims Rules (Federation Metadata).
Runtime flow:
1. Get policy
2. AuthN (Creds) at the STS
3. Get claims
4. AuthN (Claims) at the application
5. Grant/deny access in the app business logic
AD FS 2.0 Scenarios
• Single sign-on (SSO) for internal use: provide Active Directory users access to claims-aware applications and services
• SSO to outsourced services or the cloud: provide Active Directory users access to applications and services of other organizations
• Providing outsourced services: provide users in another organization access to claims-aware applications and services
SharePoint 2007 – Identity Flow vs. SharePoint 2010 – Identity Flow (diagram)
• SharePoint 2007: authentication methods are Windows integrated and Forms (Membership & Role Providers); access control is roles protected or anonymous access; the SharePoint Web Application and its app logic run on a Windows Identity, and SharePoint Service Applications are called as trusted sub-systems.
• SharePoint 2010: authentication methods are SAML Web SSO, Forms and Windows; all of them are normalized through WIF and the SharePoint STS (SP-STS) into a Claims-Based Identity; access control is claims-aware and claims protected; the Services Application Framework, the Web Application and the Content Database path all carry that claims identity via WIF.
Why AD FS 2.0 with SharePoint 2010?
• Web SSO to multiple applications
  • Provide seamless login to multiple applications
  • Source claims from any arbitrary store in your organization
• Federate with partner orgs
  • Enable access to partner organizations
  • Connect to organizations via the SAML protocol
• Provide access to consumer IDs
  • Enable access to consumer IDs (Live, Google, Yahoo, Facebook)
• Flexible authorization with claims
  • Use centralized roles and claims to provide access
  • Use claims transformations in AD FS 2.0 to transform data to cater to your application needs
Configuration: CONTOSO only (diagram)
Actors: users Kobe and Kevin in CONTOSO.COM; AD; AD FS 2.0 at https://sts.contoso.com; SharePoint 2010 at https://docs.contoso.com.
1. Request webpage at https://docs.contoso.com
2. Unauthorized! Get a token from CONTOSO (https://sts.contoso.com)
3. Authenticate (against AD)
4. Token for SPDOCS
5. Send token and get access
Identity Normalization (diagram)
• Classic mode: Windows Identity (NT Token) -> SPUser
• Claims mode: Windows Identity (NT Token), ASP.Net Forms-Based Authentication (SQL, LDAP, Custom providers), SAML 1.1 + WS-Fed (SAML Token) and the Anonymous User are all normalized into a Claims-Based Identity -> SPUser
AD FS 2.0 Rule Configuration (CONTOSO – AD FS 2.0)
CP Rules (Claims Provider trusts):
• AD Authority: Pass Through Group Info; Get Email from AD
RP Rules (Relying Party trust SPDOCS, https://docs.contoso.com):
• Pass Through Email
• Transform ‘SG’=‘spreaders’ to ‘Role’=‘spdocs_readers’
• Transform ‘SG’=‘spcontributors’ to ‘Role’=‘spdocs_contributors’
Key Learning
• Abstract authorization via Claims/Roles for easier management
• Simplify setup with AD FS Federation Metadata
• AD FS 2.0 Rule Learning
  • Send AD attributes as claims
  • Convert Security Groups to Role Claims
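As an added example (not the deck's own configuration or its sharepointConfig.ps1 script), the CP and RP rule sets of the CONTOSO-only slide written in the AD FS 2.0 claim rule language and applied with the AD FS 2.0 PowerShell snap-in. The trust names "Active Directory" and "SPDOCS", and representing the slide's 'SG' as the standard Group claim type, are assumptions.

```powershell
# Added example: AD FS 2.0 rule sets for the CONTOSO-only scenario (not the deck's sharepointConfig.ps1).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claims Provider (CP) rules on the built-in "Active Directory" trust. Setting the rule set
# replaces the default rules, so the Windows account name pass-through is kept explicitly;
# the second rule queries AD for the claims the slide calls "Email" and "SG" (group info).
$adCpRules = @'
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);

@RuleName = "Get Email and Group info from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";mail,tokenGroups;{0}", param = c.Value);
'@
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $adCpRules

# Relying Party (RP) rules on the SPDOCS trust (https://docs.contoso.com): pass the e-mail
# through and turn the two security groups into role claims. Any other group yields no role
# claim at all, so SharePoint only ever sees the two roles it authorizes on.
$spdocsRpRules = @'
@RuleName = "Pass Through Email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "Transform SG=spreaders to Role=spdocs_readers"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "spreaders"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_readers");

@RuleName = "Transform SG=spcontributors to Role=spdocs_contributors"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "spcontributors"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_contributors");
'@
Set-ADFSRelyingPartyTrust -TargetName "SPDOCS" -IssuanceTransformRules $spdocsRpRules
```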
Configuration: CONTOSO with partner FABRIKAM (diagram)
Actors: users Lebron and Ray in FABRIKAM; AD in each organization; AD FS 2.0 at https://sts.fabrikam.com and https://sts.contoso.com; SharePoint 2010 at https://docs.contoso.com.
1. Request website at https://docs.contoso.com
2. Unauthorized! Give me a token
3. Get token for CONTOSO at https://sts.contoso.com (“Hey, I’m from FABRIKAM!”)
4. Sorry, but you need a token from FABRIKAM
5. Authenticate to FABRIKAM at https://sts.fabrikam.com
6. Authenticate against the FABRIKAM AD
7. Send token to CONTOSO from FABRIKAM!
8. Token for SP2010 issued by CONTOSO
9. Present token and gain access
AD FS 2.0 Rule Configuration (CONTOSO – AD FS 2.0, with partner FABRIKAM)
CP Rules (Claims Provider trusts):
• AD Authority: Pass Through Group Info; Get Email from AD
• FABRIKAM: Pass Through Email only with suffix ‘@fabrikam.com’; Transform ‘Department’=‘Heat’ to ‘B2BPartnerLevel’=‘Level1’; Transform ‘Department’=‘Celtics’ to ‘B2BPartnerLevel’=‘Level2’
RP Rules (https://docs.contoso.com):
• Pass Through Email
• Transform ‘SG’=‘spreaders’ to ‘Role’=‘spdocs_readers’
• Transform ‘SG’=‘spcontributors’ to ‘Role’=‘spdocs_contributors’
• Transform ‘B2BPartnerLevel’=‘Level1’ to ‘Role’=‘spdocs_readers’
• Transform ‘B2BPartnerLevel’=‘Level2’ to ‘Role’=‘spdocs_contributors’
FABRIKAM – AD FS 2.0 (RP rules for CONTOSO): Issue Email Claim; Issue Department Claim
Key Learning
• Set up partner trust to extend SharePoint to partner organizations
• AD FS 2.0 Rule Learning
  • Normalize organizational access levels via Claims Provider Trust Rules
  • Create new Claim Descriptions to aid managing your rules
  • Convert Fabrikam ‘Department’ claim to Contoso ‘B2BPartnerLevel’ claim
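Added example, not the deck's own configuration: the FABRIKAM claims provider trust rules and the extra SPDOCS relying party rules from the partner slide, in the AD FS 2.0 claim rule language. The trust names, the Fabrikam department claim type URI and the Contoso B2BPartnerLevel claim type URI are assumed.

```powershell
# Added example: partner (FABRIKAM) rule sets for the CONTOSO AD FS 2.0 (not from the deck).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# New claim description so the rule editor and federation metadata know the normalized claim.
# The claim type URI is an assumption.
Add-ADFSClaimDescription -Name "B2BPartnerLevel" -ClaimType "http://schemas.contoso.com/claims/b2bpartnerlevel"

# CP rules on the FABRIKAM trust: accept only e-mail addresses in the partner's own namespace,
# so a trusted partner STS still cannot assert a @contoso.com address, then normalize its
# Department claim into Contoso's own B2BPartnerLevel claim. Unmapped departments get no level.
$fabrikamCpRules = @'
@RuleName = "Pass Through Email only with suffix @fabrikam.com"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
   Value =~ "(?i)^[^@]+@fabrikam[.]com$"]
 => issue(claim = c);

@RuleName = "Transform Department=Heat to B2BPartnerLevel=Level1"
c:[Type == "http://schemas.fabrikam.com/claims/department", Value == "Heat"]
 => issue(Type = "http://schemas.contoso.com/claims/b2bpartnerlevel", Value = "Level1");

@RuleName = "Transform Department=Celtics to B2BPartnerLevel=Level2"
c:[Type == "http://schemas.fabrikam.com/claims/department", Value == "Celtics"]
 => issue(Type = "http://schemas.contoso.com/claims/b2bpartnerlevel", Value = "Level2");
'@
Set-ADFSClaimsProviderTrust -TargetName "FABRIKAM" -AcceptanceTransformRules $fabrikamCpRules

# RP rules on SPDOCS: map the normalized level onto the same role claims the Contoso security
# groups map to, appended to whatever rules the trust already has.
$levelRpRules = @'
@RuleName = "Transform B2BPartnerLevel=Level1 to Role=spdocs_readers"
c:[Type == "http://schemas.contoso.com/claims/b2bpartnerlevel", Value == "Level1"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_readers");

@RuleName = "Transform B2BPartnerLevel=Level2 to Role=spdocs_contributors"
c:[Type == "http://schemas.contoso.com/claims/b2bpartnerlevel", Value == "Level2"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "spdocs_contributors");
'@
$spdocs = Get-ADFSRelyingPartyTrust -Name "SPDOCS"
Set-ADFSRelyingPartyTrust -TargetName "SPDOCS" `
  -IssuanceTransformRules ($spdocs.IssuanceTransformRules + "`n" + $levelRpRules)
```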
Configuration: CONTOSO with consumer identities via ACS (diagram)
Actors: users Charles and Kenny with consumer IDs; CONTOSO STS at https://sts.contoso.com; CONTOSO ACS at https://contosd.accesscontrol.windows.net; SharePoint 2010 at https://docs.contoso.com; the FABRIKAM trust (https://sts.fabrikam.com, AD) from the previous scenario remains. Identity trusts: CONTOSO STS trusts CONTOSO ACS; ACS trusts the consumer identity providers.
1. Request website at https://docs.contoso.com
2. Unauthorized! Give me a token
3. Get token for CONTOSO (“I have a Consumer ID!”)
4. You need a token from my ACS
5. Authenticate at the consumer identity provider (the slide reuses the label “Authenticate to FABRIKAM”)
6. Consumer IdP token to ACS
7. Token to CONTOSO from my ACS
8. Token for SP2010 issued by CONTOSO STS
9. Present token and gain access
AD FS 2.0 Rule Configuration (CONTOSO – AD FS 2.0, with FABRIKAM and ACS)
CP Rules (Claims Provider trusts):
• AD Authority: Pass Through Group Info; Get Email from AD
• FABRIKAM: Pass Through Email only with suffix ‘@fabrikam.com’; Transform ‘Department’=‘Heat’ to ‘B2BPartnerLevel’=‘Level1’; Transform ‘Department’=‘Celtics’ to ‘B2BPartnerLevel’=‘Level2’
• ACS: Pass Through IssuerID; Pass Through IssuerNameID; Get & Issue LocalNameIdentifier (from the SQL attribute store)
RP Rules (https://docs.contoso.com):
• Pass Through Email
• Transform ‘SG’=‘spreaders’ to ‘Role’=‘spdocs_readers’
• Transform ‘SG’=‘spcontributors’ to ‘Role’=‘spdocs_contributors’
• Transform ‘B2BPartnerLevel’=‘Level1’ to ‘Role’=‘spdocs_readers’
• Transform ‘B2BPartnerLevel’=‘Level2’ to ‘Role’=‘spdocs_contributors’
• Get & Issue Email Address from LocalNameIdentifier (SQL)
• Get roles based on LocalNameIdentifier (SQL)
Rules on the partner side:
• FABRIKAM – AD FS 2.0 (RP rules for CONTOSO): Issue Email Claim; Issue Department Claim
• ACS (RP rules for CONTOSO STS): Issue IssuerID; Issue IssuerNameID; Issue Email; Issue Name
Key Learning
• Evaluate consumer identities based on the sensitivity level of the resources that you would like to provide access to
• Register consumer identities to enable flexible control of provisioning and access
• Always use the IssuerID and IssuerNameIdentifier claims from ACS as the primary key for the consumer identity
• Convert to a local identifier in your realm for the flexibility to switch the local identifier to a different consumer identity (“Hey, I moved from Google ID to Facebook”)
• AD FS 2.0 Rule Learning
  • Source claims from different attribute stores like SQL
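Added example (not the deck's scripts): the ACS claims provider rules and the SQL-backed SPDOCS rules of the consumer-identity slide, keyed exactly as the key learning says, on the (IssuerID, IssuerNameID) pair. The attribute store name, connection string, table and column names, the LocalNameIdentifier claim type URI and the ACS identity-provider claim type URI are assumptions.

```powershell
# Added example: ACS consumer-identity rule sets for the CONTOSO AD FS 2.0 (not from the deck).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Hypothetical SQL attribute store holding the consumer-identity registry (connection string,
# table and column names are assumptions).
Add-ADFSAttributeStore -Name "ConsumerIdStore" -StoreType SQL `
  -Configuration @{ "Connection" = "Server=sql01;Database=ConsumerIds;Integrated Security=True" }

# CP rules on the ACS trust: pass through the two claims that identify the consumer account
# (ACS identity provider = IssuerID, nameidentifier = IssuerNameID) and resolve the pair to a
# local identifier. Both values are bound as query parameters ({0}, {1}) by AD FS, so token
# content is never spliced into the SQL text. Unregistered pairs yield no LocalNameIdentifier.
$acsCpRules = @'
@RuleName = "Pass Through IssuerID"
c:[Type == "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"]
 => issue(claim = c);

@RuleName = "Pass Through IssuerNameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleName = "Get & Issue LocalNameIdentifier keyed on (IssuerID, IssuerNameID)"
c1:[Type == "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"] &&
c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(store = "ConsumerIdStore",
          types = ("http://schemas.contoso.com/claims/localnameidentifier"),
          query = "SELECT LocalNameId FROM ConsumerIdentity WHERE IssuerId = {0} AND IssuerNameId = {1}",
          param = c1.Value, param = c2.Value);
'@
Set-ADFSClaimsProviderTrust -TargetName "CONTOSO ACS" -AcceptanceTransformRules $acsCpRules

# RP rules on SPDOCS: e-mail and roles come from the registry via the local identifier, never
# from the consumer token, so the user can later be re-linked to a different consumer ID.
$consumerRpRules = @'
@RuleName = "Get & Issue Email Address from LocalNameIdentifier"
c:[Type == "http://schemas.contoso.com/claims/localnameidentifier"]
 => issue(store = "ConsumerIdStore",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = "SELECT Email FROM ConsumerIdentity WHERE LocalNameId = {0}", param = c.Value);

@RuleName = "Get roles based on LocalNameIdentifier"
c:[Type == "http://schemas.contoso.com/claims/localnameidentifier"]
 => issue(store = "ConsumerIdStore",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = "SELECT RoleName FROM ConsumerRole WHERE LocalNameId = {0}", param = c.Value);
'@
$spdocs = Get-ADFSRelyingPartyTrust -Name "SPDOCS"
Set-ADFSRelyingPartyTrust -TargetName "SPDOCS" `
  -IssuanceTransformRules ($spdocs.IssuanceTransformRules + "`n" + $consumerRpRules)
```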
Summary
• AD FS 2.0 connects your SharePoint 2010 to
  • Your Active Directory users
  • Partner organizations
  • Consumer identities
• Provide central authorization using claims sourced from AD FS 2.0 (and from any attribute store)
• Harness the power of claims to transform data as needed by your applications
Track Resources
• Active Directory
  • WSV401: Tricks-of-the-Trade after More Than a Decade of Microsoft Active Directory (5/17 @ 5:00pm, C305)
  • SIM376-INT: Meet the Active Directory (Identity & Access) Product Group
• AD FS 2.0
  • SIM402: Active Directory Federation Services, Part 1: How do they really work? (5/18 @ 3:15pm, B406)
  • SIM403: Active Directory Federation Services, Part 2: Building Federated Identity Solutions (5/18 @ 5pm, B406)
• Cloud & Identity
  • SIM324: Using Windows Azure Access Control Service 2.0 with Your Cloud Application (5/17 @ 8:30am, C302)
  • SIM358: Preparing Identities for Cloud Services with Microsoft Forefront Identity Manager (5/17 @ 10:15am, C201)
  • SIM323: User Identity and Authentication for Desktop and Phone Applications (5/19 @ 2:45pm, C206)
• O365
  • OSP215: Microsoft Office 365: Identity and Access Solutions (5/17 @ 3:15pm, B314)
  • SIM320: Using Active Directory with Microsoft Office 365 (5/19 @ 4:30pm, B402)
• Hands-On Labs
  • COS277-HOL: Web Services and Identity in Windows Azure
  • SIM399-HOL: Managing Claims AuthN using FIM 2010
  • MID274-HOL: Introduction to the Windows Azure AppFabric Access Control Service V2
Related Content
• AD FS 2.0 Portal
• AD FS 2.0 Content Map
• Claims Based Identity Blog
SharePoint 2010 Setup Scripts
Configure SharePoint
• ‘settings.xml’ file contains all the settings
• PowerShell script ‘sharepointConfig.ps1’
  • Extracts trust information (certificate, URLs) from the AD FS 2.0 FederationMetadata document
  • Sets up the Web Application
  • Sets up a new SharePoint Team Site from template (‘STS#0’)
Generate SharePoint Metadata
• ‘settings.xml’ file contains all the settings
• PowerShell script ‘generateSharePointMetadata.ps1’
  • Creates a FederationMetadata document that can be imported into AD FS 2.0
Configure User Permissions
• ‘userPermissionSettings.xml’ contains all the user data that needs to be provisioned
• PowerShell script ‘giveUserPermission.ps1’
  • Provides user access using the Email Address as the identifier for users
  • Provides the ability to use the ‘department’ claim for authorization as well
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward. You can also find the latest information about our products at the following links:
• Cloud Power - http://www.microsoft.com/cloud/
• Private Cloud - http://www.microsoft.com/privatecloud/
• Windows Server - http://www.microsoft.com/windowsserver/
• Windows Azure - http://www.microsoft.com/windowsazure/
• Microsoft System Center - http://www.microsoft.com/systemcenter/
• Microsoft Forefront - http://www.microsoft.com/forefront/
Resources
• Connect. Share. Discuss. http://northamerica.msteched.com
• Learning: Sessions On-Demand & Community www.microsoft.com/teched
• Microsoft Certification & Training Resources www.microsoft.com/learning
• Resources for IT Professionals http://microsoft.com/technet
• Resources for Developers http://microsoft.com/msdn
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.