Slide1
Using Claims based authentication with SharePoint
Nauzad Kapadia
Slide2
Identity and Identity Providers
Digital Persona
Composed of attributes/identifiers
Examples: Active Directory, Database, Directory Services
Can be proved by providing Claims

Attribute        Value
Display Name     Chris Gideon
Email Address    Cgideon@contoso.com
User Name        Contoso\cgideon
Title            Senior PFE
Slide3
What is a Claim?
Information about an identity…
Example: Airport
Steps: Ticket counter, Verification, Boarding Pass Issued, Security Check point, Boarding

Issuer: Department of Public Safety    Issuer: Air Line
Full Name                              Name
Number                                 Frequent flyer number
Address                                Flight number
Citizenship                            Seating priority
Date of birth                          Gate
Date of issue                          Seat number
Date of expiration                     Date of issue
Sex                                    bar code and/or the magnetic strip
Picture
Slide4
Issuers and Security Tokens
Issues security tokens
Collection of claims
Formats: SAML
Signing
Slide5
Security Token Service (STS)
Web Service that issues claims and packages security tokens.
Supports multiple credential types
IP-STS and RP-STS. An IP-STS is an STS that issues tokens that can be used to request service tokens from RP-STSs. An RP-STS can also consume other types of tokens (or credentials), for example an NT token that comes from the domain controller (KDC).
STSs can be chained
Slide6
Relying Party
An application that relies on claims: a claims-based application.
Relying Party Security Token Service (RP-STS)
Slide7
Example - The Airport
Diagram (labels only): Airline, Department of Public Safety, Gate Agent; Trust; Need Drivers License; Drivers License; Boarding Pass; Birth Records
Slide8
SharePoint as a Claims-based application
SharePoint STS is always a relying party STS
Built on Windows Identity Foundation (WIF)
Multiple authentication types
Identity Provider neutral
Configured via Central Admin or PowerShell
Delegation of user identity between applications.
Slide9
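Added example, not from the deck: registering an external IP-STS as a trusted identity token issuer of the SharePoint STS with the SharePoint PowerShell cmdlets, the configuration path the slide names. The certificate path, realm, sign-in URL and issuer name are placeholders; the claim type URIs are the standard email and role claim types.

```powershell
# Added example: trust an external IP-STS from the SharePoint (RP-)STS.
# Paths, URLs, realm and names below are placeholders for this illustration.

# 1. The IP-STS token-signing certificate (public key only). SharePoint checks
#    the signature on every incoming SAML token against it, so obtain it from
#    the IP-STS operator over a trusted channel, never from a received token.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    "C:\certs\ipsts-token-signing.cer")
New-SPTrustedRootAuthority -Name "IP-STS Token Signing" -Certificate $signingCert

# 2. Map incoming claim types to SharePoint claim types. Only mapped claims
#    survive normalization into the SPUser identity; the rest of the token is dropped.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the issuer. The realm is the audience the IP-STS must put in
#    tokens for this farm; the identifier claim becomes the user's unique name
#    in SharePoint, so it must be one the IP-STS guarantees is unique and that
#    users cannot set for themselves.
$issuer = New-SPTrustedIdentityTokenIssuer `
    -Name "Contoso IP-STS" `
    -Description "External identity provider STS" `
    -Realm "urn:sharepoint:contoso" `
    -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl "https://sts.contoso.com/adfs/ls/" `
    -IdentifierClaim $emailClaim.InputClaimType

# 4. Check: the issuer is registered, bound to the expected signing certificate
#    thumbprint, and uses the intended identifier claim.
Get-SPTrustedIdentityTokenIssuer -Identity "Contoso IP-STS" |
    Select-Object Name, IdentifierClaim, ProviderRealms,
        @{ n = "SigningThumbprint"; e = { $_.SigningCertificate.Thumbprint } }
```

Binding the issuer to a web application zone (in Central Admin, or with New-SPAuthenticationProvider) is a separate step not shown here.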
SharePoint Claims Overview
Diagram (labels only): SharePoint STS, IP-STS, Web App; Trust; Authenticate; Issue token; Send token; Issue token; Send token; Send Cookie
Slide10
Browser-based sign-in
Participants: Browser, Issuer, Active Directory
Sequence:
1. GET /
2. 302
3. AuthN
4. SAML Token
5. POST
6. Process Token
7. Cookie
8. Cookie
9. Process Claims
10. 302
Slide11
Identity Normalization
Sources normalized into an SPUser:
NT Token: Windows Identity
ASP.Net (FBA): SQL, LDAP, Custom …
SAML Token: Claims Based Identity
Result: SPUser
Authentication modes:
-Classic: NT Token, Windows Identity
-Claims: SAML (ADFS, Ping, etc.)
Slide12
Claims Providers
Retrieve and expose claims
For augmentation: insert claims into the Security Token
For setting permissions: give access to “all PMs with blue eyes”
Deployed via WSP
Slide13
Forms Based Authentication
Exposed through Claims Mode
Implemented as a Claims Provider
Upgrade:
-In-place: ACLs updated, web.config not
-DB Attach: ACLs updated, no need to update config
Provider Neutral, e.g. SQL, LDAP etc.
Slide14
What changed in FBA
FBA users are exposed through Claims
Claims identity is created instead of generic identity
STS talks to membership provider to validate user and issues a claims token
ValidateUser() must be implemented by membership providers
Roles are converted to claims
Mixed mode environments