How Claims is Changing the Way We Authenticate and Authorize in SharePoint


Page 1

Antonio Maio, Protiviti, Senior SharePoint Architect & Senior Manager, Microsoft SharePoint Server MVP

Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2

Page 2

© 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

• 2,500+ professionals

• 1,000+ clients

• 70+ offices

• Over 20 countries in the Americas, Europe and Asia-Pacific

Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011.

Page 3

Agenda

• Introduction to the Concept of Claims
  – Types of Claims Retrieved
  – How do I know which ones?

• Authentication vs Authorization
  – Claims Based Authentication
  – Using Claims for Authorization
  – Permissions
  – People Picker

• Architecture and Trusted Identity Providers
  – Enabling Claims Based Authorization with Trusted Identity Providers
  – Customizing Claims Authentication Process
  – Augmenting Claims with Custom Claim Providers

• Common Customer Needs and Scenarios

Page 4

What is a Claim?

• User attributes
• Metadata about a user
• AD attributes/LDAP attributes

What’s Missing?

Page 5

Trust!

Page 6

What is a Claim?

Claims are trusted assertions I make about myself

– Identity attributes retrieved from a trusted identity provider

– Digitally signed so that I can verify the identity provider

– Packaged and signed in a standards-based way (ex. SAML)

(SAML = Security Assertion Markup Language)

Allow me to take my identity across network boundaries in a trusted and secure way!

Page 7

Claims About Me

• Name: Antonio Maio
• Email: [email protected]
• Company, Department: Protiviti, SharePoint Practice
• Security Clearance: Secret (Canada)
• Military Rank: <none>
• Employment Status: FTE
• Over 18 Years Old: Yes
• Valid Driver’s License: Yes
• Country of Birth: Canada
• Citizenship: Canadian, Italian
• Residence: Dallas, Texas, USA

Consider, why do you trust them?

Page 8

Authentication: the process of determining that someone is who they say they are

• Typically done today through username/password

SharePoint 2013 – Claims Based Authentication is the default Auth’n method

• New Web Applications are Claims Enabled
• Classic Mode authentication has been deprecated – only available through PowerShell

How do Claims allow us to go beyond classic authentication?

• Single Sign-On across systems in different domains
• Federate between SharePoint On Premise and O365
• Verify additional info about a user during the authentication process
• Required for new SharePoint 2013 features like Server-to-Server Auth and App Authentication

Page 9

Configuring Claims Based Authentication

• Central Admin > Manage Web Applications > New Web Application
• By default claims enabled
• SSL is required for most scenarios
  • Trusted identity providers
  • Server to Server Authentication
  • App Authentication
• Select your Authentication Protocol
  • Windows Auth: NTLM or Kerberos
  • Forms Based
  • Trusted Identity Provider (SAML)
  or some combination…

Page 10

Configuring Claims Based Authentication – PowerShell

• Ensure you have the correct permissions (securityadmin and dbowner on DB, part of administrators group on server)

• Sample:

  # With no parameters this creates the Windows (NTLM) claims authentication provider
  $ap = New-SPAuthenticationProvider

  New-SPWebApplication -Name "Contoso Internet Site" -Port 443 -HostHeader sharepoint.contoso.com -URL "https://www.contoso.com" -ApplicationPool "ContosoAppPool" -ApplicationPoolAccount (Get-SPManagedAccount "DOMAIN\jdoe") -AuthenticationProvider $ap -SecureSocketsLayer

• General form:

  New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -URL <URL> -Port <Port> -AuthenticationProvider $ap

  Where:
  <Name> is the name of the new web application that uses claims-based authentication.
  <ApplicationPool> is the name of the application pool.
  <ApplicationPoolAccount> is the user account that this application pool will run as.
  <URL> is the public URL for this web application.
  <Port> is the port on which the web application will be created in IIS.

Page 11

Types of Claims Retrieved

• Standard Claims
  – Only claims retrieved when using NTLM/Kerberos
  – Only claims supported through Office 365/SharePoint Online
• Custom Claims
  – Trusted Identity Provider required: ADFS, Ping Federate, Thinktecture, etc.

Standard claims: Name identifier, Primary SID, Primary Group SID, UPN, User Logon Name, User ID, Name, Identity Provider, Name Issuer, Is Authenticated, Farm ID, Role, Group SID

Page 13

Authorization: determining what resources users are permitted to access and what actions they’re permitted to perform

• Typically through permissions in SharePoint
• How do claims allow us to go beyond simple Permissions? Authorization can:
  – Be specific to the user
  – Be done without knowing who the user is
  – Be dynamic – ex. changes in a user’s security clearance are reflected
  – Include environmental attributes (current time, GEO location, connection type, etc.)
  – Be an alternative to security groups – Groups do not scale
    Example: user must be part of GroupA and GroupB and GroupC to access a resource

Page 14

Simple Permission Examples: Users and Groups

• Finance AD Group has Full Control on Library A
• ProjectXContractor SP Group has Read access on site B
• Antonio.Maio AD user has Contribute access on Document C

Each permission is: Principal (user or group) + Permission Level (collection of permissions) + Information Object (item or container)

Page 15

Permission Examples: Claims

• Remember: Claims are trusted attributes about a user
• May assign a Claim as part of a permission to an object or container (just like a user or group)
  • ‘SecurityClearance=Secret’ has Full Control access on Document X
  • ‘ITARCleared=True’ has Read access on Library Y
  • ‘EmploymentStatus=FTE’ has Contribute access on Site Z

Each permission is: Principal (a claim in this case) + Permission Level (collection of permissions) + Information Object (item or container)

Page 16

People Picker

1. Type the value of the claim in the Find field (Top Secret in our example)
   Note: people picker cannot resolve values. Typos will appear here as if they are valid values. It will display multiple valid selections for your value, one for each claim type available.
2. Next, you select the attribute type in the All Search Results list on the left side – in our case we select Clearance.
3. The list on the right side will then reduce the view to one selection for the attribute type selected. Select that attribute type in the right list now.
4. Click the Add button, and then click OK.

Page 17

People Picker and Assigning Permission

• Once the claim is selected it can be assigned as a permission with a permission level to some securable object

Page 18

Enabling Claims Based Authorization

• Planning Required
  – Driven by a need to secure information at a more granular level
  – Standard Claims typically are not sufficient
  – Determining policies, claims, getting stakeholders to agree, etc.
  – Which trusted identity provider? Which attribute store?
• Infrastructure Required
  – Storing, managing, retrieving, transforming, trusting claims
• Configuration Required
  – Deploying Identity Provider, connecting it to SharePoint, configuring Trust, Sign-in, Claims Rules

Page 19

Enabling Claims Based Authorization

High Level Steps

1. Create the SharePoint 2013 Web Application

2. Install and Configure an STS Server (Secure Token Server)

• Ex. Deploy ADFS, Domain Joined Server (possibly a farm)

3. Configure STS with the SharePoint web application as a Relying Party

• Configuration within ADFS

4. Configure SharePoint 2013 to trust STS as an Identity Provider

• Import ADFS Token Signing Certificate into IIS on SharePoint

• Use PowerShell to configure ADFS as Trusted Provider

5. Configure SharePoint Web Application to use Claims Based Authentication and STS as the Trusted Identity Provider

• Within Central Admin
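Steps 4 and 5 above, typed into the SharePoint 2013 Management Shell, as an added example that is not from the slides: the certificate path, ADFS host name, realm, web application URL and the custom Clearance claim type URI are assumptions, and the ADFS side (relying party trust and claim rules) is assumed to already be configured.

```powershell
# Added example (not from the slides). Assumed values: exported ADFS token-signing
# certificate path, ADFS host name, relying-party identifier (realm), web app URL,
# and a custom claim type URI that an ADFS claim rule is assumed to issue.
$certPath  = "C:\Certs\ADFS_TokenSigning.cer"      # public key only; exported from ADFS
$signInUrl = "https://adfs.contoso.com/adfs/ls"    # ADFS passive (WS-Fed) endpoint
$realm     = "urn:sharepoint:contoso"              # must equal the Relying Party identifier in ADFS
$webAppUrl = "https://www.contoso.com"             # web application created on slide 10
$clearanceClaimType = "http://contoso.com/claims/clearance"   # assumed custom claim type

# Step 4a: trust the ADFS token-signing certificate. SharePoint checks the signature
# of every incoming SAML token against this root authority, so a token signed by any
# other key is rejected. Re-run this when ADFS rolls its signing certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

# Step 4b: declare which incoming claim types SharePoint keeps. Anything not mapped is
# dropped from the user's token, so every claim you want to use in permissions
# (here e-mail, role and the custom clearance claim) needs a mapping.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$clearanceMap = New-SPClaimTypeMapping -IncomingClaimType $clearanceClaimType `
    -IncomingClaimTypeDisplayName "Clearance" -SameAsIncoming

# Step 4c: register ADFS as a trusted identity token issuer. The identifier claim is
# the value SharePoint uses as the user's login name, so it must be unique per user
# and always present in the token (e-mail here).
$sts = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "Contoso ADFS" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap, $clearanceMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# Step 5: switch the web application's Default zone to the trusted provider
# (the PowerShell equivalent of the Authentication Providers page in Central Admin).
$ap = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $ap

# Sanity check: the issuer should now list the three mapped claim types.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" | Select-Object -ExpandProperty ClaimTypes
```

The ADFS relying party trust must use the same identifier as $realm and a WS-Federation passive endpoint of the web application URL followed by /_trust/, otherwise the token is issued for the wrong audience and SharePoint rejects it.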

Page 20

Claims Based Auth’n/Auth’r Architecture

Parties:
• Client System – ex. web browser
• Relying Party (RP) – SharePoint 2013
• Trusted Identity Provider (IP) – Secure Token Server (STS), ex. Active Directory Federation Services (ADFS), backed by an Identity Store / Attribute Store (AD, Database or Directory)

Flow:
1. Sign In Page – browser redirect from SharePoint to the STS
2. Requests authentication (thru username/password) and a token
3. Authenticate User, Get info (claims) about user – STS against the Identity/Attribute Store
4. Authenticated user, attributes retrieved & STS creates token – Token with Claims, Format: SAML/WS-Fed
5. User is authenticated and SharePoint 2010 now has user’s claims & knows it can trust them

Page 21

Customizing Claims Authentication Process

Same parties and steps 1–5 as the architecture on the previous slide, with two customization points:

• Custom Claim Provider – on the SharePoint 2013 (Relying Party) side, after the token with claims has been received
• Claim Rule(s) – on the STS (ADFS) side, pulling attributes from a SQL DB, LDAP, PKI, etc. through an IAttributeStore implementation

Page 22

Trusted Identity Providers

• Select a Standards-based Identity Provider (SAML)
  – Active Directory Federation Services 2.0 or later
    • Supports full SAML 1.1 and 2.0 Tokens and Protocol
    • Supports WS-Federation Tokens and Protocol
    • SharePoint 2010/2013 use SAML 1.1 tokens and SAML 2.0 protocol
    • Must authenticate against Active Directory
  – Ping Federate (Commercial)
  – Thinktecture (Open Source)

Page 23

Augmenting Claims - Custom Claim Providers

• Used to Augment User Claims and Customize People Picker

• SharePoint farm level feature

• Can deploy more than one

• Called after user is authenticated …and after Trusted Identity Provider has already returned claims

– Built on top of WIF (Windows Identity Foundation)

– Used to augment claims or transform claims

– Used to customize the People Picker (ex. resolving claims through user search)

Page 24

Custom Claim Provider Deployment

• Deployed as a Farm Level Feature Receiver – requires more code
  – Must inherit from SPClaimProviderFeatureReceiver (lots of examples)
• Can deploy multiple claim providers
  – Called in order of deployment
• Once deployed – available in every web app, in every zone
  – Can cause performance issues
  – When user logs in, all Custom Claim Providers deployed get called
  • Set IsUsedByDefault property in Feature Receiver Def'n to False
  • Turn it on manually for required web apps

Page 25

Common Customer Needs

• How do I secure access to sensitive information just to certain people and only under certain conditions?
  – (More) Fine Grained Access Control
  – Sensitive content sitting beside non-sensitive content
• I have compliance requirements about who can access certain types of data and when
  – How do I enforce that without stopping business?

Page 26

What Types of Claims are Useful?

• Military, Intelligence, Government Defense

– Security Clearance, Caveats, Communities of Interest

– Need to Know

• Commercial

– Department, Team or Role

– Current Date/Time, Current Device (BYOD)

– Group Membership with multiple groups

– Partner ID or Business ID (in partner extranet scenarios)

• Aerospace/Defense Contracting

– Nationality + Current Location

• Homeland Security

– Agency (law enforcement, emergency response, public health…)

– Scope or Level (local, state, federal), Current Threat Level

Page 27

Intelligence / Military Examples

Example 1 – document metadata matched against user claims:
• Document: Classification, Caveats, Need to Know
• User claims: Security Clearance, Caveats, Groups
• Matching rules: Has All, Has All, Has Minimum

Example 2:
• Document: Classification, Topics, Restrictions, Communities
• User claims: Security Clearance, Topics, Restrictions, Communities
• Matching rules: Has Minimum, Has Any, Not Have Any, Has All

Page 28

Commercial Example

• Claim: Employee Status
• Document Metadata: Classification (HBI, MBI, LBI)

If employee.status = FTE and document.classification = HBI
  Then permit access to document
If employee.status = Contract and document.classification = HBI
  Then deny access to document

Page 29

Government Example

• Claim: Client Case Numbers
• Document Metadata: Document Case Number

If document.case = X AND client.casenumbers includes X
  Then permit access to document
If document.case = X AND client.casenumbers does not include X
  Then deny access to document
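A stand-alone evaluator for the four matching rules named on the Intelligence/Military slide (Has Minimum, Has All, Has Any, Not Have Any), also applied to the commercial and government examples above; this is an added example, not from the slides, and the clearance ordering, the pairing of rules to attributes in Test-ClassifiedAccess and all sample values are constructed.

```powershell
# Added example (not from the slides). The clearance ordering and the sample
# values are constructed; a user is a hashtable of claim values and a document a
# hashtable of metadata, mirroring the slides' "Claim" vs "Document Metadata".
$ClearanceOrder = @{ 'Unclassified' = 0; 'Confidential' = 1; 'Secret' = 2; 'TopSecret' = 3 }

function Test-HasMinimum([string]$UserLevel, [string]$RequiredLevel) {
    # Ordered comparison; unknown or missing levels fail closed.
    if (-not ($ClearanceOrder.ContainsKey($UserLevel) -and $ClearanceOrder.ContainsKey($RequiredLevel))) { return $false }
    return $ClearanceOrder[$UserLevel] -ge $ClearanceOrder[$RequiredLevel]
}
function Test-HasAll([string[]]$UserValues, [string[]]$Required) {
    # Every required value (e.g. each caveat on the document) must be in the user's claims.
    foreach ($r in $Required) { if ($UserValues -notcontains $r) { return $false } }
    return $true
}
function Test-HasAny([string[]]$UserValues, [string[]]$Required) {
    # At least one required value must match; a document with no requirement matches everyone.
    if (-not $Required) { return $true }
    foreach ($r in $Required) { if ($UserValues -contains $r) { return $true } }
    return $false
}
function Test-NotHaveAny([string[]]$UserValues, [string[]]$Forbidden) {
    # Any overlap with the document's restrictions denies.
    foreach ($f in $Forbidden) { if ($UserValues -contains $f) { return $false } }
    return $true
}

function Test-ClassifiedAccess([hashtable]$Claims, [hashtable]$Doc) {
    # Default deny: every rule must pass. The pairing of rules to attributes is
    # constructed for this example (classification -> Has Minimum, caveats -> Has All,
    # communities -> Has Any, restrictions -> Not Have Any).
    $ok = (Test-HasMinimum $Claims.Clearance    $Doc.Classification) -and
          (Test-HasAll     $Claims.Caveats      $Doc.Caveats) -and
          (Test-HasAny     $Claims.Communities  $Doc.Communities) -and
          (Test-NotHaveAny $Claims.Restrictions $Doc.Restrictions)
    if ($ok) { 'Permit' } else { 'Deny' }
}

function Test-CommercialAccess([hashtable]$Claims, [hashtable]$Doc) {
    # Slide 28: only FTEs may access HBI documents; MBI/LBI are not restricted by this rule.
    if ($Doc.Classification -eq 'HBI' -and $Claims.EmploymentStatus -ne 'FTE') { return 'Deny' }
    return 'Permit'
}
function Test-GovernmentAccess([hashtable]$Claims, [hashtable]$Doc) {
    # Slide 29: the document's case number must appear in the client's case-number claim.
    if (Test-HasAny $Claims.CaseNumbers @($Doc.CaseNumber)) { 'Permit' } else { 'Deny' }
}

# Constructed sample user and documents.
$user = @{ Clearance = 'Secret'; Caveats = @('NOFORN'); Communities = @('X'); Restrictions = @('FTE')
           EmploymentStatus = 'FTE'; CaseNumbers = @('2014-0017', '2014-0042') }
$secretDoc    = @{ Classification = 'Secret';    Caveats = @('NOFORN'); Communities = @('X', 'Y'); Restrictions = @('Contractor') }
$topSecretDoc = @{ Classification = 'TopSecret'; Caveats = @('NOFORN'); Communities = @('X', 'Y'); Restrictions = @('Contractor') }
"Secret doc:     " + (Test-ClassifiedAccess $user $secretDoc)
"Top Secret doc: " + (Test-ClassifiedAccess $user $topSecretDoc)
"HBI doc:        " + (Test-CommercialAccess $user @{ Classification = 'HBI' })
"Case 2014-0042: " + (Test-GovernmentAccess $user @{ CaseNumber = '2014-0042' })
"Case 2014-0099: " + (Test-GovernmentAccess $user @{ CaseNumber = '2014-0099' })
```

The Secret document is permitted and the Top Secret one is denied solely by the Has Minimum rule, which is the "dynamic" behaviour the Authorization slide describes: changing the user's Clearance claim at the identity provider changes the decision without touching any SharePoint permission.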

Page 30

Summary

• Claims Based Authentication/Authorization still a new topic for many people
  – Allows us to take our identities across network boundaries in a trusted and secure way
  – Enabling our move to the cloud – required for Identity Federation
• Claims Based Authentication is Default in SharePoint 2013
  – Classic Mode is Deprecated (still there in 2013 but will likely go away next version)
• Claims are a great tool for Enterprise-Grade Authentication and Authorization
  – Infrastructure and Planning Required to take advantage of it
  – Leading SharePoint deployments in businesses, government and military to more fine grained authorization

Page 31

• 7th Annual Conference
• 6 SharePoint MVPs presenting
• Full-Day Training Workshops pre and post conference
• Separate tracks for Business Users, Technical Users & UX Professionals
• Government, Association, Nonprofit & Group Discounts Available

Get 15% off! Use: PRO15 when registering

Learn More & Register at SharePointConference.org

Dallas, TX October 20, 2014

Page 32

Antonio Maio, Protiviti, Senior SharePoint Architect & Senior Manager, Microsoft SharePoint Server MVP

Thank You!

Email: [email protected]
Blog: www.trustsharepoint.com
Slide share: http://www.slideshare.net/AntonioMaio2
Twitter: @AntonioMaio2