How Microsoft SharePoint 2010 is built with Windows Identity Foundation
Sesha Mani, Senior Program Manager, Microsoft Corporation
PDC2009 session SVC26 (slide transcript, 36 pages)

Page 1: How Microsoft SharePoint 2010 is built with Windows Identity Foundation

Sesha Mani, Senior Program Manager, Microsoft Corporation
SVC26

Page 2: Agenda

> SharePoint 2007 – identity challenges
> Claims-based identity and Windows Identity Foundation (WIF)
> SharePoint 2010 – new identity architecture – “Claims-based identity”
> Map new architecture to customer’s existing problems & future needs

Page 3: SharePoint 2007 – Identity Challenges

> 1. Authentication is intertwined within SharePoint 2007
> 2. Requires complex configuration for identity delegation
> 3. Access control only through attribute providers
  > Active Directory, Role Providers
> Are these challenges unique to SharePoint 2007?
  > These are identity challenges common to all applications…
> What is the solution? What do we need to do?

Page 5: And we did …

NEW path to identity in SP2010 …

Page 6: CLAIMS-BASED IDENTITY …

Page 7: SharePoint 2007 – Identity Flow / SharePoint 2010 – Identity Flow

[Diagram: SharePoint 2007 – Identity Flow. Client → SharePoint Web Application. Authentication methods: Windows integrated, Membership & Role Providers, Web SSO, Anonymous access. Access control: roles protected. The web application reaches the SharePoint Service Applications and the Content Database as trusted sub-systems under a Windows Identity.]

[Diagram: SharePoint 2010 – Identity Flow. Client → SharePoint Web Application, where Auth is separated from App logic. Authentication methods: Windows, ASP.Net (FBA), SAML Web SSO, all turned into a Claims Based Identity by the SP-STS (WIF – SPSTS). Access control: claims protected. The Services Application Framework is claims-aware (WIF); the Content Database is still reached under a Windows Identity.]

Page 8: Benefits of claims model for SharePoint 2010

> Support existing identity infrastructure
  > Active Directory
  > LDAP, SQL
  > WebSSO and Identity Management Systems
> Multiple authentication methods per SharePoint Web Application
> Enable automatic, secure identity delegation
  > Cross-machines & cross-farm
> Support “no-credential” connections to External web services
> Standards-based and Interoperable

Page 9: Identity in SharePoint 2010 is built on WIF

> Fundamental shift in identity in SP2010
> Windows Identity Foundation (WIF)
  > Framework for building claims-aware applications & STS
  > Standards-based and interoperable
  > Targets ASP.NET and WCF developers
    > WS-Federation (Passive) – ASP.NET
    > WS-Trust (Active) – WCF
  > Offers unified programming model

Page 10: Three Themes

[Diagram: the SharePoint 2010 identity flow from page 7 (Client, Authentication methods, SharePoint Web Application with Auth and App logic, SP-STS / WIF – SPSTS, Access control, Search Services Application, Services Application Framework, Content Database, IClaimsPrincipal, IPrincipal) annotated with three themes:]

> “Externalizing Authentication” <Identity into SharePoint>
> “Identity normalization” <Identity inside/out of SharePoint>
> “Support existing identity infrastructure” <Identity inside SharePoint>

Page 11: Theme-1: Externalizing Authentication

[Diagram: the three-theme overview from page 10, with the “Externalizing Authentication” components highlighted: SharePoint Web Application, App logic, Auth, SP-STS, WIF – SPSTS]

Page 12: “Externalizing Authentication” – Sign-In Methods

> Sign-in methods supported in SP2010 (each of them produces an SPUser):
  > Classic
    > Windows Identity – NT Token
  > Claims
    > Windows Identity – NT Token
    > ASP.Net (FBA) – SQL, LDAP, Custom …
    > Claims Based Identity – SAML Token (SAML 1.1 + ADFS, etc.)

Page 13: “Externalizing Authentication” – 1000 ft view

[Diagram: Fabrikam Enterprise, Farm-A, Windows claims. The user Frank Miller, a SharePoint Web Application and the SharePoint-STS; the web application trusts the SharePoint-STS.]

1. Attempt access (Frank Miller → SharePoint Web Application)
2. Redirect to STS for auth
   2.1 Authenticate user
   2.2 Augment claims
3. Post Token {SP-Token} (browser → SharePoint Web Application)
   3.1 Extract Claims and construct IClaimsPrincipal

Page 14: “Externalizing Authentication” – 50 ft view

> Scenario: Web application configured with Windows Claims

[Diagram: Browser client; IIS / ASP.NET hosting the Web Application (Windows Authentication Module, WS-Federation Authentication Module, Session Authentication Module, Cookie Management) and the SharePoint-STS (WS-Federation Passive Serializer, Security Token Service). Numbered arrows 1–8 trace the sign-in; step 8 is the session cookie returned to the browser.]
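Steps 2.1 and 2.2 on the previous page are what any WS-Federation STS does once a relying party has redirected the browser to it. The block below is an added example, not code from this talk and not SharePoint’s own STS (which is built in and augments claims through registered claim providers rather than through this override): a minimal WIF 1.0 STS that authenticates the caller, augments the outgoing identity, and in GetScope refuses to issue tokens for realms it does not know and pins the reply address per relying party instead of honouring a wreply from the request. The realm, reply URL, claim type, issuer name and the HrDirectory helper are assumptions made for illustration.

```csharp
// Added example (not from the talk or from SharePoint): a minimal WIF 1.0 STS that
// performs steps 2.1 and 2.2 of the passive sign-in. Names marked "assumed" are not
// from the original page.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class FabrikamSts : SecurityTokenService
{
    // Relying parties this STS will issue for, keyed by realm (wtrealm / AppliesTo), with
    // the only address a token may be posted back to. An STS that signs for any realm it is
    // asked about, or honours an attacker-supplied wreply, hands out forwardable tokens.
    private static readonly Dictionary<string, string> KnownRelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "urn:sharepoint:portal", "https://portal.fabrikam.com/_trust/" },   // assumed
        };

    public FabrikamSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null)
            throw new InvalidRequestException("AppliesTo (realm) is required.");

        string realm = request.AppliesTo.Uri.AbsoluteUri;
        string replyTo;
        if (!KnownRelyingParties.TryGetValue(realm, out replyTo))
            throw new InvalidRequestException("Unknown relying party: " + realm);

        Scope scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = replyTo;         // fixed per RP, never taken from the request
        scope.TokenEncryptionRequired = false;  // production: true, plus X509EncryptingCredentials for the RP
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // Step 2.1: the STS endpoint authenticated the caller (Windows authentication in the
        // scenario above). Never mint a token for an anonymous principal.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated.");

        IClaimsIdentity output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));

        // Step 2.2: augment. Each added claim carries an explicit issuer so the relying party
        // can tell augmented claims from authenticated ones.
        foreach (string dept in HrDirectory.DepartmentsFor(principal.Identity.Name))
        {
            output.Claims.Add(new Claim(
                "http://schemas.fabrikam.com/claims/department", dept,   // assumed claim type
                ClaimValueTypes.String, "urn:fabrikam:hr"));              // assumed issuer
        }
        return output;
    }
}

// Hypothetical stand-in for the HR system consulted during augmentation.
internal static class HrDirectory
{
    private static readonly Dictionary<string, string[]> Departments =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"FABRIKAM\frankm", new[] { "Finance" } },   // constructed sample data
        };

    public static IEnumerable<string> DepartmentsFor(string account)
    {
        string[] depts;
        return Departments.TryGetValue(account, out depts) ? depts : new string[0];
    }
}
```

The class is driven by WIF’s passive STS page (FederatedPassiveSecurityTokenServiceOperations), which supplies the already-authenticated principal and serializes the returned identity into the SAML token the browser posts in step 3; the relying party’s WS-Federation Authentication Module then performs step 3.1 only if the token’s audience matches its own realm and the signing certificate is in its issuer name registry.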

Page 15: demo – Externalizing authentication in SharePoint 2010 using WIF

Page 17: Theme-2: Identity Normalization

[Diagram: the three-theme overview from page 10, with the “Identity normalization” components highlighted: SharePoint Web Application, Access control, Search Services Application, WIF]

Page 18: SharePoint Services Scenarios

> Show user’s PayStub in LOB data without credentials (intranet)
> Show real-time order status from supplier inside the enterprise Portal (extranet or internet)
> Securely deploy SharePoint farm(s) for user identity delegation
> Access external services – Business Connectivity Services

Page 19: Services in SharePoint 2010 – a primer

> SharePoint Services Application Framework is made claims-aware
> WIF enables services to have access to both user and service identities

[Diagram: layered stack – .NET; WCF (Windows Communication Foundation); WIF (Windows Identity Foundation); SharePoint Services Application Framework (Claims/Services) with WS-Trust support; on top of it Excel Services, Search Services, Project Services, Secure Store Services and Other Services]

Page 20: “Identity normalization” – Services in Single Farm (WIF – Identity Delegation Feature)

[Diagram: Fabrikam Enterprise, Farm-A, Web App to Service. A Search Web Part in the web application calls the Search Services Application through a WS-Trust Proxy Client; the Services Application exposes WS-Trust Endpoints guarded by a Gate Keeper; both sides trust the SharePoint-STS. Numbered arrows 1–6 trace the call. The web application holds T1 {User}; the SharePoint-STS issues T2 {User, Process}, and T2 is what the Gate Keeper receives.]

Page 21: “Identity normalization” – Services in Cross-farm (WIF – Identity Delegation Feature)

[Diagram: Fabrikam Enterprise, Farm-A to Farm-B, Web App to Service. The same flow as page 20, except that the Search Web Part in Farm-A calls a Services Application in Farm-B. Each farm has its own SharePoint-STS and WS-Trust Endpoints, and a trust relationship links the two SharePoint-STSs so that the token issued for the user in Farm-A is accepted by the Gate Keeper in Farm-B. Steps 1–6 as before.]
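The T1 → T2 exchange on pages 20 and 21 is WIF’s ActAs delegation: the caller presents the user’s token to the STS and receives a token that carries the user’s claims plus the calling application as Actor. The block below is an added example, not code from the talk or from SharePoint’s Services Application Framework; it shows both ends, the web-application side that delegates with the user’s bootstrap token and the service side that plays Gate Keeper by checking the Actor before authorizing on the user’s claims. The client endpoint name “OrderService”, the IOrderService contract, the actor name and the role value are assumptions, and the service is assumed to be hosted with WIF’s federated service host configuration so that Thread.CurrentPrincipal is a claims principal.

```csharp
// Added example (not from the talk or from SharePoint): WIF 1.0 identity delegation
// from a web part to a WCF service, with the service checking who acted as the user.
using System;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;   // ConfigureChannelFactory / CreateChannelActingAs

[ServiceContract]
public interface IOrderService            // assumed contract
{
    [OperationContract]
    string GetStatus(string orderId);
}

// ---- Web application side: the WS-Trust Proxy Client on the slide ----
public static class OrderServiceCaller
{
    // Needs <service saveBootstrapTokens="true"> in the web application's
    // microsoft.identityModel configuration; otherwise BootstrapToken is null.
    public static string GetStatusAsCurrentUser(string orderId)
    {
        IClaimsIdentity user = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (user == null || !user.IsAuthenticated || user.BootstrapToken == null)
            throw new InvalidOperationException(
                "No bootstrap token for the current user; refusing to fall back to the service account.");

        // "OrderService" is an assumed client endpoint (ws2007FederationHttpBinding with the
        // SharePoint-STS as issuer). ConfigureChannelFactory installs WIF's federated credentials.
        ChannelFactory<IOrderService> factory = new ChannelFactory<IOrderService>("OrderService");
        factory.ConfigureChannelFactory();

        // T1 = the user's bootstrap token goes into the RST as ActAs; the STS answers with
        // T2 {User, Process}, which the channel presents to the service.
        IOrderService proxy = factory.CreateChannelActingAs(user.BootstrapToken);
        try
        {
            string status = proxy.GetStatus(orderId);
            ((ICommunicationObject)proxy).Close();
            return status;
        }
        catch
        {
            ((ICommunicationObject)proxy).Abort();
            throw;
        }
    }
}

// ---- Service side: the Gate Keeper on the slide ----
public class OrderService : IOrderService
{
    // Name the delegating application is expected to present (assumed value). A token with
    // no Actor, or with an unexpected one, is refused even if the user's claims look fine.
    private const string TrustedActor = "portal.fabrikam.com";

    public string GetStatus(string orderId)
    {
        IClaimsIdentity caller = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new FaultException("Unauthenticated.");

        // In T2 the user's claims are on 'caller' and the application that acted as the
        // user is 'caller.Actor'.
        IClaimsIdentity actor = caller.Actor;
        if (actor == null || !HasClaim(actor, ClaimTypes.Name, TrustedActor))
            throw new FaultException("Delegation not permitted from this actor.");

        // Authorize on the user's claims, not the actor's: the process being trusted
        // does not make the user entitled to the data.
        if (!HasClaim(caller, ClaimTypes.Role, "OrderViewers"))   // assumed role value
            throw new FaultException("Access denied.");

        return "Order " + orderId + " viewed by " + caller.Name + " via " + TrustedActor;
    }

    private static bool HasClaim(IClaimsIdentity identity, string type, string value)
    {
        foreach (Claim c in identity.Claims)
        {
            if (c.ClaimType == type && string.Equals(c.Value, value, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
```

Because the STS, not the web application, signs T2, the service never has to trust the web application’s word about who the user is; and because the STS records the web application as Actor, the service can still refuse delegation from a process it does not expect. The cross-farm case on page 21 changes only which STS the service trusts, not the checks.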

Page 22: demo – Identity normalization in Services using Claims

Page 23: Theme-3: Non-claims aware services

[Diagram: the three-theme overview from page 10, with the “Support existing identity infrastructure” components highlighted: SharePoint Services Application, Content Database, WIF, IPrincipal]

Page 24: “Non-claims-aware Services” – WIF Claims to Windows Token Service

> In reality, not all the services you interact with are going to be “claims-aware”
> SharePoint has diversified categories of services, SQL etc.
> How would you interact with a Service that requires Windows identity?
> Solution is “Claims to Windows Token Service” (C2WTS)
  > UPN claim converted to Windows Token
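The block below is an added example, not code from the talk, of the C2WTS path described above: a claims-aware service that needs to reach a backend which only understands Windows identity (here SQL Server with integrated authentication) and turns the caller’s UPN claim into a Windows token with WIF’s S4UClient. It includes the checks and prerequisites a deployment has to get right for the backend to see the real user rather than the service account. Server, database, table and column names are assumptions.

```csharp
// Added example (not from the talk or from SharePoint): bridging from a claims
// identity to a non-claims-aware backend through the Claims to Windows Token Service.
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;   // S4UClient

public static class PayStubBackend
{
    // Assumed connection string. No credentials in it, on purpose: with Integrated
    // Security, SQL Server sees whoever is impersonated when the connection opens.
    private const string ConnectionString =
        "Data Source=hrsql.fabrikam.com;Initial Catalog=HR;Integrated Security=SSPI";

    public static int CountPayStubsForCaller()
    {
        IClaimsIdentity caller = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException("No claims identity on the current thread.");

        // Only a UPN claim can be mapped; a SAML or forms user that has none cannot take this path.
        string upn = null;
        foreach (Claim c in caller.Claims)
        {
            if (c.ClaimType == ClaimTypes.Upn) { upn = c.Value; break; }
        }
        if (string.IsNullOrEmpty(upn))
            throw new InvalidOperationException("Caller has no UPN claim; cannot map to a Windows account.");

        // C2WTS performs an S4U logon for the UPN and hands back a Windows token. Prerequisites
        // not shown here: the "Claims to Windows Token Service" is running on this server and
        // this process account is listed in its allowedCallers; and because SQL Server is on
        // another host, the process account needs Kerberos constrained delegation to the SQL
        // SPN, otherwise the S4U token is identification-level and the connection fails.
        WindowsIdentity windowsUser = S4UClient.UpnLogon(upn);

        using (WindowsImpersonationContext impersonation = windowsUser.Impersonate())
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            // SUSER_SNAME() is the Windows login SQL Server actually sees: the user, not the
            // service account, so the backend's own row-level rules apply to the right person.
            "SELECT COUNT(*) FROM dbo.PayStub WHERE EmployeeLogin = SUSER_SNAME()", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
        // Impersonation is reverted when the using block ends, before the thread returns to the pool.
    }
}
```

The security point is that the Windows token is minted without ever holding the user’s password and is scoped by the delegation constraints placed on the process account, which is why allowedCallers and the constrained-delegation target list are the two settings to review when auditing a C2WTS deployment.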

Page 25: demo – Linking non-claim-aware services using “Claims to Windows Token Service”

Page 26: Three Themes – Recap

[Diagram: the three-theme overview from page 10, repeated: “Externalizing Authentication” <Identity into SharePoint>, “Identity normalization” <Identity inside/out of SharePoint>, “Support existing identity infrastructure” <Identity inside SharePoint>]

Page 27: Lessons Learned …

Page 28: Migrating to claims-based model – where to start

> It is not an “ALL or Nothing” deal
> Claims-enable in phases: authentication, authorization, services

Page 29: Lessons Learned – contd.

> Performance
  > Performance Milestone drove changes in WIF
  > Optimizations made to achieve the perf goal:
    > Number of claims
    > Number of service calls per page
    > Number of round trips to SP-STS per service request
    > Caching (ChannelFactory and tokens)

Page 30: Lessons Learned – contd.

> Edge cases & assumptions
  > Cookie size limitation
  > Existing code had many assumptions about identity, each had to be uncovered and mapped
> Clients integration
  > Consider client types to be supported
  > SP 2010 had Browser, Active, Designer tool clients
  > Both passive and active end points implemented on SharePoint STS

Page 31: Summary

> SharePoint 2010 achieves NEW path to identity using WIF’s claims-based identity model
> Key takeaways
  > Single model – claims-based identity model
  > Standards based & Interoperable
> We have stepped up to the challenge
> Not only SharePoint, your applications too can benefit from WIF’s claims-based identity model. Get onboard!

Page 32: Other Identity Sessions @ PDC2009

> Identity sessions
  > PR11: Leveraging & Extending SharePoint Identity Features
  > SVC02: Windows Identity Foundation Overview
  > SVC10: Software + Services Identity Roadmap
  > SVC17: Enabling SSO to Windows Azure Applications
  > SVC19: REST Security Services in Windows Azure using the Access Control Service
  > SVC28: System.IdentityModel Accessing Directory Services
> Come visit us at the booth in the pavilion!
> Try a hands on lab
  > Introduction to Windows Identity Foundation
  > Using WIF to Secure Windows Azure Applications

Page 33: YOUR FEEDBACK IS IMPORTANT TO US!

Please fill out session evaluation forms online at MicrosoftPDC.com

Page 34: Learn More On Channel 9

> Expand your PDC experience through Channel 9
> Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses

channel9.msdn.com/learn
Built by Developers for Developers….

Page 35:

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
