SPSBE 2013 Claims for devs
Transcript of SPSBE 2013 Claims for devs
Claims for devs #spsbe
Steven Van de Craen
Thanks to our Sponsors
Platinum
Gold
Silver
About me
Steven Van de Craen
Ventigrate
SharePoint
enthusiast
Since 2005
Overview
• AuthN – AuthZ
• Tokens and Claims
• What about SharePoint
• Passive sign-in
• Cookies and expiration
• Encoding
• #demos
• Wrap-up
• Resources
AuthN vs AuthZ
• What is Authentication? Process of determining whether someone is who he declares to be (“I am @vandest1”)
• What is Authorization? Process of determining whether someone has the permission to do something (“I have Read permissions on this site”)
Tokens and Claims
• What is a Claim? Information such as name, e-mail, age, group membership, etc.
• What is Identity? Set of attributes to describe a user
• Security Token: User Identity as a set of claims
What about SharePoint
• Classic or Claims
• Three authentication options
  Windows – NTLM/Kerberos/Basic transformed into a Windows token
  Forms Based Authentication – Membership and Role Provider, typical extranet with SQL or LDAP as underlying store
  Trusted Identity – Outsource authentication to an Identity Provider (WLID, ADFS, custom)
• C2WTS – Converts classic and claims users to a Windows token for systems that aren’t claims aware
Passive sign-in
An Identity Provider (IdP) is an authority that makes claims about an entity
An identity provider implements a Security Token Service (STS), which issues tokens
The Relying Party (your application) needs to decide which “claim” it trusts
  Facebook: “Steven is 18 years old”
  Social Services: “Steven is 29 years old”
SAML 1.1 required – http://msdn.microsoft.com/en-us/magazine/ff872350.aspx
Cookies and expiration
• Persistent vs Session
• Single Sign On for Office clients, WebDAV
• Configurable on the SharePoint STS
• SharePoint 2013 Distributed Cache – Stores the security token issued by a Secure Token Service. Any web server can access the security token from the cache, authenticate the user and provide access to the resources requested.
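The two slides above (passive sign-in and cookies/expiration) leave the relying party's decision implicit: a token carries claims from one or more issuers, and the application must choose which issuer it believes for which claim type, and must stop honouring the token once it expires. The following stand-alone Python model is an added example, not code from the deck, from SharePoint or from WIF; the issuer names, claim types, trust policy and timestamps are all constructed for illustration, with the "18 vs 29 years old" conflict from the slide as input.

```python
"""Relying-party side of passive sign-in: decide which claims to trust.

Added example (not from the slide deck): a security token is modelled as a
set of claims, each tagged with the issuer that asserted it. The relying
party keeps a trust policy (which issuer it believes for which claim type)
and enforces the token's validity window before using any claim.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Claim:
    claim_type: str   # e.g. "age", "name", "email" (constructed short names)
    value: str
    issuer: str       # the identity provider that made the claim


@dataclass(frozen=True)
class SecurityToken:
    subject: str
    claims: tuple
    issued_at: datetime
    expires_at: datetime


# Constructed trust policy for this relying party: claim type -> issuers trusted for it.
# Both Facebook and SocialServices assert an age; only SocialServices is believed for it.
TRUST_POLICY = {
    "name": {"Facebook", "SocialServices"},
    "age": {"SocialServices"},
    "email": {"Facebook"},
}

# Fixed clock so the example is reproducible (constructed value).
FIXED_NOW = datetime(2013, 4, 20, 12, 0, tzinfo=timezone.utc)


def is_token_valid(token, now):
    """A token is usable only inside [issued_at, expires_at)."""
    return token.issued_at <= now < token.expires_at


def trusted_claims(token, policy, now):
    """Return only the claims the relying party accepts from this token.

    Raises ValueError for an expired or not-yet-valid token: such a token
    must not contribute any claims at all, trusted issuer or not.
    """
    if not is_token_valid(token, now):
        raise ValueError("token outside its validity window")
    return [c for c in token.claims if c.issuer in policy.get(c.claim_type, set())]


def claim_value(claims, claim_type):
    """Single accepted value for a claim type, or None if absent or ambiguous."""
    values = {c.value for c in claims if c.claim_type == claim_type}
    return values.pop() if len(values) == 1 else None


def build_sample_token(now):
    """Constructed token reproducing the slide's conflicting age claims."""
    return SecurityToken(
        subject="Steven",
        claims=(
            Claim("name", "Steven", "Facebook"),
            Claim("age", "18", "Facebook"),
            Claim("age", "29", "SocialServices"),
            Claim("email", "steven@example.invalid", "Facebook"),
        ),
        issued_at=now - timedelta(minutes=5),
        expires_at=now + timedelta(hours=1),
    )


if __name__ == "__main__":
    token = build_sample_token(FIXED_NOW)
    accepted = trusted_claims(token, TRUST_POLICY, FIXED_NOW)
    print("age the relying party believes:", claim_value(accepted, "age"))
    print("token still valid at expiry instant:", is_token_valid(token, token.expires_at))
```

The policy is keyed per claim type rather than per issuer on purpose: an issuer that is authoritative for one attribute (a social network for an e-mail address) is not automatically authoritative for another (age), which is exactly the distinction the slide draws.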
Encoding
• Classic
  Windows: DOMAIN\username
  FBA: myprovider:username
• Claims
  Windows: i:0#.w|domain\username
  FBA: i:0#.f|myprovider:username
• Microsoft.SharePoint.Administration.Claims
  SPClaim
  SPClaimProviderManager .DecodeClaim/.EncodeClaim
http://www.wictorwilen.se/Post/How-Claims-encoding-works-in-SharePoint-2010.aspx
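The encoding slide shows the two identifier shapes side by side; the point for developers is that code which compares, logs or looks up logins must recognise both, because a classic `DOMAIN\username` and a claims `i:0#.w|domain\username` refer to the same principal. The following Python is an added example, not code from the deck and not the `SPClaimProviderManager.DecodeClaim/EncodeClaim` API it stands in for: it parses and re-emits the `i:0#.w|…` layout from the slide and normalises classic and claims logins to one key, as the audit-logging demo would need. The character tables for claim types and issuers are a partial mapping assumed for the example (only `#` and `w`/`f` appear on the slide); anything not in the tables is passed through unchanged rather than guessed.

```python
"""Decode, encode and normalise SharePoint encoded claim identifiers.

Added example, not code from the deck or from Microsoft.SharePoint.
Layout mirrored from the slide:

    i:0#.w|domain\\username      Windows user  (classic form: DOMAIN\\username)
    i:0#.f|myprovider:username   FBA user      (classic form: myprovider:username)

    <kind>:0<type-char>.<issuer-char>|<value>
      kind         i = identity claim, c = any other claim
      0            reserved
      type-char    one character standing for the claim type URI
      issuer-char  w = Windows, f = forms (membership provider),
                   t = trusted identity provider, s = SharePoint's own STS
"""
import re

# Assumed partial table: encoded character -> claim type URI.
CLAIM_TYPE_CHARS = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}
# Assumed partial table: issuer character -> issuer kind.
ISSUER_CHARS = {"w": "windows", "f": "forms", "t": "trusted", "s": "securitytokenservice"}

ENCODED_RE = re.compile(r"^(?P<kind>[ic]):0(?P<type>.)\.(?P<issuer>[a-z])\|(?P<value>.+)$")


def decode_claim(encoded):
    """Parse an encoded claim into its parts; None if the string is not encoded."""
    m = ENCODED_RE.match(encoded)
    if not m:
        return None
    return {
        "is_identity": m.group("kind") == "i",
        "claim_type": CLAIM_TYPE_CHARS.get(m.group("type"), m.group("type")),
        "issuer": ISSUER_CHARS.get(m.group("issuer"), m.group("issuer")),
        "value": m.group("value"),   # for trusted IdPs this still holds "provider|value"
    }


def encode_claim(is_identity, claim_type, issuer, value):
    """Inverse of decode_claim; refuses to emit a string for unknown tables."""
    type_char = {uri: ch for ch, uri in CLAIM_TYPE_CHARS.items()}.get(claim_type, claim_type)
    issuer_char = {name: ch for ch, name in ISSUER_CHARS.items()}.get(issuer, issuer)
    if len(type_char) != 1 or len(issuer_char) != 1:
        raise ValueError("unknown claim type or issuer; cannot encode")
    return f"{'i' if is_identity else 'c'}:0{type_char}.{issuer_char}|{value}"


def normalize_login(login):
    """Map a classic or claims login to one (issuer, value) key for audit/lookup.

    Windows logon names are case-insensitive, so they are lower-cased; forms
    provider names are left as-is because membership stores may be case-sensitive.
    """
    decoded = decode_claim(login)
    if decoded is not None:
        if not decoded["is_identity"]:
            raise ValueError("only identity claims name a user")
        value = decoded["value"]
        return (decoded["issuer"], value.lower() if decoded["issuer"] == "windows" else value)
    if "\\" in login:                 # classic Windows: DOMAIN\username
        return ("windows", login.lower())
    if ":" in login:                  # classic FBA: provider:username
        return ("forms", login)
    raise ValueError(f"unrecognised login format: {login!r}")


if __name__ == "__main__":
    for login in ("DOMAIN\\Username", "i:0#.w|domain\\username", "i:0#.f|myprovider:username"):
        print(login, "->", decode_claim(login), normalize_login(login))
```

Note the deny-by-default choices: `encode_claim` raises rather than inventing a character for a claim type it does not know, and `normalize_login` raises on a `c:` claim, because treating a role or group claim as a user identity is the kind of confusion that leads to wrong audit records.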
#demos
• Create a custom login page
  Multiple authentication: automatic redirect
  Simple audit logging
  Update SPUser display name and email
• Create a custom Security Token Service
  Provide centralized authentication for many Relying Parties
  Single sign on across Relying Parties
  Can have pluggable authentication model with multiple providers
• Create a custom claim provider
  Augment – Provide additional claims for the identity
  Resolution – Allow name resolution for People Picker
  Use claims for normalization or authorization (claims based security)
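The custom claim provider demo names two steps that are easy to conflate: augmentation (the provider adds claims to an already-authenticated identity) and then using those claims for authorization. The following Python model is an added example, not the deck's demo code and not the SharePoint `SPClaimProvider` API: it performs augmentation from a constructed directory lookup keyed on the logon-name claim, and then answers access decisions purely from the augmented claim set, which is what "claims based security" means in practice. The directory, role mapping, custom claim type URNs (`urn:example:…`) and access rules are all constructed for the example.

```python
"""Claims augmentation followed by claims-based authorization.

Added example (not SharePoint code): models what a custom claim provider's
augmentation step does, then makes access decisions from the resulting claims.
"""
# Claim type URIs. The logon-name and role URIs are the standard ones; the
# department and clearance types are hypothetical custom claim types.
LOGON = "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
DEPARTMENT = "urn:example:claims:department"
CLEARANCE = "urn:example:claims:clearance"

# Constructed directory: lower-cased logon name -> attributes the provider can see.
DIRECTORY = {
    "domain\\steven": {"department": "IT", "clearance": "internal"},
    "domain\\alice": {"department": "Finance", "clearance": "confidential"},
}

# Constructed mapping from a department attribute to the role claims it implies.
DEPARTMENT_ROLES = {
    "IT": ["SiteAdmins", "Everyone"],
    "Finance": ["FinanceReaders", "Everyone"],
}

# Constructed access rules: resource -> claims that must ALL be present.
ACCESS_RULES = {
    "/sites/finance/budget.xlsx": [(ROLE, "FinanceReaders"), (CLEARANCE, "confidential")],
    "/sites/it/runbooks": [(ROLE, "SiteAdmins")],
    "/sites/public": [(ROLE, "Everyone")],
}


def augment(identity_claims, directory=DIRECTORY):
    """Return the identity's claims plus the claims this provider adds.

    An unknown user gets nothing added: augmentation must never guess.
    """
    logon = next((c["value"] for c in identity_claims if c["type"] == LOGON), None)
    attrs = directory.get(logon.lower()) if logon else None
    if attrs is None:
        return list(identity_claims)
    added = [
        {"type": DEPARTMENT, "value": attrs["department"]},
        {"type": CLEARANCE, "value": attrs["clearance"]},
    ]
    added += [{"type": ROLE, "value": r} for r in DEPARTMENT_ROLES.get(attrs["department"], [])]
    return list(identity_claims) + added


def has_claim(claims, claim_type, value):
    """True if the claim set contains exactly this (type, value) pair."""
    return any(c["type"] == claim_type and c["value"] == value for c in claims)


def authorize(claims, resource, rules=ACCESS_RULES):
    """Deny by default: the resource must be listed and every requirement must match."""
    requirements = rules.get(resource)
    if not requirements:
        return False
    return all(has_claim(claims, t, v) for t, v in requirements)


if __name__ == "__main__":
    steven = augment([{"type": LOGON, "value": "DOMAIN\\Steven"}])
    for resource in ACCESS_RULES:
        print(resource, "->", "allow" if authorize(steven, resource) else "deny")
```

Because the decision reads only the claim set, the same `authorize` works unchanged whether the user arrived via Windows, forms or a trusted identity provider; only `augment` knows where the extra attributes come from, which is the decoupling the wrap-up slide is pointing at.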
Wrap-up
Multiple authentication
Use claims for securing content
Single sign on across RPs and apps
Decouple authentication from SharePoint
Recommended authentication model for SharePoint
Resources
Implementing Claims-Based Authentication with SharePoint Server 2010 – http://bit.ly/ozwB17
Claims authentication against Windows Live ID for SharePoint 2010 – http://bit.ly/aXKMCp
Converting EPiServer 6 to use claims-based authentication with WIF – http://bit.ly/c71Ipl
Ventigrate Codeplex: External User Management – http://bit.ly/JMtpc4
Claims Walkthrough: Writing Claims Providers for SharePoint 2010 – http://bit.ly/aNPypt
The Identity Guy – http://bit.ly/qYhItd
How Claims encoding works in SharePoint 2010 – http://bit.ly/yqpwR7
How to Get All User Claims at Claims Augmentation Time in SharePoint 2010 – http://bit.ly/gX3V3p
Custom Security Token Service (WIF 4.5) – http://bit.ly/14fGzb5
How to make use of a custom IP-STS with SharePoint 2010 – http://bit.ly/Y7OnJB
THANK YOU
Steven Van de Craen
EMAIL: [email protected]
BLOG: http://www.sharepointblogs.be/blogs/vandest
TWITTER: @vandest1