Claims Based Authentication in SharePoint 2010

Claims-Based Authentication SharePoint 2010 11/15/2011 Jonathan Schultz (@SharePointValue) Skyline Technologies, Inc.

Transcript of Claims Based Authentication in SharePoint 2010

Page 1: Claims Based Authentication in SharePoint 2010

Claims-Based Authentication
SharePoint 2010

11/15/2011

Jonathan Schultz (@SharePointValue), Skyline Technologies, Inc.

Page 2: Claims Based Authentication in SharePoint 2010

About Skyline Technologies

• Leading Microsoft solutions provider
  – Develops and tailors IT applications to meet the business and technical objectives of customers
  – Serves clients in industries ranging from manufacturing and retail to healthcare, transportation, and logistics
• Microsoft Partner with Gold competencies in Business Intelligence, Content Management, Portals and Collaboration, and Web Development, and Silver competencies in Data Platform, Project and Portfolio Management, Search, and Software Development
• Provides a pathway to speed your company toward its vision
• Recognized by businesses nationwide as a team of smart, experienced people and a Microsoft Gold Certified Partner organization specializing in adapting Microsoft solutions to individual clients’ needs

Page 3: Claims Based Authentication in SharePoint 2010

Agenda

• What are Claims?
• Why would you use them?
• Claims-Based Authentication
  – Basic Architecture
  – Trusted Identity Providers
  – Advanced Concepts
• Claims Development Tasks
• Reality of Claims Based Authentication
• Reference Materials

Page 4: Claims Based Authentication in SharePoint 2010

What are Claims?

• Attributes about a User
• Need to Come from Someone You Trust
• Driver’s License Example
  – Trusted Provider = State of Wisconsin
  – Claims
    • Name = Jonathan Schultz
    • Age = 35
    • Organ Donor = No

Page 5: Claims Based Authentication in SharePoint 2010

Why Use Claims?

• Claim Augmentation
  – Security Groups from Active Directory
  – HRMS/CRM Attributes
    • Title/Role
• Federation
  – Partner Network
    • Business to Business
  – Subsidiaries
  – Web 2.0 (Windows Live, Facebook, etc.)
• Advanced Authentication & Authorization

Page 6: Claims Based Authentication in SharePoint 2010

Basic Claims Scenario

Page 7: Claims Based Authentication in SharePoint 2010

Claims Based Architecture

Page 8: Claims Based Authentication in SharePoint 2010

Terminology

• Security Token Service (STS)
  – Identity Provider (IP-STS)
  – Relying Party (RP-STS)
• Security Assertion Markup Language (SAML)
• Windows Identity Framework (formerly Geneva)
• Trusted Login Provider

Page 9: Claims Based Authentication in SharePoint 2010

Under the Covers

Page 10: Claims Based Authentication in SharePoint 2010

Claims-to-Windows Token Service

Page 11: Claims Based Authentication in SharePoint 2010

Claims Based Architecture Notes

• New in SharePoint 2010
• Authentication Prompt for Multiple Providers
• All Intra/Inter Farm Calls are Claims Based
  – i.e. Service Applications
• Claims-to-Windows Token Service Needed for Some Service Applications, i.e. PerformancePoint Services

Page 12: Claims Based Authentication in SharePoint 2010

Claims Development Tasks

• Custom Login Pages
  – Extranet Scenarios
  – Branding
  – “Remember Me” Capability
  – Home Realm Discovery
• Custom Claim Providers
  – Claims Augmentation
  – Claims Picking / Resolution
• Trusted Login Providers
  – WIF SDK
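As an added illustration of the claims augmentation task listed above (example code written for this transcript, not code from the deck or from Skyline), here is a minimal SPClaimProvider that appends a Department claim and a Location claim to each user at sign-in. The class name, the namespace, the two claim type URIs and the in-memory HR lookup table are assumptions standing in for a real HRMS/CRM query; the members it overrides are the abstract members of the SharePoint 2010 SPClaimProvider class.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;                 // ClaimValueTypes (WIF)
using Microsoft.SharePoint.Administration.Claims;     // SPClaimProvider, SPClaim, SPClaimEntityTypes
using Microsoft.SharePoint.WebControls;               // PickerEntity, SPProviderHierarchyTree, SPProviderSchema

namespace Contoso.Claims   // hypothetical namespace for this sample
{
    /// <summary>
    /// Augmentation-only claim provider: at every sign-in SharePoint calls
    /// FillClaimsForEntity, and this provider appends Department and Location claims.
    /// </summary>
    public class HrClaimProvider : SPClaimProvider
    {
        // Custom claim type URIs (assumed values). The same strings are used
        // later when permissions are granted to these claims.
        public const string DepartmentClaimType = "http://schemas.contoso.com/claims/department";
        public const string LocationClaimType   = "http://schemas.contoso.com/claims/location";

        // Constructed sample data standing in for the HRMS/CRM lookup.
        // Key: identity claim value; Value: { department, location }.
        private static readonly Dictionary<string, string[]> HrDirectory =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { @"contoso\jschultz", new[] { "HR", "US" } },
                { @"contoso\itadmin",  new[] { "IT", "US" } },
            };

        public HrClaimProvider(string displayName) : base(displayName) { }

        public override string Name { get { return "HrClaimProvider"; } }

        // Augmentation is the only capability; picking and resolving stay with
        // the built-in providers, so the remaining Fill* methods are no-ops.
        public override bool SupportsEntityInformation { get { return true; } }
        public override bool SupportsHierarchy         { get { return false; } }
        public override bool SupportsResolve           { get { return false; } }
        public override bool SupportsSearch            { get { return false; } }

        protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
        {
            if (entity == null) throw new ArgumentNullException("entity");
            if (claims == null) throw new ArgumentNullException("claims");

            // entity is the user's identity claim. For a Windows-claims sign-in
            // (encoded as i:0#.w|domain\user) its Value is the logon name; this
            // sample assumes that, while a forms or SAML provider may use email or UPN.
            string[] attrs;
            if (!HrDirectory.TryGetValue(entity.Value, out attrs))
                return; // unknown user: add nothing; an exception here surfaces as a failed sign-in

            claims.Add(CreateClaim(DepartmentClaimType, attrs[0], ClaimValueTypes.String));
            claims.Add(CreateClaim(LocationClaimType,   attrs[1], ClaimValueTypes.String));
        }

        protected override void FillClaimTypes(List<string> claimTypes)
        {
            claimTypes.Add(DepartmentClaimType);
            claimTypes.Add(LocationClaimType);
        }

        protected override void FillClaimValueTypes(List<string> claimValueTypes)
        {
            claimValueTypes.Add(ClaimValueTypes.String);
        }

        protected override void FillEntityTypes(List<string> entityTypes)
        {
            entityTypes.Add(SPClaimEntityTypes.FormsRole);
        }

        // Required abstract members that this augmentation-only provider does not use.
        protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID,
                                              int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
        protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput,
                                            List<PickerEntity> resolved) { }
        protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput,
                                            List<PickerEntity> resolved) { }
        protected override void FillSchema(SPProviderSchema schema) { }
        protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern,
                                           int maxCount, SPProviderHierarchyTree searchTree) { }
    }
}
```

The provider is registered with the farm through a feature whose receiver derives from SPClaimProviderFeatureReceiver. Two operational points follow from the design: the augmented claims are written into the user's session token at sign-in, so a change in the source system only takes effect at the next sign-in or token renewal, and any lookup failure should degrade to "no extra claims" rather than an exception, since the provider runs inside the sign-in path for every user.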

Page 13: Claims Based Authentication in SharePoint 2010

Reality of Claims Based Authentication

• Claims Authorization uses OR logic, not AND
  – Scenario: Authorize US HR User
    • Location Claim = US
    • Department Claim = HR
    • Will also succeed for a US IT user, because the check is US OR HR
• Trusted Identity Providers
  – Cookie Driven (Watch out for domains/paths)
  – Time Based Expiration (Server Times)
• Claims + Kerberos + SSRS = Problem
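The OR-versus-AND point above is easiest to see in code. The following is an added example, not part of the deck and not SharePoint code: a stand-alone model of a permission check in which a user's token is a set of claims and an object's permissions are a list of granted principals. The Claim type, the claim type URIs and the three sample users are constructed here. It shows why granting to Location=US and Department=HR also admits US IT and UK HR users, and the usual mitigation: have a claim provider compute the conjunction during augmentation and emit one combined claim that the permission is granted to instead.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Minimal claim: type URI plus value (the issuer is omitted in this model).
public struct Claim
{
    public readonly string Type;
    public readonly string Value;
    public Claim(string type, string value) { Type = type; Value = value; }
}

public static class ClaimTypes   // assumed URIs for the sample
{
    public const string Location   = "http://schemas.contoso.com/claims/location";
    public const string Department = "http://schemas.contoso.com/claims/department";
    public const string DeptAtSite = "http://schemas.contoso.com/claims/department-at-location";
}

public static class AccessCheck
{
    // Models the SharePoint check: each claim in the token is compared with each
    // principal granted on the object, and a single match grants access (OR),
    // because the permission list is a list of alternative principals, not a predicate.
    public static bool IsGranted(IEnumerable<Claim> token, IEnumerable<Claim> granted)
    {
        return token.Any(t => granted.Any(g =>
            string.Equals(t.Type,  g.Type,  StringComparison.OrdinalIgnoreCase) &&
            string.Equals(t.Value, g.Value, StringComparison.OrdinalIgnoreCase)));
    }

    // What an augmenting claim provider would do: evaluate Location AND Department
    // once, at sign-in, and add a combined claim that the ACL can be granted to.
    public static List<Claim> AugmentWithDeptAtSite(IEnumerable<Claim> token)
    {
        var result = new List<Claim>(token);
        string location   = result.Where(c => c.Type == ClaimTypes.Location).Select(c => c.Value).FirstOrDefault();
        string department = result.Where(c => c.Type == ClaimTypes.Department).Select(c => c.Value).FirstOrDefault();
        if (location != null && department != null)
            result.Add(new Claim(ClaimTypes.DeptAtSite, location + ":" + department));
        return result;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample tokens, one per user.
        var users = new Dictionary<string, List<Claim>>
        {
            { "US HR user", new List<Claim> { new Claim(ClaimTypes.Location, "US"), new Claim(ClaimTypes.Department, "HR") } },
            { "US IT user", new List<Claim> { new Claim(ClaimTypes.Location, "US"), new Claim(ClaimTypes.Department, "IT") } },
            { "UK HR user", new List<Claim> { new Claim(ClaimTypes.Location, "UK"), new Claim(ClaimTypes.Department, "HR") } },
        };

        // Attempt 1: grant to both claims, intending "US AND HR".
        var grantedToBothClaims = new[] { new Claim(ClaimTypes.Location, "US"), new Claim(ClaimTypes.Department, "HR") };

        // Attempt 2: grant only to the combined claim produced by augmentation.
        var grantedToCombined = new[] { new Claim(ClaimTypes.DeptAtSite, "US:HR") };

        foreach (var user in users)
        {
            Console.WriteLine("{0}: Location+Department entries = {1}; combined claim = {2}",
                user.Key,
                AccessCheck.IsGranted(user.Value, grantedToBothClaims),
                AccessCheck.IsGranted(AccessCheck.AugmentWithDeptAtSite(user.Value), grantedToCombined));
        }
    }
}
```

With the first permission list every one of the three users is granted, each matching on a single entry; with the combined claim only the US HR user is. The cost of the mitigation is that the conjunction is fixed at augmentation time, so each new "A and B" rule the business needs becomes another claim the provider has to emit.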

Page 14: Claims Based Authentication in SharePoint 2010

Reference Materials

• Claims and Security Technical Articles for SharePoint 2010

• Implementing Claims-Based Authentication with SharePoint Server 2010 – White Paper

• A Guide to Claims-Based Identity and Access Control – Patterns & Practices

• Custom Claims-Based Security in SharePoint 2010

• Steve Peschka’s Blog: Share-n-dipity