4. About Me
• Solution Architect @ SusQtech (Winchester, VA)
• SharePoint MVP since 2007
• Working with SharePoint since 2002
• Worked on all kinds of projects
• Internet
• Intranet
• Extranet
• Anything SharePoint Really
• Involved in Architecture, Deployment, Customization and Development of SharePoint
5. You can teach a student a lesson for a day; but if you can teach him / her to learn by creating curiosity, they will continue the learning process as long as they live.
Clay P. Bedford
6. I am hoping for a different kind of Curiosity today
7. Agenda
• Security in General
• Security with SharePoint
• Authentication
• Authorization
• Authentication vs. Authorization
• Claims Authentication / Authorization
• Real world approach
8. Security in General
Dictionary Definition:
• Freedom from danger, risk, etc.; safety.
• Freedom from care, anxiety, or doubt; well-founded confidence.
• Something that secures or makes safe; protection; defense.
• Freedom from financial cares or from want: The insurance policy gave the family security.
• Precautions taken to guard against crime, attack, sabotage, espionage.
11. Security with SharePoint
How does security come into play with SharePoint?
• Same questions as with security in general
  • How, Who, When and often Why
• Content specific security
• Role based as well as individual security
• Collaboration security
  • Cross Team
  • Cross Organizational
  • Cross Company
• Specific permission sets for types of access and functionality
12. Authentication – What is?
Dictionary Definition:
• To establish as genuine.
• To establish the authorship or origin of conclusively or unquestionably, chiefly by the techniques of scholarship: to authenticate a painting.
• To make authoritative or valid.
13. Authentication – Types of?
• Windows
  • NTLM
  • Kerberos
  • Basic
  • Anonymous
  • Digest
• Forms-based Authentication
  • Lightweight Directory Access Protocol (LDAP)
  • Microsoft SQL Server
  • ASP.NET Membership and Role Providers
• SAML Token-based Authentication
  • Active Directory Federated Services
  • 3rd Party Identity Provider
  • Lightweight Directory Access Protocol (LDAP)
14. Authorization – What is?
Dictionary Definition:
• The act of authorizing.
• Permission or power granted by an authority; sanction.
• To give authority or official power to.
• To give authority for; formally sanction (an act or proceeding).
• To establish by authority or usage.
15. Authentication vs. Authorization
• Misunderstood Terminology
  • Users, IT and Developers
• Authentication = Verification of Claim (I am Liam)
• Authorization = Verification of Permission (Liam has access to)
• Authentication Precedes Authorization
  • Correct ID shown to Bank Teller
  • You are Asking to be Authenticated on the Account
  • Once accepted you become Authorized on the Account
• Exception to the rule
  • Anonymous Access can leave comments on a Blog site
  • Anonymous users are already Authorized but not Authenticated
• Too often we focus on Authentication and not Authorization
  • We expect our users, clients etc. to just inherently know what they are to do
  • We often forget that Authentication can be broken, and that Authorization is slightly more complicated
17. Authentication – Claims
Why introduce Claims Authentication?
• Wide Support
  • Standards Based
    • WS-Federation 1.1
    • WS-Trust 1.4
    • SAML Token 1.1 AuthN
• Single Sign On
  • Federation
    • Already many providers, Live, Google, Facebook etc.
• Microsoft standard approach
  • Fed up with custom coding everything, every time
  • Gets round (some) Office Integration problems
• Easy to configure with little effort
  • Multiple Web Config changes, Web Application Changes and then of course the actual configuration of your identity provider
18. Authentication – Claim Terminology
• Identity
  • Info about a Person or Object (AD, Google, Windows Live, Facebook etc.)
• Claim
  • Attributes of the Identity (User ID, Email, Age etc.)
• Token
  • Binary Representation of Identity
  • Set of Claims and the Signature
• Relying Party (aka RP)
  • Uses the Token
• Secure Token Service (STS)
  • Issuer of Tokens for Users
19. Authentication – Sign In Process
Diagram: Identity Provider Security Token Service (aka IP-STS) and SharePoint 2010 (aka RP)
1. Resource Requested
2. AuthN Request / Redirect
3. AuthN Request
4. Security Token
5. Security Token Request
6. Service Token
7. Resource Request w/Service Token
8. Resource Sent
21. Authentication – Identity Provider
• No need for Membership and Role Provider
• Single Sign On Built in
• Centrally Managed and Entry point for all Authentication
• Utilizes Windows Identity Framework
How to build an Identity Provider
• Create new ASP.NET Security Token Web Service Web Site
• Configure Certificate Settings and Name in <AppSettings>
  • Check Issuer Name within Certificates MMC
• Create new Claims-aware ASP.NET Web Site (testing)
  • Add STS Reference to Claims-aware ASP.NET Web Site
  • Set Claims
  • Test
• Real World will need code changes:
  • Connect to authentication system
  • Modify Claims
  • Authentication Logic
23. Authentication – Identity Provider
• Deployment into separate Web Site
  • https://sts.company.com
• Use SSL for all communication
  • Ensure SharePoint 2010 trusts the certificate being used by the Provider
• Methods of override:
  • Authenticate User
  • GetClaimTypeForRole
  • GetOutputClaimsIdentity
• Create User Class – methods to get values from backend into claims
• Create Claim Types class
• Create custom login methods and validation
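The code changes slides 21 and 23 call for, as an added example that is not from the presentation or its author: a custom STS in the shape the WIF 1.0 (Microsoft.IdentityModel) "ASP.NET Security Token Service Web Site" template generates, with GetScope restricted to a list of trusted relying parties and GetOutputClaimsIdentity pulling claims from a backend. The trusted-realm list and the in-memory Backend dictionary (standing in for the association management system) are constructed sample data, not real configuration.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class CustomSecurityTokenService : SecurityTokenService
{
    // Relying parties (SharePoint web applications) this STS may issue tokens for.
    // Constructed sample values; read them from configuration in a real deployment.
    private static readonly HashSet<string> TrustedRelyingParties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "https://intranet.company.com/", "https://extranet.company.com/" };
    // Hypothetical stand-in for the association management backend:
    // login -> { display name, e-mail, ';'-separated roles }. Constructed sample data.
    private static readonly Dictionary<string, string[]> Backend =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        { { "liam", new[] { "Liam Cleary", "Liam.Cleary@Company.com", "Members;Editors" } } };

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    // Only issue tokens for known relying parties; the realm doubles as the reply
    // address, so a token is never posted back to an unknown site.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null)
            throw new InvalidRequestException("AppliesTo (realm) is required.");
        string realm = request.AppliesTo.Uri.OriginalString;
        if (!TrustedRelyingParties.Contains(realm))
            throw new InvalidRequestException("Unknown relying party: " + realm);
        Scope scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false; // token is signed with the STS certificate, not encrypted
        scope.ReplyToAddress = realm;
        return scope;
    }

    // Map the authenticated login to claims. The e-mail is trimmed and lower-cased so
    // SharePoint sees one normalized identifier claim across all web applications.
    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        string[] record;
        if (!Backend.TryGetValue(principal.Identity.Name, out record))
            throw new InvalidRequestException("Login not found in association backend.");
        ClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, record[0]));
        identity.Claims.Add(new Claim(ClaimTypes.Email, record[1].Trim().ToLowerInvariant()));
        foreach (string role in record[2].Split(';'))
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));
        return identity;
    }
}
```

The e-mail claim must match the identifier claim type mapped on the SharePoint trusted identity provider; the role claims feed the Claims entry on the "Use roles from Provider" slide.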
24. Security – Real World
• Expect the unexpected
  • People will find a way to circumvent your security
• Give users minimal permission
  • Starting with Less is good
  • Add functionality through permission as needed
• Be prepared to secure at all levels
  • Web Application
  • Site Collection
  • Site
  • List or Library
  • Item
• Use roles from Provider
  • Active Directory Groups
  • Membership and Role Provider Roles
  • Claims
26. Authentication – Real World
Requirements
• Multiple Web Sites
• 100s of 1000s of Users
• No Active Directory
• Custom Association Management System for Subscribed Users
• Single User Profiles
  • Single Entry for Profile Update etc.
• External Authentication for SSO
  • Token based Authentication Service for Vendors if needed
  • Cross Web Application Authentication (internal SSO)
• Use Identity Normalization