SharePoint, ADFS and Claims Auth
Download as PPTX, PDF1 like2,663 views
This document discusses configuring identity federation between SharePoint and Active Directory Federation Services (ADFS) using claims-based authentication. It provides an overview of key concepts like claims, security tokens, relying parties, and security token services. It then describes how to install and configure ADFS, set up SharePoint as a relying party, and configure claims mappings between the two systems to enable single sign-on using ADFS credentials. Additional topics covered include using Azure Access Control Service for additional identity providers and updating SharePoint when ADFS certificates are renewed.
SharePoint, ADFS and Claims Auth
- 1. SharePoint, ADFS, ACS and Claims-based Authentication Kashif Imran [email protected]
- 2. Agenda • Claims-based Identity Model’s Key Concepts • Install and Configure ADFS for SharePoint 2013 • Configure Azure ACS and SharePoint for SSO using Google etc. • Use ADFS as IP-STS via Azure ACS as RP-STS • Claims Viewer • Custom Claims Provider
- 3. Claims with SharePoint is sort of like a bird, it’s pretty cute until it shits on your head.
- 4. I drink beer to celebrate major events, the fall of communism, or the fact that our SharePoint and ADFS is still working.
- 5. Identity in Traditional Applications • Application • Identity Management • Account creation • Password creation • Password change • Password reset • … • 2 Step Verification • Attribute Store
- 6. Identity in Real World • Buy wine/beer example • Externalize authentication to DMV • Driving license • document that is relatively hard to produce/forge • Has additional information about user (age) • International Travel • Passport • Boarding Card
- 7. Claims-based Identity Model • Way for applications to acquire the identity information about internal or external users • Abstracts individual elements of identity and access control into “Notion of claims” and “Concept of issuer or an authority” • Applications do not need to authenticate users, store user accounts or passwords, etc. • Original intention behind the claims-based identity model was to enable federation between organization, but claims are not just for federation • Claim • Statement that one subject (user or organization) makes about itself of another subject. E.g.: name, group, ethnicity etc. • Why call these “claims” and not “attributes”? “Delivery method” => User delivers claims to application instead of application looking these up in some directory • Assert user has logged in • Claims are NOT what a user can or can not do, they are what a user is or is not • Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer • Issuer, Type, Value => (Google, Email, [email protected]) • Security Token • Serialized set of claims that is digitally signed by the issuing authority (Claims are unchanged and comes from whoever signed in) • Successful outcome of sign in • SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)
- 8. Relying Party and STS • Relying Party (RP) • An application that relies on claims • Claims aware application • Claims-based application • Security Token Service • Service component that builds, signs and issues security tokens • Implicit authN (no token, no party) • WS-Trust, WS-Fed, SAML • IP-STS: • authenticates a client and creates SAML token • Façade for one or more identity stores • RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS) • Transforms token issues by another STS • Does not authenticate the client but relies on SAML token provided by IP-STS that it trusts • Façade for one boundary • Federation Patterns • Passive (Web Clients) WS-Trust emulated using GET, POST, redirects and cookies. • Active: Code to acquire tokens explicitly
- 9. Windows Identity Foundation (WIF) • .NET library encapsulating the inner workings of WS-Federation and WS-Trust • System.IdentityModel • System.IdentityModel.Services • IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, IsAuthenicated, Name) • IClaimsPrincipal = IPrincipal + Identities • IClaimsIdentity = IIdentity + Claims • Claims: Property bag, Subject, issuer, originalissuer, claimtype, value, valuetype
- 10. ADFS V2: Active Directory Federation Services • STS • WS*(WS-Trust, WS-SecurityPolicy, WS-Federation, SAML) • Claims provider • Federation service for identity across domains • Consumers: SharePoint, Azure ACS, WCF, Others • Federation Metadata: • How do RP know its from STS • What claims • Where is STS • SAML Claims
- 11. SharePoint Authentication • Windows (Classic) Authentication: NTLM, Kerberos(Multi hop) • Claims Based AuthN • Claims or Classic in the end you are SPUser • C2WTS(Claims to windows token service)
- 14. The Hub Model
- 15. Windows VS Trusted Identity Authentication
- 17. Claims Viewer IClaimsPrincipal principal = Page.User as IClaimsPrincipal; IClaimsIdentity identity = principal.Identity as IClaimsIdentity; gv.DataSource = identity.Claims; gv.DataBind();
- 19. SharePoint Claims Encoding • <IdentityClaim> indicates the type of claim and is the following: • “i” for an identity claim • “c” for any other claim • <ClaimType> indicates the format for the claim value and is the following: • “#” for a user logon name • “.” for an anonymous user • “5” for an email address • “!” for an identity provider • “+” for a Group security identifier (SID) • “-“ for a role • “%” for a farm ID • “?” for a name identifier • "" for a private personal identifier (PPID) • <ClaimValueType> indicates the type of formatting for the claim value and is the following: • “.” for a string • “+” for an RFC 822-formatted name • <AuthMode> indicates the type of authentication used to obtain the identity claim and is the following: • “w” for Windows claims (no original issuer) • “s” for the local SharePoint security token service (STS) (no original issuer) • “t” for a trusted issuer • “m” for a membership issuer • “r” for a role provider issuer • “f” for forms-based authentication • “c” for a claim provider • <OriginalIssuer> indicates the original issuer of the claim. • <ClaimValueType> indicates the value of the claim in the <ClaimType> format. • http://msdn.microsoft.com/en-us/library/gg481769.aspx#claimswalkthrough5_AppendixA
- 20. SharePoint Claims Encoding Type of claim Encoded claim Claim encoding breakdown Windows User i:0#.w|contosokashif •“i” for an identity claim •“#” for the user logon name format for the claim value •“.” for a string •“w” for Windows claims •“contosokashif” for the identity claim value (the Windows account name) Windows Authenticated Users group c:0!.s|windows •“c” for a claim other than identity •“!” for an identity provider •“.” for a string •“s” for the local SharePoint STS •“windows” for the Windows Authenticated Users group SAML authentication (Trusted User) i:05.t|adfs|[email protected] •“i” for an identity claim •“5” for the email address format for the claim value •“.” for a string •“t” for a trusted issuer •“adfs” identifies the original issuer of the identity claim •“[email protected]” for the identity claim value Forms-based authentication i:0#.f|mymembershipprovider|kashif •“i” for an identity claim •“#”for the user logon name format for the claim value •“.” for string •“f” for forms-based authentication •“mymembershipprovider” identifies the original issuer of the identity claim •“kashif” for the user logon name
- 21. Claims Resolution and Augmentation • Inherit a class from Microsoft.SharePoint.Administration.Claims.SPClaimsProvider • Register using • Microsoft.SharePoint.Administration.Claims.SPClaimsProviderFeatureReceiver • Implement • FillClaimsForEntity • FillClaimTypes • FillClaimValueTypes • Register Claims Provider • $trusted = Get-SPTrustedIdentityTokenIssuer -Identity “Kashif" • $trusted.ClaimProviderName = “KashifClaimsStore" • $trusted.Update()
- 22. ADFS Deployment • Single server configuration • ADFS 2.0 server farm and load-balancer • ADFS 2.0 Proxy server(s) for offsite users
- 23. Install and Configure ADFS V2 • Install Windows Server 2008 R2 • Create service account (ssp_adfs) and set SPN • Install ADFS server, don't configure it • Generate SSL Certificates • Token Signing, Token Encryption, Site • Disable AutoCertificate Rollover • Add-PsSnapin Microsoft.Adfs.Powershell • Set-ADFSProperties -AutoCertificateRollover $false • Set Primary Certificates • Give ADFS account permission on private key of certificates • Add Trusted Relying Party • Map Claims • Email-Addresses => Email Address • Token-Groups - Unqualified Names => Role • SAM-Account-Name => Windows account name • User-Principal-Name => UPN • Test Sign On using IdpInitiatedSignOn
- 24. SharePoint Configuration for ADFS • Export and copy public key of token signing certificate from ADFS • Generate SSL and AAM for SharePoint web app $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:adfsss.cer”) $map1 = New-SPClaimTypeMapping “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" - SameAsIncoming $map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "WindowsAccountName" -SameAsIncoming $map4 = New-SPClaimTypeMapping “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming $realm = "urn:sharepoint:www" $signinurl = "https://sso.kashif.com/adfs/ls/" $ap = New-SPTrustedIdentityTokenIssuer -Name "Kashif" -Description "Kashif STS" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3,$map4 - SignInUrl $signinurl -IdentifierClaim $map3.InputClaimType New-SPTrustedRootAuthority “Kashif Trusted Root Authority” -Certificate $cert $ap.Update() • My Sites or other web apps $uri = new-object System.Uri("https://my.kashif.com") $ap.ProviderRealms.Add($uri, "urn:sharepoint:my")
- 25. SharePoint Trusted Identity Token Issuer A SharePoint trusted identity token issuer binds together the details of the identity provider and the mapping rules to associate them with a specific SharePoint web application.
- 26. Update SharePoint for new ADFS Certificates $cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:adf supdatesss1.cer") Set-SPTrustedRootAuthority -Identity "Kashif Trusted Root Authority P1" -Certificate $cert Set-SPTrustedIdentityTokenIssuer "Kashif" -ImportTrustCertificate $cert
- 27. Azure Access Control Service • Build using Claims-based identity principles • Support WIF and ADFS V2
- 28. Questions ???