Do you claim to be from the Azure sky?
Liam Cleary
About Me
• Solution Architect @ SusQtech (Winchester, VA)
• SharePoint MVP since 2007
• Working with SharePoint since 2002
• Worked on all kinds of projects
   • Internet
   • Intranet
   • Extranet
• Anything SharePoint Really
• Involved in Architecture, Deployment, Customization and
  Development of SharePoint
"You can teach a student a lesson for a day; but if you can teach him / her to learn by creating curiosity, they will continue the learning process as long as they live."
Clay P. Bedford
I am hoping for a different kind of Curiosity today
Security with SharePoint
• Isn't this an oxymoron? Just kidding!!
Agenda
• SharePoint Authentication
  • What is available?
• What is claims authentication?
• SharePoint and Claims?
• Identity Providers
• Azure Control Service
  • Google, Windows Live ID, Yahoo, Facebook
  • Custom IDP
• What to choose?
SharePoint Authentication
• Multiple Types of Authentication Support
  • Windows
    • NTLM
    • Kerberos
    • Basic
    • Anonymous
    • Digest
  • Forms-based Authentication
    • Lightweight Directory Access Protocol (LDAP)
    • Microsoft SQL Server
    • ASP.NET Membership and Role Providers
  • SAML Token-based Authentication
    • Active Directory Federation Services (AD FS)
    • 3rd Party Identity Providers
    • Lightweight Directory Access Protocol (LDAP)
Authentication – Claims
Why introduce Claims Authentication?
  • Wide Support
  • Standards Based
    • WS-Federation 1.1
    • WS-Trust 1.4
    • SAML Token 1.1 AuthN
  • Single Sign On
  • Federation
    • Already many providers
  • Microsoft standard approach
  • Fed up custom coding everything, every time
  • Gets round (some) Office Integration problems
  • Easy to configure with little effort
    • Multiple Web Config changes, Web Application changes and then of course the actual configuration of your identity provider
Authentication – Claim Terminology
• Identity
  • Info about a Person or Object (AD, Google, Windows Live, Facebook etc.)
• Claim
  • Attributes of the Identity (User ID, Email, Age etc.)
• Token
  • Binary Representation of Identity
  • Set of Claims and the Signature
• Relying Party (aka RP)
  • Uses the Token (the application that trusts the issuer)
• Security Token Service (STS)
  • Issuer of Tokens for Users
Authentication – Sign In Process
Parties: Identity Provider Security Token Service (aka IP-STS) and SharePoint 2010 (aka RP)
1. Resource Requested
2. AuthN Request / Redirect
3. AuthN Request
4. Security Token
5. Security Token Request
6. Service Token
7. Resource Request w/Service Token
8. Resource Sent
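The terminology and sign-in slides above can be tied together in code. The following is an added example, not code from the presentation or from any SusQtech project: it models a token as a set of claims plus a signature, an STS as the issuer, and the relying party as the consumer that checks issuer, audience, expiry and signature before trusting a single claim, then walks the eight steps with two issuers (the IP-STS and SharePoint's own STS that hands out the service token). It assumes a shared HMAC-SHA256 key in place of the X.509 signing certificate a real IP-STS and SharePoint use, and every name in it (Sts, ClaimsToken, RelyingParty, the audience URNs, the sample user) is this example's own.

```csharp
// Added example, not the presentation's code. ASSUMPTION: HMAC-SHA256 with a
// shared key stands in for X.509 signing; all class names and URNs are invented.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class ClaimsToken
{
    public string Issuer;      // which STS signed it
    public string Audience;    // which relying party it was issued for
    public DateTime Expires;   // UTC; short lifetimes limit replay
    public SortedDictionary<string, string> Claims = new SortedDictionary<string, string>(StringComparer.Ordinal);
    public byte[] Signature;

    // Canonical bytes covered by the signature: header fields, then claims in
    // sorted order so the same claims always serialize to the same bytes.
    public byte[] SignedBytes()
    {
        var sb = new StringBuilder();
        sb.Append(Issuer).Append('|').Append(Audience).Append('|').Append(Expires.ToString("o"));
        foreach (var c in Claims) sb.Append('|').Append(c.Key).Append('=').Append(c.Value);
        return Encoding.UTF8.GetBytes(sb.ToString());
    }
}

// A security token service: issues tokens for one audience and signs them.
public sealed class Sts
{
    public readonly string Name;
    private readonly byte[] signingKey;
    public Sts(string name, byte[] signingKey) { Name = name; this.signingKey = signingKey; }

    public ClaimsToken Issue(string audience, IDictionary<string, string> claims, TimeSpan lifetime)
    {
        var token = new ClaimsToken { Issuer = Name, Audience = audience, Expires = DateTime.UtcNow.Add(lifetime) };
        foreach (var c in claims) token.Claims[c.Key] = c.Value;
        using (var hmac = new HMACSHA256(signingKey)) token.Signature = hmac.ComputeHash(token.SignedBytes());
        return token;
    }
}

// The relying-party checks every token consumer must make before trusting a claim.
public static class RelyingParty
{
    public static bool Validate(ClaimsToken token, string expectedAudience, IDictionary<string, byte[]> trustedIssuers)
    {
        byte[] key;
        if (token == null || token.Signature == null) return false;
        if (!trustedIssuers.TryGetValue(token.Issuer, out key)) return false;                            // unknown issuer
        if (!string.Equals(token.Audience, expectedAudience, StringComparison.Ordinal)) return false;    // wrong audience
        if (token.Expires <= DateTime.UtcNow) return false;                                              // expired
        byte[] expected;
        using (var hmac = new HMACSHA256(key)) expected = hmac.ComputeHash(token.SignedBytes());
        return FixedTimeEquals(expected, token.Signature);
    }

    // Constant-time comparison so the signature check does not leak timing information.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class SignInDemo
{
    public static void Main()
    {
        var ipStsKey = new byte[32]; var spStsKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(ipStsKey); rng.GetBytes(spStsKey); }
        var ipSts = new Sts("urn:example:ip-sts", ipStsKey);          // the identity provider's STS
        var spSts = new Sts("urn:example:sharepoint-sts", spStsKey);  // SharePoint's own STS
        const string webApp = "urn:example:sharepoint:intranet";      // the relying party (web application)

        // Steps 1-3: resource requested, redirect to the IP-STS, user authenticates there (not modelled).
        // Step 4: the IP-STS issues a security token addressed to the SharePoint web application.
        var idpClaims = new Dictionary<string, string> { { "email", "alice@example.com" }, { "role", "Visitors" } }; // constructed sample
        ClaimsToken securityToken = ipSts.Issue(webApp, idpClaims, TimeSpan.FromMinutes(10));

        // Steps 5-6: SharePoint trusts only its registered issuer, validates the security token,
        // and its own STS issues the service token the user's session will carry.
        var trustedByWebApp = new Dictionary<string, byte[]> { { ipSts.Name, ipStsKey } };
        if (!RelyingParty.Validate(securityToken, webApp, trustedByWebApp)) throw new Exception("security token rejected");
        ClaimsToken serviceToken = spSts.Issue(webApp, securityToken.Claims, TimeSpan.FromHours(1));

        // Steps 7-8: the resource request carries the service token; it is checked against the SharePoint STS.
        var trustedBySite = new Dictionary<string, byte[]> { { spSts.Name, spStsKey } };
        Console.WriteLine("resource sent: " + RelyingParty.Validate(serviceToken, webApp, trustedBySite));

        // A token the trusted IP-STS issued for a different web application is still refused:
        // audience binding is what prevents a token meant for one site being accepted by another.
        ClaimsToken other = ipSts.Issue("urn:example:sharepoint:extranet", idpClaims, TimeSpan.FromMinutes(10));
        Console.WriteLine("wrong-audience token accepted: " + RelyingParty.Validate(other, webApp, trustedByWebApp));
    }
}
```

The two issuer keys are kept in separate trust tables on purpose: the web application trusts the IP-STS for the incoming security token, but only SharePoint's own STS for the service token, which mirrors the two hops on the slide.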
Authentication – Identity Provider
• No need for Membership and Role Provider
• Single Sign On built in
• Centrally managed; single entry point for all Authentication
• Utilizes Windows Identity Foundation (WIF)

How to build an Identity Provider
• Create new ASP.NET Security Token Web Service Web Site
• Configure Certificate Settings and Name in <AppSettings>
    • Check Issuer Name within Certificates MMC
• Create new Claims-aware ASP.NET Web Site (testing)
    • Add STS Reference to Claims-aware ASP.NET Web Site
    • Set Claims
• Test

• Real World will need code changes:
    • Connect to authentication system
    • Modify Claims
    • Authentication Logic
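The steps above map onto two classes in a WIF 3.5 security token service web site. The following is an added example, not code from the presentation or from any SusQtech project; it follows the shape of the Visual Studio 2010 WIF STS template but the class names, the relying-party allow list and the claim values are this example's own. It assumes Microsoft.IdentityModel (WIF 3.5) is referenced and that web.config <appSettings> holds IssuerName and SigningCertificateName, as the slide describes; the points where real-world code must connect to the authentication system and modify claims are marked.

```csharp
// Added example, not the presentation's code. ASSUMPTIONS: WIF 3.5 (Microsoft.IdentityModel)
// referenced; <appSettings> contains IssuerName and SigningCertificateName; class names,
// the allowed relying-party URL and the claim values below are invented placeholders.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web.Configuration;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// "Configure Certificate Settings and Name in <AppSettings>": the issuer name and the
// signing certificate come from configuration, and the certificate is loaded by subject name.
public class CustomSecurityTokenServiceConfiguration : SecurityTokenServiceConfiguration
{
    public CustomSecurityTokenServiceConfiguration()
        : base(WebConfigurationManager.AppSettings["IssuerName"],
               new X509SigningCredentials(FindSigningCertificate(WebConfigurationManager.AppSettings["SigningCertificateName"])))
    {
        SecurityTokenService = typeof(CustomSecurityTokenService);
    }

    // Loads exactly one certificate from LocalMachine\My; this is the issuer name that
    // must match what is registered with SharePoint (check it in the Certificates MMC).
    private static X509Certificate2 FindSigningCertificate(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectName, false);
            if (found.Count != 1) throw new InvalidOperationException("Expected exactly one signing certificate: " + subjectName);
            return found[0];
        }
        finally { store.Close(); }
    }
}

public class CustomSecurityTokenService : SecurityTokenService
{
    // Only issue tokens for relying parties we know; an unknown AppliesTo is refused.
    private static readonly string[] AllowedRelyingParties = { "https://intranet.example.local/_trust/" }; // ASSUMPTION: placeholder RP

    public CustomSecurityTokenService(SecurityTokenServiceConfiguration configuration) : base(configuration) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null) throw new InvalidRequestException("AppliesTo is required");
        string appliesTo = request.AppliesTo.Uri.OriginalString;
        if (Array.IndexOf(AllowedRelyingParties, appliesTo) < 0)
            throw new InvalidRequestException("Unknown relying party: " + appliesTo);

        var scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.TokenEncryptionRequired = false; // SharePoint 2010 consumes a signed, unencrypted SAML 1.1 token

        // Only post the token back to the relying party itself; a ReplyTo pointing elsewhere is ignored.
        scope.ReplyToAddress = (!string.IsNullOrEmpty(request.ReplyTo) && request.ReplyTo.StartsWith(appliesTo, StringComparison.OrdinalIgnoreCase))
            ? request.ReplyTo : appliesTo;
        return scope;
    }

    // "Set Claims": the claims issued for the authenticated user. Real-world code replaces the
    // placeholders by looking the user up in the authentication system / LOB directory.
    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        if (principal == null) throw new ArgumentNullException("principal");
        if (principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new InvalidRequestException("Caller is not authenticated");

        var outputIdentity = new ClaimsIdentity();
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Email, "user@example.local")); // placeholder: look up in the auth system
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, "Visitors"));             // placeholder: derive from LOB data
        return outputIdentity;
    }
}
```

The email claim is the one SharePoint is usually configured to use as its identifier claim, so whatever the real lookup returns must be unique and stable per user; the role claim is what a custom claims provider later surfaces in the people picker.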
Azure Control Service
• An ADFS-style cloud-based service from Microsoft
  • Central point for offloading Authentication
  • Supports SAML 1.1 / SAML 2.0
  • Supported identity providers
    • Facebook
    • Google
    • Windows Live ID
    • Yahoo
    • Custom IDP
    • OpenID-style authentication
• Support for 3rd Party Integration
• Claim Mapping through configuration
Sign-In Process with Azure ACS & SharePoint 2010

DEMO
Azure Control Service - ACS
Azure Control Service - SharePoint
DEMO
What else to know?
• Given the choice
  • Microsoft ADFS
  • Custom Identity provider
  • Azure ACS
    • Multiple Providers
• A Custom Claims Provider will be needed
• If claims need augmenting from a line-of-business (LOB) system, use a Custom IDP
• All users will experience the "nothing" redirect
  • Redirect, Redirect and Redirect
• SharePoint does not support SAML 2.0 Assertions
• Routing internal LOB authentication through ACS is maybe overkill
  • Expose the internal LOB authentication to ACS through a provider instead
Thanks to our sponsors!
Thank you & Questions
Email: liamc@susqtech.com
Work: http://www.susqtech.com
Twitter: @helloitsliam
Blog: http://blog.helloitsliam.com
SharePoint Saturday Utah - Do you claim to be from the Azure Sky?