Post on 17-May-2015
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
Danny Jessee, SharePoint Saturday Boston – April 28, 2012
Thanks to our sponsors!
Who am I?
Senior consultant – SharePoint development
Based in the Washington, DC metro area
8 years SharePoint development experience
MCPD: SharePoint Developer 2010
MCTS: SharePoint 2010 Configuration
Email: djessee@gmail.com
Twitter: @dannyjessee
Blog: http://dannyjessee.com/blog
Agenda
Authentication vs. Authorization
Claims Authentication in SharePoint 2010
Integrating Facebook from scratch
▪ New SharePoint 2010 web application
▪ Adding an Azure AppFabric ACS Trusted Identity Provider (Facebook)
▪ Going “beyond authentication” to surface Facebook data in SharePoint and vice versa
Before we begin…
How many of you are… Developers? System administrators? IT professionals? Others?
Integrating SharePoint 2010 with an identity provider such as Facebook will present different challenges for each role
Authentication vs. Authorization
Authentication
Authentication (AuthN) is the process of validating a user’s identity
SharePoint never performs authentication
If the login prompt keeps appearing, think authentication issue! Unless it’s the dreaded loopback check!
Authorization
Authorization (AuthZ) is the process of determining the resources, features, etc. to which an authenticated user has access
If you see “Access Denied” errors, think authorization issue!
Claims based identity
What is a claim? A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date
Whose claims do I trust, and which claims affect authorization decisions I make?
Claims terminology
Token: serialized set of claims about an authenticated user, digitally signed by the token’s issuer
Identity Provider (IP): validates user credentials
Security Token Service (STS): builds, signs, and issues tokens containing claims
Relying Party (RP): application that makes authorization decisions based on claims (SharePoint 2010)
Claims-Based Identity Technologies
WS-Trust, WS-Federation, SAML
▪ Requesting/receiving tokens
▪ XML representation of claims
These emerging technologies have been around for a while; their use in Claims-Based Identity represents a new approach for handling identity in applications
Great potential in corporate environments
▪ Active Directory Federation Services, external LDAP, etc.
Great potential as we move to the cloud
▪ Azure ACS: Facebook, Google, Windows Live ID, etc.
The Claims paradigm
Decoupling of authentication logic from authorization and personalization logic
Applications no longer need to determine who the user is; they receive claims identifying the user
Great for developers who rarely want to work with identity!
Provides a common way for applications to acquire the identity information they need about users
The Claims paradigm
1. “I’d like to access this protected resource.”
2. “I don’t know who you are. Identity provider, authenticate him.”
3. “My user ID is Danny and my password is BaCoNbAcOn!!1.”
4. “Hi, Danny. Here is a token you can use containing attributes about you.”
5. “I’d like to access this resource; hopefully it has the proof you need to authorize me!”
SharePoint 2010
Almost demo time!
Our demo scenario
The Federal Bacon Administration is a highly innovative (and flavorful) new government agency that is standing up a new public-facing web site using SharePoint 2010
They want users to sign in using their Facebook accounts and bring information from Facebook into SharePoint (and vice versa)
SharePoint 2010 options
Claims Based Authentication (Tokens)
▪ Windows Authentication: NTLM/Kerberos, Basic
▪ Forms-Based Authentication (ASP.NET Membership provider and Role manager)
▪ Other Trusted Identity providers (like Facebook!)
Classic Mode Authentication (“Old School”)
▪ Windows Authentication (NTLM/Kerberos) only
Both map authenticated users to SPUser objects (security principals)
Classic or Claims?
The single biggest decision of your life!
Updated TechNet guidance: “For new implementations of SharePoint Server 2010, we recommend claims-based authentication.” (updated from the earlier wording “you should consider”)
http://technet.microsoft.com/en-us/library/cc262350.aspx
Sign-In Page
Allows users to choose how to authenticate when multiple providers are configured (Mixed Authentication)
Custom code opportunity: http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
Claims Viewer Web Part
Visual Web Part code-behind: http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
    // Requires a reference to Microsoft.IdentityModel (Windows Identity Foundation)
    using Microsoft.IdentityModel.Claims;

    IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
    if (claimsPrincipal == null)
    {
        return; // classic-mode web application: no claims principal to display
    }
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
    // Bind every claim carried in the user's token to the grid
    GridView1.DataSource = claimsIdentity.Claims;
    Page.DataBind();
Demo #1: New SharePoint 2010 web application with Claims
Windows Azure AppFabric Access Control Services (ACS)
Azure AppFabric ACS
Cloud-based service that provides an easy way of authenticating and authorizing users to gain access to web applications
Includes support for Windows Live ID, Google, Yahoo, and Facebook
Also includes support for Active Directory Federation Services (AD FS) 2.0
Simple browser-based management portal
$1.99/100k transactions (free until Nov. 30!)
Adding Facebook support
Three things must be done to add support for users to log in to SharePoint via Facebook:
1. Create a Facebook application: https://developers.facebook.com/apps
2. Configure ACS for Facebook support
▪ Permissions you will request from Facebook users
▪ Relying Party application and Rule Group setup
3. Configure ACS as a Trusted Identity Provider in SharePoint
Is ACS necessary?
No! You can integrate external identity providers with SharePoint without ACS
You have no choice if you want to use identity providers not currently supported by ACS (such as LinkedIn or Twitter)
You will need to write your own code to:
▪ Ensure the user has logged in to the IP
▪ Obtain claim information from the IP
▪ Package and sign tokens (your own STS)
Demo #2: Create a Facebook application
Create Facebook Application
Click “Create New App”
Provide Display Name and Namespace
Note App ID and App Secret values
Provide Website URL to ACS
Demo #3: Configure Azure AppFabric ACS for Facebook
Configure ACS IP
From the ACS management portal, add a new Identity Provider
Configure ACS IP
Enter App ID and App Secret values from the Facebook application you created earlier
Enter a comma-delimited list of Application Permissions you want to request: https://developers.facebook.com/docs/reference/api/permissions/
In our demo, we will request: email,user_location,user_hometown,user_website,user_work_history,publish_stream,user_birthday,friends_birthday
Configure ACS IP
Permissions you request will be displayed to the end user the first time they log in
Request the minimum subset of permissions you need; users are more likely to reject bigger requests
Configure ACS Rule Group
Generate Rule Group: named set of claim rules that define which identity claims are passed from identity providers to your relying party application
SharePoint will still need to be configured to make use of these claims
Configure Relying Party
Configure Relying Party application: provide Name, Realm, and Return URL
Return URL: Realm + /_trust
Configure Relying Party
Choose SAML 1.1 token format
Update Token lifetime to >600 seconds
Select Identity providers and Rule groups
Configure Relying Party
Generate self-signed certificate:
    C:\Program Files\Microsoft Office Servers\14.0\Tools>MakeCert.exe -r -pe -n "CN=dannyjessee.accesscontrol.windows.net" -sky exchange -ss my
(Self-signed, exportable, subject key type “exchange,” store in “personal” certificate store)
Development only! Please use a legitimate certificate in production!
Configure Relying Party
Upload this certificate (.pfx format) as the Token Signing Certificate in ACS
Demo #4: Configure ACS as a SharePoint Trusted Identity Provider (IP)
Configuring ACS Trusted IP
New-SPTrustedRootAuthority: Name, Certificate (self-signed .cer made earlier)
New-SPClaimTypeMapping: IncomingClaimType, IncomingClaimTypeDisplayName, LocalClaimType (or SameAsIncoming)
New-SPTrustedIdentityTokenIssuer: Name, Realm, ImportTrustCertificate, ClaimsMappings, SignInUrl, IdentifierClaim
Configuring ACS Trusted IP
Running this PowerShell script will add “Facebook” to the list of Trusted Identity Providers
Eligible to be added to Claims-based web applications in Central Administration
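The three cmdlets above as one SharePoint 2010 Management Shell script, added here as an example and not taken from the deck or its downloadable code. The certificate path, the realm, the ACS namespace “contoso-demo” and the claim type names are assumptions; check the AccessToken claim type against your own ACS rule group.

```powershell
# Added example (not from the slide deck): registers an ACS namespace as the
# "Facebook" trusted identity provider in SharePoint 2010. Assumed values:
# the .cer path, the realm and the ACS namespace "contoso-demo".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = "C:\certs\acs-token-signing.cer"   # assumption: public part of the cert uploaded to ACS
$realm     = "https://fba.contoso.local/"        # assumption: Realm of the ACS relying party (Return URL = Realm + /_trust)
$signInUrl = "https://contoso-demo.accesscontrol.windows.net/v2/wsfederation"  # assumption: ACS namespace
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# 1. Trust the ACS token signing certificate
New-SPTrustedRootAuthority -Name "ACS Token Signing" -Certificate $cert | Out-Null

# 2. Map the incoming claims. The AccessToken claim type is the one ACS emits
#    for Facebook (assumption: verify it against your rule group first).
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$name  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" `
    -IncomingClaimTypeDisplayName "Name" -SameAsIncoming
$token = New-SPClaimTypeMapping -IncomingClaimType "http://www.facebook.com/claims/AccessToken" `
    -IncomingClaimTypeDisplayName "AccessToken" -SameAsIncoming

# 3. Register the issuer; the e-mail address is the identifier claim that
#    becomes the SPUser login name in SharePoint
$tip = New-SPTrustedIdentityTokenIssuer -Name "Facebook" -Description "Azure ACS (Facebook)" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $email,$name,$token `
    -SignInUrl $signInUrl -IdentifierClaim $email.InputClaimType

# Caveat from the deck: the ACS token lifetime must be longer than SharePoint's
# LogonTokenCacheExpirationWindow (10 minutes by default on both sides), or
# users loop between SharePoint and the ACS sign-in page.
$acsTokenLifetime = New-TimeSpan -Seconds 600   # assumption: ACS relying party still at its default
$sts = Get-SPSecurityTokenServiceConfig
if ($sts.LogonTokenCacheExpirationWindow -ge $acsTokenLifetime) {
    Write-Warning "LogonTokenCacheExpirationWindow ($($sts.LogonTokenCacheExpirationWindow)) is not below the ACS token lifetime ($acsTokenLifetime); raise the ACS lifetime above 600 seconds or lower the window (the deck uses 1 minute)."
}
```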
Granting user permissions
Before Facebook users will be authorized to access anything, we must grant them an appropriate level of permissions
Best to set a “Full Read” web application policy for users coming in from Facebook
In a public-facing scenario, you likely won’t know specific user identities to set more granular permissions
Not to mention the people picker problems!
Demo #5: Logging in with Facebook
Claims mappings visualized
All claims whose OriginalIssuer is TrustedProvider:Facebook
AccessToken is the key to all user data
Going beyond authentication
Make calls to the Facebook Graph API: https://developers.facebook.com/docs/reference/api/
Retrieve data about the user and his/her friends
Upload photos/videos, post status messages
Data returned from Facebook in JSON format
Requests to https://graph.facebook.com/...
▪ me/feed, me/friends, me/photos, me/videos
Configuring trust
SharePoint maintains its own certificate store where separate trusts must be configured
http://dannyjessee.com/blog/index.php/2011/12/required-trust-relationships-for-the-facebook-c-sdk-in-sharepoint-2010/
Need to upload two certificates in Central Admin (Security > Manage Trust):
▪ DigiCert High Assurance EV Root CA
▪ DigiCert High Assurance CA-3
Demo #6: Cool custom code!
To the non-devs among us…
I’m sorry! Time to geek out with some code
Nothing particularly special about this code; any .NET developer should be able to work similar magic
Examples use the Facebook C# SDK: http://csharpsdk.org
A note about code snippets
Code snippets in these slides are not complete
▪ Do not include proper error checking/handling
▪ Do not show proper impersonation of System Account where necessary
Please download the code
▪ Do not copy and paste from these slides
▪ I will Tweet the link and update this slide deck to include it
Access token
Returned in a claim from Facebook
A new AccessToken is issued each login
Our key to all of the data about the logged-in user
Required for all calls to the Facebook Graph API
Two-hour lifetime by default
To leverage this token across the site, I store it in the SPWeb.AllProperties property bag:
    web.AllProperties["fbAccessToken_{loginname}"]
AllProperties required for case sensitivity
Update display name
Initial display name for the SPUser is based on the specified IdentifierClaim
Make this friendlier – we know their name!
    if (SPContext.Current.Web.CurrentUser == null)
    {
        // Add the claims user to the web (if needed) and set a friendly display name
        SPUser user = web.EnsureUser("i:" + claimsIdentity.Name);
        user.Name = givenName;
        user.Update();
    }
Weather web part
    var client = new Facebook.FacebookClient(token);
    var me = (IDictionary<string, object>)client.Get("me");
    // "location" is only returned when the user_location permission was granted
    JsonObject location = me["location"] as JsonObject;
    myLocation = (string)location["name"];
myLocation is in City, State format
Parsed and sent to Weather Underground API: http://api.wunderground.com/api/[key]/geolookup/conditions/forecast/q/[state]/[city].json
Contact list updater
    var client = new Facebook.FacebookClient(token);
    var me = (IDictionary<string, object>)client.Get("me");
    SPList lstContacts = web.Lists["Contacts"];
    SPListItem item = lstContacts.Items.Add();
    item["First Name"] = (string)me["first_name"];
    item["Last Name"] = (string)me["last_name"];
    // "work" requires the user_work_history permission; most recent/current employer stored in work[0]
    JsonArray work = me["work"] as JsonArray;
    JsonObject company = work[0] as JsonObject;
    JsonObject employer = company["employer"] as JsonObject;
    JsonObject position = company["position"] as JsonObject;
    item["Company"] = (string)employer["name"];
    item["Job Title"] = (string)position["name"];
    item.SystemUpdate();
Friends’ birthdays calendar
    var client = new Facebook.FacebookClient(token);
    var me = (IDictionary<string, object>)client.Get("me/friends?fields=name,birthday");
    JsonArray friendData = me["data"] as JsonArray;
    foreach (JsonObject friend in friendData)
    {
        if (friend.ContainsKey("birthday"))
        {
            /* Some users share MM/DD of birthday, others share MM/DD/YYYY.
               We only care about MM/DD for our purposes, and Facebook always pads with leading zeros */
            string birthday = (string)friend["birthday"];
            birthMonth = int.Parse(birthday.Substring(0, 2));
            birthDate = int.Parse(birthday.Substring(3, 2));
            ...
Friends’ birthdays calendar
    SPList lstCalendar = web.Lists["Calendar"];
    SPListItem birthdayItem = lstCalendar.Items.Add();
    birthdayItem["Title"] = name + (name.EndsWith("s") ? "' birthday" : "'s birthday");
    birthdayItem["EventDate"] = dtBirthday;
    birthdayItem[SPBuiltInFieldId.Duration] = 60 * 60 * 24;
    birthdayItem[SPBuiltInFieldId.EventType] = 1;   // 1 = recurring event
    birthdayItem[SPBuiltInFieldId.fRecurrence] = true;
    birthdayItem[SPBuiltInFieldId.fAllDayEvent] = true;
    // Yearly recurrence on the friend's birth month and day
    string recurrence = "<recurrence><rule><firstDayOfWeek>su</firstDayOfWeek>" +
        "<repeat><yearly yearFrequency='1' month='" + birthMonth.ToString() + "' day='" + birthDate.ToString() + "' /></repeat>" +
        "<windowEnd>2014-01-01T00:00:00Z</windowEnd></rule></recurrence>";
    birthdayItem["RecurrenceData"] = recurrence;
    birthdayItem.SystemUpdate();
Post a status update
    var client = new Facebook.FacebookClient(token);
    Dictionary<string, object> dict = new Dictionary<string, object>();
    dict.Add("message", "Yay for Claims-Based Identity, Facebook, SharePoint, and Bacon!");
    dict.Add("link", "http://sharepointsaturday.org/boston");
    dict.Add("picture", "http://www.sharepointsaturday.org/boston/SiteImages/2012_SPS_Logo_300.jpg");
    dict.Add("name", "SharePoint Saturday Boston Home Page");
    dict.Add("caption", "April 28, 2012");
    dict.Add("description", "Come see my presentation about Claims-Based Identity in SharePoint 2010 at SPSBOS!");
    client.PostAsync("me/feed", dict);
Post a video
    var client = new Facebook.FacebookClient(token);
    Dictionary<string, object> dict = new Dictionary<string, object>
    {
        { "title", "I know how to post videos to Facebook...from SharePoint!" },
        { "description", "See more at SPSBOS April 28, 2012!" },
        { "vid1", new FacebookMediaObject { ContentType = "video/x-flv", FileName = "facebook.flv" }
                      .SetValue(File.ReadAllBytes(@"C:\facebook.flv")) }
    };
    client.PostAsync("me/videos", dict);
Silverlight webcam photo
Silverlight application courtesy MossLover
Interfaces with the user’s webcam, saves captured images to document library
Silverlight webcam photo
Added event handler to upload to Facebook
    string contentType = "image/jpeg";
    var client = new Facebook.FacebookClient(fbAccessToken);
    Dictionary<string, object> dict = new Dictionary<string, object>
    {
        { "message", "Uploaded picture from Silverlight webcam image capture in SharePoint!" },
        { "pic1", new FacebookMediaObject { ContentType = contentType, FileName = properties.ListItem.File.Name }
                      .SetValue(properties.ListItem.File.OpenBinary()) }
    };
    client.PostAsync("me/photos", dict);
Thanks for your time!
Backup slides
FBA in SharePoint 2010
Similar to FBA setup for MOSS, with some exceptions:
Authentication provider does not need to be mapped to a separate zone
One additional Web.config to modify:
▪ C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken
▪ Add entries for connection string, Membership provider, Role manager
▪ Same modifications for Central Admin and web app
Claims “Gotchas”
General issues for all Claims implementations
Search crawler requires NTLM in the zone it uses
“People picker” is more of a Claims “expression editor”
▪ Custom code opportunity
User Profiles
▪ LDAP or BCS connection to authentication store
Office client integration (2007 SP2+, 2010)
▪ IE 8+: Trusted Sites
No document previews with FAST Search
Real-Life Testimonial
“After migrating to Claims in SharePoint 2010, most of our users were able to log in some of the time.”
—A less-than-thrilled system administrator
Claims “Gotchas”
Migration from MOSS to SharePoint 2010
Migrate FBA Users
▪ $wa = Get-SPWebApplication $WebAppName
▪ $wa.MigrateUsers($true)
Portalsuperuser and Portalsuperreader properties need to be updated to reflect Claims-encoded format
▪ $wa.Properties["portalsuperuseraccount"] = "i:0#.w|domain\apppool"
▪ $wa.Properties["portalsuperreaderaccount"] = "i:0#.w|domain\apppool"
▪ $wa.Update()
Must migrate all providers from MOSS to 2010
▪ i.e., NTLM and FBA if both existed prior to migration
Claims Behaving Badly
“Funky” display of usernames
▪ i:0#.w|SHRPNT\Administrator
▪ i:0#.f|CustomMembershipProvider|username
▪ i:0#.t|selfsts|test@contoso.com
i: Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider (Web.config)
▪ .w / .f / .t: windows, forms, trusted Identity Provider
Claims Behaving Badly
Set DisplayName property of SPUser
    $user = Get-SPUser -Web http://abc.shrpnt.loc -Identity "i:0#.f|CustomMembershipProvider|username"
    $user.DisplayName = "John Doe"
    $user.Update()
Can also be done via SharePoint object model
Claims Behaving Badly
Session expiration issues with SAML Claims
Users can come back to the page hours later without having to log in again
SharePoint creates a FedAuth cookie (written to disk) that is not a Session cookie by default
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.UseSessionCookies = $true
▪ $sts.Update()
Claims Behaving Badly
Continuous redirection to/from login page
This can happen when the TokenLifetime is less than the LogonTokenCacheExpirationWindow
▪ Default LogonTokenCacheExpirationWindow in SharePoint 2010 STS is 10 minutes
▪ Default Token Lifetime in Azure ACS is also 10 minutes
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.LogonTokenCacheExpirationWindow = (New-TimeSpan -minutes 1)
▪ $sts.Update()
Claims Behaving Badly
Go to the login page, enter valid credentials, press the “Log In” button, and… get redirected back to the login page (once)
Check the ULS logs!
▪ Could be token expiration timeout
▪ Could be something else
Claims Behaving Badly
    SPSecurityTokenService.Issue() failed: System.Runtime.InteropServices.COMException (0x800703FA): Retrieving the COM class factory for component with CLSID {BDEADF26-C265-11D0-BCED-00A0C90AB50F} failed due to the following error: 800703FA.
GPEdit: Computer Configuration > Administrative Templates > System > User Profiles
▪ Do not forcefully unload the users registry at user logoff > Set to “Enabled”
Claims Recommendations
Claims Recommendations
Stick with Classic Mode Authentication if you are deploying SharePoint into a “simple” Active Directory environment
▪ Particularly if strict security controls are in place that are beyond your control
▪ Especially if you are only migrating from Windows authentication in MOSS
Once you go to Claims, you can’t go back!
Claims Recommendations
If you must use Claims for your Extranet, try to minimize the number of zones/host headers used
Default zone should be most secure
Have a good “troubleshooter’s toolbox”
▪ ULS Log Viewer
▪ Fiddler
▪ Claims Viewer web part
References & Credits
Shane Young – my hero! http://sharepoint911.com
Plan Authentication Methods (SharePoint Server 2010): http://technet.microsoft.com/en-us/library/cc262350.aspx
A Guide to Claims-Based Identity and Access Control (Microsoft Patterns and Practices): http://claimsid.codeplex.com/
Writing Claims Providers for SharePoint 2010: http://msdn.microsoft.com/en-us/library/ff699494.aspx
Implementing Claims-Based Authentication with SharePoint Server 2010: http://www.microsoft.com/download/en/details.aspx?id=27569
Transparent Login with Mixed Authentication: http://www.orbitone.com/en/blog/archive/2010/06/23/sharepoint-2010-mixed-authentication-automatic-login.aspx
C# Facebook SDK: http://facebooksdk.codeplex.com
Azure ACS and Facebook: http://msdn.microsoft.com/en-us/library/gg185967.aspx
Steve Peschka: http://blogs.technet.com/b/speschka/archive/2010/06/12/migrating-a-web-application-from-windows-classic-to-windows-claims-in-sharepoint-2010.aspx and http://msdn.microsoft.com/en-us/library/hh147183.aspx
Project Server Blog (GREAT tips for migrating to Claims here!!!): http://nearbaseline.com.au/blog/tag/claims/
SelfSTS and Vittorio Bertocci: http://archive.msdn.microsoft.com/SelfSTS and http://blogs.msdn.com/b/vbertocci/archive/2010/08/23/selfsts-when-you-need-a-saml-token-now-right-now.aspx
Paul Schaeflein: http://www.schaeflein.net/blog/Lists/Posts/Post.aspx?ID=4
Claims Viewer web part: http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=32
Fiddler: http://www.fiddler2.com/fiddler2/
SharePoint ULS Log Viewers: http://sharepointlogviewer.codeplex.com/ and http://ulsviewer.codeplex.com/
Azure ACS Integration: http://blogs.objectsharp.com/cs/blogs/steve/archive/2011/04/21/windows-azure-access-control-services-federation-with-facebook.aspx and http://www.7388.info/index.php/article/studio/2011-07-29/20983.html
Robert Bogue: http://www.sharepointshepherd.com