How Microsoft SharePoint 2010 is built with Windows Identity Foundation
Sesha Mani, Senior Program Manager, Microsoft Corporation
Session SVC26
Agenda
> SharePoint 2007 – identity challenges
> Claims-based identity and Windows Identity Foundation (WIF)
> SharePoint 2010 – new identity architecture – “Claims-based identity”
> Map new architecture to customer’s existing problems & future needs
SharePoint 2007 – Identity Challenges
> 1. Authentication is intertwined within SharePoint 2007
> 2. Requires complex configuration for identity delegation
> 3. Access control only through attribute providers
> Active Directory, Role Providers
> Are these challenges unique to SharePoint 2007?
> These are identity challenges common to all applications…
> What is the solution? What do we need to do?
And we did …
NEW path to identity in SP2010 …
CLAIMS-BASED IDENTITY …
SharePoint 2007 – Identity Flow
[Diagram: Client → Authentication methods (Windows integrated, Membership & Role Providers, Web SSO, Anonymous access) → SharePoint Web Application (Access control: roles protected; Windows Identity) → SharePoint Service Applications → Content Database; service-to-service calls rely on trusted sub-systems]
SharePoint 2010 – Identity Flow
[Diagram: Client → Authentication methods (Windows, ASP.Net (FBA), SAML Web SSO) → SharePoint Web Application (Auth handled by WIF – SPSTS in front of the app logic; Access control: claims protected) → Services Application Framework (claims-aware, WIF) → Content Database; the SP-STS issues the claims-based identity, and a Windows Identity is derived where a back end needs one]
Benefits of claims model for SharePoint 2010
> Support existing identity infrastructure
> Active Directory
> LDAP, SQL
> WebSSO and Identity Management Systems
> Multiple authentication methods per SharePoint Web Application
> Enable automatic, secure identity delegation
> Cross-machines & cross-farm
> Support “no-credential” connections to External web services
> Standards-based and Interoperable
Identity in SharePoint 2010 is built on WIF
> Fundamental shift in identity in SP2010
> Windows Identity Foundation (WIF)
> Framework for building claims-aware applications & STS
> Standards-based and interoperable
> Targets ASP.NET and WCF developers
> WS-Federation (Passive) – ASP.NET
> WS-Trust (Active) – WCF
> Offers unified programming model
Three Themes
[Diagram: Theme 1 “Externalizing Authentication” <Identity into SharePoint>: Client → authentication methods → SharePoint Web Application, where Auth is handled by WIF – SPSTS in front of the app logic and the SP-STS produces an IClaimsPrincipal. Theme 2 “Identity normalization” <Identity inside/out of SharePoint>: access control and the Services Application Framework (Search Services Application) consume the same IClaimsPrincipal through WIF. Theme 3 “Support existing identity infrastructure” <Identity inside SharePoint>: the Content Database and other non-claims back ends are reached with an IPrincipal]
Theme-1: Externalizing Authentication
[Diagram: the three-theme architecture with “Externalizing Authentication” highlighted: Client → authentication methods → SharePoint Web Application, where Auth is handled by WIF – SPSTS in front of the app logic and the SP-STS issues the token]
“Externalizing Authentication” – Sign-In Methods
> Sign-in methods supported in SP2010:
> Classic: Windows Identity (NT token) → SPUser
> Claims: Windows Identity (NT token) → SharePoint-STS → SPUser
> Claims: ASP.Net (FBA) – SQL, LDAP, Custom … → SharePoint-STS → SPUser
> Claims: Claims Based Identity – SAML token (SAML 1.1 + ADFS, etc.) → SharePoint-STS → SPUser
“Externalizing Authentication” – 1000 ft view
[Diagram: Fabrikam Enterprise, Farm-A, Windows claims. Frank Miller’s client, the SharePoint Web Application (Windows Authentication Module, Cookie Management) and the SharePoint-STS, with a trust relationship between the web application and the STS]
1. Attempt access
2. Redirect to STS for auth
2.1 Authenticate user
2.2 Augment claims
3. Post Token {SP-Token}
3.1 Extract Claims and construct IClaimsPrincipal
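Step 2.2, “augment claims”, is the hook where a claims-aware application adds claims it derives locally (group membership, roles) before the principal is built in step 3.1. The following is an added example of that step written against the WIF 1.0 API (Microsoft.IdentityModel); it is not SharePoint’s own code. The issuer name `SharePoint-STS`, the `Demo` namespace, the sample UPN and the role table are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Added example (not SharePoint's own code): a WIF 1.0 ClaimsAuthenticationManager that
// performs step 2.2, "augment claims", after the STS has authenticated the user.
// WIF invokes it once per incoming token; register it in web.config under
// <microsoft.identityModel><service>:
//   <claimsAuthenticationManager type="Demo.AugmentingAuthenticationManager, Demo" />
namespace Demo
{
    public class AugmentingAuthenticationManager : ClaimsAuthenticationManager
    {
        // Issuer name that the issuerNameRegistry in web.config assigns to the STS
        // certificate (assumed value). Claims from any other issuer are ignored.
        private const string TrustedStsIssuer = "SharePoint-STS";

        // Issuer recorded on the claims this manager adds, so downstream code can tell
        // locally augmented claims from claims that arrived in the token.
        private const string LocalIssuer = "LOCAL AUTHORITY";

        // Constructed sample role source; a real deployment would query AD, LDAP or a role provider.
        private static readonly IDictionary<string, string[]> RolesByUpn =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "frank.miller@fabrikam.example", new[] { "Employees", "Finance" } }
            };

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            // Never augment an unauthenticated principal: no trusted token, no added rights.
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            var identity = (IClaimsIdentity)incomingPrincipal.Identity;

            // Take the UPN only from a claim the trusted STS issued; WIF sets Claim.Issuer
            // from the issuer name registry, so a self-asserted UPN does not match here.
            Claim upnClaim = identity.Claims.FirstOrDefault(
                c => c.ClaimType == ClaimTypes.Upn && c.Issuer == TrustedStsIssuer);
            if (upnClaim == null)
            {
                return incomingPrincipal;
            }

            string[] roles;
            if (RolesByUpn.TryGetValue(upnClaim.Value, out roles))
            {
                foreach (string role in roles)
                {
                    identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
                }
            }

            // Step 3.1 then completes: the session module persists this principal in the
            // session cookie, so the augmentation runs at sign-in rather than on every request.
            return incomingPrincipal;
        }
    }
}
```

Every claim added here ends up in the session cookie, which is the “cookie size limitation” listed later under lessons learned: keep augmentation to the claims the application actually authorizes on, and derive the rest on demand.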
“Externalizing Authentication” – 50 ft view
> Scenario: Web application configured with Windows Claims
[Diagram: Browser client ↔ IIS / ASP.NET pipeline (WS-Federation Authentication Module, Session Authentication Module, WS-Federation Passive Serializer) ↔ Security Token Service; eight numbered steps, the last of which (8) issues the session cookie]
Demo: Externalizing authentication in SharePoint 2010 using WIF
Theme-2: Identity Normalization
[Diagram: the three-theme architecture with “Identity normalization” highlighted: access control in the SharePoint Web Application and the Search Services Application both consume the WIF IClaimsPrincipal]
SharePoint Services Scenarios
> Show user’s PayStub in LOB data without credentials (intranet)
> Show real-time order status from supplier inside the enterprise Portal (extranet or internet)
> Securely deploy SharePoint farm(s) for user identity delegation
> Access external services – Business Connectivity Services
Services in SharePoint 2010 – a primer
> SharePoint Services Application Framework is made claims-aware
> WIF enables services to have access to both user and service identities
[Diagram: stack in FARM-A – .NET at the base; WCF (Windows Communication Foundation) and WIF (Windows Identity Foundation) above it; the SharePoint Services Application Framework (Claims/Services, WS-Trust support) on top; hosted services: Excel Services, Search Services, Project Services, Secure Store Services, Other Services]
“Identity normalization” – Services in Single Farm – WIF Identity Delegation Feature
[Diagram: Fabrikam Enterprise, Farm-A, Web App to Service. Web Part (Search) → WS-Trust Proxy Client → SharePoint-STS (WS-Trust endpoints) → Services Application, with a Gate Keeper on the service side and a trust relationship between the STS and the service. Steps 1–6: token T1 {User} is exchanged at the STS for T2 {User, Process}, and T2 is presented to the service]
“Identity normalization” – Services in Cross-farm – WIF Identity Delegation Feature
[Diagram: Fabrikam Enterprise, Farm-A to Farm-B, Web App to Service. Same flow as the single-farm case, but the Farm-A SharePoint-STS and the Farm-B SharePoint-STS (WS-Trust endpoints) trust each other, so the Farm-B Gate Keeper accepts the token delegated from Farm-A]
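The single-farm and cross-farm slides above describe the same exchange: the front end holds the user’s token T1, asks the STS for T2 {User, Process} by presenting T1 plus its own process credential, and the service’s gate keeper checks both identities in T2. The following is an added example of that pattern using WIF 1.0’s WS-Trust “ActAs” client extensions and the `IClaimsIdentity.Actor` property; it is not the SharePoint Services Application Framework’s code. The `IOrderStatus` contract, the `OrderStatusEndpoint` configuration name and the `Demo` namespace are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;

// Added example, not the SharePoint Services Application Framework's code. It shows the
// WIF 1.0 "ActAs" delegation the slides label T1 {User} -> T2 {User, Process}: the web
// front end presents the user's token (T1) as ActAs in its WS-Trust request, the STS issues
// a token carrying both the user and the calling process (T2), and the service checks both.
// The contract, endpoint configuration name and actor name are assumptions.
namespace Demo
{
    [ServiceContract]
    public interface IOrderStatus
    {
        [OperationContract]
        string GetStatus(string orderId);
    }

    public static class DelegatingCaller
    {
        // One cached, WIF-configured factory per process: token requests to the STS are
        // expensive, which is the "Caching (ChannelFactory and tokens)" lesson in the deck.
        private static readonly ChannelFactory<IOrderStatus> Factory = CreateFactory();

        private static ChannelFactory<IOrderStatus> CreateFactory()
        {
            // "OrderStatusEndpoint" is an assumed <client><endpoint> entry that uses a
            // WS-Trust issued-token binding (e.g. ws2007FederationHttpBinding).
            var factory = new ChannelFactory<IOrderStatus>("OrderStatusEndpoint");
            factory.ConfigureChannelFactory();   // attaches WIF's issued-token client behaviour
            return factory;
        }

        public static string GetStatusAsCurrentUser(string orderId)
        {
            var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
            if (principal == null || !principal.Identity.IsAuthenticated)
                throw new UnauthorizedAccessException("no authenticated claims principal");

            // T1: the user's original token. Available only when web.config has
            // <service saveBootstrapTokens="true">; otherwise BootstrapToken is null.
            SecurityToken userToken = ((IClaimsIdentity)principal.Identity).BootstrapToken;
            if (userToken == null)
                throw new InvalidOperationException("bootstrap token missing; enable saveBootstrapTokens");

            // The RST to the STS carries T1 in <ActAs>, authenticated by the process
            // credential; the resulting T2 secures the call to the service.
            IOrderStatus channel = Factory.CreateChannelActingAs(userToken);
            try
            {
                return channel.GetStatus(orderId);
            }
            finally
            {
                var comm = (ICommunicationObject)channel;
                if (comm.State == CommunicationState.Faulted) comm.Abort(); else comm.Close();
            }
        }
    }

    // Service side ("Gate Keeper" in the diagrams): with T2, the user's claims are on the
    // identity and the delegating process appears as IClaimsIdentity.Actor. Accept the
    // delegated call only when the actor is a known front end.
    public static class GateKeeper
    {
        public static bool IsDelegatedByTrustedFrontEnd(IClaimsIdentity identity, string trustedActorName)
        {
            if (identity == null || !identity.IsAuthenticated) return false;
            IClaimsIdentity actor = identity.Actor;
            return actor != null && actor.IsAuthenticated
                && string.Equals(actor.Name, trustedActorName, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

In the cross-farm case the only change is on the STS side: the Farm-B STS must list the Farm-A STS as a trusted issuer, which is the `trust` link drawn between the two STSs in the slide; the client and gate-keeper code is unchanged.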
Demo: Identity normalization in Services using Claims
Theme-3: Non-claims aware services
[Diagram: the three-theme architecture with “Support existing identity infrastructure” highlighted: SharePoint Services Application → Content Database, where the claims-based identity carried by WIF is turned back into an IPrincipal / Windows identity for back ends that are not claims-aware]
“Non-claims-aware Services” – WIF Claims to Windows Token Service
> In reality, not all the services you interact with are going to be “claims-aware”
> SharePoint has diversified categories of services, SQL etc.
> How would you interact with a Service that requires Windows identity?
> Solution is “Claims to Windows Token Service” (C2WTS)
> UPN claim converted to Windows Token
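The C2WTS conversion described above is exposed to application code through WIF 1.0’s `S4UClient` class. The following is an added example, not SharePoint’s code, showing the UPN-claim-to-Windows-token step with the checks a caller should make before requesting a logon. It assumes the C2WTS host (`c2wtshost.exe`) is running on the machine and that the calling process’s account is in the `<allowedCallers>` list of `c2wtshost.exe.config`; the issuer name `SharePoint-STS` and the `Demo` namespace are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;

// Added example, not SharePoint's code: turning the UPN claim of the current claims
// principal into a Windows token via WIF's Claims to Windows Token Service (C2WTS), so a
// service that only understands Windows identity (e.g. SQL Server with integrated security)
// can be called as the user. Assumes c2wtshost.exe is running on the box and that this
// process's account is listed in <allowedCallers> of c2wtshost.exe.config; the issuer
// name is an assumed value.
namespace Demo
{
    public static class WindowsIdentityBridge
    {
        // Issuer name the issuerNameRegistry assigns to the STS whose UPN claims we trust.
        private const string TrustedIssuer = "SharePoint-STS";

        // Returns the UPN only if it was issued by the trusted STS; a UPN claim from any
        // other issuer must not be turned into a Windows logon.
        public static string TrustedUpn(IClaimsPrincipal principal, string trustedIssuer)
        {
            if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
                return null;
            Claim upn = ((IClaimsIdentity)principal.Identity).Claims.FirstOrDefault(
                c => c.ClaimType == ClaimTypes.Upn && c.Issuer == trustedIssuer);
            return upn == null ? null : upn.Value;
        }

        // Runs 'action' while impersonating the Windows account that matches the caller's UPN.
        public static T RunAsWindowsUser<T>(Func<T> action)
        {
            string upn = TrustedUpn(Thread.CurrentPrincipal as IClaimsPrincipal, TrustedIssuer);
            if (upn == null)
                throw new UnauthorizedAccessException("no trusted UPN claim on the current principal");

            // Kerberos S4U logon through C2WTS: no password is involved, and the service
            // hands out tokens only to the processes named in its allowedCallers list.
            WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upn);
            using (windowsIdentity.Impersonate())
            {
                return action();   // e.g. open a SqlConnection with Integrated Security=SSPI
            }
        }
    }
}
```

The token C2WTS returns is good for local resources by default; to reach a remote service such as SQL Server on another host, the C2WTS service account needs Kerberos constrained delegation (with protocol transition) to that service’s SPN, otherwise the second hop fails with an anonymous logon.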
Demo: Linking non-claims-aware services using “Claims to Windows Token Service”
Three Themes – Recap
[Diagram: the three-theme architecture once more – “Externalizing Authentication” <Identity into SharePoint> at the authentication methods and SharePoint Web Application (Auth via WIF – SPSTS, SP-STS, IClaimsPrincipal); “Identity normalization” <Identity inside/out of SharePoint> at access control and the Services Application Framework (Search Services Application); “Support existing identity infrastructure” <Identity inside SharePoint> at the Content Database (IPrincipal)]
Lessons Learned …
> Migrating to claims-based model – where to start
> It is not an “ALL or Nothing” deal
> Claims-enable in phases: authentication, authorization, services
Lessons Learned – contd.
> Performance
> Performance milestone drove changes in WIF
> Optimizations made to achieve the perf goal:
> Number of claims
> Number of service calls per page
> Number of round trips to SP-STS per service request
> Caching (ChannelFactory and tokens)
Lessons Learned – contd.
> Edge cases & assumptions
> Cookie size limitation
> Existing code had many assumptions about identity; each had to be uncovered and mapped
> Clients integration
> Consider client types to be supported
> SP 2010 had Browser, Active, Designer tool clients
> Both passive and active end points implemented on SharePoint STS
Summary
> SharePoint 2010 achieves NEW path to identity using WIF’s claims-based identity model
> Key takeaways
> Single model – claims-based identity model
> Standards based & Interoperable
> We have stepped up to the challenge
> Not only SharePoint, your applications too can benefit from WIF’s claims-based identity model. Get onboard!
Other Identity Sessions @ PDC2009
> Identity sessions
> PR11: Leveraging & Extending SharePoint Identity Features
> SVC02: Windows Identity Foundation Overview
> SVC10: Software + Services Identity Roadmap
> SVC17: Enabling SSO to Windows Azure Applications
> SVC19: REST Security Services in Windows Azure using the Access Control Service
> SVC28: System.Identity Model Accessing Directory Services
> Come visit us at the booth in the pavilion!
> Try a hands on lab
> Introduction to Windows Identity Foundation
> Using WIF to Secure Windows Azure Applications
YOUR FEEDBACK IS IMPORTANT TO US!
Please fill out session evaluation forms online at MicrosoftPDC.com
Learn More On Channel 9
> Expand your PDC experience through Channel 9
> Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses
channel9.msdn.com/learn
Built by Developers for Developers…
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.