Posted: 06-Dec-2014 | Category: Technology | Uploaded by: thomas-vochten | Views: 1,795 | Downloads: 5
SharePoint 2013 with ADFS
SharePoint Saturday Stockholm (#SPSSTHLM02), Thomas Vochten, January 25th, 2014
Thanks to our sponsors! (Platinum, Gold, Silver, Bronze, SharePint and Raffle sponsors)
About me: Thomas Vochten
• SharePoint Server MVP
• Involuntary DBA
• Platform Architect
• @thomasvochten
• http://thomasvochten.com
Agenda
• Claims based identity
• ADFS and SharePoint together
• Setting up & Configuring
• Challenges
Claims based identity in a nutshell
Claims based identity
• Not a new concept
• Claims provide abstraction
• Authentication versus Authorization
• Authorization decisions are based on claims
Some claims examples
• Your name
• Your email address
• Your social security number
• Your memberships
• Your user account
• Your booking reference
• Your employment status
• …
Authorization based on tokens
• Classic Mode Authentication: Windows Token (default in SharePoint 2007, 2010)
• Claims Mode Authentication: Claims Token (default in SharePoint 2013)
(Diagram) A claims token is a set of claims, for example Name, Age and Location, plus the issuer's signature over the token.
Vocabulary
• Claim
• Security Token
• Identity Provider (IdP)
• Relying Party (RP)
• Security Token Service (STS)
• Realm
Claims in SharePoint 2013
3 types of claim providers
• Windows
• Trusted Provider (SAML)
• Forms Based Authn
Multiple Authn providers possible in the same zone
Classic mode only via PowerShell
ADFS
Identity Normalization
(Diagram) A Windows identity (NT token), an ASP.Net FBA identity (LDAP, custom, …), a SAML token (LiveID, ADFS, others) and the anonymous user are all normalized into a SAML token, i.e. a claims based identity, which becomes the SPUser.
Windows Claims
• NTLM or Kerberos are not dead
• Single sign on in a domain environment
• Used by SharePoint internally
• Claims to Windows Token Service (c2wts)
Trusted Provider Claims
• SharePoint as relying party
• Needs an external identity provider such as ADFS
• Based on open standards (SAML, WS-*)
• Login experience: browser redirects
(Diagram © John Craddock) The Identity Provider (IP) is Active Directory fronted by a Security Token Service (STS); together they are the issuer (IP-STS).
• The user / subject / principal requests a token for AppX; the STS issues a security token (ST) crafted for AppX and signed by the issuer.
• The relying party (RP) / resource provider, AppX, trusts the security token from the issuer.
• The security token contains claims about the user, for example: Name, Group membership, User Principal Name (UPN), Email address of user, Email address of manager, Phone number, Other attribute values.
• The security token "authenticates" the user to the application.
Use Cases
• Cloud (what did you think)
• Extranets
• Mergers & acquisitions
• Cross-forest authentication
• Replacement for domain trusts
• Advanced identity scenarios
Federation
Single Sign On
(Diagram © John Craddock) Your claims-aware app trusts your AD FS 2.0 STS, and your STS trusts your partner's AD FS 2.0 STS & IP (backed by the partner's Active Directory).
• The partner user browses the app; not authenticated, so the app redirects to your STS.
• Home realm discovery: your STS redirects the user to the partner STS, requesting an ST for the partner user.
• The partner STS authenticates the user and returns an ST for consumption by your STS.
• Your STS processes that token and returns a new ST for the app.
• The browser sends the token to the app, which returns cookies and the page.
ADFS and SharePoint
Solutions on the market
• CA SiteMinder
• Shibolleth
• Oracle Access Manager
• IBM Tivoli Access Manager
• Active Directory Federation Services
• Custom solutions using WIF
• …
Why ADFS?
• Natural candidate for SharePoint
• Supports the necessary standards
• Integration with Active Directory
• Often used as a go-between
• Powerful capabilities
• Free with Windows Server license
ADFS Wiki on TechNet: http://thvo.me/adfswiki
Simplified Logon Process with ADFS
• User connects to SharePoint
• SharePoint redirects to ADFS
• ADFS checks username and password
• ADFS creates a token, signs it and puts it in a cookie
• ADFS redirects to SharePoint with that cookie
• SharePoint STS validates & extracts the claims from the token
• SharePoint STS creates another cookie for internal use (FedAuth)
• SharePoint performs authorization
• User connects to the web application
Installing ADFS
• Windows Server 2008 R2: ADFS 2.0 (free download)
• Windows Server 2012: ADFS 2.1 (included)
• Windows Server 2012 R2: ADFS 3.0 (included)
Configuration is stored in
• Windows Internal Database (standalone)
• SQL Server (farm)
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Configuring ADFS
• Run the configuration wizard
• Create or join a federation service
• Specify a federation service name (URL)
Prepare ADFS for SharePoint
• Export the token signing certificate
• Configure SharePoint as a relying party
• Configure claim rules
Demo: Configure ADFS for SharePoint
Prepare SharePoint for ADFS
• Import the token signing certificate
• Create a Trusted Security Token Issuer pointing to ADFS
• Configure the web application to use ADFS
• Configure administrator permissions
Create the Trusted Security Token Issuer
# Import the ADFS token signing certificate to SharePoint
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\TokenSigning.cer")
New-SPTrustedRootAuthority -Name "token signing certificate" -Certificate $cert
# Define the claims type mappings
$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
# Create the trusted identity provider
$realm = "urn:sharepoint:spssthlm"
$signInURL = "https://adfs01.lab.thvo.net/adfs/ls"
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS Trusted Identity Provider" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaimMap,$roleClaimMap,$upnClaimMap `
    -SignInUrl $signInURL `
    -IdentifierClaim $upnClaimMap.InputClaimType
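The logon process above says the SharePoint STS "validates & extracts the claims from the token", and the PowerShell just shown fixes what that validation is measured against: the realm, the claim type mappings and the identifier claim. The following is an added example, not code from the deck or from SharePoint, that models that step in Python: it checks the token's signature, issuer, audience and validity window against a constructed issuer configuration, keeps only claims that have a mapping, and requires exactly one identifier claim. The issuer identifier, the timestamps and the HMAC that stands in for the X.509 token-signing check are all constructed for the example.

```python
"""Model of the SharePoint STS validating an ADFS token (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Incoming claim type URIs, as used in the New-SPClaimTypeMapping calls
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed stand-in for the trusted identity token issuer configuration
ISSUER_CONFIG = {
    "issuer": "adfs01.lab.thvo.net",                        # assumed issuer id
    "realm": "urn:sharepoint:spssthlm",                     # -Realm
    "claim_mappings": {EMAIL: "EmailAddress", ROLE: "Role", UPN: "UPN"},
    "identifier_claim": UPN,                                # -IdentifierClaim
    "signing_key": b"stand-in-for-the-token-signing-certificate",
}


def sign(body, key):
    """Stand-in for the issuer's signature: HMAC-SHA256 over canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_token(claims, issued_at, config, audience=None, lifetime_minutes=60):
    """Build a signed token the way the issuer would (produces sample input)."""
    body = {
        "issuer": config["issuer"],
        "audience": audience or config["realm"],
        "not_before": issued_at.isoformat(),
        "not_on_or_after": (issued_at + timedelta(minutes=lifetime_minutes)).isoformat(),
        "claims": [list(c) for c in claims],
    }
    return {"body": body, "signature": sign(body, config["signing_key"])}


def validate_token(token, config, now):
    """Return (accepted, detail, mapped_claims).

    detail is the identifier claim value on success, or the rejection reason.
    mapped_claims holds only claims that have a mapping, keyed by display name.
    """
    body = token["body"]
    expected = sign(body, config["signing_key"])
    if not hmac.compare_digest(expected, token["signature"]):
        return False, "signature does not verify against the trusted certificate", None
    if body["issuer"] != config["issuer"]:
        return False, "issuer is not the trusted issuer", None
    if body["audience"] != config["realm"]:
        return False, "audience does not match the configured realm", None
    not_before = datetime.fromisoformat(body["not_before"])
    not_on_or_after = datetime.fromisoformat(body["not_on_or_after"])
    if not (not_before <= now < not_on_or_after):
        return False, "token outside its validity window", None

    mapped = {}
    for claim_type, value in body["claims"]:
        display_name = config["claim_mappings"].get(claim_type)
        if display_name is None:
            continue  # no mapping defined: the claim is dropped
        mapped.setdefault(display_name, []).append(value)

    identifiers = [v for t, v in body["claims"] if t == config["identifier_claim"]]
    if len(identifiers) != 1:
        return False, "identifier claim missing or not unique", None
    return True, identifiers[0], mapped


if __name__ == "__main__":
    now = datetime(2014, 1, 25, 10, 0, tzinfo=timezone.utc)
    sample = make_token([(UPN, "thomas@lab.thvo.net"), (ROLE, "Speakers")], now, ISSUER_CONFIG)
    print(validate_token(sample, ISSUER_CONFIG, now + timedelta(minutes=5)))
```

The audience check is the reason the realm in New-SPTrustedIdentityTokenIssuer must match the relying party identifier configured in ADFS, and the identifier check is why the choice of identity claim (UPN here) matters: a token without exactly one such claim cannot be turned into an SPUser.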
Modify your web application
• Change the web application authentication provider
Demo: Configure SharePoint for ADFS
Challenges
People Picker
• Most significant functional difference
• Will resolve any claim by default
Custom Claims Provider
• Implement a custom claims provider
Custom Claims Provider
• Augmentation
• Name resolution
• Deployed as a full-trust solution file
• Implements methods for searching in directories
• Dependent on the "Microsoft SharePoint Foundation Web Application"
• https://ldapcp.codeplex.com/
Custom Claims Provider
Claims Encoding
i:0#.t|federation|thomasvochten
i:0#.w|lab\thomasvochten
© Wictor Wilén
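The two encoded claims on the slide differ only in the issuer character (t for a trusted provider, w for Windows) and in whether an issuer name precedes the value. The following is an added example, not from the deck or from Wictor Wilén's write-up, that decodes and encodes that format in Python for the subset of codes needed here: the kind (i/c), the claim type characters # (Windows logon name), e (UPN), 5 (email) and - (role), the string value type (.), and the issuer types w, t and f. Any other code is rejected rather than guessed. The provider name "ADFS" and the UPN in the helper are constructed.

```python
"""Decoder/encoder for SharePoint's encoded claim strings (added example)."""

# Subset of the encoding tables; unknown codes raise ValueError
CLAIM_KIND = {"i": "identity claim", "c": "other claim"}
CLAIM_TYPE = {
    "#": "Windows logon name",
    "e": "user principal name",
    "5": "email address",
    "-": "role",
}
VALUE_TYPE = {".": "string"}
ISSUER_TYPE = {
    "w": "Windows",
    "t": "trusted identity provider",
    "f": "forms-based membership provider",
}


def decode_claim(encoded):
    """Split e.g. 'i:0#.t|federation|thomasvochten' into its parts."""
    head, sep, rest = encoded.partition("|")
    if sep != "|" or len(head) != 6 or head[1] != ":" or head[2] != "0":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    kind, claim_type, value_type, issuer_type = head[0], head[3], head[4], head[5]
    for code, table, what in (
        (kind, CLAIM_KIND, "kind"),
        (claim_type, CLAIM_TYPE, "claim type"),
        (value_type, VALUE_TYPE, "value type"),
        (issuer_type, ISSUER_TYPE, "issuer type"),
    ):
        if code not in table:
            raise ValueError(f"unknown {what} code {code!r} in {encoded!r}")
    if issuer_type == "w":
        issuer_name, value = None, rest  # Windows claims carry no issuer name
    else:
        issuer_name, sep, value = rest.partition("|")
        if sep != "|":
            raise ValueError(f"missing issuer name in {encoded!r}")
    return {
        "kind": CLAIM_KIND[kind],
        "claim_type": CLAIM_TYPE[claim_type],
        "value_type": VALUE_TYPE[value_type],
        "issuer_type": ISSUER_TYPE[issuer_type],
        "issuer_name": issuer_name,
        "value": value,
    }


def encode_claim(kind, claim_type, issuer_type, value, issuer_name=None, value_type="."):
    """Inverse of decode_claim; validates codes by round-tripping through it."""
    head = f"{kind}:0{claim_type}{value_type}{issuer_type}"
    if issuer_type == "w":
        encoded = f"{head}|{value}"
    else:
        if not issuer_name:
            raise ValueError("non-Windows claims need an issuer name")
        encoded = f"{head}|{issuer_name}|{value}"
    decode_claim(encoded)  # raises on an unknown code
    return encoded


def trusted_upn_login(provider_name, upn):
    """Identity claim for a trusted provider whose identifier claim is the UPN.

    This is the form to use when granting permissions to such a user.
    """
    return encode_claim("i", "e", "t", upn, issuer_name=provider_name)


def is_encoded_claim(text):
    """True when text parses as an encoded claim with known codes."""
    try:
        decode_claim(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_claim("i:0#.t|federation|thomasvochten"))
    print(trusted_upn_login("ADFS", "thomas@lab.thvo.net"))  # constructed values
```

Because the People Picker resolves any claim by default, the encoded form is what ends up in permissions; the decoder makes it visible which issuer and which claim type a given entry actually refers to, which is the first thing to check when a user "has" permissions but is not recognized after logon.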
Multiple web applications
• Tying multiple web applications to the same Security Token Issuer
• By default, only one realm is configured
• Make sure you create a relying party in ADFS too
$ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
$uri = new-object System.Uri("https://spssthlm-mysites.lab.thvo.net/_trust/")
$ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlm-mysites")
$ap.Update()
Host Named Site Collections
Treated like a web application in ADFS: create a relying party for every HNSC!
$ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
$uri = new-object System.Uri("https://www.spssthlm.se/_trust/")
$ap.ProviderRealms.Add($uri, "urn:sharepoint:spssthlmpublic")
$ap.Update()
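The ProviderRealms calls for the second web application and for the host named site collection both add a URL-to-realm entry to the one token issuer. The following is an added example, not from the deck or from SharePoint, that models in Python how the realm sent to ADFS is chosen per request from such a table, and which relying party identifiers ADFS must therefore know. The table mirrors the two Add calls above; matching on the scheme and host of the /_trust/ URL is this example's assumption, and the request URLs are constructed.

```python
"""Realm selection per web application / HNSC (added example)."""
from urllib.parse import urlsplit

DEFAULT_REALM = "urn:sharepoint:spssthlm"  # -Realm of the token issuer

# Mirrors $ap.ProviderRealms.Add(...) on the slides: /_trust/ URL -> realm
PROVIDER_REALMS = {
    "https://spssthlm-mysites.lab.thvo.net/_trust/": "urn:sharepoint:spssthlm-mysites",
    "https://www.spssthlm.se/_trust/": "urn:sharepoint:spssthlmpublic",
}


def _origin(url):
    """Scheme and host(:port) of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def realm_for_request(request_url, provider_realms=PROVIDER_REALMS, default_realm=DEFAULT_REALM):
    """Realm to send to ADFS for a request: the entry whose /_trust/ URL shares
    the request's origin, otherwise the issuer's default realm."""
    origin = _origin(request_url)
    for trust_url, realm in provider_realms.items():
        if _origin(trust_url) == origin:
            return realm
    return default_realm


def required_relying_parties(provider_realms=PROVIDER_REALMS, default_realm=DEFAULT_REALM):
    """Every realm SharePoint may send needs a relying party trust in ADFS."""
    return sorted({default_realm, *provider_realms.values()})


def missing_relying_parties(adfs_identifiers, provider_realms=PROVIDER_REALMS,
                            default_realm=DEFAULT_REALM):
    """Realms SharePoint will send for which ADFS has no relying party identifier."""
    known = set(adfs_identifiers)
    return [r for r in required_relying_parties(provider_realms, default_realm) if r not in known]


if __name__ == "__main__":
    print(realm_for_request("https://www.spssthlm.se/sites/news/default.aspx"))
    # Constructed list of identifiers configured in ADFS
    print(missing_relying_parties(["urn:sharepoint:spssthlm", "urn:sharepoint:spssthlm-mysites"]))
```

A request to a host that has no ProviderRealms entry falls back to the default realm, which is why a new HNSC works only if both an entry here and a matching relying party in ADFS exist; missing_relying_parties is the check to run after adding either.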
Cross web application authentication
• The FedAuth cookie contains only a single domain
• Cross-webapp requests are not authenticated automatically
• You have to logon to both webapps first
• OOB solution for user profile pictures:
$wa = Get-SPWebApplication https://spssthlm.lab.thvo.net
$wa.CrossDomainPhotosEnabled = $true
$wa.Update()
Search
• Search needs Windows Authentication to crawl
• Configure multiple authentication methods (beware) or
• Set up multiple zones
Cookies
• Session cookies vs persistent cookies
• Don't forget the Office client
• When do sessions expire? Get-SPSecurityTokenServiceConfig
Certificates
• Import the signing certificate root into SharePoint too if needed
• Import the SharePoint Root Authority certificate into the trusted issuers on the SharePoint box
SharePoint Hosted Apps
• SharePoint apps will not work for the scenario where SharePoint is using SAML authentication and the application itself is also hosted in SharePoint. However, it WILL work if the SharePoint site is using SAML authentication and the application is hosted in Azure or provider-hosted.
User Profile Service
• Specify the ADFS server when configuring the import connection
• No matching between logged on user & user in profile service
• Check the "Claim User Identifier" in user profile properties
Publishing to the internet
• Federation service URL must be identical on the intranet / internet
• Use Split DNS to achieve this goal
• Publish ADFS directly or via an ADFS Proxy
• UAG 2010 can be an ADFS proxy too
Federation
• A chain of trusted/trusting identity providers
• Configure relying parties
• Configure claims provider trusts
• You probably want to play around with custom claim rules here
Other tips
• Choice of the unique identity claim is very important
• Home realm discovery
• Always use SSL, it doesn't work without it
• Most backend systems don't understand SAML claims
Useful tools
• ULSViewer
• Fiddler
Demo: Common issues and their solutions
Key Takeaways
• Know the basics of claims based AuthN
• Be aware:
  - custom claims providers
  - multiple web apps or HNSC
  - cookies
  - user profile service
• ADFS does not only mean Active Directory
• Not only for partner to partner federation scenarios
Q & A
#spssthlm #spssthlm02
@thomasvochten
...and visit our sponsors who made this day possible!
Thank you!
Please rate this session...