
SharePoint, ADFS and Claims Auth

Date post: 16-Jul-2015
Upload: kashif-imran
Page 1: SharePoint, ADFS and Claims Auth

SharePoint, ADFS, ACS and Claims-based Authentication

Kashif Imran
[email protected]

Page 2: SharePoint, ADFS and Claims Auth

Agenda

• Claims-based Identity Model’s Key Concepts

• Install and Configure ADFS for SharePoint 2013

• Configure Azure ACS and SharePoint for SSO using Google etc.

• Use ADFS as IP-STS via Azure ACS as RP-STS

• Claims Viewer

• Custom Claims Provider

Page 3: SharePoint, ADFS and Claims Auth

Claims with SharePoint is sort of like a bird, it’s pretty cute until it shits on your head.

Page 4: SharePoint, ADFS and Claims Auth

I drink beer to celebrate major events, the fall of communism, or the fact that our SharePoint and ADFS are still working.

Page 5: SharePoint, ADFS and Claims Auth

Identity in Traditional Applications

• Application

• Identity Management
  • Account creation
  • Password creation
  • Password change
  • Password reset
  • …

• 2 Step Verification

• Attribute Store

Page 6: SharePoint, ADFS and Claims Auth

Identity in Real World

• Buy wine/beer example

• Externalize authentication to DMV

• Driving license
  • Document that is relatively hard to produce/forge
  • Has additional information about the user (age)

• International Travel
  • Passport
  • Boarding Card

Page 7: SharePoint, ADFS and Claims Auth

Claims-based Identity Model

• Way for applications to acquire the identity information about internal or external users

• Abstracts individual elements of identity and access control into “Notion of claims” and “Concept of issuer or an authority”

• Applications do not need to authenticate users, store user accounts or passwords, etc.

• Original intention behind the claims-based identity model was to enable federation between organizations, but claims are not just for federation

• Claim
  • Statement that one subject (user or organization) makes about itself or another subject. E.g.: name, group, ethnicity etc.
  • Why call these “claims” and not “attributes”? “Delivery method” => the user delivers claims to the application instead of the application looking them up in some directory
  • Asserts that the user has logged in
  • Claims are NOT what a user can or cannot do, they are what a user is or is not
  • Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer
  • Issuer, Type, Value => (Google, Email, [email protected])

• Security Token
  • Serialized set of claims that is digitally signed by the issuing authority (the signature proves the claims are unchanged and come from whoever signed the token)
  • Successful outcome of sign in
  • SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)

Page 8: SharePoint, ADFS and Claims Auth

Relying Party and STS

• Relying Party (RP)
  • An application that relies on claims
  • Claims-aware application
  • Claims-based application

• Security Token Service (STS)
  • Service component that builds, signs and issues security tokens
  • Implicit authN (no token, no party)
  • WS-Trust, WS-Fed, SAML
  • IP-STS (Identity Provider STS):
    • Authenticates a client and creates a SAML token
    • Façade for one or more identity stores
  • RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS):
    • Transforms tokens issued by another STS
    • Does not authenticate the client but relies on the SAML token provided by an IP-STS that it trusts
    • Façade for one boundary

• Federation Patterns
  • Passive (Web Clients): WS-Trust emulated using GET, POST, redirects and cookies
  • Active: Code to acquire tokens explicitly

Page 9: SharePoint, ADFS and Claims Auth

Windows Identity Foundation (WIF)

• .NET library encapsulating the inner workings of WS-Federation and WS-Trust

• System.IdentityModel

• System.IdentityModel.Services

• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType, IsAuthenticated, Name)

• IClaimsPrincipal = IPrincipal + Identities

• IClaimsIdentity = IIdentity + Claims

• Claims: Property bag (Properties), Subject, Issuer, OriginalIssuer, ClaimType, Value, ValueType

Page 10: SharePoint, ADFS and Claims Auth

ADFS V2: Active Directory Federation Services

• STS

• WS-* (WS-Trust, WS-SecurityPolicy, WS-Federation, SAML)

• Claims provider

• Federation service for identity across domains

• Consumers: SharePoint, Azure ACS, WCF, Others

• Federation Metadata:
  • How does the RP know a token is from the STS
  • What claims are issued
  • Where is the STS

• SAML Claims

Page 11: SharePoint, ADFS and Claims Auth

SharePoint Authentication

• Windows (Classic) Authentication: NTLM, Kerberos (multi-hop)

• Claims-Based AuthN

• Claims or Classic, in the end you are an SPUser

• C2WTS (Claims to Windows Token Service)

Page 12: SharePoint, ADFS and Claims Auth

SharePoint with ADFS

Page 13: SharePoint, ADFS and Claims Auth

Federating Identity

Page 14: SharePoint, ADFS and Claims Auth

The Hub Model

Page 15: SharePoint, ADFS and Claims Auth

Windows vs. Trusted Identity Authentication

Page 16: SharePoint, ADFS and Claims Auth

Page 17: SharePoint, ADFS and Claims Auth

Claims Viewer

using Microsoft.IdentityModel.Claims;   // WIF namespace that defines IClaimsPrincipal / IClaimsIdentity

// Page.User is only an IClaimsPrincipal when the page runs under claims authentication,
// so both casts are checked before the claim set is bound to the GridView (gv)
IClaimsPrincipal principal = Page.User as IClaimsPrincipal;
IClaimsIdentity identity = principal != null ? principal.Identity as IClaimsIdentity : null;
if (identity != null)
{
    gv.DataSource = identity.Claims;   // Issuer, OriginalIssuer, ClaimType, Value, ValueType per row
    gv.DataBind();
}

Page 18: SharePoint, ADFS and Claims Auth

SharePoint Claims

Page 19: SharePoint, ADFS and Claims Auth

SharePoint Claims Encoding

• <IdentityClaim> indicates the type of claim and is the following:

• “i” for an identity claim

• “c” for any other claim

• <ClaimType> indicates the format for the claim value and is the following:

• “#” for a user logon name

• “.” for an anonymous user

• “5” for an email address

• “!” for an identity provider

• “+” for a Group security identifier (SID)

• “-” for a role

• “%” for a farm ID

• “?” for a name identifier

• “\” for a private personal identifier (PPID)

• <ClaimValueType> indicates the type of formatting for the claim value and is the following:

• “.” for a string

• “+” for an RFC 822-formatted name

• <AuthMode> indicates the type of authentication used to obtain the identity claim and is the following:

• “w” for Windows claims (no original issuer)

• “s” for the local SharePoint security token service (STS) (no original issuer)

• “t” for a trusted issuer

• “m” for a membership issuer

• “r” for a role provider issuer

• “f” for forms-based authentication

• “c” for a claim provider

• <OriginalIssuer> indicates the original issuer of the claim.

• <ClaimValue> indicates the value of the claim in the <ClaimType> format.

• http://msdn.microsoft.com/en-us/library/gg481769.aspx#claimswalkthrough5_AppendixA

Page 20: SharePoint, ADFS and Claims Auth

SharePoint Claims Encoding

Type of claim: Windows User
Encoded claim: i:0#.w|contoso\kashif
Claim encoding breakdown:
  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “w” for Windows claims
  • “contoso\kashif” for the identity claim value (the Windows account name)

Type of claim: Windows Authenticated Users group
Encoded claim: c:0!.s|windows
Claim encoding breakdown:
  • “c” for a claim other than identity
  • “!” for an identity provider
  • “.” for a string
  • “s” for the local SharePoint STS
  • “windows” for the Windows Authenticated Users group

Type of claim: SAML authentication (Trusted User)
Encoded claim: i:05.t|adfs|[email protected]
Claim encoding breakdown:
  • “i” for an identity claim
  • “5” for the email address format for the claim value
  • “.” for a string
  • “t” for a trusted issuer
  • “adfs” identifies the original issuer of the identity claim
  • “[email protected]” for the identity claim value

Type of claim: Forms-based authentication
Encoded claim: i:0#.f|mymembershipprovider|kashif
Claim encoding breakdown:
  • “i” for an identity claim
  • “#” for the user logon name format for the claim value
  • “.” for a string
  • “f” for forms-based authentication
  • “mymembershipprovider” identifies the original issuer of the identity claim
  • “kashif” for the user logon name
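As an added example that is not part of the slides or of SharePoint itself, the following Python decoder applies the encoding tables above (layout <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer>|<ClaimValue>, with the issuer segment absent for the “w” and “s” modes) to constructed copies of the four encoded claims on this slide, and rejects strings that do not fit the layout, which is what you want before trusting a claim string pulled from a log or a people-picker entry.

```python
# Added example: decode SharePoint encoded claim strings using the tables in this deck.
# Layout: <IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer>|<ClaimValue>
# "0" is a reserved character; the "w" and "s" auth modes carry no <OriginalIssuer> segment.
from dataclasses import dataclass
from typing import Optional

IDENTITY_CLAIM = {"i": "identity claim", "c": "other claim"}
CLAIM_TYPE = {"#": "user logon name", ".": "anonymous user", "5": "email address",
              "!": "identity provider", "+": "group SID", "-": "role", "%": "farm ID",
              "?": "name identifier", "\\": "private personal identifier (PPID)"}
CLAIM_VALUE_TYPE = {".": "string", "+": "RFC 822-formatted name"}
AUTH_MODE = {"w": "Windows", "s": "local SharePoint STS", "t": "trusted issuer",
             "m": "membership issuer", "r": "role provider issuer",
             "f": "forms-based authentication", "c": "claim provider"}
NO_ORIGINAL_ISSUER = {"w", "s"}

@dataclass
class DecodedClaim:
    identity_claim: str
    claim_type: str
    value_type: str
    auth_mode: str
    original_issuer: Optional[str]   # None for Windows / local STS claims
    value: str

def decode_claim(encoded: str) -> DecodedClaim:
    """Split an encoded claim into its parts; raise ValueError if it breaks the layout."""
    head, sep, rest = encoded.partition("|")
    # head is six characters: kind, ":", "0", claim type, value type, auth mode
    if not sep or len(head) != 6 or head[1:3] != ":0":
        raise ValueError(f"malformed claim header: {encoded!r}")
    kind, ctype, vtype, mode = head[0], head[3], head[4], head[5]
    for code, table, label in ((kind, IDENTITY_CLAIM, "identity flag"), (ctype, CLAIM_TYPE, "claim type"),
                               (vtype, CLAIM_VALUE_TYPE, "value type"), (mode, AUTH_MODE, "auth mode")):
        if code not in table:
            raise ValueError(f"unknown {label} {code!r} in {encoded!r}")
    if mode in NO_ORIGINAL_ISSUER:
        issuer, value = None, rest                 # e.g. i:0#.w|contoso\kashif
    else:
        issuer, _, value = rest.partition("|")     # e.g. i:05.t|adfs|user@example.com
    if not value or issuer == "":
        raise ValueError(f"missing original issuer or claim value in {encoded!r}")
    return DecodedClaim(IDENTITY_CLAIM[kind], CLAIM_TYPE[ctype], CLAIM_VALUE_TYPE[vtype],
                        AUTH_MODE[mode], issuer, value)

if __name__ == "__main__":
    # Constructed samples mirroring the slide's rows (the e-mail address is a placeholder)
    for s in ("i:0#.w|contoso\\kashif", "c:0!.s|windows", "i:05.t|adfs|kashif@example.com",
              "i:0#.f|mymembershipprovider|kashif"):
        print(s, "->", decode_claim(s))
```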

Page 21: SharePoint, ADFS and Claims Auth

Claims Resolution and Augmentation

• Inherit a class from Microsoft.SharePoint.Administration.Claims.SPClaimsProvider

• Register using
  • Microsoft.SharePoint.Administration.Claims.SPClaimsProviderFeatureReceiver

• Implement
  • FillClaimsForEntity
  • FillClaimTypes
  • FillClaimValueTypes

• Register Claims Provider
  $trusted = Get-SPTrustedIdentityTokenIssuer -Identity "Kashif"
  $trusted.ClaimProviderName = "KashifClaimsStore"
  $trusted.Update()

Page 22: SharePoint, ADFS and Claims Auth

ADFS Deployment

• Single server configuration

• ADFS 2.0 server farm and load-balancer

• ADFS 2.0 Proxy server(s) for offsite users

Page 23: SharePoint, ADFS and Claims Auth

Install and Configure ADFS V2

• Install Windows Server 2008 R2

• Create service account (ssp_adfs) and set SPN

• Install ADFS server, don't configure it

• Generate SSL Certificates
  • Token Signing, Token Encryption, Site

• Disable AutoCertificate Rollover
  Add-PsSnapin Microsoft.Adfs.Powershell
  Set-ADFSProperties -AutoCertificateRollover $false

• Set Primary Certificates

• Give ADFS account permission on private key of certificates

• Add Trusted Relying Party

• Map Claims
  • Email-Addresses => Email Address
  • Token-Groups - Unqualified Names => Role
  • SAM-Account-Name => Windows account name
  • User-Principal-Name => UPN

• Test Sign On using IdpInitiatedSignOn

Page 24: SharePoint, ADFS and Claims Auth

SharePoint Configuration for ADFS

• Export and copy public key of token signing certificate from ADFS

• Generate SSL and AAM for SharePoint web app

# Public key of the ADFS token-signing certificate, exported to a .cer file (no private key)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs\ss.cer")

# Map the incoming ADFS claim types to SharePoint claim types, keeping the same claim type URIs
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "WindowsAccountName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming

# Realm (relying party identifier) and passive sign-in URL of the ADFS relying party trust
$realm = "urn:sharepoint:www"
$signinurl = "https://sso.kashif.com/adfs/ls/"

# Create the trusted identity token issuer; WindowsAccountName ($map3) is the identifier claim
$ap = New-SPTrustedIdentityTokenIssuer -Name "Kashif" -Description "Kashif STS" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3,$map4 -SignInUrl $signinurl -IdentifierClaim $map3.InputClaimType

# SharePoint must also trust the signing certificate as a root authority
New-SPTrustedRootAuthority -Name "Kashif Trusted Root Authority" -Certificate $cert

$ap.Update()

• My Sites or other web apps

# Register an additional realm for a second web application (for example My Sites)
$uri = New-Object System.Uri("https://my.kashif.com")
$ap.ProviderRealms.Add($uri, "urn:sharepoint:my")
$ap.Update()   # persist the new realm mapping

Page 25: SharePoint, ADFS and Claims Auth

SharePoint Trusted Identity Token Issuer

A SharePoint trusted identity token issuer binds together the details of the identity provider and the mapping rules to associate them with a specific SharePoint web application.

Page 26: SharePoint, ADFS and Claims Auth

Update SharePoint for new ADFS Certificates

# Public key of the new (rolled-over) ADFS token-signing certificate
$cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfsupdate\sss1.cer")

# Replace the certificate on both the trusted root authority and the token issuer
Set-SPTrustedRootAuthority -Identity "Kashif Trusted Root Authority P1" -Certificate $cert1
Set-SPTrustedIdentityTokenIssuer -Identity "Kashif" -ImportTrustCertificate $cert1

Page 27: SharePoint, ADFS and Claims Auth

Azure Access Control Service

• Built using claims-based identity principles
• Supports WIF and ADFS V2

Page 28: SharePoint, ADFS and Claims Auth

Questions

???
