SharePoint Authentication and Authorization
Liam Cleary
About Me
• Solution Architect @ Protiviti
• 7 Time SharePoint MVP
• Cover Everything-SharePoint
  • Development
  • Branding
  • Design
  • Architecture
  • Security
• Dream about SharePoint, well sometimes
Agenda
• Authentication
• Authorization
• Claims
• Remember
Authentication versus Authorization
• Authentication = Verification of Claim (I am Liam)
• Authorization = Verification of Permission (Liam has access to)
• Authentication Precedes Authorization
  • Correct ID shown to Bank Teller
  • You are asking to be Authenticated on the Account
  • Once accepted you become Authorized on the Account
• Exception to the rule
  • Anonymous Access can leave comments on a Blog site
  • Anonymous users are already Authorized but not Authenticated
• Too often we focus on Authentication and not Authorization
• Authentication can and does get broken
Claims Terminology
• Identity
  • Info about a Person or Object (AD, Google, Windows Live, Facebook etc.)
• Claim
  • Attributes of the Identity (User ID, Email, Age etc.)
• Token
  • Binary Representation of Identity
  • Set of Claims and the Signature
• Relying Party (aka RP)
  • Uses the user's Token
• Secure Token Service (STS)
  • Issuer of Tokens for Users
Claims Augmentation
• What is Claims Augmentation?
  • Ability to intercept the incoming claims and transform them to different outgoing claims
  • Add additional attributes before output is generated
• Why would you need to Augment returned claims?
  • E.g. Retrieve user attributes from a line of business application
• Types of Augmentation
  • Federation Gateway: Claim Mapping Transformation (Incoming > Outgoing)
  • SharePoint: Claim Mapping Transformation (Incoming > Outgoing)
  • Custom: Append Claim Attributes
Terminologies - Claims
Encoded claim legend:
• i = Identity Claim
• # = User Login Name
• . = Type of String
• w = Windows
• s = STS Issued
• c = Non Identity Claim
• ! = Identity Provider
• + = Group SID
• 5 = E-mail
• % = Farm ID
• f = Forms Authentication
• 0 = reserved for future
Examples:
• Windows Account - i:0#.w|domain\user
• Identity Claim – such as AUTHORITY\Authenticated Users - c:0!.s|windows
• Windows Security Group - c:0+.w|s-1-5-23-….
• Federated Authentication User - i:05.t|azure|[email protected]
• Federation Authentication Role - c:0-.t|azure|facebook
• Local Farm Claim – SharePoint/Local Farm - c:0%.c|system|7874330e-f23b…
• Forms Authentication - i:0#.f|membershipprovider|user
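As an added example (not part of the slides), the following Python decodes encoded claim strings of the form shown above, performs the custom "append claim attributes" augmentation from the Claims Augmentation slide using a constructed line-of-business lookup, and then authorizes by the string comparison the closing slides describe. The contoso\alice account, the group SID, the lob provider name and the LOB role table are all constructed; the 't' and 'c' issuer letters and the '-' role claim type are inferred from the slide's examples rather than its legend.

```python
# Added example, not from the slides: decode SharePoint encoded claim strings,
# augment them from a (constructed) line-of-business lookup, and authorize by string comparison.
import re
from dataclasses import dataclass
from typing import Optional

# Legend from the "Terminologies - Claims" slide. Issuer types 't' and 'c' and the
# '-' role claim type are assumed from the slide's examples, not its legend.
CLAIM_TYPE = {"#": "user login name", "!": "identity provider", "+": "group SID",
              "5": "e-mail", "%": "farm ID", "-": "role"}
ISSUER = {"w": "Windows", "s": "STS issued", "f": "Forms Authentication",
          "t": "trusted provider", "c": "claim provider"}
_ENCODED = re.compile(r"^(?P<kind>[ic]):0(?P<ctype>[^.])\.(?P<issuer>[a-z])\|(?P<rest>.+)$")

@dataclass(frozen=True)
class Claim:
    kind: str                # "i" = identity claim, "c" = non-identity claim
    claim_type: str          # decoded, e.g. "group SID"
    issuer: str              # decoded, e.g. "Windows"
    provider: Optional[str]  # provider name for forms/trusted/claim-provider issuers
    value: str

def parse_claim(encoded: str) -> Claim:
    """Decode e.g. 'i:0#.w|domain\\user' or 'c:0-.t|azure|facebook'."""
    m = _ENCODED.match(encoded)
    if not m or m["ctype"] not in CLAIM_TYPE or m["issuer"] not in ISSUER:
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    parts = m["rest"].split("|", 1)  # Windows/STS claims carry no provider segment
    provider, value = (parts[0], parts[1]) if len(parts) == 2 else (None, parts[0])
    return Claim(m["kind"], CLAIM_TYPE[m["ctype"]], ISSUER[m["issuer"]], provider, value)

LOB_ROLES = {"i:0#.w|contoso\\alice": ["finance-approver"]}  # constructed LOB lookup

def augment(token: list[str]) -> list[str]:
    """Custom augmentation: append role claims looked up for the identity claim."""
    extra = []
    for encoded in token:
        if parse_claim(encoded).kind == "i":
            extra += [f"c:0-.c|lob|{r}" for r in LOB_ROLES.get(encoded.casefold(), [])]
    return token + extra

def is_authorized(token: list[str], acl: list[str]) -> bool:
    """Authorization as the deck frames it: case-insensitive comparison of encoded strings."""
    granted = {entry.casefold() for entry in acl if parse_claim(entry)}  # rejects malformed
    return any(encoded.casefold() in granted for encoded in token)

# Constructed sample token (Windows user + security group) and ACL granting a LOB role.
SAMPLE_TOKEN = ["i:0#.w|contoso\\alice", "c:0+.w|s-1-5-21-1-2-3-513", "c:0!.s|windows"]
SAMPLE_ACL = ["c:0-.c|lob|finance-approver", "i:05.t|azure|bob@example.com"]
```

Before augmentation the sample token matches nothing in the ACL; after the LOB role claim is appended, the plain string comparison grants access, which is exactly why augmentation logic deserves the same scrutiny as the authentication path.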
Authentication – Active Directory
• Classic Authorization approach
• Active Directory Users and Groups
  • Users added to AD groups, AD groups added to SharePoint Site Groups
• Single Sign On
  • Only if all Web Applications are set to the same Authentication
  • Sites added to the intranet zone with “auto” login enabled
• People Picker works as a “name resolution” control
• Specific Configuration – None Needed
• Custom Components in SharePoint – Not needed
Authentication Process – Active Directory
1. Request Web Page (Anonymous)
2. Request Windows Credentials
3. Send Windows Credentials
4. Validate Windows Credentials
5. Obtain Group Membership List
6. Create Security Token and Authorization Token
7. Send Web Page to Client with Authorization Token
Authentication – Membership and Role Providers
• Classic .NET approach
• Support Local Authentication Store
• Support Remote Authentication Stores
  • Web Services, Remote Database Calls
• No inherent Single Sign On - Custom Code to achieve this, namely cookie based
• Full support for base .NET Providers
  • Membership Provider – User Accounts and Authentication
  • Role Provider – Equivalent of Groups, Authorization Element
• Specific Configuration needed - Central Administration, Secure Token Service, Web Application
• Custom Components in SharePoint will be needed - Welcome Control, Login Control etc.
Authentication Process – Membership & Role Provider
1. Request Web Page (Anonymous)
2. Send SharePoint Forms Based Login Page
3. Send Credentials
4. Validate Credentials with User Store
5. Obtain Role Membership List
6. Create Security Token and Authorization Token / Cookie
7. Send Web Page to Client with Authorization Token / Cookie
Authentication – Custom Identity Provider
• No need for Membership and Role Provider
• Single Sign On built in – Web Application needs to be set to require Authentication
• Centrally managed entry point for all Authentication
• Support Local Authentication Store
• Support Remote Authentication Stores
  • Web Services, Remote Database Calls
• Utilizes Windows Identity Foundation - Can use .NET 3.5 / 4.0
• PowerShell configuration to implement
• Requires Trusted Certificate for Communication
• Custom Components in SharePoint will be needed - Welcome Control, Login Control etc.
• SAML 1.1 and WS-F RP Protocols
Authentication – Active Directory Federated Services
• Active Directory Connected
• Single Sign On built in – Web Application needs to be set to require Authentication
• Centrally managed entry point for all Authentication
• Support for Single or Multiple Active Directory Forests – using Trusts
• Support for other attribute stores via injected compiled code
• Pre- and post-authentication Authorization can be performed on claim attributes
• PowerShell configuration to implement
• Requires Trusted Certificate for Communication
• SAML 1.1 and WS-F RP Protocols
• Multi-Factor Authentication Support
Authentication Process – Identity Provider
1. Request Web Page (Anonymous)
2. Obtain Login Page from Provider
3. Request SAML Security Token
4. Validate Credentials with Identity Provider
5. Send a SAML Security Token
6. Create SharePoint Security Token and Send Page
Authentication Process – Active Directory Federated Services
1. Request Web Page (Anonymous)
2. Obtain Login Page from Provider
3. Request SAML Security Token
4. Validate Credentials with Federated Services
5. Optional: Present Multi-Factor Authentication
6. Optional: Validate Multi-Factor Authentication
7. Send a SAML Security Token
8. Create SharePoint Security Token and Send Page
Authentication – Azure Access Control Service
• Microsoft ADFS-type Cloud Based Service
• Central Point for offloading Authentication
• Supports SAML 1.1 / SAML 2.0
• Support
  • Facebook
  • Google
  • Windows Live ID
  • Yahoo
  • Custom IDP
  • Integrate with Custom Identity Provider
• OpenID-type authentication
• Support for 3rd Party Integration
• Claim Mapping through configuration
• Support for Multi-Factor Authentication
Authentication - Azure Access Control Service
1. Request Web Page (Anonymous)
2. Send to Azure ACS Provider Picker
3. Redirect to Provider Login Page
4. Send Credentials to Provider
5. User Authenticated, Redirect to Azure ACS
6. Request SAML Security Token Wrapped from Provider
7. Validate Credentials with STS
8. Send a SAML Security Token
9. Create SharePoint Security Token and Send Page
Authentication - Azure Access Control Service + MFA
1. Request Web Page (Anonymous)
2. Send to Azure ACS Provider Picker
3. Redirect to Provider Login Page
4. Send Credentials to Provider
5. User Authenticated, Redirect to Azure ACS
6. Request SAML Security Token Wrapped from Provider
7. Validate Credentials with STS
8. Request MFA Validation
9. Validate MFA Details
10. Send a SAML Security Token
11. Create SharePoint Security Token and Send Page
Remember
• SharePoint does this after Authentication
  • Is the user a member of the group?
  • Is the user account added to the ACL of the object?
  • Does the user have the required attribute?
• SharePoint only understands what it is told
  • e.g. Just because a user logged in does not mean they are authorized
• Best Approach to Authorize
  • Active Directory Groups
  • Roles from Membership and Role Provider
  • Claims associated to the user
• Don’t just add users to groups or individually – can cause issues
• SharePoint defaults to “DENY”
• Federation is the future
  • Standards based
  • More companies require scalable authentication
  • No-one wants to store accounts and passwords anymore
  • Microsoft's future for authentication
• Best Approach for Authorization
  • String Comparison instead of actual Authentication
  • Secure token based
  • Attributes become claims for the authorization
  • No longer adding permissions by user authentication
• The Cloud “Requires” Federation
  • Utilize Multi-Factor Authentication
• How
  • Staff, Vendors, Partners, Anonymous Users or the kid next door
  • Take time to select an Authentication Mechanism
  • Do you need Single Sign On?
  • Single or Multiple Factor Authentication?
• Who
  • Internal, External, Partners and Public
• When
  • Business Hours
  • Restrictive Login Hours
• Why
  • Public View
  • Collaboration – Extranet or Intranet
  • Partner Access
  • Paid Subscription to Content
Contact & Thank You
Blog http://blog.helloitsliam.com
Twitter @helloitsliam
Email [email protected]