Authentication methods SharePoint Web Application Windows integrated Membership & Role Providers Web SSO Access control Roles protected Anonymous access Windows Identity SharePoint Service Applications Content Database Trusted sub-systems Client WIFWIFWIFWIF Claims protected WIF – SPSTS Claims-awareClaims-aware SP-STS Windows Identity Services Application Framework WindowsWindows ASP.Net (FBA) Claims Based Identity SAML Web SSO

“Externalizing Authentication” “Externalizing Authentication” Authentication methods SharePoint Web Application “Identity normalization” “Identity normalization” Access control “Support existing identity infrastructure” “Support existing identity infrastructure” Search Services Application Content Database Client Services Application Framework SP-STS WIFWIFWIFWIF WIF – SPSTS IClaimsPrincipal IPrincipal

“Identity normalization” “Externalizing Authentication” Authentication methods SharePoint Web Application Access control “Support existing identity infrastructure” Search Services Application Content Database Client Services Application Framework SP-STS WIFWIFWIFWIF WIF – SPSTS IClaimsPrincipal IPrincipal “Externalizing Authentication” SharePoint Web Application SP-STS WIF – SPSTS

NT Token Windows Identity ASP.Net (FBA) SQL, LDAP, Custom … SAML Token Claims Based Identity SAML Token Claims Based Identity SPUser NT Token Windows Identity SAML1.1+ ADFS, etc.

SharePoint-STSSharePoint-STS trust SharePoint Web Application Frank Miller 1. Attempt access Fabrikam Enterprise Farm-A Windows claims 2. Redirect to STS for auth 3. Post Token {SP-Token} 2.2 Augment claims 3.1 Extract Claims and construct IClaimsPrincipal 2.1 Authenticate user

Session Authentication Module Browser Client IIS ASP.NET Cookie 2

demo

“Identity normalization” “Externalizing Authentication” Authentication methods SharePoint Web Application Access control “Support existing identity infrastructure” Search Services Application Content Database Client Services Application Framework SP-STS WIFWIFWIFWIF WIF – SPSTS IClaimsPrincipal IPrincipal “Identity normalization” SharePoint Web Application Access control Search Services Application WIFWIF

WCF (Windows Communication Foundation) WIF (Windows Identity Foundation).NET SharePoint Services Application Framework (Claims/Services) WSTrust Support

SharePoint-STSSharePoint-STS Web Part Search Services Application WS-Trust Proxy Client WS-Trust Endpoints Gate Keeper trust 5 6 Fabrikam Enterprise Farm-A Web App to Service T1 {User}T2 {User, Process} T2

FARM-B SharePoint-STSSharePoint-STS Web Part Search Services Application WS-Trust Proxy Client WS-Trust Endpoints Gate Keeper trust 5 6 Fabrikam Enterprise Farm-A to Farm-B Web App to Service SharePoint-STSSharePoint-STS WS-Trust Endpoints trust

demo

“Identity normalization” “Externalizing Authentication” Authentication methods SharePoint Web Application Access control “Support existing identity infrastructure” Search Services Application Content Database Client Services Application Framework SP-STS WIFWIFWIFWIF WIF – SPSTS IClaimsPrincipal IPrincipal “Support existing identity infrastructure” SharePoint Services Application Content Database WIFWIF IPrincipal

demo

“Externalizing Authentication” “Externalizing Authentication” Authentication methods SharePoint Web Application “Identity normalization” “Identity normalization” Access control “Support existing identity infrastructure” “Support existing identity infrastructure” Search Services Application Content Database Client Services Application Framework SP-STS WIFWIFWIFWIF WIF – SPSTS IClaimsPrincipal IPrincipal

Migrating to claims-based model – where to start It is not “ALL or Nothing” deal Claims-enable in phases: authentication, authorization, services

> Performance > Performance Milestone drove changes in WIF > Optimizations made to achieve the perf goal: > Number of claims > Number of service calls per page > Number of round trips to SP-STS per service request > Caching (ChannelFactory and tokens)

> Edge cases & assumptions > Cookie size limitation > Existing code had many assumptions about identity, each had to be uncovered and mapped > Clients integration > Consider client types to be supported > SP 2010 had Browser, Active, Designer tool clients > Both passive and active end points implemented on SharePoint STS

Built by Developers for Developers….

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.