SharePoint Authentication and Authorization

Presentation transcript:

SharePoint Authentication and Authorization
Liam Cleary, Solution Architect | SharePoint MVP

About Me
  Solution Architect @ SusQtech (Winchester, VA)
  SharePoint MVP since 2007
  Working with SharePoint since 2002
  Worked on all kinds of projects: Internet, Intranet, Extranet, anything SharePoint really
  Involved in architecture, deployment, customization and development of SharePoint

Agenda
  Security in General
  Security with SharePoint
  Authentication
  Authorization
  Authentication vs. Authorization
  Claims
  Authentication / Authorization Options Available
    Membership & Role Providers
    Identity Provider
    Cloud Based Services
  Art of Authorization
  Things to Remember

Security in General
Dictionary definition:
  Freedom from danger, risk, etc.; safety.
  Freedom from care, anxiety, or doubt; well-founded confidence.
  Something that secures or makes safe; protection; defense.
  Freedom from financial cares or from want: "The insurance policy gave the family security."
  Precautions taken to guard against crime, attack, sabotage, espionage.

Security with SharePoint Isn't this an oxymoron? Just kidding!!

Security with SharePoint
How does security come into play with SharePoint?
  The same questions as for security in general: how, who, when and often why
  Content-specific security
  Role-based as well as individual security
  Collaboration security: cross-team, cross-organizational, cross-company
  Specific permission sets for types of access and functionality

Authentication – What is it?
Dictionary definition:
  To establish as genuine.
  To establish the authorship or origin of conclusively or unquestionably, chiefly by the techniques of scholarship: to authenticate a painting.
  To make authoritative or valid.

Authentication – Types
  Windows: NTLM, Kerberos, Basic, Anonymous, Digest
  Forms-based authentication: Lightweight Directory Access Protocol (LDAP), Microsoft SQL Server, ASP.NET Membership and Role Providers
  SAML token-based authentication: Active Directory Federation Services, 3rd-party identity provider

Authorization – What is it?
Dictionary definition:
  The act of authorizing.
  Permission or power granted by an authority; sanction.
  To give authority or official power to.
  To give authority for; formally sanction (an act or proceeding).
  To establish by authority or usage.

Authentication vs. Authorization
  Misunderstood terminology, by users, IT and developers alike
  Authentication = verification of a claim ("I am Liam")
  Authorization = verification of a permission ("Liam has access to ...")
  Authentication precedes authorization
    Correct ID shown to the bank teller: you are asking to be authenticated on the account
    Once accepted, you become authorized on the account
  Exception to the rule: anonymous access
    Anonymous users can leave comments on a blog site
    Anonymous users are already authorized but not authenticated
  Too often we focus on authentication and not on authorization
    We expect our users, clients etc. to just inherently know what they are to do
  We often forget that authentication can be broken, but authorization is slightly more complicated

Authentication – Claims SharePoint 2010 Introduced Claims Authentication

Authentication – Claims
Why introduce claims authentication?
  Wide support, standards based: WS-Federation 1.1, WS-Trust 1.4, SAML Token 1.1
  AuthN, Single Sign-On, Federation
  Already many providers: Live, Google, Facebook etc.
  Microsoft's standard approach
  Fed up with custom coding everything, every time
  Gets round (some) Office integration problems
  Easy to configure with little effort (multiple web.config changes, web application changes, and then of course the actual configuration of your identity provider)

Authentication – Claim Terminology
  Identity: information about a person or object (AD, Google, Windows Live, Facebook etc.)
  Claim: attributes of the identity (user ID, email, age etc.)
  Token: binary representation of the identity; a set of claims and the signature over them
  Relying Party (aka RP): the application that uses the token
  Security Token Service (STS): issuer of tokens for users

Authentication – Sign-In Process
Participants: Identity Provider Security Token Service (aka IP-STS), SharePoint 2010 (aka RP)
  1. Resource requested
  2. AuthN request / redirect
  3. AuthN request
  4. Security token
  5. Security token request
  6. Service token
  7. Resource request with service token
  8. Resource sent

Sign-In Process with Identity Provider DEMO

Authentication – Membership & Role Providers
  Classic .NET approach
  Supports a local authentication store
  Supports remote authentication stores: web services, remote database calls
  No inherent Single Sign-On: custom code needed to achieve this, namely cookie based
  Full support for the base .NET providers
    Membership Provider – user accounts and authentication
    Role Provider – equivalent of groups, the authorization element
  Specific configuration needed for each web application: Central Administration, Secure Token Service, the web application itself
  Extensive web.config entries needed
  Custom components in SharePoint will be needed: Welcome control, Login control etc.

Authentication – Custom Identity Provider
  No need for a Membership and Role Provider (can still be used – NOTE: Membership User approach)
  Single Sign-On built in – the web application needs to be set to require authentication, not anonymous
  Centrally managed, and the entry point for all authentication
  Supports a local authentication store
  Supports remote authentication stores: web services, remote database calls
  Utilizes Windows Identity Foundation; can use .NET 3.5 / 4.0
  PowerShell configuration to implement
  Requires a trusted certificate for communication
  Custom components in SharePoint will be needed: Welcome control, Login control etc.

Authentication – Azure Access Control Service (ACS)
  Microsoft cloud-based service of the ADFS type
  Central point for offloading authentication
  Supports SAML 1.1 / SAML 2.0
  Supports Facebook, Google, Windows Live ID, Yahoo and custom IdPs
  Integrates with a custom identity provider (OpenID-type authentication)
  Support for 3rd-party integration
  Claim mapping through configuration

Create Identity Provider DEMO

Authentication – Identity Provider
  Deploy into a separate web site, e.g. https://sts.domain.com
  Use SSL for all communication
  Ensure SharePoint 2010 trusts the certificate being used by the provider
  Methods to override: Authenticate User, GetClaimTypeForRole, GetOutputClaimsIdentity
  Create a User class – methods to get values from the backend into claims
  Create a Claim Types class
  Create custom login methods and validation
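The sign-in sequence, the claim terminology (identity, claims, token = claims plus signature, relying party, STS) and the override points on the slide above, worked through in Python as an added example. This is not the presentation's code and not the WIF or SharePoint API: `authenticate_user` and `get_output_claims` only play the part of the "Authenticate User" and GetOutputClaimsIdentity overrides, the token is a JSON claim set with an HMAC signature rather than a SAML token signed with an X.509 certificate, and the user store, the SharePoint realm URL and both keys are constructed values (only https://sts.domain.com comes from the slide).

```python
import base64
import hashlib
import hmac
import json

# Standard claim type URIs as they appear in WS-Federation / SAML tokens.
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed values: the STS host from the slides, a made-up SharePoint realm, and shared
# secrets standing in for the certificate trust a real deployment configures.
IDP_ISSUER = "https://sts.domain.com"
SP_REALM = "https://sharepoint.example.test"
IDP_KEY = b"constructed-idp-signing-secret"
SP_KEY = b"constructed-sharepoint-session-secret"

# Constructed backend store standing in for AD, SQL or a web service call
# (a real store holds password hashes, never plaintext).
USER_STORE = {"liam": {"password": "Pa55w0rd!", "email": "liam@example.test",
                       "roles": ["Architects", "Readers"]}}

class TokenError(Exception):
    """Raised when a token cannot be issued or fails validation."""

def sign_token(payload, key):
    # Token = canonical set of claims + signature over it (HMAC here, X.509 in WIF).
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token, key, audience, now):
    # Signature first, then audience and lifetime; nothing in the body is trusted before that.
    b64_body, b64_sig = token.split(".")
    body, sig = base64.urlsafe_b64decode(b64_body), base64.urlsafe_b64decode(b64_sig)
    if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest()):
        raise TokenError("signature check failed")
    payload = json.loads(body)
    if payload.get("aud") != audience:
        raise TokenError("token was issued for a different relying party")
    if now >= payload.get("exp", 0):
        raise TokenError("token expired")
    return payload

# --- IP-STS side ---
def authenticate_user(store, username, password):
    # The "Authenticate User" override: check the credentials against the backend store.
    user = store.get(username)
    return user is not None and hmac.compare_digest(user["password"].encode(), password.encode())

def get_output_claims(store, username):
    # The GetOutputClaimsIdentity override: backend attributes become the token's claims.
    user = store[username]
    return [[CLAIM_NAME, username], [CLAIM_EMAIL, user["email"]]] + [[CLAIM_ROLE, r] for r in user["roles"]]

def issue_security_token(store, username, password, issuer, signing_key, relying_party, now, lifetime=300):
    if not authenticate_user(store, username, password):
        raise TokenError("authentication failed")
    return sign_token({"iss": issuer, "aud": relying_party, "exp": now + lifetime,
                       "claims": get_output_claims(store, username)}, signing_key)

# --- SharePoint (relying party) side ---
def exchange_for_service_token(security_token, trusted_issuer_key, realm, session_key, now, lifetime=3600):
    # SharePoint's own STS validates the IP-STS token and issues its service token.
    payload = verify_token(security_token, trusted_issuer_key, realm, now)
    return sign_token({"iss": realm, "aud": realm, "exp": now + lifetime, "claims": payload["claims"]}, session_key)

def claims_from_service_token(service_token, session_key, realm, now):
    # The claim set SharePoint authorizes the resource request against, as claim type -> values.
    claims = {}
    for ctype, value in verify_token(service_token, session_key, realm, now)["claims"]:
        claims.setdefault(ctype, []).append(value)
    return claims

def sign_in_demo(now=1_700_000_000.0):
    # Happy path first, then the rejections a relying party must produce.
    security_token = issue_security_token(USER_STORE, "liam", "Pa55w0rd!", IDP_ISSUER, IDP_KEY, SP_REALM, now)
    service_token = exchange_for_service_token(security_token, IDP_KEY, SP_REALM, SP_KEY, now)
    claims = claims_from_service_token(service_token, SP_KEY, SP_REALM, now)
    attempts = {
        "bad password": lambda: issue_security_token(USER_STORE, "liam", "nope", IDP_ISSUER, IDP_KEY, SP_REALM, now),
        "wrong audience": lambda: exchange_for_service_token(issue_security_token(
            USER_STORE, "liam", "Pa55w0rd!", IDP_ISSUER, IDP_KEY, "https://elsewhere.example.test", now),
            IDP_KEY, SP_REALM, SP_KEY, now),
        "expired": lambda: exchange_for_service_token(security_token, IDP_KEY, SP_REALM, SP_KEY, now + 301),
        "untrusted issuer": lambda: exchange_for_service_token(issue_security_token(
            USER_STORE, "liam", "Pa55w0rd!", "https://other-sts.example.test", b"other-key", SP_REALM, now),
            IDP_KEY, SP_REALM, SP_KEY, now),
    }
    rejected = {}
    for label, attempt in attempts.items():
        try:
            attempt()
        except TokenError as err:
            rejected[label] = str(err)
    return claims, rejected
```

`sign_in_demo()` returns the claim set SharePoint would authorize against, plus four rejections: a wrong password at the IP-STS, a token issued for another relying party, an expired token, and a token from an STS whose key SharePoint does not trust. That last case is what the certificate trust on the slide buys you in a real farm: a token signed by anyone else fails the signature check before any claim in it is read.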

Authorization
  SharePoint does this after authentication
    Is the user a member of a group?
    Is the user account added to the ACL of the object?
    Does the user have the required attribute?
  SharePoint only understands what it is told, e.g. just because a user has logged in does not mean they are authorized
  Best approach to authorize: Active Directory groups, roles from the Membership and Role Provider, claims associated with the user
  Don't just add users to groups or individually – it can cause issues
  SharePoint default is DENY

SharePoint Authorization (flow)
  Anonymous web application / site collection
  -> Secured site / site collection / content
  -> Authentication
  -> Content repository: Is the user in a site group? -> Content
  -> Content repository: Does the user have the claim attribute? -> Content

Expect the Unexpected

Security – Real World
  Expect the unexpected: people will find a way to circumvent your security
  Give users minimal permission: starting with less is good; add functionality through permissions as needed
  Be prepared to secure at all levels: web application, site collection, site, list or library, item
  Use roles from the provider: Active Directory groups, Membership and Role Provider roles, claims
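The authorization rules from the Authorization slide and the real-world slide above, as an added example in Python (not the presentation's code, and a simplification of SharePoint's real permission model): default deny, grants to AD groups, provider roles and claims rather than to individual users, and securing at every level from web application down to item, where an inheriting object is governed by the nearest ancestor with unique permissions. The hierarchy, principal names and identities are constructed.

```python
from dataclasses import dataclass, field

# Claim type URI as it appears in WS-Federation / SAML tokens.
CLAIM_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

@dataclass
class SecurableObject:
    """One level of the hierarchy: web application, site collection, site, list/library, item."""
    name: str
    parent: "SecurableObject" = None
    inherits: bool = True                     # an inheriting object has no ACL of its own
    acl: dict = field(default_factory=dict)   # principal -> set of permissions

    def grant(self, principal, *permissions):
        self.inherits = False                 # granting unique permissions breaks inheritance
        self.acl.setdefault(principal, set()).update(permissions)

def effective_acl(obj):
    # Walk up until the nearest object with unique permissions; its ACL is the only one that counts.
    while obj.inherits and obj.parent is not None:
        obj = obj.parent
    return obj.acl

def principals_for(identity):
    # Map an authenticated identity to the principals an ACL can name. Groups, provider roles
    # and claims are the recommended grantees; "user:" exists but is the one to avoid granting to.
    principals = {"user:" + identity["user"]}
    principals.update("group:" + g for g in identity.get("groups", []))
    principals.update("role:" + r for r in identity.get("roles", []))
    principals.update("claim:%s=%s" % (t, v) for t, v in identity.get("claims", []))
    return principals

def is_authorized(identity, obj, permission):
    # Default DENY: nothing is allowed unless an effective ACL entry matches one of the principals.
    if identity is None:                      # anonymous: no principals, so nothing can match
        return False
    acl = effective_acl(obj)
    return any(permission in acl.get(p, ()) for p in principals_for(identity))

def authorization_demo():
    """Constructed hierarchy and identities; returns the outcome of each check."""
    web_app = SecurableObject("Extranet web application")
    site_collection = SecurableObject("Partners site collection", parent=web_app)
    site = SecurableObject("ProjectX site", parent=site_collection)     # inherits from the site collection
    library = SecurableObject("Contracts library", parent=site)
    item = SecurableObject("NDA.docx", parent=library)                  # inherits from the library

    site_collection.grant("group:DOMAIN\\PartnerUsers", "Read")          # AD group
    site_collection.grant("role:Editors", "Read", "Contribute")          # provider role
    library.grant("claim:%s=Legal" % CLAIM_ROLE, "Read")                 # claim; unique permissions on the library

    alice = {"user": "alice", "groups": ["DOMAIN\\PartnerUsers"]}
    bob = {"user": "bob", "roles": ["Editors"], "claims": [(CLAIM_ROLE, "Legal")]}
    anonymous = None

    return {
        "alice reads site": is_authorized(alice, site, "Read"),
        "alice contributes to site": is_authorized(alice, site, "Contribute"),
        "alice reads NDA": is_authorized(alice, item, "Read"),
        "bob contributes to site": is_authorized(bob, site, "Contribute"),
        "bob reads NDA": is_authorized(bob, item, "Read"),
        "anonymous reads site": is_authorized(anonymous, site, "Read"),
    }
```

The library is where "secure at all levels" shows up: once it has unique permissions, the site collection's grants to the partner group no longer reach the NDA item, so only an identity carrying the Legal role claim can read it. Everything that is not explicitly granted, including a freshly created web application with an empty ACL, is denied.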

Thank You
  Personal email: liamcleary@msn.com
  Work: http://www.susqtech.com
  Twitter: @helloitsliam
  Blog: www.helloitsliam.com