Presentation transcript:

SESSION CODE: OSP306
Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication
Paul Schaeflein, MCT, Manager of Advanced Technologies, LaSalle Consulting Partners, Inc.
Tech Ed North America 2010
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Claims-Based Identity
- Claims-Based Authorization
- Claims Provider
- Anonymous Access
- Trusted Identity Providers

Claims-Based Identity

Claims-Based Identity primer: Introduction
- What is Identity? A set of attributes that describe a user.
- What is a Claim? A piece of information about the user, such as name, e-mail, age or group membership.

Claims-Based Identity primer: Introduction
- What is Authentication (AuthN)? The process of verifying a user's identity.
- What is Authorization (AuthZ)? Determining which sites, content and other features the user can access.

Claims-Based Identity primer: User identity is a set of claims
- Why do we say "claim" and not "attribute"?
- Both Facebook and the Dept. of State have an age attribute: Facebook can claim 29 yrs, while State claims 46 yrs.
- To make authorization decisions on age, your app has to decide which "claim" it will trust.
- Trust depends on the scenario, not on technical capability.

Claims are more than Federation
- Federation between organizations was the original driver.
- Over time, claims turned out to be useful for more than just Federation.
- Real benefit: cleanly factoring the Identity Provider out of the application is invaluable.
- SharePoint is Identity Provider neutral.
- Multi-auth web applications.

Identity Normalization (diagram)
- Windows identity: NT token
- LiveID, ADFS, others: SAML token
- ASP.NET forms-based authentication (FBA): SQL, LDAP, custom providers …
- Anonymous user
- Every authenticated source is normalized to a SAML token, which becomes the claims-based identity behind the SPUser.

Multi-auth Web Applications

DEMO: Claims-Based Identity
- Claims Viewer Web Part
- Multi-Auth web application

Claims Viewer Web Part

Claims Viewer Web Part
    // On a claims-mode web application Page.User is an IClaimsPrincipal (WIF)
    IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
    // Bind the identity's claims collection to the grid for display
    GridView1.DataSource = claimsIdentity.Claims;
    GridView1.DataBind();

Claims-Based Authorization

Claims-Based Authorization
- Available to securable objects through the People Picker.
- Access claims via the IClaimsIdentity interface; its Claims property contains all claims.
- Conditionally display information based on the presence of a claim, or based on the value of a claim.

People Picker

DEMO: Claims-Based Authorization
- Select a claim in the People Picker
- Conditional information display

Conditional Information Display

Conditional Information Display
    IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;
    // CLAIM_TYPE is the URI of the claim that gates the display
    string pmClaim = (from c in claimsIdentity.Claims
                      where c.ClaimType == CLAIM_TYPE
                      select c.Value).FirstOrDefault();
    // TryParse rather than Parse: a missing (null) or non-Boolean claim value
    // leaves authorized == false instead of throwing on the page
    bool authorized;
    bool.TryParse(pmClaim, out authorized);
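The presence and value checks from the two slides above, generalized into one helper as an added example (this is not code from the deck). It assumes the WIF 1.0 Microsoft.IdentityModel.Claims namespace that the deck's snippets use; the claim type URI stands in for the deck's CLAIM_TYPE constant and is a placeholder. It also handles the case the deck raises later: an anonymous user is not an IClaimsPrincipal and carries no claims, so the helper returns an empty claim set rather than dereferencing null, and an optional issuer filter implements the primer's point that the application chooses which issuer's claim to trust.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using Microsoft.IdentityModel.Claims;   // WIF 1.0: IClaimsPrincipal, IClaimsIdentity, Claim

// Added helper (not from the deck): reads claims off the current principal and
// answers presence / value questions without throwing on anonymous or odd input.
public static class ClaimsAuthorization
{
    // Hypothetical claim type URI standing in for the deck's CLAIM_TYPE constant.
    public const string PmClaimType = "http://schemas.example.org/claims/isProjectManager";

    // Anonymous users carry no claims at all: Page.User is then not an IClaimsPrincipal,
    // so return an empty sequence instead of null.
    public static IEnumerable<Claim> GetClaims(IPrincipal user)
    {
        IClaimsPrincipal cp = user as IClaimsPrincipal;
        if (cp == null) return Enumerable.Empty<Claim>();
        IClaimsIdentity ci = cp.Identity as IClaimsIdentity;
        return ci == null ? Enumerable.Empty<Claim>() : ci.Claims;
    }

    // Presence test: "show this if the user has the claim at all".
    public static bool HasClaim(IPrincipal user, string claimType)
    {
        return GetClaims(user).Any(c => c.ClaimType == claimType);
    }

    // Value test. issuer is optional: when supplied, only claims from that issuer count,
    // which is the "which claim do you trust?" decision from the primer. The issuer
    // string depends on the provider that issued the claim (assumption: caller knows it).
    // Missing claims and non-Boolean values yield false instead of an exception.
    public static bool IsTrue(IPrincipal user, string claimType, string issuer = null)
    {
        return GetClaims(user)
            .Where(c => c.ClaimType == claimType && (issuer == null || c.Issuer == issuer))
            .Any(c => { bool v; return bool.TryParse(c.Value, out v) && v; });
    }
}

// Usage inside a web part or page, e.g.:
//   pmPanel.Visible = ClaimsAuthorization.IsTrue(Page.User, ClaimsAuthorization.PmClaimType);
```

Because every path defaults to false, the web part fails closed: an anonymous visitor, a user whose token lacks the claim, or a claim with an unexpected value all see the same non-authorized view.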

Custom Claims Provider

Custom SharePoint Claims Provider
- Two roles: Claims Augmentation and Claims Picker.
- !! Not authentication !! (use WIF classes for AuthN)
- Usage scenarios:
  - List, Resolve and Search
  - AllUsers claim
  - Adding claims to the original token (claims augmentation)
  - Identity not from the original token (map to an internal identity)

Claims Provider: Claims Augmentation
- Enables an application to add further claims to the user's token.
- Implemented as a Claims Provider class (Microsoft.SharePoint.Administration.Claims.SPClaimProvider); FillClaimsForEntity is called by the framework.
- Registered in a Feature Event Receiver (Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver).
- MSDN article by Steve Peschka: http://msdn.microsoft.com/en-us/library/ff699494.aspx

Claims Provider: Claims Picker
- Provides listing, resolving, searching and friendly display of claims in the People Picker.
- Implemented as a Claims Provider class (Microsoft.SharePoint.Administration.Claims.SPClaimProvider); FillHierarchy, FillResolve and FillSearch are called by the framework.
- Registered in a Feature Event Receiver (Microsoft.SharePoint.Administration.Claims.SPClaimProviderFeatureReceiver).
- The claim type and values the picker offers must match those issued into the user's token!

DEMO: Custom Claims Provider
- Augment claims based on database values
- Resolve claims in the People Picker

FillClaimsForEntity() method
- Parameters: context (URI); current user (user-id claim); an empty list to receive the new claims.
- Called once per session; once the token is issued it is passed as a cookie.

CreateClaim() parameters
- claimType (String): The type of claim. Examples of claim types include first name, role and email address. The claim type provides context for the claim value, and it is usually expressed as a Uniform Resource Identifier (URI). For example, the e-mail address claim type is represented as http://schemas.microsoft.com/ws/2008/06/identity/claims/email.
- value (String): The value of the claim. For example, if the claim type is role, a value might be contributor, and if the claim type is first name, a value might be Matt.
- valueType (String): The type of value in the claim. These are all URIs that refer to a string.

ClaimValueTypes (selected)
- Base64Binary: http://www.w3.org/2001/XMLSchema#base64Binary
- Boolean: http://www.w3.org/2001/XMLSchema#boolean
- Date: http://www.w3.org/2001/XMLSchema#date
- Datetime: http://www.w3.org/2001/XMLSchema#dateTime
- DaytimeDuration: http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration
- String: http://www.w3.org/2001/XMLSchema#string
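A complete claims provider of the shape the Claims Augmentation, Claims Picker, FillClaimsForEntity and CreateClaim slides describe, written as an added example; it is not the deck's demo code and not Steve Peschka's sample. It assumes the SharePoint 2010 server object model and WIF 1.0 assemblies, the class, claim type URI and display names are hypothetical, and a constructed in-memory dictionary stands in for the database lookup the demo uses. The one picker entity builder is shared by FillHierarchy, FillResolve and FillSearch so the claim type and values offered in the People Picker are guaranteed to match what FillClaimsForEntity issues into the token; an unknown user is augmented with "false" rather than with nothing.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;               // ClaimValueTypes (WIF 1.0)
using Microsoft.SharePoint.Administration.Claims;   // SPClaimProvider, SPClaim, SPProviderHierarchyTree
using Microsoft.SharePoint.WebControls;              // PickerEntity, PeopleEditorEntityDataKeys, SPSchemaElement

// Hypothetical provider (added example): augments every authenticated user with a
// Boolean "isProjectManager" claim and exposes that claim to the People Picker.
public class ProjectManagerClaimProvider : SPClaimProvider
{
    public const string PmClaimType = "http://schemas.example.org/claims/isProjectManager"; // assumed URI
    internal const string ProviderDisplayName = "Project Manager Claims";                    // assumed name
    private static readonly string[] Values = { "true", "false" };

    // Constructed sample data standing in for the demo's database lookup:
    // key = value of the user-id claim handed to FillClaimsForEntity, value = is a PM?
    private static readonly Dictionary<string, bool> PmLookup =
        new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase)
        {
            { @"contoso\alice", true },
            { @"contoso\bob", false },
        };

    public ProjectManagerClaimProvider(string displayName) : base(displayName) { }

    public override string Name { get { return ProviderDisplayName; } }
    public override bool SupportsEntityInformation { get { return true; } } // enables augmentation
    public override bool SupportsHierarchy { get { return true; } }
    public override bool SupportsResolve { get { return true; } }
    public override bool SupportsSearch { get { return true; } }

    // Claims augmentation: called once per session; the result travels in the cookie-borne token.
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
    {
        if (entity == null || claims == null) return;
        bool isPm;
        if (!PmLookup.TryGetValue(entity.Value, out isPm)) isPm = false; // unknown user: least privilege
        claims.Add(CreateClaim(PmClaimType, isPm ? "true" : "false", ClaimValueTypes.Boolean));
    }

    protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(PmClaimType); }
    protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(ClaimValueTypes.Boolean); }
    protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.FormsRole); }

    protected override void FillSchema(SPProviderSchema schema)
    {
        schema.AddSchemaElement(new SPSchemaElement(PeopleEditorEntityDataKeys.DisplayName, "Display Name", SPSchemaElementType.Both));
    }

    // Single builder for picker entities: claim type and value here MUST equal what
    // FillClaimsForEntity issues, otherwise an ACL set through the picker never matches a token.
    private PickerEntity MakeEntity(string value)
    {
        PickerEntity pe = CreatePickerEntity();
        pe.Claim = CreateClaim(PmClaimType, value, ClaimValueTypes.Boolean);
        pe.Description = "Project manager flag = " + value;
        pe.DisplayText = "Project Manager: " + value;
        pe.EntityData[PeopleEditorEntityDataKeys.DisplayName] = pe.DisplayText;
        pe.EntityType = SPClaimEntityTypes.FormsRole;
        pe.IsResolved = true;
        return pe;
    }

    // Listing: both possible values appear under the provider's node in the picker tree.
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy)
    {
        foreach (string v in Values) hierarchy.AddEntity(MakeEntity(v));
    }

    // Resolve typed text ("true" / "false") to exactly one entity; anything else resolves to nothing.
    protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved)
    {
        foreach (string v in Values)
            if (string.Equals(v, resolveInput, StringComparison.OrdinalIgnoreCase)) resolved.Add(MakeEntity(v));
    }

    // Resolve an existing claim (e.g. one already stored in an ACL) back to a picker entity.
    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
    {
        if (resolveInput != null && resolveInput.ClaimType == PmClaimType)
            FillResolve(context, entityTypes, resolveInput.Value, resolved);
    }

    // Search: prefix match on the value, so "t" offers "true".
    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, string hierarchyNodeID, int maxCount, SPProviderHierarchyTree searchTree)
    {
        foreach (string v in Values)
            if (v.StartsWith(searchPattern ?? string.Empty, StringComparison.OrdinalIgnoreCase)) searchTree.AddEntity(MakeEntity(v));
    }
}

// Feature event receiver that registers the provider farm-wide on activation.
public class ProjectManagerClaimProviderFeatureReceiver : SPClaimProviderFeatureReceiver
{
    public override string ClaimProviderAssembly { get { return typeof(ProjectManagerClaimProvider).Assembly.FullName; } }
    public override string ClaimProviderDescription { get { return "Augments a Boolean project-manager claim"; } }
    public override string ClaimProviderDisplayName { get { return ProjectManagerClaimProvider.ProviderDisplayName; } }
    public override string ClaimProviderType { get { return typeof(ProjectManagerClaimProvider).FullName; } }
}
```

Note what the provider does not do: it never authenticates anybody. It only decorates a token the security token service has already issued, which is the "!! Not authentication !!" point from the slide; the trust decision about who may present the user-id claim belongs to the identity provider, not here.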

Anonymous Access

Claims in the Anonymous scenario: No Claims!

Establishing Anonymous Access: Web Application
- UI: Manage web application > Authentication Providers > Edit Zone > Allow Anonymous
- PowerShell:
    $wa = Get-SPWebApplication http://cba.sharepointdevelopers.net
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Custom
    $i = $wa.IisSettings[$zone]
    $i.AllowAnonymous = $true
    $wa.Update()
    $wa.ProvisionGlobally()

Establishing Anonymous Access: Site (SPWeb)
- UI: Site Actions > Site Permissions > Anonymous Access
- Options: Nothing [AnonymousState.Disabled]; Entire site [AnonymousState.On]; Lists and Libraries [AnonymousState.Enabled]
- PowerShell:
    $w = Get-SPWeb http://www.sharepointdevelopers.net/blogs
    $w.AnonymousState = [Microsoft.SharePoint.SPWeb+AnonymousState]::On
    $w.Update()

Establishing Anonymous Access: List
- UI: List Settings > Anonymous Access
- PowerShell:
    $w = Get-SPWeb http://www.sharepointdevelopers.net/blogs/paul
    $l = $w.Lists["Comments"]
    # {BasePermissions as appropriate} is the deck's placeholder for the permission mask to grant
    $l.AnonymousPermMask64 = {BasePermissions as appropriate}
    $l.Update()   # persist the change

Trusted Identity Providers

Trusted Identity Providers
- Active Directory Federation Services (ADFS), previously known as "Geneva Server"
- Windows Live ID
- OpenID

ADFS 2.0
- Separate download: http://www.microsoft.com/adfs2
- Identity across organizational boundaries
- Attribute stores: Active Directory, others

Windows Live ID
- Extract the X.509 certificate from the metadata
- Set the Return URL to _trust/default.aspx
- Watch TechNet for further information

OpenID
- Must be "translated" into SAML claims (WIF code)
- Pioneering work:
  - Matias Woloski: http://blogs.southworks.net/mwoloski/2009/07/14/openid-ws-fed-protocol-transition-sts/
  - Travis Nielsen: https://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=34
- Many OpenID providers: http://openid.net/get-an-openid/

DEMO: Trusted Identity Providers

Track Resources
- For more information: http://sharepoint.microsoft.com
- SharePoint Developer Center: http://msdn.microsoft.com/sharepoint
- SharePoint Tech Center: http://technet.microsoft.com/sharepoint
- Official SharePoint Team Blog: http://blogs.msdn.com/sharepoint

Related Content
- Breakout Sessions: see the Conference Guide for the full list of OSP Track sessions
- Interactive Sessions: the OSP Track has 10 Interactive Sessions, OSP01-INT to OSP10-INT
- Hands-on Labs: OSP01-HOL to OSP20-HOL
- Product Demo Stations: Yellow Section, OSP; Office 2010, SharePoint 2010, Project Server 2010 and Visio 2010 have kiosks and demos

Resources
- Sessions On-Demand & Community: www.microsoft.com/teched
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
