SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.

Presentation transcript:

Agenda
- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities

Authentication and Identity
- Authentication creates an identity for a security principal
- Identities are stored in a user accounts repository
- Authentication is performed using credentials
- Authentication produces some form of badge
Authorization and Access Control
- A subsystem is used to define security policy
- Privileged users configure ACLs on objects
- The subsystem enforces policy at run time

SharePoint relies on external components
- Windows Authentication via Windows Server and IIS
- FBA via ASP.NET and an authentication provider
- Web SSO via Active Directory Federation Services (ADFS)
SharePoint creates a profile for the external identity
- Tracked per site collection in the User Profile List
- Seen by developers as the SPUser object

WSS V2 has issues with the AppPool Identity
WSS V3 introduced SHAREPOINT\system
- Hides the IIS Application Pool Identity from users
- Runs as God within the WSS authorization system
- Removes the need to treat the Application Pool Identity as a site user

It's important to understand the difference between the two identities that code in the web application's worker process is authorized with:
- SharePoint content (pages, lists and documents) is authorized using the SharePoint identity
- Resources outside SharePoint (the AdventureWorks database on SQL Server, an XML file on the local file system) are authorized using the Windows identity

Code typically runs under the identity of the user
- Authorization works as expected in SharePoint
Sometimes code must do things the current user cannot do
- Custom code elevates privilege
- Advantage: elevated code can do anything
- Disadvantage: elevated code can do anything

Accessing sites with the WSS object model is tricky
- Must create a new SPSite object after elevating
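How the "new SPSite after elevating" rule plays out in server-side code, as an added illustration that is not from the deck. It assumes the SharePoint 2010 server object model, a request context (SPContext.Current), and a caller-supplied list title:

```csharp
using System;
using Microsoft.SharePoint;

// Added example (not from the presentation). Both methods read a list's item
// count; only the second one actually benefits from elevation.
public static class ElevationSample
{
    // PITFALL: SPContext.Current.Site/Web were opened under the caller's
    // identity before the delegate ran. SharePoint keeps authorizing against
    // the caller's SPUser, so a user without rights on the list still gets
    // access denied, and the elevation gained nothing.
    public static int CountItemsStillAsCaller(string listTitle)
    {
        int count = -1;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            SPWeb web = SPContext.Current.Web;        // bound to the caller
            count = web.Lists[listTitle].ItemCount;   // authorized as the caller
        });
        return count;
    }

    // CORRECT: capture only the IDs outside, then open a fresh SPSite inside
    // the delegate. That SPSite is bound to SHAREPOINT\system (the application
    // pool identity), so the read is authorized by the farm, not the caller.
    public static int CountItemsAsSystem(string listTitle)
    {
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        int count = -1;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteId))      // new object, elevated
            using (SPWeb web = site.OpenWeb(webId))
            {
                // Keep the elevated block to the single privileged operation;
                // everything in here runs as SHAREPOINT\system.
                count = web.Lists[listTitle].ItemCount;
            }
        });
        return count;
    }
}
```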

Each site collection is a hierarchy
- Each object may have its own ACL
- An object without an ACL relies on its parent
- The top-level site is the top-level object in the hierarchy

SPUser represents an external security principal
SPGroup is an internal SharePoint group
[Diagram: a Role Assignment links a principal (SP User or SP Group, with users belonging to many groups) to a Resource and to a Role Definition; a Role Definition bundles Rights; the relationships are 1:N]

Agenda
- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities

SharePoint 2010 radically changes authentication
- WSS moves to a claims-based security model
- SharePoint 12 style is now considered legacy mode
Why?
- It decouples WSS from the authentication provider
  - Supports multiple authentication providers for one URL
  - Identity can be passed without Kerberos delegation
- It enables federation between organizations
  - ACLs configured with DLs, Audiences and Orgs
  - The PeoplePicker control understands claims

- Identity: security principal used to configure security policy
- Claim: attribute of an identity (login name, AD group, etc.)
- Issuer: trusted party that creates claims
- Security Token: serialized set of claims, digitally signed by the issuing authority (Windows security token or SAML)
- Issuing Authority: issues security tokens, knowing which claims the target application wants
- Security Token Service (STS): builds, signs and issues security tokens
- Relying Party: application that makes authorization decisions based on claims

- Active Client: smart client application
- Passive Client: browser

Two important scenarios
- Incoming claims
- Outgoing claims
How do incoming claims work?
- Identity token is created by the external identity STS
- SharePoint STS creates a claims-based identity
- SharePoint STS is based on a Claims Provider
- Incoming claim identity is mapped to an SPUser
- Authorization of the SPUser works just like it does in SharePoint 2007

What identity is used for code on the WFE?
- By default, code has a claims-based identity
- Legacy mode can be used for a Windows identity
What are the scenarios?
- WFE code calls to application services
- WFE code calls to external LOB systems
- WFE code calls to external SharePoint farms

Agenda
- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities

Agenda
- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities

[Diagram: same authorization model as before; a Role Assignment links a principal (SP User or SP Group) to a Resource and to a Role Definition, which bundles Rights]
Principals that can be assigned: Windows User, FBA User, Live ID, Contoso User (federated user), AD Security Group, DL, Audiences, Org, App claims, Roles, Claims

Same as in SharePoint 2007
- Write code that creates groups
- Write code that assigns permissions
New to SharePoint 2010
- Create a custom claims provider
- Create an identity transformation service with Geneva Server
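The "creates groups / assigns permissions" development path, as an added example that is not the deck's own code. It assumes a SharePoint 2010 web application in claims mode, the server object model, an SPWeb already opened with sufficient rights, and a constructed Windows account name such as CONTOSO\jdoe:

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;

// Added example (not from the presentation). Maps a Windows login to the
// claims-encoded form SharePoint 2010 stores for an SPUser, then wires up
// SPGroup -> Role Assignment -> Role Definition on a list with its own ACL.
public static class PermissionSample
{
    // In claims mode the SPUser login is a claim encoding such as
    // "i:0#.w|contoso\jdoe", not the raw "CONTOSO\jdoe".
    public static string EncodeWindowsLogin(string samAccountName)
    {
        SPClaimProviderManager mgr = SPClaimProviderManager.Local;
        SPClaim claim = mgr.ConvertIdentifierToClaim(
            samAccountName, SPIdentifierTypes.WindowsSamAccountName);
        return mgr.EncodeClaim(claim);
    }

    public static void GrantGroupOnList(SPWeb web, string listTitle,
                                        string groupName, string windowsLogin)
    {
        // Incoming identity -> SPUser (creates the profile entry if missing).
        SPUser user = web.EnsureUser(EncodeWindowsLogin(windowsLogin));

        // Reuse the SPGroup if it exists, otherwise create it.
        SPGroup group = null;
        foreach (SPGroup g in web.SiteGroups)
            if (string.Equals(g.Name, groupName, StringComparison.OrdinalIgnoreCase))
            { group = g; break; }
        if (group == null)
        {
            web.SiteGroups.Add(groupName, web.Site.Owner, user, "Added by sample");
            group = web.SiteGroups[groupName];
        }
        group.AddUser(user);

        // An object without its own ACL inherits from its parent; break
        // inheritance (copying the parent's assignments) to give the list one.
        SPList list = web.Lists[listTitle];
        if (!list.HasUniqueRoleAssignments)
            list.BreakRoleInheritance(true);

        // Role Assignment = principal (the group) + Role Definition (Contribute).
        SPRoleDefinition contribute = web.RoleDefinitions.GetByType(SPRoleType.Contributor);
        SPRoleAssignment assignment = new SPRoleAssignment(group);
        assignment.RoleDefinitionBindings.Add(contribute);
        list.RoleAssignments.Add(assignment);
    }
}
```

Granting to the group rather than to the user directly keeps the list ACL stable as membership changes, which is the model the diagram on the previous slide describes.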

Agenda
- SharePoint Security Fundamentals
- Introduction to Claims-based Security
- Configuring Claims-based Security
- Development Opportunities