Presentation is loading. Please wait.

Presentation is loading. Please wait.

Networks ∙ Services ∙ People www.geant.org Jean Marie THIA GN4-1 Symposium, Vienna A case study GÉANT AuthN / AuthZ 9 march 2016 Solutions Architect -

Published byDale Russell Green Modified over 8 years ago

Similar presentations

Presentation on theme: "Networks ∙ Services ∙ People www.geant.org Jean Marie THIA GN4-1 Symposium, Vienna A case study GÉANT AuthN / AuthZ 9 march 2016 Solutions Architect -"— Presentation transcript:

1 Networks ∙ Services ∙ People www.geant.org Jean Marie THIA GN4-1 Symposium, Vienna A case study GÉANT AuthN / AuthZ 9 march 2016 Solutions Architect - CNRS

2 Networks ∙ Services ∙ People www.geant.org SharePoint authN & authZ principle Item STS People Picker SharePoint Custom claim provider ti* Bob needs access to a SharePoint item Alice gives Bob access with a claim Alice sets authorizations with the people picker. A custom claim provider makes the picker behave the way we want. The Secure Token Service handles authentication, claims definition and provider declaration.

3 Networks ∙ Services ∙ People www.geant.org Roles Repositories Roles Repositories Roles Repositories Roles Repositories 3 The puzzle Item STS People Picker ADFS IdP Directory Roles Repositories Roles Repositories Does that claim value exist for this claim type ? Give me all the roles For this identity SharePoint SAML attributes My Claims 1 2 1.OID are transformed to claim type. 2.Claims augmentation with attribute stores. 1.OID are transformed to claim type. 2.Claims augmentation with attribute stores. Custom claim provider ti* * ti = Trusted Identity Token Issuer Authorise access to the selected claim type and value Claim values are only checked when using a custom claim provider. 1 2

4 Networks ∙ Services ∙ People www.geant.org 4 A view of GÉANT intranet Grouper LDAP IdP ADFS SAML attributes My Claims Sympa CoManage User is enrolled prior access SharePoint Custom claim provider ti*

5 Networks ∙ Services ∙ People www.geant.org Handles authentication Talks SAML 1.1 (WS-Federation) only Needs a Trusted Identity Token Issuer Needs a gateway to SAML 2 (ADFS) Lives inside SharePoint Security Token Service (STS)

6 Networks ∙ Services ∙ People www.geant.org Gateway for SAML2 -> SAML 1.1 Atribute ID to Claim Type mapping Realm Home Discovery (WAYF) Claims augmentation SILA script to automate federation metadata loading (IdP) the RHD Page refresh Claim type mapping Sila.codeplex.com New branch for adfs3 CNRSrhd.codeplex.com for ADFS3 UI 6 Active Directory Federation Service (ADFS)

7 Networks ∙ Services ∙ People www.geant.org Claims augmentation with attribute store LDAP Grouper CoManage SQL … 7 ADFS – Attribute store

8 Networks ∙ Services ∙ People www.geant.org Claim pipeline https://technet.microsoft.com/en-us/library/ee913585.aspx Claim Engine https://technet.microsoft.com/en-us/library/ee913582.aspx Retrieve AD group sample https://jmitnotes.wordpress.com/2014/02/09/get-ad-groups-as-claims-for-a-trusted-token-issuer 8 ADFS – Claims rule language

9 Networks ∙ Services ∙ People www.geant.org Open source project In production Still need work CNRSccp.codeplex.com Lookup in LDAP SQL Grouper (VOOT) Must be configured in the token issuer 9 Custom Claim Provider : CNRSccp

10 Networks ∙ Services ∙ People www.geant.org Projects sila.codeplex.com : federation medata loading in ADFS CNRSrhd.codeplex.com : ADFS 3 UI tweak for autocomplete IdP selector CNRSccp.codeplex.com : Custom claim provider CNRSgaas.codeplex.com : Grouper attribute store for ADFS CNRSlas.codeplex.com : Ldap attribute store for ADFS Informations @jm_thia jmITnotes.wordpress.com 10 Takeaway links

11 Networks ∙ Services ∙ People www.geant.org Thank you Networks ∙ Services ∙ People www.geant.org This work is part of a project that has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1). 11 Jean-Marie.THIA@cnrs.fr

12 Networks ∙ Services ∙ People www.geant.org Thank you Networks ∙ Services ∙ People www.geant.org 12

Download ppt "Networks ∙ Services ∙ People www.geant.org Jean Marie THIA GN4-1 Symposium, Vienna A case study GÉANT AuthN / AuthZ 9 march 2016 Solutions Architect -"

Similar presentations

Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
CLARIN AAI, Web Services Security Requirements

CLARIN AAI, Web Services Security Requirements
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
 Jan Alexander Program Manager Microsoft Corporation BB43.

 Jan Alexander Program Manager Microsoft Corporation BB43.
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
TF-EMC2 | Lyon - France | February 2011 SAML WORK WITH SHAREPOINT, OWA, … Jean Marie THIA.

TF-EMC2 | Lyon - France | February 2011 SAML WORK WITH SHAREPOINT, OWA, … Jean Marie THIA.
Implementing and Administering AD FS

Implementing and Administering AD FS
Eric Raff. Usergroup up

Eric Raff. Usergroup up
SAML 2.0 og ”Geneva” OIOSAML Workshop 31. marts 2009 Århus René Løhde, Microsoft

SAML 2.0 og ”Geneva” OIOSAML Workshop 31. marts 2009 Århus René Løhde, Microsoft
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Identity & Access Control in the Cloud Sachin Vinod Rathi Architect Advisor, Microsoft Corporation Niraj Bhatt Enterprise Architect, Windows Azure MVP.

Identity & Access Control in the Cloud Sachin Vinod Rathi Architect Advisor, Microsoft Corporation Niraj Bhatt Enterprise Architect, Windows Azure MVP.
Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.

Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
Managing Identity and Permissions

Managing Identity and Permissions
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
SIM402. Kerberos, NTLM, Basic, Digest, Forms?

SIM402. Kerberos, NTLM, Basic, Digest, Forms?
Claims Based Authentication

Claims Based Authentication
Solution SusQtech (Winchester, VA) SharePoint MVP since 2007 Working with SharePoint since 2001 Work on all types of deployments Dream about.

Solution SusQtech (Winchester, VA) SharePoint MVP since 2007 Working with SharePoint since 2001 Work on all types of deployments Dream about.

Similar presentations

Ads by Google