
Slide 1: GÉANT AuthN / AuthZ - A case study
Networks ∙ Services ∙ People www.geant.org
Jean Marie THIA, Solutions Architect - CNRS
GN4-1 Symposium, Vienna, 9 March 2016

Slide 2: SharePoint authN & authZ principle
[Diagram: SharePoint item, STS, People Picker, custom claim provider (ti*)]
Bob needs access to a SharePoint item. Alice gives Bob access with a claim: Alice sets authorizations with the People Picker. A custom claim provider makes the picker behave the way we want. The Secure Token Service handles authentication, claims definition and provider declaration.

Slide 3: The puzzle
[Diagram: IdP sends SAML attributes to ADFS; ADFS issues "My Claims" to SharePoint (item, STS, People Picker, custom claim provider ti*); ADFS and the custom claim provider both consult a directory and the roles repositories]
In ADFS: 1. OIDs are transformed to claim types. 2. Claims augmentation with attribute stores.
In SharePoint, the People Picker asks the custom claim provider "Does that claim value exist for this claim type?", and the provider asks the roles repositories "Give me all the roles for this identity". Alice then authorises access to the selected claim type and value.
Claim values are only checked when using a custom claim provider.
* ti = Trusted Identity Token Issuer

Slide 4: A view of GÉANT intranet
[Diagram: Grouper, LDAP, IdP, ADFS, Sympa, CoManage and SharePoint with its custom claim provider (ti*); the IdP sends SAML attributes to ADFS, ADFS issues "My Claims" to SharePoint]
The user is enrolled prior to access.

Slide 5: Security Token Service (STS)
Handles authentication
Talks SAML 1.1 (WS-Federation) only
Needs a Trusted Identity Token Issuer
Needs a gateway to SAML 2 (ADFS)
Lives inside SharePoint

Slide 6: Active Directory Federation Service (ADFS)
Gateway for SAML 2 -> SAML 1.1
Attribute ID to claim type mapping
Realm Home Discovery (WAYF)
Claims augmentation
SILA: script to automate federation metadata loading (IdP), the RHD page refresh and claim type mapping (sila.codeplex.com; new branch for ADFS 3)
CNRSrhd.codeplex.com for the ADFS 3 UI

Slide 7: ADFS - Attribute store
Claims augmentation with attribute stores: LDAP, Grouper, CoManage, SQL, …

Slide 8: ADFS - Claims rule language
Claim pipeline: https://technet.microsoft.com/en-us/library/ee913585.aspx
Claim engine: https://technet.microsoft.com/en-us/library/ee913582.aspx
Retrieve AD groups sample: https://jmitnotes.wordpress.com/2014/02/09/get-ad-groups-as-claims-for-a-trusted-token-issuer
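The two ADFS steps named on slide 3 (OIDs transformed to claim types, then claims augmentation from an attribute store) written out as claim rules and loaded with the ADFS PowerShell module. This is an added example, not code from the presentation or from the CNRS projects; the relying party trust name "GEANT SharePoint", the SQL attribute store "RolesDb", its connection string and the table user_roles(mail, role) are assumptions. It assumes the claims provider trust for the IdP passes the SAML attributes through as claims whose type is the urn:oid attribute name.

```powershell
# Added example: ADFS issuance rules for a SharePoint relying party.
# Assumed names: trust "GEANT SharePoint", SQL store "RolesDb", table user_roles(mail, role).
Import-Module ADFS

# 1. Register a SQL attribute store for claims augmentation (slide 7).
#    The connection string is a placeholder.
Add-AdfsAttributeStore -Name "RolesDb" -StoreType "SQL" `
    -Configuration @{ "connection" = "Server=SQL01;Database=Roles;Integrated Security=True" }

# 2. Issuance transform rules in the ADFS claim rule language:
#    first map urn:oid attribute names to claim types SharePoint understands,
#    then look up roles for the e-mail address in the attribute store.
$rules = @'
@RuleName = "Map urn:oid mail attribute to the e-mail claim type"
c:[Type == "urn:oid:0.9.2342.19200300.100.1.3"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
          Value = c.Value);

@RuleName = "Map urn:oid eduPersonPrincipalName to UPN"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
          Value = c.Value);

@RuleName = "Augment: one Group claim per role found for the e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(store = "RolesDb",
          types = ("http://schemas.xmlsoap.org/claims/Group"),
          query = "SELECT role FROM user_roles WHERE mail = {0}",
          param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName "GEANT SharePoint" -IssuanceTransformRules $rules

# 3. Read the rules back to confirm what the trust will apply.
(Get-AdfsRelyingPartyTrust -Name "GEANT SharePoint").IssuanceTransformRules
```

The augmentation rule only fires for users who arrived with an e-mail claim, so a token without that attribute carries no Group claims rather than the wrong ones; the claim types emitted here are the ones the SharePoint Trusted Identity Token Issuer has to map on its side.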

Slide 9: Custom Claim Provider: CNRSccp
Open source project, in production, still needs work: CNRSccp.codeplex.com
Lookup in LDAP, SQL, Grouper (VOOT)
Must be configured in the token issuer
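The SharePoint side of slides 5 and 9: declaring ADFS as the Trusted Identity Token Issuer that the STS requires, mapping the incoming claim types, and configuring the custom claim provider in that token issuer so the People Picker validates claim values through it. This is an added example, not code from the presentation or from the CNRSccp project; the issuer name "GEANT ADFS", realm "urn:sharepoint:geant", host adfs.example.org, certificate path and the provider name "CNRSccp" (taken here as the internal Name of the deployed SPClaimProvider) are assumptions.

```powershell
# Added example: SharePoint Trusted Identity Token Issuer for ADFS plus custom claim provider.
# Assumed names: issuer "GEANT ADFS", realm urn:sharepoint:geant, provider "CNRSccp".
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the ADFS token-signing certificate (exported from ADFS; placeholder path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-signing.cer")
New-SPTrustedRootAuthority -Name "GEANT ADFS signing" -Certificate $cert

# 2. Claim type mappings: the incoming types must be exactly what ADFS issues.
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/Group" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. The token issuer. The STS speaks WS-Federation / SAML 1.1 only, so the sign-in URL
#    is the ADFS WS-Federation passive endpoint (/adfs/ls/), with ADFS acting as the
#    SAML 2 gateway; the realm must equal the relying party identifier configured in ADFS.
$ti = New-SPTrustedIdentityTokenIssuer -Name "GEANT ADFS" -Description "GEANT intranet via ADFS" `
    -Realm "urn:sharepoint:geant" -ImportTrustCertificate $cert `
    -ClaimsMappings $email, $role -SignInUrl "https://adfs.example.org/adfs/ls/" `
    -IdentifierClaim $email.InputClaimType

# 4. Configure the custom claim provider in the token issuer (slide 9). Without this,
#    the People Picker accepts any typed value for this issuer without checking it.
$ti.ClaimProviderName = "CNRSccp"
$ti.Update()

# 5. Verify the binding.
Get-SPTrustedIdentityTokenIssuer -Identity "GEANT ADFS" |
    Select-Object Name, ClaimProviderName, IdentifierClaim
```

The issuer still has to be enabled on each web application's authentication provider settings; once it is, the picker routes searches and name resolution for the "GEANT ADFS" issuer to the provider, which is where the "Does that claim value exist for this claim type?" check from slide 3 happens.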

Slide 10: Takeaway links
Projects:
sila.codeplex.com : federation metadata loading in ADFS
CNRSrhd.codeplex.com : ADFS 3 UI tweak for an autocomplete IdP selector
CNRSccp.codeplex.com : custom claim provider
CNRSgaas.codeplex.com : Grouper attribute store for ADFS
CNRSlas.codeplex.com : LDAP attribute store for ADFS
Information: @jm_thia, jmITnotes.wordpress.com

Slide 11: Thank you
Jean-Marie.THIA@cnrs.fr
This work is part of a project that has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1).


