Slide 1: GÉANT AuthN / AuthZ, a case study
Jean-Marie Thia, Solutions Architect, CNRS
GN4-1 Symposium, Vienna, 9 March 2016
Networks ∙ Services ∙ People www.geant.org
Slide 2: SharePoint authN & authZ principle
Diagram: Item, STS, People Picker, SharePoint, Custom claim provider, ti* (trusted identity token issuer).
- Bob needs access to a SharePoint item.
- Alice gives Bob access with a claim: she sets the authorisation with the people picker.
- A custom claim provider makes the picker behave the way we want.
- The Security Token Service (STS) handles authentication, claims definition and provider declaration.
Slide 3: The puzzle
Diagram: Directory -> IdP -> ADFS (SAML attributes become "My Claims") -> SharePoint, where the STS hands the claims to the item and the people picker through the trusted identity token issuer (ti*). Both ADFS and the custom claim provider query the roles repositories.
* ti = Trusted Identity Token Issuer
Issuing the token (ADFS):
1. OIDs are transformed into claim types.
2. Claims augmentation with attribute stores ("give me all the roles for this identity").
Granting access (SharePoint): Alice authorises access to the selected claim type and value. The people picker asks the custom claim provider "does that claim value exist for this claim type?". Claim values are only checked when a custom claim provider is in use; otherwise the picker accepts whatever is typed.
Slide 4: A view of the GÉANT intranet
Diagram components: Grouper, LDAP, IdP, ADFS (SAML attributes become "My Claims"), Sympa, CoManage, SharePoint with its custom claim provider and trusted identity token issuer (ti*). The user is enrolled prior to access.
Slide 5: Security Token Service (STS)
- Handles authentication.
- Talks SAML 1.1 (WS-Federation) only.
- Needs a Trusted Identity Token Issuer.
- Needs a gateway to SAML 2 (ADFS).
- Lives inside SharePoint.
Slide 6: Active Directory Federation Services (ADFS)
- Gateway from SAML 2 to SAML 1.1.
- Attribute ID (OID) to claim type mapping.
- Home Realm Discovery (the WAYF page; "rhd" in the project names below).
- Claims augmentation.
- SILA script to automate loading federation metadata (IdPs) into ADFS, refreshing the home realm discovery page and mapping claim types: sila.codeplex.com, with a new branch for ADFS 3.
- CNRSrhd.codeplex.com for the ADFS 3 home realm discovery UI.
Slide 7: ADFS – Attribute store
Claims augmentation with attribute stores: LDAP, Grouper, CoManage, SQL, …
Slide 8: ADFS – Claims rule language
- Claim pipeline: https://technet.microsoft.com/en-us/library/ee913585.aspx
- Claim engine: https://technet.microsoft.com/en-us/library/ee913582.aspx
- Sample, retrieving AD groups as claims for a trusted token issuer: https://jmitnotes.wordpress.com/2014/02/09/get-ad-groups-as-claims-for-a-trusted-token-issuer
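The ADFS side of the chain described in slides 3, 6, 7 and 8, as an added PowerShell example written for this page (it is not the SILA script nor any of the CNRS projects' code): acceptance rules on the claims provider trust turn the IdP's OID-named SAML attributes into claim types, a SQL attribute store is registered, and the issuance rules on the SharePoint relying party trust pass the identity claims through and augment them with roles from the store. The trust names, the relying party identifier, the URLs, the SQL connection string and the Roles(Upn, Role) table are assumptions; the eduPerson/inetOrgPerson OIDs and the claim type URIs are the standard ones.

```powershell
# Added example (not from the slides or the CNRS projects). Names, URLs and the
# SQL schema are assumptions; run on an ADFS server as an ADFS administrator.
Import-Module ADFS

# --- 1. Claims provider trust: the SAML 2 IdP ---------------------------------
# A SAML 2 IdP sends attributes named by OID. ADFS surfaces each one as a claim
# whose Type is that "urn:oid:..." string, so the acceptance transform rules
# rename them to the claim types SharePoint will be configured to accept.
$acceptanceRules = @'
@RuleName = "eduPersonPrincipalName -> upn"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = c.Value);

@RuleName = "mail -> emailaddress"
c:[Type == "urn:oid:0.9.2342.19200300.100.1.3"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value = c.Value);

@RuleName = "isMemberOf -> role (groups the IdP already asserts)"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = c.Value);
'@
Set-AdfsClaimsProviderTrust -TargetName "GEANT IdP" -AcceptanceTransformRules $acceptanceRules

# --- 2. Attribute store used for augmentation ---------------------------------
# The built-in SQL store; the LDAP, Grouper and CoManage stores on slide 7 are
# custom stores registered the same way with -StoreType Custom. Assumed connection.
Add-AdfsAttributeStore -Name "Roles SQL" -StoreType SQL `
    -Configuration @{ "Connection" = "Server=sql.example.org;Database=Roles;Integrated Security=True" }

# --- 3. Relying party trust: SharePoint -----------------------------------------
# SharePoint's STS only speaks WS-Federation with SAML 1.1 tokens, which is what
# ADFS issues on a WS-Fed endpoint; /_trust/ is SharePoint's WS-Fed sign-in page.
Add-AdfsRelyingPartyTrust -Name "GEANT intranet" -Identifier "urn:sharepoint:geant" `
    -WSFedEndpoint "https://intranet.example.org/_trust/"

# Issuance rules: pass the identity claims through, then ask the store "give me
# all the roles for this identity", keyed on the UPN (assumed table Roles(Upn, Role)).
$issuanceRules = @'
@RuleName = "Pass through upn"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass through emailaddress"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleName = "Pass through role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);

@RuleName = "Augment roles from SQL"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "Roles SQL",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = "SELECT Role FROM Roles WHERE Upn = {0}", param = c.Value);
'@

# Authentication is ADFS's job; item-level authorisation stays in SharePoint, so
# the issuance authorisation rule simply permits every authenticated user.
Set-AdfsRelyingPartyTrust -TargetName "GEANT intranet" `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
```

The rule sets are plain claims rule language (the syntax the two TechNet links document); the here-strings are single-quoted so the `{0}` placeholder reaches ADFS untouched. A store query that is not a pass-through is where injection would live: the `{0}` parameter is bound by the store rather than concatenated, so keep role lookups in that parameterised form.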
Slide 9: Custom Claim Provider: CNRSccp
- Open source project, in production, still needs work: CNRSccp.codeplex.com
- Looks up claim values in LDAP, SQL or Grouper (VOOT).
- Must be configured in the trusted identity token issuer.
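The SharePoint side of slides 2, 3, 5 and 9, as an added PowerShell example written for this page (it is not the CNRSccp project's own deployment script): it creates the trusted identity token issuer the STS needs, maps the incoming SAML 1.1 claim types, and attaches a custom claim provider to the issuer so that the people picker checks claim values instead of accepting any text. The issuer name, realm, URLs, certificate path and the provider's registered name ("CNRSccp") are assumptions; the provider itself is deployed separately as a farm solution.

```powershell
# Added example (not the CNRSccp project's code). Issuer name, realm, URLs, the
# certificate path and the claim provider name are assumptions. Run in the
# SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Public part of the ADFS token-signing certificate, exported from the ADFS farm.
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS token signing" -Certificate $signingCert

# Claim type mappings: the claim types ADFS issues in the SAML 1.1 token, kept as-is.
$upn  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
                               -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$mail = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
                               -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
                               -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The trusted identity token issuer ("ti" in the diagrams). -Realm must equal the
# relying party identifier configured in ADFS, -SignInUrl is ADFS's WS-Fed passive
# endpoint, and -IdentifierClaim is the claim SharePoint treats as the user's identity.
$ti = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "GEANT ADFS gateway" `
        -Realm "urn:sharepoint:geant" `
        -ImportTrustCertificate $signingCert `
        -ClaimsMappings $upn, $mail, $role `
        -SignInUrl "https://adfs.example.org/adfs/ls/" `
        -IdentifierClaim $upn.InputClaimType

# Without a claim provider the people picker resolves any text typed for a trusted
# issuer's claim types: a mistyped role name becomes a permission entry that no
# token will ever match, and nothing warns Alice. Attaching the custom provider
# makes the picker search and resolve values against the repositories instead.
$cp = Get-SPClaimProvider -Identity "CNRSccp"
Set-SPTrustedIdentityTokenIssuer -Identity $ti -ClaimProvider $cp

# Check which provider the issuer now delegates picker lookups to.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" | Select-Object Name, ClaimProviderName
```

The order matters: the token issuer must exist before the provider can be bound to it, and the web application's authentication providers still have to be set to use the new issuer afterwards. Changing -ClaimsMappings later is the usual way to break an existing site, because permission entries are stored as encoded claim type plus value.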
Slide 10: Takeaway links
Projects:
- sila.codeplex.com: federation metadata loading in ADFS
- CNRSrhd.codeplex.com: ADFS 3 UI tweak for an autocomplete IdP selector
- CNRSccp.codeplex.com: custom claim provider
- CNRSgaas.codeplex.com: Grouper attribute store for ADFS
- CNRSlas.codeplex.com: LDAP attribute store for ADFS
Information: @jm_thia, jmITnotes.wordpress.com
Slide 11: Thank you
Jean-Marie.THIA@cnrs.fr
This work is part of a project that has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1).