How Claims is Changing the Way We Authenticate and Authorize in SharePoint

April 4, 2018 | Author: Anonymous | Category: Software
Share
Report this link


Description

1. Antonio Maio Protiviti, Senior SharePoint Architect & Senior Manager Microsoft SharePoint Server MVP How Claims is Changing the Way We Authenticate and Authorize in SharePoint Email: [email protected] Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2 2. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. About Protiviti INDIA (3) Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. • 2,500+ professionals • 1,000+ clients • 70+ offices • Over 20 countries in the Americas, Europe and Asia-Pacific Protiviti is one of the fastest growing consulting firms worldwide. Our revenues have increased from US $15 million in 2002, to US $423.8 million in 2011. 3. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • Introduction to the Concept of Claims – Types of Claims Retrieved – How do I know which ones? • Authentication vs Authorization – Claims Based Authentication – Using Claims for Authorization – Permissions – People Picker • Architecture and Trusted Identity Providers – Enabling Claims Based Authorization with Trusted Identity Providers – Customizing Claims Authentication Process – Augmenting Claims with Custom Claim Providers • Common Customer Needs and Scenarios Agenda 4. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • User attributes • Metadata about a user • AD attributes/LDAP attributes What is a Claim? What’s Missing? 5. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Trust! 6. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. What is a Claim? Claims are trusted assertions I make about myself – Identity attributes retrieved from a trusted identity provider – Digitally signed so that I can verify the identity provider – Packaged and signed in a standards-based way (ex. SAML) (SAML = Security Assertion Markup Language) Allow me to take my identity across network boundaries in a trusted and secure way! 7. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • Name Antonio Maio • Email [email protected] • Company, Department Protiviti, SharePoint Practice • Security Clearance Secret (Canada) • Military Rank • Employment Status FTE • Over 18 Years Old Yes • Valid Driver’s License Yes • Country of Birth Canada • Citizenship Canadian, Italian • Residence Dallas, Texas, USA Consider, why do you trust them? Claims About Me 8. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Authentication The process of determining that someone is who they say they are • Typically done today through username/password SharePoint 2013 – Claims Based Authentication is the default Auth’n method • New Web Applications are Claims Enabled • Classic Mode authentication has been deprecated - Only thru PowerShell How do Claims all us to go beyond classic authentication?  Single Sign-On across systems in different domains  Federate between SharePoint On Premise and O365  Verify additional info about a user during the authentication process  Required for new SharePoint 2013 features like Server-server Auth, App Authentication 9. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Configuring Claims Based Authentication • Central Admin > Manage Web Applications > New Web Application • By default claims enabled • SSL is required for most scenarios • Trusted identity providers • Server to Server Authentication • App Authentication • Select your Authentication Protocol • Windows Auth: NTLM or Kerberos • Forms Based • Trusted Identity Provider (SAML) or some combination… 10. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Configuring Claims Based Authentication PowerShell • Ensure you have the correct permissions (securityadmin and dbowner on DB, part of administrators group on server) • Sample: $ap = New-SPAuthenticationProvider New-SPWebApplication -Name "Contoso Internet Site" -Port 443 -HostHeader sharepoint.contoso.com - URL "https://www.contoso.com" -ApplicationPool "ContosoAppPool" -ApplicationPoolAccount (Get- SPManagedAccount "DOMAINjdoe") -AuthenticationProvider $ap -SecureSocketsLayer New-SPWebApplication -Name -ApplicationPool -ApplicationPoolAccount -URL -Port -AuthenticationProvider $ap Where: is the name of the new web application that uses claims-based authentication. is the name of the application pool. is the user account that this application pool will run as. is the public URL for this web application. is the port on which the web application will be created in IIS. 11. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Types of Claims Retrieved • Standard Claims – Only claims retrieved when using NTLM/Kerberos – Only claims supported through Office 365/SharePoint Online • Custom Claims – Trusted Identity Provider required: ADFS, Ping Federate, Thinktecture, etc. Name identifier Primary SID Primary Group SID UPN User Logon Name User ID Name Identity Provider Name Issuer Is Authenticated Farm ID Role Group SID 12. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. How do I know which claims were retrieved? • Use the SharePoint Claims Web Part developed by Steve Peschka Download and Configuration instructions available here: http://www.trustsharepoint.com/2013/04/how-do-i-know-which-claims-were.html 13. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Authorization Determining what resources users are permitted to access and what actions they’re permitted to perform • Typically through permissions in SharePoint • How do claims allow us to go beyond simple Permissions?  Be specific to the user  Be done without knowing who the user is  Be dynamic – ex. changes in a user’s security clearance are reflected  Include environmental attributes (current time, GEO location, connection type, etc.)  Be an alternative to security groups – Groups do not scale  Example: user must be part of GroupA and GroupB and GroupC to access a resources 14. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Simple Permission Examples Users and Groups • Finance AD Group has Full Control on Library A • ProjectXContractor SP Group has Read access on site B • Antonio.Maio AD user has Contribute access on Document C Principle (user or group) Permission Level (collection of permissions) Information Object (item or container) 15. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Permission Examples: Claims • Remember: Claims are trusted attributes about a user • May assign a Claim as part of a permission to an object or container (just like a user or group) • ‘SecurityClearance=Secret’ has Full Control access on Document X • ‘ITARCleared=True’ has Read access on Library Y • ‘EmploymentStatus=FTE’ has Contribute access on Site Z Principle (a claim in this case) Permission Level (collection of permissions) Information Object (item or container) 16. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. People Picker 1. Type the value of the claim in the Find field (Top Secret in our example) Note: people picker cannot resolve values. Typos will appear here as if they are valid values. It will display multiple valid selections for your value, one for each claim type available. 2. Next, you select the attribute type in the All Search Results list on the left side – in our case we select Clearance. 3. The list on the right side will then reduce the view to one selection for the attribute type selected. Select that attribute type in the right list now. 4. Click the Add button, and then click OK 17. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. People Picker and Assigning Permission • Once the claim is selected it can be assigned as a permission with a permission level to some securable object 18. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Enabling Claims Based Authorization  Planning Required  Driven by a need to secure information at more granular level  Standard Claims Typically are Not Sufficient  Determining policies, claims, getting stakeholders to agree, etc.  Which trusted identity provider? Which attribute store?  Infrastructure Required  Storing, managing, retrieving, transforming, trusting claims  Configuration Required  Deploying Identity Provider, Connecting it to SharePoint, Configuring Trust, Sign-in, Claims Rules 19. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Enabling Claims Based Authorization  High Level Steps 1. Create the SharePoint 2013 Web Application 2. Install and Configure an STS Server (Secure Token Server) • Ex. Deploy ADFS, Domain Joined Server (possibly a farm) 3. Configure STS with the SharePoint web application as a Relying Party • Configuration within ADFS 4. Configure SharePoint 2013 to trust STS as an Identity Provider • Import ADFS Token Signing Certificate into IIS on SharePoint • Use PowerShell to configure ADFS as Trusted Provider 5. Configure SharePoint Web Application to use Claims Based Authentication and STS as the Trusted Identity Provider • Within Central Admin 20. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Relying Party (RP) Trusted Identity Provider (IP) SharePoint 2013 Client System Ex. web browser Secure Token Server (STS) EX. Active Directory Federation Services (ADFS) Identity Store, Attribute Store, (AD, Database or Directory) 3. Authenticate User, Get info (claims) about user Token with Claims Format: SAML/WS-Fed 4. Authenticated user, attributes retrieved & STS creates token 1. Sign In Page 5. User is authenticated and SharePoint 2010 now has user’s claims & knows it can trust them Claims Based Auth’n/Auth’r Architecture 2. Requests authentication (thru username/password) and a token Browser Redirect 21. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Relying Party (RP) Trusted Identity Provider (IP) SharePoint 2013 Client System Ex. web browser Secure Token Server (STS) EX. Active Directory Federation Services (ADFS) Identity Store, Attribute Store, (AD, Database or Directory) 3. Authenticate User, Get info (claims) about user Token with Claims Format: SAML/WS-Fed 4. Authenticated user, attributes retrieved & STS creates token 1. Sign In Page 5. User is authenticated and SharePoint 2010 now has user’s claims & knows it can trust them Customizing Claims Authentication Process 2. Requests authentication (thru username/password) and a token Browser Redirect Custom Claim Provider Custom Claim Provider … Claim Rule Claim Rule … SQL DB, LDAP, PKI etc… iAttributeStore … 22. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • Select a Standards-based Identity Provider (SAML) – Active Directory Federation Services 2.0 or later • Supports full SAML 1.1 and 2.0 Tokens and Protocol • Supports WS-Federation Tokens and Protocol • SharePoint 2010/2013 use SAML 1.1 tokens and SAML 2.0 protocol • Must authenticate against Active Directory – Ping Federate (Commercial) – Thinktecture (Open Source) Trusted Identity Providers Trusted Identity Provider (IP) Secure Token Server (STS) EX. Active Directory Federation Services (ADFS) Identity Store, Attribute Store, (AD, Database or Directory) 3. Authenticate User, Get info (claims) about user Token with Claims Format: SAML/WS-Fed 4. Authenticated user, attributes retrieved & STS creates token 23. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Augmenting Claims - Custom Claim Providers • Used to Augment User Claims and Customize People Picker • SharePoint farm level feature • Can deploy more than one • Called after user is authenticated …and after Trusted Identity Provider has already returned claims – Built on top of WIF (Windows Identity Framework) – Used to augment claims or transform claims – Used to customize the People Picker (ex. resolving claims through user search) 24. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Custom Claim Provider Deployment • Deployed as a Farm Level Feature Receiver – requires more code – Must inherit from SPClaimProviderFeatureReceiver (lots of examples) • Can deploy multiple claim providers – Called in order of deployment • Once deployed - Available in every web app, in very zone – Can cause performance issues – When user logs in, all Custom Claim Providers deployed get called • Set IsUsedByDefault property in Feature Receiver Def'n to False • Turn it on manually for required web apps 25. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Common Customer Needs • How do I secure access to sensitive information just to certain people and only under certain conditions? – (More) Fine Grained Access Control – Sensitive content sitting beside non-sensitive content • I have compliance requirements about who can access certain types of data and when – How do I enforce that without stopping business? 26. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. What Types of Claims are Useful? • Military, Intelligence, Government Defense – Security Clearance, Caveats, Communities of Interest – Need to Know • Commercial – Department, Team or Role – Current Date/Time, Current Device (BYOD) – Group Membership with multiple groups – Partner ID or Business ID (in partner extranet scenarios) • Aerospace/Defense Contracting – Nationality + Current Location • Homeland Security – Agency (law enforcement, emergency response, public health…) – Scope or Level (local, state, federal), Current Threat Level 27. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Intelligence Military Examples Classification Caveats Need to Know Security Clearance Caveats Groups Has All Has All Has Minimum Classification Topics Restrictions Communities Security Clearance Topics Restrictions Communities Has Minimum Has Any Not Have Any Has All 28. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Commercial Example • Claim: Employee Status • Document Metadata: Classification (HBI, MBI, LBI) If employee.status = FTE and document.classification = HBI Then permit access to document If employee.status = Contract and document.classification = HBI Then deny access to document 29. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Government Example • Claim: Client Case Numbers • Document Metadata: Document Case Number If document.case=X AND client.casenumbers includes X Then permit access to document If document.case=X AND client.casenumbers DOES NOT includes X Then deny access to document 30. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Summary • Claims Based Authentication/Authorization still a new topic for many people – Allows us to take our identities across network boundaries in a trusted and secure – Enabling our move to the cloud – required for Identity Federation • Claims Based Authentication is Default in SharePoint 2013 – Classic Mode is Deprecated (Still there in 2013 but will likely go away next version) • Claims are great tool for Enterprise-Grade Authentication and Authorization – Infrastructure and Planning Required to take advantage of it – Leading SharePoint deployments in businesses, government and military to more fine grained authorization 31. © 2014 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. • 7th Annual Conference • 6 SharePoint MVPs presenting • Full-Day Training Workshops pre and post conference • Separate tracks for Business Users, Technical Users & UX Professionals • Government, Association, Nonprofit & Group Discounts Available Get 15% off! Use: PRO15 when registering Learn More & Register at SharePointConference.org Dallas, TX October 20, 2014 32. Antonio Maio Protiviti, Senior SharePoint Architect & Senior Manager Microsoft SharePoint Server MVP Thank You! Email: [email protected] Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2


Comments

Copyright © 2024 UPDOCS Inc.