Who are you and what do you want?
Authentication and Authorization – SharePoint 2010
• Big topic! This session will just scratch the surface.
• Define some terms along the way
• Focus on SharePoint 2010 capabilities and demos; applicable to SharePoint 2013
• ASP.Net Membership / Role provider framework
• Demos, focused on Membership and Role provider techniques that can be used in both SharePoint 2010 and 2013
• Authentication
  • Confirmation of identity
  • Allow access
• Authorization
  • Post authentication
  • Allow access to resource(s) based on permission of identity
SharePoint 2007
• Authentication mode is called “classic”
• Default Active Directory authentication
• Support for forms-based authentication
• Support for ASP.Net web security framework and plug-in custom authentication providers
• Support for multiple web application zones
  • One provider per web application zone
  • Use of multiple authentication providers requires multiple zones/URLs
SharePoint 2010
• All 2007 functional capabilities still available
• Introduces support for claims-based authentication. Built on Windows Identity Foundation
• Introduction of Secure Token Service
• Multiple authentication/identity providers per zone/URL
• Ability to create and register Trusted Identity Providers in farm to provide authentication services to multiple web applications / single sign-on
• Identity
  • Set of attributes to describe a user such as name, e-mail, password, etc.
• Identity Provider
  • An authority that can assert the “true” identity and its attributes
• Claim
  • An assertion (i.e. the claim) issued by an identity provider about a specific user or other entity in a system (machine, etc.)
  • Contains an encrypted set of information
  • Identity providers can be trusted by SharePoint
SharePoint - Secure Token Service
• Client (i.e. web browser accessing SharePoint) sends request to STS
• STS verifies identity by querying authentication provider
• STS issues “claim”, i.e. encrypted security token
• Client uses token to access SharePoint site
SharePoint 2010
• Authentication selected during web application creation
• Claims can also be enabled on existing site with PowerShell script
• Forms-based authentication now handled by claims authentication
SharePoint 2010
• Authentication settings now accessible through web application management ribbon
• Configurable for each zone
• Again, note that Windows, Forms and Identity trusts can be active for each zone
SharePoint 2013
• Claims-based authentication is now default mode
• Classic is still supported (PowerShell), but deprecated
• Easier migration from classic to claims via use of ConvertSPWebApplication cmdlet
• Login tokens cached in newly introduced Distributed Cache Service
• Support for OAuth (open standard for authorization)
  • Server to Server authorization
  • Authorize apps to access SharePoint resources
Authentication Providers
• Store of user authentication information (i.e., user name and password; roles, etc.)
• Basic steps for consuming Authentication provider (membership and roles)
  • Create or get a provider!
  • Configure web.config to “register” the provider
    • Web application
    • Central Administration site
    • Security Token Service site (allows the STS to query the auth provider during login process)
  • Configure web application provider settings in Central Administration
“Built-In” .NET Provider
• Start with System.Web.Security built-in SQL-based authentication provider
  • SqlMembershipProvider
  • SqlRoleProvider
• Create database with aspnet_regsql.exe utility
• Configure users and roles with built-in configuration UI
Demo
Custom Authentication Provider
• Create Visual Studio project
• Create 2 classes, respectively inheriting from:
  • System.Web.Security.MembershipProvider
  • System.Web.Security.RoleProvider
• Override required methods to implement custom behaviors
• Can add other classes as needed to integrate with member store
Membership Provider Interfaces
• Five required interface overrides in System.Web.Security.MembershipProvider
  • GetUser(System.String,System.Boolean)
  • GetUserNameByEmail(System.String)
  • ValidateUser(System.String,System.String)
  • FindUsersByEmail(System.String,System.Int32,System.Int32,System.Int32)
  • FindUsersByName(System.String,System.Int32,System.Int32,System.Int32)
Role Interfaces
• Two required interface overrides for Role provider
  • System.Web.Security.RoleProvider
    • GetRolesForUser(System.String)
    • RoleExists(System.String)
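A minimal RoleProvider carrying the two overrides listed above, added here as an example and not code from the talk or its demo. The DemoRoleProvider class, its in-memory store and the sample users alice and bob are constructed for illustration; the remaining abstract members of RoleProvider are filled in only so the class compiles.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

// Read-only role provider over a constructed in-memory store that stands in for a
// real member store. GetRolesForUser and RoleExists, the two overrides the slide
// lists, carry the logic; the other abstract members exist only so it compiles.
public class DemoRoleProvider : RoleProvider
{
    private static readonly StringComparer Ci = StringComparer.OrdinalIgnoreCase;
    // Constructed sample data: login name -> roles. Case-insensitive keys,
    // because the login name may come back from SharePoint in a different case.
    private static readonly Dictionary<string, string[]> Store =
        new Dictionary<string, string[]>(Ci)
        {
            { "alice", new[] { "Readers", "Approvers" } },
            { "bob",   new[] { "Readers" } },
        };

    public override string ApplicationName { get; set; }
    // Called after login; each returned role becomes a role claim in the token.
    public override string[] GetRolesForUser(string username)
    {
        string[] roles;
        // Unknown or empty user yields an empty array, never null: callers enumerate it.
        if (string.IsNullOrEmpty(username) || !Store.TryGetValue(username, out roles))
            return new string[0];
        return (string[])roles.Clone();   // defensive copy of the shared array
    }

    // Called when a role name is typed into the people picker and resolved.
    public override bool RoleExists(string roleName) =>
        !string.IsNullOrEmpty(roleName) && GetAllRoles().Contains(roleName, Ci);
    public override string[] GetAllRoles() =>
        Store.Values.SelectMany(r => r).Distinct(Ci).ToArray();
    public override bool IsUserInRole(string username, string roleName) =>
        GetRolesForUser(username).Contains(roleName, Ci);
    public override string[] GetUsersInRole(string roleName) =>
        Store.Where(kv => kv.Value.Contains(roleName, Ci)).Select(kv => kv.Key).ToArray();
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) =>   // substring match
        GetUsersInRole(roleName).Where(u => u.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0).ToArray();

    // Write operations: a read-only store must not silently pretend to succeed.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

The class still has to be registered under roleManager/providers in the web.config of the web application, Central Administration and the STS site, as the earlier slide lists, before SharePoint will query it.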
Demo
Trusted Identity Provider
• Identity providers issue security token (claim) upon login
• Custom identity/claim providers can be implemented
Implementing an Identity Provider
• Option 1 – procure one already built and install/configure it in the SharePoint farm. Active Directory Federation Services is an example
• Option 2 – build one!
Building an Identity Provider
• Visual Studio - install Windows Identity Foundation SDK
• SDK provides Visual Studio templates for creating IP
• Create provider
• Export certificate
• Register provider, claims, and certificate in SharePoint to create trust relationship.
  • PowerShell - New-SPTrustedIdentityTokenIssuer
Demo
Thanks to my buddy Liam Cleary’s blog:
http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=17