Who are you and what do you want? Authentication and Authorization – SharePoint 2010

• Big topic! This session will just scratch the surface.
• Define some terms along the way
• Focus on SharePoint 2010 capabilities and demos; also applicable to SharePoint 2013
• ASP.NET Membership / Role provider framework
• Demos focused on Membership and Role provider techniques that can be used in both SharePoint 2010 and 2013

Authentication
• Confirmation of identity (who are you?)
• Allow access to the system

Authorization
• Happens after authentication
• Allow access to resource(s) based on the permissions granted to the authenticated identity

SharePoint 2007
• Authentication mode is called "classic"
• Default is Active Directory (Windows) authentication
• Support for forms-based authentication
• Support for the ASP.NET web security framework and plug-in custom authentication providers
• Support for multiple web application zones
• One authentication provider per web application zone
• Using multiple authentication providers requires multiple zones/URLs

SharePoint 2010
• All 2007 functional capabilities still available
• Introduces support for claims-based authentication, built on Windows Identity Foundation (WIF)
• Introduces the Security Token Service (STS)
• Multiple authentication/identity providers per zone/URL
• Ability to create and register Trusted Identity Providers in the farm to provide authentication services to multiple web applications / single sign-on

Terms
• Identity: a set of attributes that describe a user, such as name, e-mail, password, etc.
• Identity Provider: an authority that can assert the "true" identity and its attributes
• Claim: an assertion issued by an identity provider about a specific user or other entity in a system (machine, etc.)
• Claims are delivered inside a security token that the issuer signs (and may additionally encrypt); the signature is what lets the relying party verify who made the assertion
• Identity providers can be trusted by SharePoint

SharePoint – Security Token Service
• Client (i.e. web browser accessing SharePoint) sends a request to the STS
• STS verifies the identity by querying the authentication provider
• STS issues a signed security token containing the claims (the browser carries it as the FedAuth cookie)
• Client uses the token to access the SharePoint site

SharePoint 2010
• Authentication mode is selected during web application creation
• Claims can also be enabled on an existing web application with a PowerShell script
• Forms-based authentication is now handled by claims authentication

SharePoint 2010
• Authentication settings are now accessible through the web application management ribbon
• Configurable for each zone
• Again, note that Windows, Forms and Trusted Identity providers can all be active for the same zone

SharePoint 2013
• Claims-based authentication is now the default mode
• Classic is still supported (PowerShell only), but deprecated
• Easier migration from classic to claims via the Convert-SPWebApplication cmdlet
• Login tokens are cached in the newly introduced Distributed Cache Service
• Support for OAuth (open standard for authorization)
• Server-to-server authentication
• Authorize apps to access SharePoint resources

Authentication Providers
• Store of user authentication information (i.e., user names and passwords; roles, etc.)
• Basic steps for consuming an authentication provider (membership and roles):
• Create or get a provider!
• Configure web.config to "register" the provider, in all three places:
  • Web application
  • Central Administration site
  • Security Token Service site (allows the STS to query the auth provider during the login process)
• Configure the web application's provider settings in Central Administration

"Built-In" .NET Provider
• Start with the System.Web.Security built-in SQL-based authentication provider
• SqlMembershipProvider
• SqlRoleProvider
• Create the database with the aspnet_regsql.exe utility
• Configure users and roles with the built-in ASP.NET configuration UI

Demo

Custom Authentication Provider
• Create a Visual Studio project (class library)
• Create 2 classes, respectively inheriting from:
• System.Web.Security.MembershipProvider
• System.Web.Security.RoleProvider
• Override the required methods to implement custom behaviors
• Can add other classes as needed to integrate with the member store

Membership Provider Interfaces
• System.Web.Security.MembershipProvider is an abstract class, so every abstract member must be overridden for the project to compile; the ones SharePoint never calls can simply throw
• Five members that SharePoint requires real implementations of:
• GetUser(System.String, System.Boolean)
• GetUserNameByEmail(System.String)
• ValidateUser(System.String, System.String)
• FindUsersByEmail(System.String, System.Int32, System.Int32, System.Int32)
• FindUsersByName(System.String, System.Int32, System.Int32, System.Int32)

Role Interfaces
• Two members of System.Web.Security.RoleProvider that SharePoint requires real implementations of:
• GetRolesForUser(System.String)
• RoleExists(System.String)

Demo

Trusted Identity Provider
• Identity providers issue a security token (containing claims) upon login
• Custom identity/claim providers can be implemented

Implementing an Identity Provider
• Option 1 – procure one already built and install/configure it in the SharePoint farm. Active Directory Federation Services (AD FS) is an example
• Option 2 – build one!

Building an Identity Provider
• Visual Studio – install the Windows Identity Foundation SDK
• SDK provides Visual Studio templates for creating an identity provider (STS)
• Create the provider
• Export the token-signing certificate
• Register the provider, its claims, and the certificate in SharePoint to create the trust relationship
• PowerShell – New-SPTrustedIdentityTokenIssuer (with New-SPTrustedRootAuthority for the certificate and New-SPClaimTypeMapping for the claims)

Demo

Thanks to my buddy Liam Cleary's blog: http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=17
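The custom Membership/Role provider demo above lists which members SharePoint calls but not what a minimal, safe implementation looks like. The following is an added example written for this page, not code from the deck or from Liam Cleary's blog. It implements the five MembershipProvider members and two RoleProvider members SharePoint 2010 uses against a constructed in-memory user table, stores only salted PBKDF2 hashes, verifies passwords in constant time, and stubs every other abstract member (they must exist for the class to compile). The class names DemoMembershipProvider/DemoRoleProvider, the application name "DemoFba", and the two sample users are the author's own choices, not anything SharePoint requires.

```csharp
// Added example (not from the deck): Membership/Role providers implementing only the members SharePoint 2010
// calls for forms-based authentication. The user table is constructed sample data; names are the author's own.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Web.Security;

internal sealed class UserRecord { public string UserName, Email; public byte[] Salt, Hash; public string[] Roles; }

internal static class UserStore
{
    const int Iterations = 10000;   // PBKDF2 work factor; raise for production
    // Constructed sample data: only a salted PBKDF2 hash is stored, never the clear-text password.
    public static readonly List<UserRecord> Users = new List<UserRecord>
    {
        Make("alice", "alice@example.com", "correct horse battery staple", "Approvers"),
        Make("bob",   "bob@example.com",   "Tr0ub4dor&3",                  "Readers")
    };
    static UserRecord Make(string name, string email, string password, params string[] roles)
    {
        var salt = new byte[16]; new RNGCryptoServiceProvider().GetBytes(salt);
        return new UserRecord { UserName = name, Email = email, Salt = salt, Hash = Pbkdf2(password, salt), Roles = roles };
    }
    public static byte[] Pbkdf2(string password, byte[] salt) { using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(32); }

    // Constant-time comparison: scans every byte, so timing does not reveal where the first mismatch is.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static UserRecord Find(string name) { return Users.FirstOrDefault(u => string.Equals(u.UserName, name, StringComparison.OrdinalIgnoreCase)); }
}

public class DemoMembershipProvider : MembershipProvider
{
    // The five members SharePoint uses: ValidateUser at login, the rest for the people picker and name resolution.
    public override bool ValidateUser(string username, string password)
    {
        var u = UserStore.Find(username);   // null for an unknown account
        // Hash even when the user is missing, so "no such user" is not measurably faster than "wrong password".
        var hash = UserStore.Pbkdf2(password ?? string.Empty, u != null ? u.Salt : new byte[16]);
        return u != null && UserStore.FixedTimeEquals(hash, u.Hash);
    }
    public override MembershipUser GetUser(string username, bool userIsOnline) { var u = UserStore.Find(username); return u == null ? null : ToMembershipUser(u); }
    public override string GetUserNameByEmail(string email) { var u = UserStore.Users.FirstOrDefault(x => string.Equals(x.Email, email, StringComparison.OrdinalIgnoreCase)); return u == null ? null : u.UserName; }
    public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords) { return Page(u => u.Email, emailToMatch, pageIndex, pageSize, out totalRecords); }
    public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords) { return Page(u => u.UserName, usernameToMatch, pageIndex, pageSize, out totalRecords); }

    // Substring match (the people picker sends partial text), then one page of results.
    MembershipUserCollection Page(Func<UserRecord, string> field, string text, int pageIndex, int pageSize, out int totalRecords)
    {
        var matches = UserStore.Users.Where(u => field(u).IndexOf(text ?? string.Empty, StringComparison.OrdinalIgnoreCase) >= 0).ToList();
        totalRecords = matches.Count;
        var page = new MembershipUserCollection();
        foreach (var u in matches.Skip(pageIndex * pageSize).Take(pageSize)) page.Add(ToMembershipUser(u));
        return page;
    }
    // Name is the provider name set by ProviderBase.Initialize from the web.config registration.
    MembershipUser ToMembershipUser(UserRecord u) { var t = DateTime.UtcNow; return new MembershipUser(Name, u.UserName, u.UserName, u.Email, null, null, true, false, t, t, t, t, t); }

    // Policy properties every provider must expose; this read-only store does not enforce them itself.
    public override string ApplicationName { get { return "DemoFba"; } set { } }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 1; } }
    public override int MinRequiredPasswordLength { get { return 12; } }
    public override int PasswordAttemptWindow { get { return 10; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
    public override string PasswordStrengthRegularExpression { get { return string.Empty; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return true; } }

    // Remaining abstract members must exist to compile; SharePoint does not call them for a read-only store.
    public override bool ChangePassword(string u, string o, string n) { throw new NotSupportedException(); }
    public override bool ChangePasswordQuestionAndAnswer(string u, string p, string q, string a) { throw new NotSupportedException(); }
    public override MembershipUser CreateUser(string u, string p, string e, string q, string a, bool ok, object key, out MembershipCreateStatus s) { throw new NotSupportedException(); }
    public override bool DeleteUser(string u, bool all) { throw new NotSupportedException(); }
    public override MembershipUserCollection GetAllUsers(int i, int n, out int total) { throw new NotSupportedException(); }
    public override int GetNumberOfUsersOnline() { throw new NotSupportedException(); }
    public override string GetPassword(string u, string a) { throw new NotSupportedException(); }
    public override MembershipUser GetUser(object key, bool online) { return GetUser(key as string, online); }
    public override string ResetPassword(string u, string a) { throw new NotSupportedException(); }
    public override bool UnlockUser(string u) { throw new NotSupportedException(); }
    public override void UpdateUser(MembershipUser u) { throw new NotSupportedException(); }
}

public class DemoRoleProvider : RoleProvider
{
    // The two members SharePoint uses: role claims at login, and role resolution in the people picker.
    public override string[] GetRolesForUser(string username) { var u = UserStore.Find(username); return u == null ? new string[0] : u.Roles; }
    public override bool RoleExists(string roleName) { return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase); }
    public override string[] GetAllRoles() { return UserStore.Users.SelectMany(u => u.Roles).Distinct(StringComparer.OrdinalIgnoreCase).ToArray(); }
    public override string[] GetUsersInRole(string roleName) { return UserStore.Users.Where(u => u.Roles.Contains(roleName, StringComparer.OrdinalIgnoreCase)).Select(u => u.UserName).ToArray(); }
    public override bool IsUserInRole(string username, string roleName) { return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { return GetUsersInRole(roleName).Where(n => n.IndexOf(usernameToMatch ?? string.Empty, StringComparison.OrdinalIgnoreCase) >= 0).ToArray(); }
    public override string ApplicationName { get { return "DemoFba"; } set { } }
    public override void AddUsersToRoles(string[] users, string[] roles) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] users, string[] roles) { throw new NotSupportedException(); }
}
```

Build this as a signed class library, deploy it to the GAC, and register both classes under `<membership><providers>` and `<roleManager><providers>` in the three web.config files the deck lists (web application, Central Administration, and the Security Token Service site); the provider name you give there is what `Name` returns and what you select in the web application's authentication settings in Central Administration. Two design points worth keeping in a real provider: `ValidateUser` always runs the PBKDF2 derivation, even for an unknown user name, and compares in constant time, so login timing does not distinguish "no such account" from "wrong password"; and the store exposes no password retrieval or reset path, so the provider cannot be turned into a password oracle through the members SharePoint never calls.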