Security Design with Claims-Based Authentication
Israel Vega, Nathan Miller
OSP431

6 Identity and access control is messy. Security is complicated.

7 Diagram: SharePoint as a federation gateway. Incoming claims are mapped (ClaimType = Value) and augmented on the way out.


9 Key Point: Federation relationships are based on trust

10 Trusted Identity Token Issuer: claims provider, claims mappings and login
# Map incoming claim types from the token issuer to the claim types SharePoint will use.
# -SameAsIncoming keeps the incoming type; -MappedClaimType renames it.
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://.../upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://.../nameidentifier" -IncomingClaimTypeDisplayName "NameId" -MappedClaimType "http://.../username"
…
# Register the issuer; the realm is the identifier SharePoint sends to the STS, and the mappings decide which claims survive the trust boundary
$spTIp = New-SPTrustedIdentityTokenIssuer -Name "NAME" -Description "DESC" -Realm "REALM" -ClaimsMappings $map1,$map2 …

11 Diagram: the Trusted Identity Token Issuer handles login and claims mappings; the Claims Provider handles claims search, claims resolve and claims augmentation.

12 Diagram: SP identity flow. Incoming claims from the Trusted Identity Token Issuer are mapped; claim providers (custom CCP, out-of-the-box Active Directory, SharePoint) feed the People Picker; every principal ends up as an encoded claim string.

13 Associating a CCP to a Zone
$webAppUrl = ""          # web application URL
$webAppZone = ""         # zone name, e.g. Default
$claimProviderName = ""  # name of the custom claim provider (CCP)
Write-Host "Getting the web application urls to configure"
# Scope the lookup to the target web application, not every alternate URL in the farm
$altUrls = Get-SPAlternateURL -WebApplication $webAppUrl
Write-Host "Getting the claim provider"
$claimProvider = Get-SPClaimProvider -Identity $claimProviderName
foreach ($altUrl in $altUrls)
{
    if ($altUrl.Zone -eq $webAppZone)
    {
        $wa = Get-SPWebApplication $altUrl.PublicUrl
        Write-Host "Registering claim provider [$claimProviderName] for [$webAppUrl] on the zone [$webAppZone]"
        # The provider is attached to one zone's IIS settings, so it is only consulted for logins through that zone
        $waIISSettings = $wa.GetIisSettingsWithFallback($webAppZone)
        $waIISSettings.ClaimsProviders.Add($claimProvider)
        $wa.Update()
    }
}

14 Claim Encodings

Display Name            Mapped Claim Type                              Encoded String
Authentication method   http://.../authenticationmethod                c:0ǹ.t|testadfs|<authentication method>
E-Mail Address          http://schemas.xmlsoap.org/.../emailaddress    c:05.t|testadfs|<e-mail address>
Primary SID             http://schemas.microsoft.com/.../primarysid    c:0).t|testadfs|<primary sid>
Windows account name    http://.../windowsaccountname                  c:0ǻ.t|testadfs|<windows account name>

Slide annotations: the `0` after `c:` is reserved; the next character encodes the claim type. Claim types that have no reserved character (authentication method, windows account name) are given characters outside the ASCII range (decimal codes 504 and 507 on the slide); `.t` marks a trusted-provider issuer and `testadfs` is the issuer name.

15 Reserved claim-type characters (encoded character = claim type)
'!'  = SPClaimTypes.IdentityProvider
'"'  = SPClaimTypes.UserIdentifier
'#'  = SPClaimTypes.UserLogonName
'$'  = SPClaimTypes.DistributionListClaimType
'%'  = SPClaimTypes.FarmId
'&'  = http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitysid
'\'' = http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitylogonname
'('  = SPClaimTypes.IsAuthenticated
')'  = http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
'*'  = http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid
'+'  = http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
'-'  = http://schemas.microsoft.com/ws/2008/06/identity/claims/role
'.'  = ClaimTypes.Anonymous
'/'  = ClaimTypes.Authentication
'0'  = ClaimTypes.AuthorizationDecision
'1'  = ClaimTypes.Country
'2'  = ClaimTypes.DateOfBirth
'3'  = ClaimTypes.DenyOnlySid
'4'  = ClaimTypes.Dns
'5'  = ClaimTypes.Email
'6'  = ClaimTypes.Gender
'7'  = ClaimTypes.GivenName
'8'  = ClaimTypes.Hash
'9'  = ClaimTypes.HomePhone
'<'  = ClaimTypes.Locality
'='  = ClaimTypes.MobilePhone
'>'  = ClaimTypes.Name
'?'  = ClaimTypes.NameIdentifier
'@'  = ClaimTypes.OtherPhone
'['  = ClaimTypes.PostalCode
'\'  = ClaimTypes.PPID
']'  = ClaimTypes.Rsa
'^'  = ClaimTypes.Sid
'_'  = ClaimTypes.Spn
'`'  = ClaimTypes.StateOrProvince
'a'  = ClaimTypes.StreetAddress
'b'  = ClaimTypes.Surname
'c'  = ClaimTypes.System
'd'  = ClaimTypes.Thumbprint
'e'  = ClaimTypes.Upn
'f'  = ClaimTypes.Uri
'g'  = ClaimTypes.Webpage
'h'  = SPClaimTypes.ProviderUserKey

16 Agenda checkpoints: Trusted Provider / CCP Search / CCP Resolve / CCP Augmentation

17 Diagram: Internal AD and External AD behind ADFS (the trusted provider); a claim provider backed by the Secure Store; SharePoint content classified as Secret Data and Super Secret Data; the People Picker resolving principals from both directories.

18 Demo: ADFS/AD Claim Provider (Nephophobia: fear of clouds)

19 Migration matrix (from / to: Classic, Windows Claims, FBA, SAML Claims). Cells marked on the slide require IMigrateUserCallback. Today's talk covers Classic → Windows Claims (slide 21), Classic → SAML Claims (slides 23 and 25, via IMigrateUserCallback) and Windows Claims → SAML Claims (slide 26, via IMigrateUserCallback).

20 Code Snippets: Claims Migration Scenarios (The penguin is the only bird who can swim but cannot fly)

21 Migrating from Classic to Windows Claims
$webAppUrl = "http://yourWebAppUrl"
$adminAccount = "DOMAIN\ADMIN"
# Get the web application and switch its Default zone to Windows claims
$wa = Get-SPWebApplication $webAppUrl
Set-SPWebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default
# Re-get the web application
$wa = Get-SPWebApplication $webAppUrl
# Create an admin claim for myself (encoded as a Windows claim, i:0#.w|DOMAIN\ADMIN)
$adminClaim = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$adminClaimString = $adminClaim.ToEncodedString()
# Add the admin account to the web application policy with Full Control: let me in after the migration
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($adminClaimString, "Admin Policy")
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()
# Re-get the web application
$wa = Get-SPWebApplication $webAppUrl
# Do the migration: $true rewrites every classic account as its Windows-claims equivalent
$wa.MigrateUsers($true)

22 Migrating a content database through a temporary web application
1) Copy the classic content DB.
2) Mount the copy to a temporary "DUMMY" web application.
3) Migrate it with IMigrateUserCallback.
4) Copy the migrated DB.
5) Mount the migrated DB to the "REAL" (permanent) web application.

23 Migrating from Classic to SAML Claims
# Setup is the same as the previous slide (omitted here). The difference is the migration call:
# instead of $true, pass your IMigrateUserCallback implementation, loaded from its fully qualified assembly reference
$wa.MigrateUsers($migrateUserCallback)

24 Migrating User Accounts Using IMigrateUserCallback

using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;

public class SAMLMigrationCallback : IMigrateUserCallback
{
    // Farm claim provider manager, used on slide 26 to decode encoded claim strings
    private readonly SPClaimProviderManager _cpm = SPClaimProviderManager.Local;

    // Called once per account in the content database; return the new (encoded) login name,
    // or the old one unchanged to leave the entry as it is
    public string ConvertFromOldUser(string previousUserAccount, SPWebApplication.AuthenticationMethod previousAuthType, bool isGroup)
    {
        string newUserId = previousUserAccount;
        SPClaim migratedUserClaim = null;

        switch (previousAuthType)
        {
            case SPWebApplication.AuthenticationMethod.Windows:
                migratedUserClaim = evalClassicToClaimsAccount(previousUserAccount, isGroup);
                break;
            case SPWebApplication.AuthenticationMethod.Claims:
                migratedUserClaim = evalWindowsClaimToClaimsAccount(previousUserAccount, isGroup);
                break;
            case SPWebApplication.AuthenticationMethod.Forms:
                // code for converting from Forms would be here
                break;
        }

        if (migratedUserClaim != null)
        {
            newUserId = migratedUserClaim.ToEncodedString();
        }
        return newUserId;
    }

    // Filled in on slide 25
    SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        return migratedClaim;
    }

    // Filled in on slide 26: migrating from Windows claims to SAML claims
    SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        return migratedClaim;
    }
}

25 Migrating From Classic to SAML Claims

// needs: using System; using System.Security.Principal;
SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
{
    SPClaim migratedClaim = null;

    // Check the SID and make sure it is not a system-type SID (see http://support.microsoft.com/kb/243330):
    // DO NOT MIGRATE NT AUTHORITY\Authenticated Users or LOCAL SYSTEM.
    // Only SID-form entries can be parsed as a SID; a "domain\user" entry would make the constructor throw.
    if (previousUserAccount.StartsWith("S-1-", StringComparison.OrdinalIgnoreCase))
    {
        SecurityIdentifier curSid = new SecurityIdentifier(previousUserAccount);
        if (curSid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid) ||
            curSid.IsWellKnown(WellKnownSidType.LocalSystemSid))
        {
            return migratedClaim;
        }
    }

    if (isGroup)
    {
        // Group SIDs vs names: translate the stored SID to a name and migrate only groups that still resolve
        string oldNtId = translateSidToName(previousUserAccount);
        if (oldNtId != null)
        {
            migratedClaim = generateGroupSidClaimFromNtId(previousUserAccount);
        }
    }
    else
    {
        migratedClaim = generateUserIdClaimFromNtId(previousUserAccount);
    }
    return migratedClaim;
    // translateSidToName, generateGroupSidClaimFromNtId and generateUserIdClaimFromNtId are helpers not shown in the deck
}

26 Migrating From Windows Claims to SAML

// SourceAccountType is not defined in the deck; minimal definition so the calls below compile
enum SourceAccountType { Classic, WindowsClaim }

SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
{
    SPClaim migratedClaim = null;

    // Migrating from Windows claims to SAML claims: decode the encoded identifier (_cpm is SPClaimProviderManager.Local)
    // so we can see whether the original issuer was Windows
    SPClaim idClaim = _cpm.ConvertIdentifierToClaim(previousUserAccount, SPIdentifierTypes.EncodedClaim);

    // This is a Windows claims entry, and we are going to convert it to the SAML claims ID format
    if (SPOriginalIssuers.IsIssuerType(SPOriginalIssuerType.Windows, idClaim.OriginalIssuer))
    {
        // Windows claims users are in the format domain\user; Windows claims groups are in SID format
        if (idClaim.ClaimType.Equals(SPClaimTypes.UserLogonName))
        {
            migratedClaim = generateSAMLClaimFromNtId(idClaim.Value, SourceAccountType.WindowsClaim);
        }
        else if (idClaim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid))
        {
            // Group SID or group name? The stored value is the SID
            migratedClaim = generateSAMLGroupClaim(idClaim.Value, SourceAccountType.WindowsClaim);
        }
    }
    return migratedClaim;
}

SPClaim generateSAMLClaimFromNtId(string winClaimId, SourceAccountType source)
{
    SPClaim migratedClaim = null;
    // Create the proper SAML ID claim for the old Windows claims user
    return migratedClaim;
}

SPClaim generateSAMLGroupClaim(string groupClaim, SourceAccountType source)
{
    SPClaim migratedClaim = null;
    // Create the proper SAML group claim for the old Windows claims group
    return migratedClaim;
}
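Every principal the deck deals with (the table on slide 14, the ToEncodedString() results on slides 21 and 29, the identifiers the migration callback on slides 24 to 26 rewrites) is one of these encoded claim strings. The following is an added example, not SharePoint's code and not from the deck: it decodes and re-encodes that format using the character table from slide 15, and applies the test slide 26 performs (is the original issuer Windows, and is the entry a UserLogonName user or a group SID?) to such strings. The format, the issuer letters (w, s, t, f, c), the start of the farm-assigned range and the sample strings are assumptions derived from the slide examples.

```python
# Added example, not SharePoint's own code: decode and re-encode the encoded-claim
# strings that SPClaim.ToEncodedString() produces (slides 14 and 15), and apply the
# "is this a Windows-issued user or group claim?" test from slide 26 to such strings.
# Format assumed from the slide examples:
#   <i|c>:0<claim-type char><value-type char><issuer char>|[<issuer name>|]<value>
from dataclasses import dataclass
from typing import Optional

# Slide 15: reserved character -> claim type (subset reproduced here).
CLAIM_TYPE_CHARS = {
    "!": "SPClaimTypes.IdentityProvider",
    '"': "SPClaimTypes.UserIdentifier",
    "#": "SPClaimTypes.UserLogonName",
    "(": "SPClaimTypes.IsAuthenticated",
    ")": "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
    "*": "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "5": "ClaimTypes.Email",
    "?": "ClaimTypes.NameIdentifier",
    "^": "ClaimTypes.Sid",
    "e": "ClaimTypes.Upn",
    "h": "SPClaimTypes.ProviderUserKey",
}
# Slide 14: claim types with no reserved character get a farm-assigned character
# with a code of 504 or above (the ǹ and ǻ in the table); the range start is an assumption.
FARM_ASSIGNED_START = 0x01F8
# Original-issuer letter -> issuer type (assumed from the 'w' and 't' examples on the slides).
# Trusted-provider, forms and claim-provider issuers carry an issuer-name segment.
ISSUER_CHARS = {"w": "Windows", "s": "SecurityTokenService",
                "t": "TrustedProvider", "f": "Forms", "c": "ClaimProvider"}
ISSUER_CHARS_BY_TYPE = {v: k for k, v in ISSUER_CHARS.items()}
ISSUERS_WITH_NAME = {"t", "f", "c"}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool           # 'i' = identity claim, 'c' = any other claim
    type_char: str              # the encoded claim-type character
    claim_type: str             # its meaning per slide 15, or "farm-assigned ..."
    value_char: str             # '.' = string value
    issuer_type: str
    issuer_name: Optional[str]  # None for Windows and local-STS issuers
    value: str


def decode_claim(encoded: str) -> EncodedClaim:
    """Parse an encoded claim string; raise ValueError on anything malformed."""
    if (len(encoded) < 8 or encoded[0] not in "ic" or encoded[1] != ":"
            or encoded[2] != "0" or encoded[6] != "|"):
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    type_char, value_char, issuer_char = encoded[3], encoded[4], encoded[5]
    if type_char in CLAIM_TYPE_CHARS:
        claim_type = CLAIM_TYPE_CHARS[type_char]
    elif ord(type_char) >= FARM_ASSIGNED_START:
        claim_type = f"farm-assigned claim type #{ord(type_char)}"
    else:
        raise ValueError(f"unknown claim type character {type_char!r}")
    if issuer_char not in ISSUER_CHARS:
        raise ValueError(f"unknown original issuer {issuer_char!r}")
    rest = encoded[7:]
    if issuer_char in ISSUERS_WITH_NAME:
        issuer_name, sep, value = rest.partition("|")
        if not sep or not issuer_name:
            raise ValueError("issuer name required for trusted/forms/claim-provider claims")
    else:
        issuer_name, value = None, rest
    return EncodedClaim(encoded[0] == "i", type_char, claim_type, value_char,
                        ISSUER_CHARS[issuer_char], issuer_name, value)


def encode_claim(claim: EncodedClaim) -> str:
    """Inverse of decode_claim (what ToEncodedString() yields for the same claim)."""
    issuer_char = ISSUER_CHARS_BY_TYPE[claim.issuer_type]
    head = ("i" if claim.is_identity else "c") + ":0" + claim.type_char + claim.value_char + issuer_char
    if issuer_char in ISSUERS_WITH_NAME:
        return f"{head}|{claim.issuer_name}|{claim.value}"
    return f"{head}|{claim.value}"


def windows_claim_kind(encoded: str) -> Optional[str]:
    """The slide 26 test: only Windows-issued entries are migration candidates;
    users carry UserLogonName (domain\\user), groups carry a group SID."""
    claim = decode_claim(encoded)
    if claim.issuer_type != "Windows":
        return None
    if claim.claim_type == "SPClaimTypes.UserLogonName":
        return "user"
    if claim.claim_type.endswith("/claims/groupsid"):
        return "group"
    return None


def is_valid_claim(encoded: str) -> bool:
    try:
        decode_claim(encoded)
        return True
    except ValueError:
        return False


# Constructed sample strings (not from the deck); 'testadfs' is the issuer name used on slide 14.
WIN_USER = "i:0#.w|contoso\\alice"
WIN_GROUP = "c:0+.w|S-1-5-21-1111-2222-3333-1105"
ADFS_USER = "i:05.t|testadfs|alice@contoso.com"
ADFS_ROLE = "c:0-.t|testadfs|Domain Admins"
ADFS_AUTH_METHOD = "c:0ǹ.t|testadfs|urn:federation:authentication:windows"

if __name__ == "__main__":
    for s in (WIN_USER, WIN_GROUP, ADFS_USER, ADFS_ROLE, ADFS_AUTH_METHOD):
        c = decode_claim(s)
        print(f"{s:60} {c.issuer_type:20} {c.claim_type:45} kind={windows_claim_kind(s)}")
```

The security point the encoding makes visible: the issuer and its name are part of the identity. `i:0#.w|contoso\alice` and `i:0#.t|testadfs|contoso\alice` decode to two different principals, which is why an ACL entry written for one never matches a user who logs in as the other (the reason IMigrateUserCallback has to rewrite every entry) and why a web-application policy built with the wrong issuer grants nothing to the intended account. Conversely, any trusted provider that can assert the claim type and value in an existing entry matches it, so the claims mappings on slide 10 are an authorization decision, not just plumbing.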


29 Setting the Portal Super * Accounts
$PortalSuperReader = "domain\portalsuperreader"
$PortalSuperUser = "domain\portalsuperuser"
$wa = Get-SPWebApplication -Identity "<web application URL>"
# Encode both accounts as Windows claims; the encoded string is what the object cache looks up
$PortalSuperUserClaim = New-SPClaimsPrincipal -Identity $PortalSuperUser -IdentityType WindowsSamAccountName
$PortalSuperUserClaim.ToEncodedString()
$wa.Properties["portalsuperuseraccount"] = $PortalSuperUserClaim.ToEncodedString()
$PortalSuperReaderClaim = New-SPClaimsPrincipal -Identity $PortalSuperReader -IdentityType WindowsSamAccountName
$PortalSuperReaderClaim.ToEncodedString()
$wa.Properties["portalsuperreaderaccount"] = $PortalSuperReaderClaim.ToEncodedString()
# Set the web application policies: Full Read for the reader, Full Control for the user.
# Both accounts can read every item in the cache, so never use them for interactive logins.
$SRpolicy = $wa.Policies.Add($PortalSuperReaderClaim.ToEncodedString(), "PortalSuperReader")
$SRpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullRead"))
$SUpolicy = $wa.Policies.Add($PortalSuperUserClaim.ToEncodedString(), "PortalSuperUser")
$SUpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
# Update the web app
$wa.Update()
# IISReset
iisreset

30 Fun with Claims: The value of claims-based AuthN and AuthZ (Reindeer like to eat bananas)

31 Agenda checkpoints: Trusted Provider / CCP Search / CCP Resolve / CCP Augmentation


33 Profile Claim Provider (It is possible to lead a cow upstairs but not downstairs)

34 Agenda checkpoints: Trusted Provider / CCP Search / CCP Resolve / CCP Augmentation

35 Sharing Token Claim


37 Demo: TempShare Claim Provider (The sentence "The quick brown fox jumps over a lazy dog." uses every letter of the alphabet!)

38 * http://blogs.technet.com/b/speschka/archive/2011/03/29/how-to-get-all-user-claims-at-claims-augmentation-time-in-sharepoint-2010.aspx


41 Related sessions: AZR78-HOL | Introduction to Access Control Service; SIA01-TLC | Microsoft Identity and Access. Find us later at the SharePoint TLC Booth and Ask the Experts.

42 Resources: http://blogs.msdn.com/entdev (demo code); http://blogs.technet.com/b/speschka/ (SharePoint CBA resources)

43 Connect. Share. Discuss. http://europe.msteched.com Learning Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn

44 Evaluations http://europe.msteched.com/sessions Submit your evals online
