Who are you and what do you want?

greenpepperwhinnySecurity

Nov 3, 2013


Who are you and what do you want?
Authentication and Authorization
SharePoint 2010

Big topic! This session will just scratch the surface.
  Define some terms along the way
  Focus on SharePoint 2010 capabilities and demos; applicable to SharePoint 2013
  ASP.Net Membership / Role provider framework
  Demos, focused on Membership and Role provider techniques that can be used in both SharePoint 2010 and 2013

Authentication
  Confirmation of identity
  Allow access
Authorization
  Post authentication
  Allow access to resource(s) based on permission of identity

SharePoint 2007
  Authentication mode is called “classic”
  Default Active Directory authentication
  Support for forms-based authentication
  Support for ASP.Net web security framework and plug-in custom authentication providers
  Support for multiple web application zones
  One provider per web application zone
  Use of multiple authentication providers requires multiple zones/URLs

SharePoint 2010
  All 2007 functional capabilities still available
  Introduces support for claims-based authentication. Built on Windows Identity Foundation
  Introduction of Secure Token Service
  Multiple authentication/identity providers per zone/URL
  Ability to create and register Trusted Identity Providers in farm to provide authentication services to multiple web applications / single sign-on

Identity
  Set of attributes to describe a user such as name, e-mail, password, etc.
Identity Provider
  An authority that can assert the “true” identity and its attributes
Claim
  An assertion (i.e. the claim) issued by an identity provider about a specific user or other entity in a system (machine, etc.)
  Contains an encrypted set of information
  Identity providers can be trusted by SharePoint

SharePoint Secure Token Service
  Client (i.e. web browser accessing SharePoint) sends request to STS
  STS verifies identity by querying authentication provider
  STS issues “claim”, i.e. encrypted security token
  Client uses token to access SharePoint site

SharePoint 2010
  Authentication selected during web application creation
  Claims can also be enabled on existing site with PowerShell script
  Forms-based authentication now handled by claims authentication

SharePoint 2010
  Authentication settings now accessible through web application management ribbon
  Configurable for each zone
  Again, note that Windows, Forms and Identity trusts can be active for each zone

SharePoint 2013
  Claims-based authentication is now default mode
  Classic is still supported (PowerShell), but deprecated
  Easier migration from classic to claims via use of Convert-SPWebApplication cmdlet
  Login tokens cached in newly introduced Distributed Cache Service
  Support for OAuth (open standard for authorization)
    Server to Server authorization
    Authorize apps to access SharePoint resources

Authentication Providers
  Store of user authentication information (i.e., user name and password; roles, etc.)
  Basic steps for consuming Authentication provider (membership and roles)
    Create or get a provider!
    Configure web.config to “register” the provider
      Web application
      Central Administration site
      Security Token Service site (allows the STS to query the auth provider during login process)
    Configure web application provider settings in Central Administration

“Built-In” .NET Provider
  Start with System.Web.Security built-in SQL-based authentication provider
    SqlMembershipProvider
    SqlRoleProvider
  Create database with aspnet_regsql.exe utility
  Configure users and roles with built-in configuration UI

Demo

Custom Authentication Provider
  Create Visual Studio project
  Create 2 classes, respectively inheriting from:
    System.Web.Security.MembershipProvider
    System.Web.Security.RoleProvider
  Override required methods to implement custom behaviors
  Can add other classes as needed to integrate with member store

Membership Provider Interfaces
  Five required interface overrides in System.Web.Security.MembershipProvider
    GetUser(System.String, System.Boolean)
    GetUserNameByEmail(System.String)
    ValidateUser(System.String, System.String)
    FindUsersByEmail(System.String, System.Int32, System.Int32, System.Int32)
    FindUsersByName(System.String, System.Int32, System.Int32, System.Int32)

Role Interfaces
  Two required interface overrides for Role provider (System.Web.Security.RoleProvider)
    GetRolesForUser(System.String)
    RoleExists(System.String)

Demo
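As an added example (not code from the deck or from Liam Cleary's blog), a read-only custom RoleProvider that implements the two overrides listed above, plus IsUserInRole, against a constructed in-memory store; the class, user and role names are hypothetical, and the assembly would still need to be registered in web.config for the web application, Central Administration and the STS site as described earlier in the deck.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

// Added example, not the deck's code: a read-only RoleProvider. Only GetRolesForUser
// and RoleExists are needed by SharePoint; every member that would change the role
// store refuses explicitly, so the ASP.Net role APIs cannot grant roles by accident.
public sealed class DemoRoleProvider : RoleProvider
{
    // Constructed sample data standing in for the member store (hypothetical values).
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Readers", "Contributors" } },
            { "bob",   new[] { "Readers" } },
        };
    private static readonly string[] AllRoles = { "Readers", "Contributors", "Approvers" };

    public override string ApplicationName { get; set; }

    // Queried at login so role claims can be added to the user's security token.
    public override string[] GetRolesForUser(string username)
    {
        if (string.IsNullOrWhiteSpace(username)) return new string[0];
        string[] roles;
        return RolesByUser.TryGetValue(username.Trim(), out roles)
            ? (string[])roles.Clone()   // clone so callers cannot mutate the store
            : new string[0];
    }

    // Queried when a role name is resolved, e.g. while granting permissions to a role.
    public override bool RoleExists(string roleName)
    {
        return !string.IsNullOrWhiteSpace(roleName)
            && AllRoles.Contains(roleName.Trim(), StringComparer.OrdinalIgnoreCase);
    }

    // Implemented so membership checks answer from the store instead of throwing.
    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles() { return (string[])AllRoles.Clone(); }

    // Remaining abstract members: the store is read-only, so refuse them explicitly.
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulated) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string match) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
}
```

Keeping the mutating members unsupported is the usual shape for a provider that fronts an existing directory: role assignment stays under the directory's own controls, and SharePoint only reads.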

Trusted Identity Provider
  Identity providers issue security token (claim) upon login
  Custom identity/claim providers can be implemented

Implementing an Identity Provider
  Option 1: procure one already built and install/configure it in the SharePoint farm. Active Directory Federation Services is an example
  Option 2: build one!

Building an Identity Provider
  Visual Studio: install Windows Identity Framework SDK
  SDK provides Visual Studio templates for creating IP
  Create provider
  Export certificate
  Register provider, claims, and certificate in SharePoint to create trust relationship.
  PowerShell: New-SPTrustedIdentityTokenIssuer

Demo

Thanks to my buddy Liam Cleary’s blog:

http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=17