
OFS308 Deploying Microsoft SharePoint Server 2010 with Claims Authentication

OFS308 Deploying Microsoft SharePoint Server 2010 with Claims Authentication. Wouter van Vugt SharePoint Fellow. Objectives. Learn how to configure a SharePoint site to use SAML claims and federated authentication Learn how to use ADFS v2 as the identity provider. Agenda.


Presentation Transcript


  1. OFS308 Deploying Microsoft SharePoint Server 2010 with Claims Authentication
     Wouter van Vugt, SharePoint Fellow

  2. Objectives
     • Learn how to configure a SharePoint site to use SAML claims and federated authentication
     • Learn how to use ADFS v2 as the identity provider

  3. Agenda
     • Setting up claims authentication end-to-end
     • Understanding SharePoint limits
     • Troubleshooting your claims
     • Integrating with Windows Live ID

  4. Terminology
     • Issuer • Security Token Service (STS) • Identity Provider (IP)
     • Application • Relying Party (RP) • Service Provider (SP)
     • User • Subject • Principal
     • Browser • Passive Client

  5. Windows and Forms authentication
     • Based in ASP.NET
     • Only allows either Windows or Forms
     • Expand Web Application to a new zone
       • https://external.partner.contoso.com (external)
       • http://partners (internal)
     • Different coding model
       • WindowsIdentity.GetCurrent()
       • FormsAuthentication.RedirectFromLoginPage
     • Difficult to configure Forms authentication in SharePoint
       • Configure Central Admin plus Web Application
       • Need password reminder, recovery, change, etc.

  6. Signing in with Windows Authentication Wouter van Vugt SharePoint Fellow demo

  7. Claims Authentication
     • Configured on a per Web Application level
     • Use PowerShell to add new Issuers
     • Map issuer claims to application claims
     • Map the identity claim
     • Trust the issuer’s certificate
     • Windows Authentication and Forms are default Issuers

  8. Components of a claims enabled web site (diagram): External Issuer, SharePoint Issuer, Page

  9. Signing in with Claims Authentication Wouter van Vugt SharePoint Fellow demo

  10. Configuring new Issuers in SharePoint
     • New-SPTrustedRootAuthority
     • New-SPTrustedIdentityTokenIssuer
     • Use SelfSTS as a quick and dirty issuer
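The steps from slides 7 and 10 (trust the issuer's certificate, map the claims, map the identity claim, register the issuer) as one PowerShell session on a SharePoint 2010 server. This is an added example, not code from the deck; the certificate path, the issuer name "ADFS Partners", the ADFS host adfs.contoso.com and the two claim types are assumptions, while the realm urn:my:value is the one the deck uses.

```powershell
# Added example (not from the deck). Assumes the ADFS token-signing certificate
# (public part only) was exported to C:\certs\adfs-signing.cer.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath = "C:\certs\adfs-signing.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# 1. Trust the issuer's signing certificate so SharePoint can validate token signatures.
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# 2. Map incoming issuer claims to SharePoint claims. The e-mail claim becomes the identity claim.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the trusted identity token issuer. SignInUrl is the ADFS WS-Federation passive
#    endpoint; Realm must match the identifier of the relying party trust created in ADFS.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS Partners" -Description "Contoso ADFS v2" `
    -Realm "urn:my:value" `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://adfs.contoso.com/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Check what was registered before enabling it on a web application zone in Central Admin.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS Partners" |
    Select-Object Name, DefaultProviderRealm, ProviderUri, IdentityClaimTypeInformation
```

Remember slide 15 when choosing the mappings: the ClaimsMappings list cannot be changed afterwards without deleting and recreating the issuer.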

  11. Configuring Issuers Wouter van Vugt SharePoint Fellow demo

  12. Configuring ADFS
     • Create new Relying Party Trust
     • ADFS v2.0 Profile
     • Ensure to use the _trust endpoint
     • Set the realm to a sensible value: urn:my:value
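The ADFS side of the same trust, scripted instead of clicked through the wizard. This is an added example, not code from the deck; it assumes the ADFS 2.0 PowerShell snap-in on the ADFS server, the trust name "SharePoint Partners", and that the external zone is the https://external.partner.contoso.com URL from slide 5. The realm urn:my:value and the _trust endpoint are the deck's.

```powershell
# Added example (not from the deck). Run on the ADFS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Issuance transform rules: pull mail and group membership from AD and issue them as the
# two claim types the SharePoint issuer maps (email = identity claim, role = group claim).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email and groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization rule: permit everyone who authenticated; SharePoint does its own
# authorization on the mapped claims.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# The identifier is the realm SharePoint sends (wtrealm); the WS-Fed endpoint is the
# web application's _trust page, which is what turns the posted token into a SharePoint session.
Add-ADFSRelyingPartyTrust -Name "SharePoint Partners" `
    -Identifier "urn:my:value" `
    -WSFedEndpoint "https://external.partner.contoso.com/_trust/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify the trust; the Identifier and WSFedEndpoint must match the SharePoint side exactly.
Get-ADFSRelyingPartyTrust -Name "SharePoint Partners" |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```

A mismatch between this Identifier and the Realm given to New-SPTrustedIdentityTokenIssuer is the most common reason the redirect back from ADFS fails, so compare the two values first when troubleshooting.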

  13. Configuring ADFS Wouter van Vugt SharePoint Fellow demo

  14. Limits with Token Signing Certs
     • A token signing cert can only be used with ONE trusted identity token issuer
     • ADFS only supports ONE primary token signing certificate
     • In ADFS, the realm is how ADFS determines where it should redirect after authentication
     • The trick is to use multiple realms with the trusted identity token issuer
     • The Url associated with the realm is how SharePoint knows what realm to send at auth time

  15. Limits with Claim Mappings
     • Claim mappings are currently immutable
     • If you decide you want to capture additional claims, you can’t change the claims collection the SPTrustedIdentityTokenIssuer uses
     • Only choice for now is to delete and recreate the token issuer

  16. Limits with People Picker
     • Resolve everything
     • Resolve per mapped claim
     • No guarantees on correctness of data

  17. Troubleshooting Claims
     • Folks, it’s hard
     • Difficult to determine claims received from Issuer
     • Difficult to determine faulty component

  18. Integrating with Windows Live
     • Just another Issuer
     • Sign up at https://msm.live.com/wizard/default.aspx?wa=wsignin1.0
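The "multiple realms" trick from slide 14, as an added PowerShell example (not from the deck): one SPTrustedIdentityTokenIssuer, one signing certificate, but a different realm per web application URL via the ProviderRealms dictionary. The issuer name "ADFS Partners" and the second web application https://external.hr.contoso.com with realm urn:my:hr are assumptions; the first URL and urn:my:value come from the deck.

```powershell
# Added example (not from the deck). Run on a SharePoint 2010 server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ti = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS Partners"

# One entry per web application that shares this issuer: the key is the zone URL the user
# signs in through, the value is the realm (wtrealm) SharePoint will send to ADFS for it.
# ADFS needs a relying party trust whose Identifier equals each realm, or it cannot redirect back.
$realms = @{
    "https://external.partner.contoso.com" = "urn:my:value"   # from the deck
    "https://external.hr.contoso.com"      = "urn:my:hr"      # constructed second web application
}

foreach ($url in $realms.Keys) {
    $uri = New-Object System.Uri($url)
    if ($ti.ProviderRealms.ContainsKey($uri)) {
        $ti.ProviderRealms[$uri] = $realms[$url]      # update an existing mapping
    } else {
        $ti.ProviderRealms.Add($uri, $realms[$url])   # add a new URL -> realm mapping
    }
}
$ti.Update()

# Show the realm SharePoint will send for each URL, plus the fallback realm.
"Default realm: " + $ti.DefaultProviderRealm
$ti.ProviderRealms.GetEnumerator() | ForEach-Object { "{0} -> {1}" -f $_.Key, $_.Value }
```

Unlike the claim mappings on slide 15, ProviderRealms can be edited after the issuer exists, so adding a web application later does not require recreating the issuer.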

  19. Session Evaluations Tell us what you think, and you could win! All evaluations submitted are automatically entered into a daily prize draw*  Sign-in to the Schedule Builder at http://europe.msteched.com/topic/list/ * Details of prize draw rules can be obtained from the Information Desk.

  20. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
