Jean Marie THIA SAML 2.0 @ work with Sharepoint, OWA, …
Agenda • 1 - Demonstrations • 2 - Explanations • 3 - Story • Questions
1 : Authentication • Connect to a web application • Connect to Sharepoint • Connect to Outlook Web Access
1 : SharePoint authZ • A MS Word use case • From the desktop • From SharePoint • Set authorization in SharePoint
2 : SharePoint (diagram) • WS-Federation • SAML 2.0 • SharePoint STS • ADFS 2.0
2 : Outlook Web Access (diagram) • Kerberos • SAML 2.0 • Mapping • ADFS 2.0 • C2WTS
2 : ADFS manipulation • Map shibboleth attribute • Map OWA user
Story • Claim-based access control • microsoft.identityModel
3 : WIF • Core claims API (microsoft.identityModel) • SAML Token • WS-Federation protocol • SAML 2.0 protocol with Safewhere http://safewhere.net/products/saml-20-for-wif.aspx
3 : WIF compatibility • IsInRole works (web.config declaration)
3 : WIF programming
    using System.Linq;
    using System.Threading;
    using Microsoft.IdentityModel.Claims;

    // Get the claims identity behind the current thread principal
    IClaimsIdentity id = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];

    // you can use a simple foreach loop to find a claim...
    string usersEmail = null;
    foreach (Claim c in id.Claims)
    {
        if (c.ClaimType == System.IdentityModel.Claims.ClaimTypes.Email)
        {
            usersEmail = c.Value;   // was "UsersEmail" on the slide; C# identifiers are case-sensitive
            break;
        }
    }

    // you can also use LINQ to find a claim (First() throws if no such claim is present)
    string usersFirstName = (from c in id.Claims
                             where c.ClaimType == System.IdentityModel.Claims.ClaimTypes.GivenName
                             select c).First().Value;
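As an added example (not from the slides or from Microsoft), the claims augmentation step mentioned in the conclusion: a WIF 1.0 ClaimsAuthenticationManager that maps a Shibboleth eduPersonAffiliation attribute claim to WIF role claims, so that legacy code calling IsInRole keeps working. The affiliation claim type URI, the role names and the class name are assumptions.

```csharp
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Hypothetical claims authentication manager for a WIF 1.0 relying party.
// Registered in web.config (assumed class and assembly names):
//   <microsoft.identityModel><service>
//     <claimsAuthenticationManager type="Demo.AffiliationToRoleManager, Demo" />
//   </service></microsoft.identityModel>
public class AffiliationToRoleManager : ClaimsAuthenticationManager
{
    // Assumed claim type for eduPersonAffiliation (urn:oid form of its LDAP OID);
    // use whatever claim type the ADFS claim rule actually emits.
    private const string AffiliationClaimType = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1";

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Unauthenticated requests pass through untouched; WIF redirects them to the STS.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        IClaimsIdentity identity = incomingPrincipal.Identities[0];

        // Only values carried in the signed token are considered; nothing is read from the request.
        var affiliations = identity.Claims
            .Where(c => c.ClaimType == AffiliationClaimType)
            .Select(c => c.Value)
            .Distinct();

        foreach (string affiliation in affiliations)
        {
            // Explicit allow-list: an unmapped affiliation yields no role at all.
            switch (affiliation)
            {
                case "staff":
                    identity.Claims.Add(new Claim(ClaimTypes.Role, "Staff"));
                    break;
                case "student":
                    identity.Claims.Add(new Claim(ClaimTypes.Role, "Student"));
                    break;
            }
        }

        // The augmented principal is what Thread.CurrentPrincipal will expose;
        // IsInRole("Staff") now succeeds for a user whose token carried affiliation "staff".
        return incomingPrincipal;
    }
}
```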
3 : ADFS 2.0 • Uses the SAML 2.0 protocol • Liberty Alliance IdP Lite • Liberty Alliance SP Lite • eGov SAML 2.0 Profile v1.5 • Uses WS-* protocols • Interoperates with Oracle, CA, SUN, Shibboleth, PingIdentity, … • Is a separate download!
3 : ADFS 2.0 architecture (diagram) • Management APIs and UX • Policy Store Interface • Identity Store Interface • Windows Identity Foundation (WIF) API • WMI Provider • Protocol Hosting (WS-*, SAML 2.0) • Account & Attribute Stores • Configuration Database • Active Directory Federation Services (AD FS) 2.0: Token/Claim Issuance Service, Metadata/Policy Management Service, Information Card Issuance Service
3 : Azure ACS • ADFS for the cloud • Extended interoperability (OAuth, OpenID, Google, Facebook, etc.)
Conclusion • + Many guides. • + AuthZ with claims augmentation. • + Claims compatibility with old code. • - Federation metadata
ADFS v2 - Guides • SharePoint 2010: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx • Outlook Web Access 2010: Exposing OWA 2010 with AD FS 2.0 to other organizations http://www.microsoft.com/france/interop/ressources/documents.aspx • InCommon: AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx
Webcast • Architecting claims-aware applications http://www.msteched.com/2010/Europe/ARC303 • From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010 http://www.msteched.com/2010/NorthAmerica/OSP311 • Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication http://www.msteched.com/2010/NorthAmerica/OSP306 • http://channel9.msdn.com/
Links at Microsoft • Patterns & Practices: A Guide to Claims-Based Identity and Access Control http://msdn.microsoft.com/en-us/library/ff423674.aspx • MSDN: WIF http://msdn.microsoft.com/en-us/library/ee748484.aspx • C2WTS http://msdn.microsoft.com/en-us/library/ee517278.aspx • IdM http://msdn.microsoft.com/en-us/security/aa570351.aspx • ADFS 2.0 on TechNet http://technet.microsoft.com/en-us/library/adfs2(v=WS.10).aspx
Questions? • Jean-Marie.THIA@upmc.fr • twitter.com/jm_thia