SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
4. Authentication vs. Authorization
Claims Authentication in SharePoint 2010
Integrating Facebook from scratch
New SharePoint 2010 web application
Adding an Azure Access Control Service (ACS) Trusted Identity Provider (Facebook)
Going “beyond authentication” to surface Facebook data in SharePoint and vice versa
5. How many of you are…
Developers?
System administrators?
IT professionals?
Others?
Integrating SharePoint 2010 with an identity provider such as Facebook will present different challenges for each role
7. Authentication (AuthN) is the process of validating a user’s identity
SharePoint never performs authentication
If the login prompt keeps appearing, think authentication issue!
Unless it’s the dreaded loopback check!
8. Authorization (AuthZ) is the process of determining the resources, features, etc. to which an authenticated user has access
If you see “Access Denied” errors, think authorization issue!
9. What is a claim?
A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date
Whose claims do I trust, and which claims affect authorization decisions I make?
10. Token
Serialized set of claims about an authenticated user, digitally signed by the token’s issuer
Identity Provider (IP)
Validates user credentials
Security Token Service (STS)
Builds, signs, and issues tokens containing claims
Relying party (RP)
Applications that make authorization decisions based on claims (SharePoint 2010)
11. Decoupling of authentication logic from authorization and personalization logic
Applications no longer need to determine who the user is; they receive claims identifying the user
Great for developers who rarely want to work with identity!
Provides a common way for applications to acquire the identity information they need about users
12. 1. “I’d like to access this protected resource.”
2. “I don’t know who you are. Identity provider, authenticate him.”
3. “My user ID is Danny and my password is BaCoNbAcOn!!1.”
4. “Hi, Danny. Here is a token you can use containing attributes about you.”
5. “I’d like to access this resource; hopefully it has the proof you need to authorize me!”
(Relying party in the diagram: SharePoint 2010)
13. Claims Based Authentication (Tokens)
Windows Authentication: NTLM/Kerberos, Basic
Forms-Based Authentication (ASP.NET Membership provider and Role manager)
Other Trusted Identity providers (like Facebook!)
Classic Mode Authentication (“Old School”)
Windows Authentication (NTLM/Kerberos) only
Both map authenticated users to SPUser objects (security principals)
14. The single biggest decision of your life!
Updated TechNet guidance:
“For new implementations of SharePoint Server 2010, you should consider we recommend claims-based authentication.”
http://technet.microsoft.com/en-us/library/cc262350.aspx
15. Allows users to choose how to authenticate when multiple providers are configured (Mixed Authentication)
/_login/default.aspx
Custom code opportunity
http://bit.ly/IR0eRR
19. Cloud-based service that provides an easy way of authenticating and authorizing users to gain access to web applications
Includes support for Windows Live ID, Google, Yahoo, and Facebook
Also includes support for Active Directory Federation Services (AD FS) 2.0
Simple browser-based management portal
$1.99/100k transactions (free until Nov. 30!)
20. Three things must be done to add support for users to login to SharePoint via Facebook:
1. Create a Facebook application
https://developers.facebook.com/apps
2. Configure ACS for Facebook support
Permissions you will request from Facebook users
Relying Party application and Rule Group setup
3. Configure ACS as a Trusted Identity Provider in SharePoint
21. No! You can integrate external identity providers with SharePoint without ACS
You have no choice if you want to use identity providers not currently supported by ACS (such as LinkedIn or Twitter)
You will need to write your own code to:
Ensure the user has logged in to the IP
Obtain claim information from the IP
Package and sign tokens (your own STS)
25. From the ACS management portal, add a new Identity Provider
26. Enter App ID and App Secret values from the Facebook application you created earlier
Enter a comma-delimited list of Application Permissions you want to request
https://developers.facebook.com/docs/reference/api/permissions/
In our demo, we will request:
email,user_location,user_hometown,user_website,user_work_history,publish_stream,user_birthday,friends_birthday,user_education_history,user_photos,user_about_me
27. Permissions you request will be displayed to the end user the first time they log in
Request the minimum subset of permissions you need
Users are more likely to reject bigger requests
28. Generate Rule Group
Named set of claim rules that define which identity claims are passed from identity providers to your relying party application
SharePoint will still need to be configured to make use of these claims
29. Configure Relying Party application
Provide Name, Realm, and Return URL
Return URL: Realm + /_trust
30. Choose SAML 1.1 token format
Update Token lifetime to >600 seconds
Select Identity providers and Rule groups
31. Generate self-signed certificate
C:\Program Files\Microsoft Office Servers\14.0\Tools>MakeCert.exe -r -pe -n "CN=dannyjessee.accesscontrol.windows.net" -sky exchange -ss my
(Self-signed, exportable, subject key type “exchange,” store in “personal” certificate store)
Development only! Please use a legitimate certificate in production!
32. Upload this certificate (.pfx format) as the Token Signing Certificate in ACS
35. Running this PowerShell script will add “Facebook” to the list of Trusted Identity Providers
Eligible to be added to Claims-based web applications in Central Administration
36. Before Facebook users will be authorized to access anything, we must grant them an appropriate level of permissions
Best to set a “Full Read” web application policy for users coming in from Facebook
In a public-facing scenario, you likely won’t know specific user identities to set more granular permissions
Not to mention the people picker issues!
38. All claims whose OriginalIssuer is TrustedProvider:Facebook
AccessToken is the key to all user data
39. Make calls to the Facebook Graph API
https://developers.facebook.com/docs/reference/api/
Retrieve data about the user and his/her friends
Upload photos/videos, post status messages
Data returned from Facebook in JSON format
Requests to https://graph.facebook.com/...
▪ me/feed, me/friends, me/photos, me/videos
41. Code snippets in these slides are not complete
Do not include proper error checking/handling
Do not show proper impersonation of System Account where necessary
Please download the code
http://facebookwebparts.codeplex.com
Examples use the Facebook C# SDK
http://csharpsdk.org
42. Returned in a claim from Facebook
A new AccessToken is issued each login
Our key to all of the data about the logged in user
Required for all calls to the Facebook Graph API
Two hour lifetime by default
To leverage this token across the site, I store it in the SPWeb.AllProperties property bag
web.AllProperties["fbAccessToken_" + loginName] = accessToken;
AllProperties required for case sensitivity
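An added example, not from the deck or its codeplex project, that pulls the Facebook-issued claims out of the WIF identity SharePoint 2010 exposes, checks the expiration claim before trusting the AccessToken, and stores the token per login name the way the slides describe. The claim type URIs and the epoch-seconds format of the expiration claim are assumptions about what the ACS rule group passes through.

```csharp
using System;
using System.Globalization;
using System.Linq;
using Microsoft.IdentityModel.Claims;   // WIF 1.0, as used by SharePoint 2010
using Microsoft.SharePoint;

public static class FacebookClaimHelper
{
    // SharePoint labels claims from a trusted provider named "Facebook" this way
    public const string FacebookIssuer = "TrustedProvider:Facebook";

    // Claim types ACS passes through for a Facebook identity provider (assumed URIs)
    public const string AccessTokenClaim =
        "http://www.facebook.com/claims/AccessToken";
    public const string ExpirationClaim =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration";

    // Returns the Graph API access token, or null when it is absent or expired.
    // Only claims whose OriginalIssuer is Facebook are considered, so a claim of the
    // same type issued by another provider cannot be mistaken for a Facebook token.
    public static string GetAccessToken(IClaimsIdentity identity, DateTime utcNow)
    {
        var fromFacebook = identity.Claims
            .Where(c => c.OriginalIssuer == FacebookIssuer)
            .ToList();

        Claim token = fromFacebook.FirstOrDefault(c => c.ClaimType == AccessTokenClaim);
        Claim expiry = fromFacebook.FirstOrDefault(c => c.ClaimType == ExpirationClaim);
        if (token == null || expiry == null)
            return null;

        // Assumed: the expiration claim carries Unix epoch seconds (UTC)
        long epochSeconds;
        if (!long.TryParse(expiry.Value, NumberStyles.Integer,
                           CultureInfo.InvariantCulture, out epochSeconds))
            return null;

        DateTime expiresUtc = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)
            .AddSeconds(epochSeconds);
        return expiresUtc > utcNow ? token.Value : null;
    }

    // Stores the token per login name in the web's property bag, as the deck does.
    // The token is a bearer credential: whoever can read this property bag can call
    // the Graph API as this user until it expires, so scope such webs tightly.
    public static void SaveAccessToken(SPWeb web, string loginName, string accessToken)
    {
        // AllProperties (not Properties) preserves key case
        web.AllProperties["fbAccessToken_" + loginName] = accessToken;
        web.Update();
    }
}
```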
43. Change to
Initial display name for the SPUser is based on the specified IdentifierClaim
Make this friendlier – we know their name!
if (SPContext.Current.Web.CurrentUser == null)
{
    // Ensure the claims user exists in the web, then give it a friendly display name
    SPUser user = web.EnsureUser("i:" + claimsIdentity.Name);
    user.Name = givenName;
    user.Update();
}
44. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
JsonObject location = me["location"] as JsonObject;
string myLocation = (string)location["name"];
myLocation is in City, State format
Parsed and sent to Weather Underground API
http://api.wunderground.com/api/[key]/geolookup/conditions/forecast/q/[state]/[city].json
45. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
SPList lstContacts = web.Lists["Contacts"];
SPListItem item = lstContacts.Items.Add();
item["First Name"] = (string)me["first_name"];
item["Last Name"] = (string)me["last_name"];
JsonArray work = me["work"] as JsonArray;
// Most recent/current employer stored in work[0]
JsonObject company = work[0] as JsonObject;
JsonObject employer = company["employer"] as JsonObject;
JsonObject position = company["position"] as JsonObject;
item["Company"] = (string)employer["name"];
item["Job Title"] = (string)position["name"];
item.SystemUpdate();
46. var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me/friends?fields=name,birthday");
JsonArray friendData = me["data"] as JsonArray;
foreach (JsonObject friend in friendData)
{
    if (friend.ContainsKey("birthday"))
    {
        /* Some users share MM/DD of birthday, others share MM/DD/YYYY.
           We only care about MM/DD for our purposes, and
           Facebook always pads with leading zeros */
        string birthday = (string)friend["birthday"];
        int birthMonth = int.Parse(birthday.Substring(0, 2));
        int birthDate = int.Parse(birthday.Substring(3, 2));
        ...
    }
}
48. var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string, object> {
    { "title", "I know how to post videos to Facebook...from SharePoint!" },
    { "description", "See more at SPS Cincinnati October 27, 2012!" },
    { "vid1", new FacebookMediaObject { ContentType = "video/x-flv", FileName = "facebook.flv" }
        .SetValue(File.ReadAllBytes(@"C:\facebook.flv")) }
};
client.PostAsync("me/videos", dict);
49. var client = new Facebook.FacebookClient(token);
Dictionary<string, object> dict = new Dictionary<string, object>();
dict.Add("message", "Yay for Claims-Based Identity, Facebook, SharePoint, and Bacon!");
dict.Add("link", "http://sharepointsaturday.org/cincinnati");
dict.Add("picture", "http://www.sharepointsaturday.org/cincinnati/SiteImages/ScarePointSpookinnati.jpg");
dict.Add("name", "SharePoint Saturday Cincinnati");
dict.Add("caption", "October 27, 2012");
dict.Add("description", "Come see my presentation about Claims-Based Identity in SharePoint 2010 at SPS Cincinnati!");
client.PostAsync("me/feed", dict);
50. Ensure the “Allow users to edit values for this property” flag is set
SPServiceContext sc = SPServiceContext.GetContext(site);
UserProfileManager userProfileManager = new UserProfileManager(sc);
// true: create the current user's profile if it does not exist yet
UserProfile profile = userProfileManager.GetUserProfile(true);
profile[PropertyConstants.StatusNotes].Value = txtStatus.Text;
profile.Commit();
51. Silverlight application courtesy MossLover
Interfaces with the user’s webcam, saves captured images to document library
52. Added event handler to upload to Facebook
string contentType = "image/jpeg";
var client = new Facebook.FacebookClient(fbAccessToken);
Dictionary<string, object> dict = new Dictionary<string, object> {
    { "message", "Uploaded picture from Silverlight webcam image capture in SharePoint!" },
    { "pic1", new FacebookMediaObject { ContentType = contentType, FileName = properties.ListItem.File.Name }
        .SetValue(properties.ListItem.File.OpenBinary()) }
};
client.PostAsync("me/photos", dict);
Editor’s notes
This is all admin/IT pro stuff…
Liam Cleary makes a good point about how anonymous access is one case where Authorization precedes Authentication.
Liam Cleary’s analogy of driver’s licenses and vehicle registrations; police officers. HTTP 302 redirects. Can verify this with Fiddler.
Claims opens up all the doors to you…FBA, Trusted Identity Providers (external-outside world)
Can always go from Classic to Claims, can’t go back!!!
Go to Central Administration and provision a simple new web application using Claims. Log in with an NTLM-based domain account.