SharePoint Authentication And Authorization SPTechCon San Francisco

1. SharePoint Authentication and Authorization
Liam Cleary
Solution Architect | SharePoint MVP

2. About Me
• Solution Architect @ SusQtech (Winchester, VA)
• SharePoint MVP since 2007
• Working with SharePoint since 2002
• Worked on all kinds of projects
• Internet
• Intranet
• Extranet
• Anything SharePoint Really
• Involved in Architecture, Deployment, Customization and
Development of SharePoint

3. Agenda
• Security in General
• Security with SharePoint
• Authentication
• Authorization
• Authentication vs. Authorization
• Claims Authentication / Authorization
• Options Available
• Membership & Role Providers
• Identity Provider
• Cloud Based Services
• Art of Authorization
• Things to Remember

4. Security in General
Dictionary Definition:
• Freedom from danger, risk, etc.; safety.
• Freedom from care, anxiety, or doubt; well-founded
confidence.
• Something that secures or makes safe; protection; defense.
• Freedom from financial cares or from want: The insurance
policy gave the family security.
• Precautions taken to guard against
crime, attack, sabotage,
espionage

6. Security with SharePoint
• Isn't this an oxymoron? Just kidding!!

7. Security with SharePoint
How does security come into play with SharePoint?
• Same questions as the previous security
• How, Who, When and often Why
• Content specific security
• Role based as well is individual security
• Collaboration security
• Cross Team
• Cross Organizational
• Cross Company
• Specific permission sets for types of access and functionality

8. Authentication – What is?
Dictionary Definition:
• To establish as genuine.
• To establish the authorship or origin of conclusively or
unquestionably, chiefly by the techniques of scholarship: to
authenticate a painting.
• To make authoritative or valid.

9. Authentication – Types of?
• Windows
• NTLM
• Kerberos
• Basic
• Anonymous
• Digest
• Forms-based Authentication
• Lightweight Directory Access Protocol (LDAP)
• Microsoft SQL Server
• ASP.NET Membership and Role Providers
• SAML Token-based Authentication
• Active Directory Federated Services
• 3rd Party Identity Provider
• Lightweight Directory Access Protocol (LDAP)

10. Authorization – What is?
Dictionary Definition:
• The act of authorizing.
• Permission or power granted by an authority; sanction.
• To give authority or official power to;
• To give authority for; formally sanction (an act or proceeding):
• To establish by authority or usage:

11. Authentication vs. Authorization
• Misunderstood Terminology
• Users, IT and Developers
• Authentication = Verification of Claim (I am Liam)
• Authorization = Verification of Permission (Liam has access to)
• Authentication Precedes Authorization
• Correct ID shown to Bank Teller
• You are Asking to be Authenticated on the Account
• Once accepted you become Authorized on the Account
• Exception to the rule
• Anonymous Access can leave comments on Blog site
• Anonymous users are already Authorized but not Authenticated
• Too often we focus on Authentication and not Authorization
• We expect our users, clients etc. to just inherently know what they
are to do
• We often forget that Authentication can be broken, but Authorization
is slightly more complicated

12. Authentication – Claims
SharePoint 2010 Introduced Claims Authentication

13. Authentication – Claims
Why introduce Claims Authentication?
• Wide Support
• Standards Based
• WS-Federation 1.1
• WS-Trust 1.4
• SAML Token 1.1 AuthN
• Single Sign On
• Federation
• Already many providers, Live, Google, Facebook etc
• Microsoft standard approach
• Fed up custom coding everything, every time
• Gets round (some) Office Integration problems
• Easy to configure with little effort
• Multiple Web Config changes, Web Application Changes and then of
course the actual configuration of your identity provider

14. Authentication – Claim Terminology
• Identity
• Info about a Person or Object (AD, Google, Windows Live,
Facebook etc.)
• Claim
• Attributes of the Identity (User ID, Email, Age etc.)
• Token
• Binary Representation of Identity
• Set of Claims and the Signature
• Relying Party (aka RP)
• Users Token
• Secure Token Service (STS)
• Issuer of Tokens for Users

15. Authentication – Sign In Process
Identity Provider SharePoint 2010
Security Token Service aka RP
aka IP-STS
1. Resource Requested
2. AuthN Request / Redirect
3. AuthN Request
4. Security Token
5. Security Token Request
6. Service Token
7. Resource Request w/Service Token
8. Resource Sent

16. Sign-In Process with Identity Provider
DEMO

17. Authentication – Membership & Role Providers
• Classic .NET approach
• Support Local Authentication Store
• Support Remote Authentication Stores
• Web Services, Remote Database Calls
• No inherent Single Sign On
• Custom Code to Achieve this, namely cookie based
• Full support for base .NET Providers
• Membership Provider – User Accounts and Authentication
• Role Provider – Equivalent of Groups, Authorization Element
• Specific Configuration needed for each Web Application
• Central Administration
• Secure Token Service
• Web Application
• Extensive “web.config” entries needed
• Custom Components in SharePoint will needed
• Welcome Control, Login Control etc.

18. Authentication – Custom Identity Provider
• No need for Membership and Role Provider
• Can still be used – NOTE: Membership User Approach
• Single Sign Built in – Web Application needs to be set to require
Authentication not Anonymous
• Central Managed and Entry point for all Authentication
• Support Local Authentication Store
• Support Remote Authentication Stores
• Web Services, Remote Database Calls
• Utilizes Windows Identity Framework
• Can use .NET 3.5 / 4.0
• PowerShell configuration to implement
• Requires Trusted Certificate for Communication
• Custom Components in SharePoint will needed
• Welcome Control, Login Control etc.

19. Authentication - Azure Control Service
• Microsoft ADFS Type Cloud Based Service
• Central Point for offloading Authentication
• Supports SAML 1.1 / SAML 2.0
• Support
• Facebook
• Google
• Windows Live ID
• Yahoo
• Custom IDP
• Integrate with Custom Identity Provider
• Open ID type authentication
• Support for 3rd Party Integration
• Claim Mapping through configuration

20. Create Identity Provider
DEMO

21. Authentication – Identity Provider
• Deployment into separate Web Site
• https://sts.domain.com
• Use SSL for all communication
• Ensure SharePoint 2010 trusts the certificate being used by
the Provider
• Methods of override:
• Authenticate User
• GetClaimTypeForRole
• GetOutputClaimsIdentity
• Create User Class – methods to get values from backend into
claims
• Create Claim Types class
• Create custom login methods and validation

22. Authorization
• SharePoint does this after Authentication
• Is user member of group?
• Is user account added to ACL of object?
• Does user have required attribute?
• SharePoint only understands what it is told
• e.g. Just because user logged in at? Does not authorize
• Best Approach to Authorize
• Active Directory Groups
• Roles from Membership and Role Provider
• Claims associated to user
• Don’t just add users to groups or individually – can cause
issues
• SharePoint default “DENY”

23. SharePoint Authorization
Web Application / Site Collection Anonymous
Secured Site / Site Collection / Content
Authentication
Content Repository
Is In Site Group?
Content
Does user have claim attribute?

24. Expect the Unexpected

25. Security – Real World
• Expect the unexpected
• People will find a way to circumvent your security
• Give users minimal permission
• Starting with Less is good
• Add functionality through permission as needed
• Be prepared to secure at all levels
• Web Application
• Site Collection
• Site
• List or Library
• Item
• Use roles from Provider
• Active Directory Groups
• Membership and Role Provider Roles
• Claims

26. Thank You
• Personal Email: liamcleary@msn.com
• Work: http://www.susqtech.com
• Twitter: @helloitsliam
• Blog: www.helloitsliam.com