SharePoint 2010,Claims-Based Identity, Facebook, and the Cloud

 Senior software engineer – Corbin Company
 8 years SharePoint development experience

 MCPD: SharePoint Developer 2010
 MCTS: SharePoint 2010 Configuration

 Email: djessee@thecorbincompany.com
 Twitter: @dannyjessee
 Blog: http://dannyjessee.com/blog

 Authentication vs. Authorization
 Claims Authentication in SharePoint 2010
 Integrating Facebook from scratch
 New SharePoint 2010 web application
 Adding an Azure AppFabric ACS Trusted
Identity Provider (Facebook)
 Going “beyond authentication” to surface
Facebook data in SharePoint and vice versa

 How many of you are…
 Developers?
 System administrators?
 IT professionals?
 Others?
 Integrating SharePoint 2010 with an
identity provider such as Facebook will
present different challenges for each role

 Authentication (AuthN) is the process of
validating a user’s identity
 SharePoint never performs authentication
 If the login prompt keeps appearing, think
authentication issue!
 Unless it’s the dreaded
loopback check!

 Authorization (AuthZ) is the process of
determining the resources, features, etc. to
which an authenticated user has access
 If you see “Access Denied” errors, think
authorization issue!

 Claims Based Authentication (Tokens)
 Windows Authentication: NTLM/Kerberos, Basic
 Forms-Based Authentication (ASP.NET
Membership provider and Role manager)
 Other Trusted Identity providers (like Facebook!)
 Classic Mode Authentication (“Old School”)
 Windows Authentication (NTLM/Kerberos) only
 Both map authenticated users to SPUser
objects (security principals)

 What is a claim?
 A piece of information describing a user
▪ Name
▪ Email Address
▪ Role/Group membership
▪ Age
▪ Hire Date
 Whose claims do I trust, and which claims
affect authorization decisions I make?

 Token
 Serialized set of claims about an authenticated
user, digitally signed by the token’s issuer
 Identity Provider (IP)
 Validates user credentials
 Security Token Service (STS)
 Builds, signs, and issues tokens containing claims
 Relying party (RP)
 Applications that makes authorization decisions
based on claims (SharePoint 2010)

 Decoupling of authentication logic from
authorization and personalization logic
 Applications no longer need to determine who
the user is, they receive claims identifying the
user
 Great for developers who rarely want to work
with identity!
 Provides a common way for applications
to acquire the identity information they
need about users

1. “I’d like to access this protected resource.”
2. “I don’t know who you are. Identity provider, authenticate him.”
3. “My user ID is Danny and my password is BaCoNbAcOn!!1.”
4. “Hi, Danny. Here is a token you can
use containing attributes about you.”
5. “I’d like to access this resource;
hopefully it has the proof you need
to authorize me!”

SharePoint 2010

 The single biggest decision of your life!
 Updated TechNet guidance:
 “For new implementations of SharePoint
Server 2010, you should consider we
recommend claims-based authentication.”

http://technet.microsoft.com/en-us/library/cc262350.aspx

 The Federal Bacon Administration is a
highly innovative (and flavorful) new
government agency that is standing up a
new public-facing web site using
SharePoint 2010
 They want users to sign in using their
Facebook accounts and bring information
from Facebook into SharePoint (and vice
versa)

 Cloud-based service that provides an easy
way of authenticating and authorizing users
to gain access to web applications
 Includes support for Windows Live
ID, Google, Yahoo, and Facebook
 Also includes support for Active Directory
Federation Services (AD FS) 2.0
 Simple browser-based management portal
 $1.99/100k transactions (free until Nov. 30!)

 No! You can integrate external identity
providers with SharePoint without ACS
 You have no choice if you want to use identity
providers not currently supported by ACS
(such as LinkedIn or Twitter)
 You will need to write your own code to:
 Ensure the user has logged in to the IP
 Obtain claim information from the IP
 Package and sign tokens (your own STS)

 Three things must be done to add support
for users to login to SharePoint via Facebook:
1. Create a Facebook application
 https://developers.facebook.com/apps
2. Configure ACS for Facebook support
 Permissions you will request from Facebook users
 Relying Party application and Rule Group setup
3. Configure ACS as a Trusted Identity Provider
in SharePoint

 Click “Create New App”
 Provide Display Name and Namespace

 Note App ID and App Secret values
 Provide Website URL to ACS

 From the ACS management portal, add a
new Identity Provider

 Enter App ID and App Secret values from
Facebook application you created earlier
 Enter a comma-delimited list of
Application Permissions you want to
request
 https://developers.facebook.com/docs/referen
ce/api/permissions/
 In our demo, we will request:
 email,user_location,user_hometown,user_website,u
ser_work_history,publish_stream,user_birthday,fr
iends_birthday

 Permissions you request will be displayed
to the end user the first time they log in

 Request the minimum subset of
permissions you need
 Users are more likely to reject bigger requests

 Generate Rule Group
 Named set of claim rules that define which
identity claims are passed from identity
providers to your relying party application

 SharePoint will still need to be configured
to make use of these claims

 Configure Relying Party application
 Provide Name, Realm, and Return URL
 Return URL: Realm + /_trust

 Choose SAML 1.1 token format
 Update Token lifetime to >600 seconds

 Select Identity providers and Rule
groups

 Generate self-signed certificate
 C:Program FilesMicrosoft Office
Servers14.0Tools>MakeCert.exe -r
-pe -n
"CN=dannyjessee.accesscontrol.wind
ows.net" -sky exchange -ss my
(Self-signed, exportable, subject key type
“exchange,” store in “personal” certificate store)
 Development only! Please use a
legitimate certificate in production!

 Upload this certificate (.pfx format) as the
Token Signing Certificate in ACS

 New-SPTrustedRootAuthority
 Name, Certificate (self-signed .cer made
earlier)
 New-SPClaimTypeMapping
 IncomingClaimType
 IncomingClaimTypeDisplayName
 LocalClaimType (or SameAsIncoming)
 New-SPTrustedIdentityTokenIssuer
 Name, Realm, ImportTrustCertificate
 ClaimsMappings, SignInUrl, IdentifierClaim

 Running this PowerShell script will add
“Facebook” to the list of Trusted Identity
Providers
 Eligible to be added to Claims-based web
applications in Central Administration

 Before Facebook users will be authorized
to access anything, we must grant them
an appropriate level of permissions
 Best to set a “Full Read” web application
policy for users coming in from Facebook
 In a public-facing scenario, you likely won’t
know specific user identities to set more
granular permissions
 Not to mention the people picker problems!

 All claims whose OriginalIssuer is
TrustedProvider:Facebook

 AccessToken is the key to all user data

 Make calls to the Facebook Graph API
 https://developers.facebook.com/docs/referen
ce/api/
 Retrieve data about the user and his/her
friends
 Upload photos/videos, post status messages
 Data returned from Facebook in JSON format
 Requests to https://graph.facebook.com/...
▪ me/feed, me/friends, me/photos, me/videos

 SharePoint maintains its own certificate
store where separate trusts must be
configured
 http://dannyjessee.com/blog/index.php/2
011/12/required-trust-relationships-for-
the-facebook-c-sdk-in-sharepoint-2010/
 Need to upload two certificates in Central
Admin (Security > Manage Trust):
 DigiCert High Assurance EV Root CA
 DigiCert High Assurance CA-3

 I’m sorry!
 Time to geek out with some code
 Nothing particularly special about this
code, any .NET developer should be able
to work similar magic
 Examples use the Facebook C# SDK
 http://csharpsdk.org

 Code snippets in these slides are not
complete
 Do not include proper error checking/handling
 Do not show proper impersonation of System
Account where necessary
 Please download the code
 Do not copy and paste from these slides
 I will Tweet the link and update this slide deck
to include it

 Returned in a claim from Facebook
 A new AccessToken is issued each login
 Our key to all of the data about the logged in user
 Required for all calls to the Facebook Graph API
 Two hour lifetime by default
 To leverage this token across the site, I store
it in the SPWeb.AllProperties property bag
 web.AllProperties[“fbAccessToken_{loginname}”]
 AllProperties required for case sensitivity

 Change to
 Initial display name for the SPUser is based
on the specified IdentifierClaim
 Make this friendlier – we know their name!

if (SPContext.Current.Web.CurrentUser == null)
{
SPUser user = web.EnsureUser("i:" + claimsIdentity.Name);
currentUser.Name = givenName;
currentUser.Update();
}

var client = new Facebook.FacebookClient(token);
var me = (IDictionary<string, object>)client.Get("me");
JsonObject location = me["location"] as JsonObject;
myLocation = (string)location["name"];

 myLocation is in City, State format
 Parsed and sent to Weather Underground
API
 http://api.wunderground.com/api/[key]/
geolookup/conditions/forecast/q/[state]/
[city].json

var me = (IDictionary<string, object>)client.Get("me");
SPList lstContacts = web.Lists["Contacts"];
SPListItem item = lstContacts.Items.Add();
item["First Name"] = (string)me["first_name"];
item["Last Name"] = (string)me["last_name"];
JsonArray work = me["work"] as JsonArray;
// Most recent/current employer stored in work[0]
JsonObject company = work[0] as JsonObject;
JsonObject employer = company["employer"] as JsonObject;
JsonObject position = company["position"] as JsonObject;
item["Company"] = (string)employer["name"];
item["Job Title"] = (string)position["name"];
item.SystemUpdate();

var me = (IDictionary<string, object>)
client.Get("me/friends?fields=name,birthday");
JsonArray friendData = me["data"] as JsonArray;
foreach (JsonObject friend in friendData)
{
if (friend.ContainsKey("birthday"))
{
/* Some users share MM/DD of birthday, others share
MM/DD/YYYY
We only care about MM/DD for our purposes, and
Facebook always pads with leading zeros */
string birthday = (string)friend["birthday"];
birthMonth = int.Parse(birthday.Substring(0, 2));
birthDate = int.Parse(birthday.Substring(3, 2));
...

SPList lstCalendar = web.Lists["Calendar"];
SPListItem birthdayItem = lstCalendar.Items.Add();
birthdayItem["Title"] = name + (name.EndsWith("s") ? "' birthday" :
"'s birthday");
birthdayItem["EventDate"] = dtBirthday;
birthdayItem[SPBuiltInFieldId.Duration] = 60 * 60 * 24;
birthdayItem[SPBuiltInFieldId.EventType] = 1;
birthdayItem[SPBuiltInFieldId.fRecurrence] = true;
birthdayItem[SPBuiltInFieldId.fAllDayEvent] = true;
string recurrence =
"<recurrence><rule><firstDayOfWeek>su</firstDayOfWeek>" +
"<repeat><yearly yearFrequency='1' month='" + birthMonth.ToString()
+ "' day='" + birthDate.ToString() + "' /></repeat>" +
"<windowEnd>2014-01-01T00:00:00Z</windowEnd></rule></recurrence>";
birthdayItem["RecurrenceData"] = recurrence;
birthdayItem.SystemUpdate();

Dictionary<string, object> dict = new Dictionary<string,
object>();
dict.Add("message", "Yay Facebook, SharePoint, &
Bacon!");
dict.Add("link", "http://fedspug.org/");
dict.Add("picture",
"http://www.fedspug.org/SiteAssets/FEDSPUG%20logo%20small
.bmp");
dict.Add("name", "FEDSPUG Home Page");
dict.Add("caption", "April 5, 2012");
dict.Add("description", "Come see my presentation about
Claims-Based Identity in SharePoint 2010 at FEDSPUG!");
client.PostAsync("me/feed", dict);

Dictionary<string, object> dict = new
Dictionary<string, object> {
{ "title", "I know how to post videos to
Facebook...from SharePoint!" },
{ "description", "See more at FEDSPUG April 5, 2012!"
},
{ "vid1", new FacebookMediaObject { ContentType =
"video/x-flv", FileName = "facebook.flv"
}.SetValue(File.ReadAllBytes(@"C:facebook.flv")) }
};
client.PostAsync("me/videos", dict);

 Silverlight application courtesy MossLover
 Interfaces with the user’s webcam, saves
captured images to document library

 Added event handler to upload to
Facebook
string contentType = "image/jpeg";
var client = new Facebook.FacebookClient(fbAccessToken);
Dictionary<string, object> dict = new
Dictionary<string, object> {
{ "message", "Uploaded picture from Silverlight webcam
image capture in SharePoint!" },
{ "pic1", new FacebookMediaObject { ContentType =
contentType, FileName = properties.ListItem.File.Name
}.SetValue(properties.ListItem.File.OpenBinary()) }
};
client.PostAsync("me/photos", dict);

 WS-Trust, WS-Federation, SAML
 Requesting/receiving tokens
 XML representation of claims
 These emerging technologies have been
around for awhile
 Their use in Claims-Based Identity represents a
new approach for handling identity in applications
 Great potential in corporate environments
▪ Active Directory Federation Services, external LDAP, etc.
 Great potential as we move to the cloud
▪ Azure ACS: Facebook, Google, Windows Live ID, etc.

 Allows users to choose how to authenticate
when multiple providers are configured
(Mixed Authentication)

 Custom code opportunity
 http://www.orbitone.com/en/blog/archive/2010/0
6/23/sharepoint-2010-mixed-authentication-
automatic-login.aspx

 Visual Web Part
 Code behind:
IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
IClaimsIdentity claimsIdentity = (IClaimsIdentity) claimsPrincipal.Identity;
GridView1.DataSource = claimsIdentity.Claims;
Page.DataBind();

http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID
=32

 Similar to FBA setup for MOSS, with some
exceptions:
 Authentication provider does not need to be
mapped to a separate zone
 One additional Web.config to modify:
▪ C:Program FilesCommon FilesMicrosoft
SharedWeb Server
Extensions14WebServicesSecurityToken
▪ Add entries for connection string, Membership
provider, Role manager
▪ Same modifications for Central Admin and web app

 General issues for all Claims implementations
 Search crawler requires NTLM in the zone it uses
 “People picker” is more of a Claims “expression
editor”
▪ Custom code opportunity
 User Profiles
▪ LDAP or BCS connection to authentication store
 Office client integration (2007 SP2+, 2010)
▪ IE 8+: Trusted Sites
 No document previews with FAST Search

“After migrating to Claims in
SharePoint 2010, most of our users
were able to log in some of the
time.”
—A less-than-thrilled system administrator

 Migration from MOSS to SharePoint 2010
 Migrate FBA Users
▪ $wa = get-SPWebApplication $WebAppName
▪ $wa.MigrateUsers($true)
 Portalsuperuser and Portalsuperreader properties
need to be updated to reflect Claims-encoded format
▪ $wa.Properties["portalsuperuseraccount"] =
"i:0#.w|domainapppool"
▪ $wa.Properties["portalsuperreaderaccount"] =
"i:0#.w|domainapppool"
▪ $wa.Update()
 Must migrate all providers from MOSS to 2010
▪ i.e., NTLM and FBA if both existed prior to migration

 “Funky” display of usernames
 i:0#.w|SHRPNTAdministrator
 i:0#.f|CustomMembershipProvider|username
 i:0#.t|selfsts|test@contoso.com
▪ i: Microsoft.SharePoint.Administration.Claims.
SPClaimsAuthMembershipProvider (Web.config)
▪ windows, forms, trusted Identity Provider

 Set DisplayName property of SPUser
 $user = Get-SPUser -Web
http://abc.shrpnt.loc
-Identity
"i:0#.f|CustomMembershipProvider|username"
 $user.DisplayName = "John Doe"
 $user.Update()
 Can also be done via SharePoint object
model

 Session expiration issues with SAML
Claims
 Users can come back to the page hours later
without having to log in again
 SharePoint creates a FedAuth cookie (written
to disk) that is not a Session cookie by default
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.UseSessionCookies = $true
▪ $sts.Update()

 Continuous redirection to/from login page
 This can happen when the TokenLifetime is less
than the LogonTokenCacheExpirationWindow
▪ Default LogonTokenCacheExpirationWindow in
SharePoint 2010 STS is 10 minutes
▪ Default Token Lifetime in Azure ACS is also 10 minutes
▪ $sts = Get-SPSecurityTokenServiceConfig
▪ $sts.LogonTokenCacheExpirationWindow =
(New-TimeSpan -minutes 1)
▪ $sts.Update()

 Go to the login page, enter valid
credentials, press the “Log In”
button, and…get redirected back to the
login page (once)
 Check the ULS logs!
▪ Could be token expiration timeout
▪ Could be something else

 SPSecurityTokenService.Issue() failed:
System.Runtime.InteropServices.
COMException (0x800703FA): Retrieving the
COM class factory for component with CLSID
{BDEADF26-C265-11D0-BCED-00A0C90AB50F}
failed due to the following error: 800703FA.
 GPEdit: Computer Configuration >
Administrative Templates > System > User
Profiles
▪ Do not forcefully unload the users registry at user
logoff > Set to “Enabled”

 Stick with Classic Mode Authentication if
you are deploying SharePoint into a
“simple” Active Directory environment
 Particularly if strict security controls are in
place that are beyond your control
 Especially if you are only migrating from
Windows authentication in MOSS
 Once you go to Claims, you can’t go back!

 If you must use Claims for your Extranet,
try to minimize the number of zones/host
headers used
 Default zone should be most secure
 Have a good “troubleshooter’s toolbox”
 ULS Log Viewer
 Fiddler
 Claims Viewer web part

 Shane Young – my hero!
 http://sharepoint911.com
 Plan Authentication Methods
(SharePoint Server 2010)
 http://technet.microsoft.com/en-
us/library/cc262350.aspx
 A Guide to Claims-Based Identity and
Access Control (Microsoft Patterns and
Practices)
 http://claimsid.codeplex.com/

 Writing Claims Providers for SharePoint
2010
 http://msdn.microsoft.com/en-
us/library/ff699494.aspx
 Implementing Claims-Based
Authentication with SharePoint Server
2010
 http://www.microsoft.com/download/en/detail
s.aspx?id=27569

 Transparent Login with Mixed
Authentication
 http://www.orbitone.com/en/blog/archive/201
0/06/23/sharepoint-2010-mixed-
authentication-automatic-login.aspx
 C# Facebook SDK
 http://facebooksdk.codeplex.com
 Azure ACS and Facebook
us/library/gg185967.aspx

 Steve Peschka
 http://blogs.technet.com/b/speschka/archive/
2010/06/12/migrating-a-web-application-
from-windows-classic-to-windows-claims-in-
sharepoint-2010.aspx
us/library/hh147183.aspx
 Project Server Blog (GREAT tips for
migrating to Claims here!!!)
 http://nearbaseline.com.au/blog/tag/claims/

 SelfSTS and Vittorio Bertocci
 http://archive.msdn.microsoft.com/SelfSTS
 http://blogs.msdn.com/b/vbertocci/archive/20
10/08/23/selfsts-when-you-need-a-saml-
token-now-right-now.aspx
 Paul Schaeflein
 http://www.schaeflein.net/blog/Lists/Posts/Pos
t.aspx?ID=4

 Claims Viewer web part
 http://blogs.pointbridge.com/Blogs/nielsen_tr
avis/Pages/Post.aspx?_ID=32
 Fiddler
 http://www.fiddler2.com/fiddler2/
 SharePoint ULS Log Viewers
 http://sharepointlogviewer.codeplex.com/
 http://ulsviewer.codeplex.com/

 Azure ACS Integration
 http://blogs.objectsharp.com/cs/blogs/steve/a
rchive/2011/04/21/windows-azure-access-
control-services-federation-with-
facebook.aspx
 http://www.7388.info/index.php/article/studio/
2011-07-29/20983.html
 Robert Bogue
 http://www.sharepointshepherd.com

SharePoint 2010,Claims-Based Identity, Facebook, and the Cloud

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie SharePoint 2010,Claims-Based Identity, Facebook, and the Cloud

Ähnlich wie SharePoint 2010,Claims-Based Identity, Facebook, and the Cloud (20)

Mehr von Danny Jessee

Mehr von Danny Jessee (10)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)