This document discusses configuring identity federation between SharePoint and Active Directory Federation Services (ADFS) using claims-based authentication. It provides an overview of key concepts like claims, security tokens, relying parties, and security token services. It then describes how to install and configure ADFS, set up SharePoint as a relying party, and configure claims mappings between the two systems to enable single sign-on using ADFS credentials. Additional topics covered include using Azure Access Control Service for additional identity providers and updating SharePoint when ADFS certificates are renewed.

1. SharePoint, ADFS, ACS and
Claims-based Authentication
Kashif Imran
Kashif_Imran@hotmail.com

2. Agenda
• Claims-based Identity Model’s Key Concepts
• Install and Configure ADFS for SharePoint 2013
• Configure Azure ACS and SharePoint for SSO using Google etc.
• Use ADFS as IP-STS via Azure ACS as RP-STS
• Claims Viewer
• Custom Claims Provider

3. Claims with SharePoint is sort of
like a bird, it’s pretty cute until it
shits on your head.

4. I drink beer to celebrate major
events, the fall of communism,
or the fact that our SharePoint
and ADFS is still working.

5. Identity in Traditional Applications
• Application
• Identity Management
• Account creation
• Password creation
• Password change
• Password reset
• …
• 2 Step Verification
• Attribute Store

6. Identity in Real World
• Buy wine/beer example
• Externalize authentication to DMV
• Driving license
• document that is relatively hard to produce/forge
• Has additional information about user (age)
• International Travel
• Passport
• Boarding Card

7. Claims-based Identity Model
• Way for applications to acquire the identity information about internal or external users
• Abstracts individual elements of identity and access control into “Notion of claims” and “Concept of issuer or an authority”
• Applications do not need to authenticate users, store user accounts or passwords, etc.
• Original intention behind the claims-based identity model was to enable federation between organization, but claims are not just
for federation
• Claim
• Statement that one subject (user or organization) makes about itself of another subject. E.g.: name, group, ethnicity etc.
• Why call these “claims” and not “attributes”? “Delivery method” => User delivers claims to application instead of application looking these up
in some directory
• Assert user has logged in
• Claims are NOT what a user can or can not do, they are what a user is or is not
• Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer
• Issuer, Type, Value => (Google, Email, darwaish@gmail.com)
• Security Token
• Serialized set of claims that is digitally signed by the issuing authority (Claims are unchanged and comes from whoever signed in)
• Successful outcome of sign in
• SAML (Security Assertion Markup Language), SWT (Simple Web Token), JWT (JSON Web Token)

8. Relying Party and STS
• Relying Party (RP)
• An application that relies on claims
• Claims aware application
• Claims-based application
• Security Token Service
• Service component that builds, signs and issues security tokens
• Implicit authN (no token, no party)
• WS-Trust, WS-Fed, SAML
• IP-STS:
• authenticates a client and creates SAML token
• Façade for one or more identity stores
• RP-STS (R-STS: Resource STS, FP-STS: Federation Provider STS)
• Transforms token issues by another STS
• Does not authenticate the client but relies on SAML token provided by IP-STS that it trusts
• Façade for one boundary
• Federation Patterns
• Passive (Web Clients) WS-Trust emulated using GET, POST, redirects and cookies.
• Active: Code to acquire tokens explicitly

9. Windows Identity Foundation (WIF)
• .NET library encapsulating the inner workings of WS-Federation and
WS-Trust
• System.IdentityModel
• System.IdentityModel.Services
• IPrincipal (IsInRole, Identity), IIdentity (AuthenticationType,
IsAuthenicated, Name)
• IClaimsPrincipal = IPrincipal + Identities
• IClaimsIdentity = IIdentity + Claims
• Claims: Property bag, Subject, issuer, originalissuer, claimtype, value,
valuetype

10. ADFS V2: Active Directory Federation Services
• STS
• WS*(WS-Trust, WS-SecurityPolicy, WS-Federation, SAML)
• Claims provider
• Federation service for identity across domains
• Consumers: SharePoint, Azure ACS, WCF, Others
• Federation Metadata:
• How do RP know its from STS
• What claims
• Where is STS
• SAML Claims

11. SharePoint Authentication
• Windows (Classic) Authentication: NTLM, Kerberos(Multi hop)
• Claims Based AuthN
• Claims or Classic in the end you are SPUser
• C2WTS(Claims to windows token service)

12. SharePoint with ADFS

13. Federating Identity

14. The Hub Model

15. Windows VS Trusted Identity Authentication

17. Claims Viewer
IClaimsPrincipal principal = Page.User as IClaimsPrincipal;
IClaimsIdentity identity = principal.Identity as IClaimsIdentity;
gv.DataSource = identity.Claims;
gv.DataBind();

18. SharePoint Claims

19. SharePoint Claims Encoding
• <IdentityClaim> indicates the type of claim and is the following:
• “i” for an identity claim
• “c” for any other claim
• <ClaimType> indicates the format for the claim value and is the following:
• “#” for a user logon name
• “.” for an anonymous user
• “5” for an email address
• “!” for an identity provider
• “+” for a Group security identifier (SID)
• “-“ for a role
• “%” for a farm ID
• “?” for a name identifier
• "" for a private personal identifier (PPID)
• <ClaimValueType> indicates the type of formatting for the claim value and is the following:
• “.” for a string
• “+” for an RFC 822-formatted name
• <AuthMode> indicates the type of authentication used to obtain the identity claim and is the following:
• “w” for Windows claims (no original issuer)
• “s” for the local SharePoint security token service (STS) (no original issuer)
• “t” for a trusted issuer
• “m” for a membership issuer
• “r” for a role provider issuer
• “f” for forms-based authentication
• “c” for a claim provider
• <OriginalIssuer> indicates the original issuer of the claim.
• <ClaimValueType> indicates the value of the claim in the <ClaimType> format.
• http://msdn.microsoft.com/en-us/library/gg481769.aspx#claimswalkthrough5_AppendixA

20. SharePoint Claims Encoding
Type of claim Encoded claim Claim encoding breakdown
Windows User i:0#.w|contosokashif •“i” for an identity claim
•“#” for the user logon name format for the claim value
•“.” for a string
•“w” for Windows claims
•“contosokashif” for the identity claim value (the Windows account name)
Windows Authenticated Users group c:0!.s|windows •“c” for a claim other than identity
•“!” for an identity provider
•“.” for a string
•“s” for the local SharePoint STS
•“windows” for the Windows Authenticated Users group
SAML authentication (Trusted User) i:05.t|adfs|kashif@contoso.com •“i” for an identity claim
•“5” for the email address format for the claim value
•“.” for a string
•“t” for a trusted issuer
•“adfs” identifies the original issuer of the identity claim
•“kashif@contoso.com” for the identity claim value
Forms-based authentication i:0#.f|mymembershipprovider|kashif •“i” for an identity claim
•“#”for the user logon name format for the claim value
•“.” for string
•“f” for forms-based authentication
•“mymembershipprovider” identifies the original issuer of the identity claim
•“kashif” for the user logon name

21. Claims Resolution and Augmentation
• Inherit a class from
Microsoft.SharePoint.Administration.Claims.SPClaimsProvider
• Register using
• Microsoft.SharePoint.Administration.Claims.SPClaimsProviderFeatureReceiver
• Implement
• FillClaimsForEntity
• FillClaimTypes
• FillClaimValueTypes
• Register Claims Provider
• $trusted = Get-SPTrustedIdentityTokenIssuer -Identity “Kashif"
• $trusted.ClaimProviderName = “KashifClaimsStore"
• $trusted.Update()

22. ADFS Deployment
• Single server configuration
• ADFS 2.0 server farm and load-balancer
• ADFS 2.0 Proxy server(s) for offsite users

23. Install and Configure ADFS V2
• Install Windows Server 2008 R2
• Create service account (ssp_adfs) and set SPN
• Install ADFS server, don't configure it
• Generate SSL Certificates
• Token Signing, Token Encryption, Site
• Disable AutoCertificate Rollover
• Add-PsSnapin Microsoft.Adfs.Powershell
• Set-ADFSProperties -AutoCertificateRollover $false
• Set Primary Certificates
• Give ADFS account permission on private key of certificates
• Add Trusted Relying Party
• Map Claims
• Email-Addresses => Email Address
• Token-Groups - Unqualified Names => Role
• SAM-Account-Name => Windows account name
• User-Principal-Name => UPN
• Test Sign On using IdpInitiatedSignOn

24. SharePoint Configuration for ADFS
• Export and copy public key of token signing certificate from ADFS
• Generate SSL and AAM for SharePoint web app
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:adfsss.cer”)
$map1 = New-SPClaimTypeMapping “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -
SameAsIncoming
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName
"WindowsAccountName" -SameAsIncoming
$map4 = New-SPClaimTypeMapping “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming
$realm = "urn:sharepoint:www"
$signinurl = "https://sso.kashif.com/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "Kashif" -Description "Kashif STS" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2,$map3,$map4 -
SignInUrl $signinurl -IdentifierClaim $map3.InputClaimType
New-SPTrustedRootAuthority “Kashif Trusted Root Authority” -Certificate $cert
$ap.Update()
• My Sites or other web apps
$uri = new-object System.Uri("https://my.kashif.com")
$ap.ProviderRealms.Add($uri, "urn:sharepoint:my")

25. SharePoint Trusted Identity Token Issuer
A SharePoint trusted identity token issuer binds together the details of the identity provider and the
mapping rules to associate them with a specific SharePoint web application.

26. Update SharePoint for new ADFS Certificates
$cert1 = New-Object
System.Security.Cryptography.X509Certificates.X509Certificate2("C:adf
supdatesss1.cer")
Set-SPTrustedRootAuthority -Identity "Kashif Trusted Root Authority
P1" -Certificate $cert
Set-SPTrustedIdentityTokenIssuer "Kashif" -ImportTrustCertificate $cert

27. Azure Access Control Service
• Build using Claims-based identity principles
• Support WIF and ADFS V2

28. Questions
???