nameclaim typemulti-valued?required?profile updated? upn
TRANSCRIPT
Sameer SurveDelivery ArchitectMicrosoft
Claims Authentication in SharePoint Online-Dedicated
Session Objectives And TakeawaysSession Objective(s): Understand Enterprise LandscapeUnderstand implementation of 3rd party SAML Claims in SharePoint Online – Dedicated ApplicationUnderstand SharePoint Information and Authorization PatternsUnderstand risks, plan and prioritize solutions
Key Takeaways:Implementing Federated SAML Claims in SPO-DSplit level authorizationTie Information Architecture and Security Plan togetherWatch out Items and Lessons LearnedChallenges and approaches
Enterprise & Identity
• Enterprises don’t wants to manage identities where they don’t control the identity lifecycle• Contractors are ok, Vendors, Partners are not• Not all Vendors / Partners capable of federation
• Various Authentication standards exist• OAUTH – Consumer Space• SAML – Enterprise Space
• Collaborative Applications pose considerable challenges
Identity and AuthN in the Enterprise
• Dual Authentication Mode• Internal folks use AD authN/windows claims, external folks use external SAML• User Prompt to select Authentication Type (Huh?)
• No Extensions allowed for Web App• User Profiles synch and cleanup for external
users• Product Limitations
• BI Stack on SP and external SAML tokens – don’t work• SP 2013 App Model – doesn’t work with external SAML tokens for SP Hosted Apps
• Logout/Login as different User• People Picker• Claims based Authorization
AuthN/AuthZ challenges with SP/SPO
• First customer to user “Partner Web App” in SPO-Dedicated
• Went 100% external SAML• Client’s corporate users now have 2 identities in SPO-D• One for team sites/mysites, and one for SAML Claims based Application
• Good reference Model for using Partner Web App
• Understanding of SPO customizations / limitations
• Good understanding of partitioning responsibilities• Customer ADFS vs. SPO
This Talk
Authentication
Requirements Logical Design Watch Out Items/Lessons Learned
How it Works?
Authentication Discussion PointsMain Topics
• Background• SPO-D supports Federated SAML 2.0 claims for Partner Access• Client has SAML 2.0 Claims Federation Infrastructure
• Requirements• Enable external partners access to SPO-D hosted Partner
Access application using Federated SAML claims security. • (1) Authentication/Authorization system across all enterprise
applications• Enable SSO across all client’s enterprise apps using single
authority store (using SAML claims or other means)• Support public 3rd party Authentication Providers (for e.g.
Windows Live, Facebook etc.) or partner’s (for e.g. Coca Cola) authority store
Background/Requirements
Logical Design
SPO-D External SAML Claims Integration
Client Environment
Client Environment(accessible via Internet)
SharePoint Online – Dedicate Platform
Client SPO-D Application
Active Directory(employees)
Access Management
Microsoft STS(adfs V2.0)
Global Authentication System
Authenticate
Authorization
Internet
Internet
Trust Relationship
Can be any Identity Solution which supports SAML 2.0For e.g. ADFS 2.0, SiteMinder, RSA FIM, Convisint etc
Can include Partner/Supplier Authentication Provider
Dom ain
Authentication Sequence
SPO-D External SAML Claims Integration
Client Environment
Client Environment(accessible via Internet)
SharePoint Online – Dedicate Platform
Client SPO-D Application
Active Directory(employees)
Access Management
Microsoft STS(adfs V2.0)
Global Authentication System
Authenticate
Authorization
Internet
Internet
Trust Relationship
Can be any Identity Solution which supports SAML 2.0For e.g. ADFS 2.0, SiteMinder, RSA FIM, Convisint etc
Can include Partner/Supplier Authentication Provider
Dom ain
Login Screen
Claims Sent
How it works?
Sequence Flow
BrowserMicrosoft STS
(SPO-D)SharePoint Online
DedicatedClient Authentication
System
HTTP Request to SharePoint
Request Login Page
Enter credentials
Client͛4s SAML Payload/Security Token
AD LegacyApplication
User Clicks on Application (authenticated by Client͛4s Authentication System) Link, HTTP Request, (Client͛4s Security Token)
AuthorizationManager
Validate
Client͛4s Login Page 3rd PartyAuth Provider
(Windows Live,Facebook,Coca Cola)
Re-direct to Microsoft STS
Re-direct to Client͛4s Authentication System
Validate
Client͛4s SAML Payload/Security Token
Microsoft STS SAML Payload/Security Token
Fed Auth
User Accesses SharePoint + Fed Auth
Re-direct to 3rd Party Auth Provider
3rd Party SAML Payload/Security Token
3rd Party SAML Payloal/Security Token
Client͛4s SAML Payload/Security Token
Client͛4s SAML Payload/Security Token
Microsoft STS SAML Payload/Security Token
Microsoft STS SAML Payload/Security Token
Microsoft STS SAML Payload/Security Token
Fed Auth
User Accesses SharePoint + Fed Auth
• Persisted FedAuth cookie across all SPO-D applications - potential risk in shared kiosk scenario
• SPO-D UPN default is Email Address (not Unique Id)• Inactivity Warning Message – potential loss of data• Custom Claims Provider/Augmentation• Master Page Updates
• Log out• "Sign in as Different User“
Watch Out Items/Lessons Learned
Select Authentication Mode
Watch Out Items/Lessons Learned
11 SPO-D Supported Claims & Profile UpdatesName Claim Type Multi-
valued?Required? Profile Updated?
UPN http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn No Yes No
Common Name http://schemas.xmlsoap.org/claims/CommonName No No Yes
Given Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
No No No
Job Title http://schemas.microsoftonline.com/federation/customclaims/JobTitle
No No Yes
Organization http://schemas.microsoftonline.com/federation/customclaims/Organization
No No Yes
Role http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Yes No No
SIP http://schemas.microsoftonline.com/federation/customclaims/SIP No No Yes
Surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname No No No
Work Email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
No No Yes
Country http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country No No Yes
UserType http://schemas.microsoftonline.com/federation/customclaims/usertype
No No Yes
Note: Profile is updated only once using claim values
Watch Out Items/Lessons Learned…continued
SPO-D Profile Creation Process/Design Impacts
18
Impact on Displayed Profile Values
Profile Creation using Claim Values
SharePoint ServerMicrosoft STS
Profile Store
External Trusted Authentication System
Claim: Common Name ͛=John, S͛?
Profile: Display Name ͛=John, S͛?
HTTP Module
StorageProfile Timer Job
Watch Out Items/Lessons Learned…continued
Below role claim will not work
<saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims" a:OriginalIssuer="https://nafsstg.mcd.com/adfs/services/trust1" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims"> <saml:AttributeValue>REPUser,Rest195500280882User</saml:AttributeValue> </saml:Attribute>
For multi-valued claims to work, role claims needs to come as
<saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims" a:OriginalIssuer="https://nafsstg.mcd.com/adfs/services/trust1" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims"> <saml:AttributeValue>REPUser</saml:AttributeValue> <saml:AttributeValue>Rest195500280882User</saml:AttributeValue> </saml:Attribute>
Multi-Valued Role Claim
Watch Out Items/Lessons Learned…continued
OOTB People Picker
Watch Out Items/Lessons Learned…continued
Authorization
Application Security Policies
Information and Authorization Scheme
Access to Functionality
SharePoint Groups and Claims-based Members
Authorization Discussion PointsMain Topics
Application Security PoliciesSplit Level Authorization
Business, application, information architecture, and functional access levels are distinct and split.
Establish where within your security architecture you can establish authorization, and at what level .
Identity and authorization stores are not typically application aware. Claims tend to established identity.
Establish a ‘realm’ that provides more than just authentication and identity .
Augment claims to establish authorization, at different levels .
Establish where within your security architecture you can augment claims, and for what level of access.
Application Security PoliciesOpportunities
Identity and authentication systems can augment claims within a realm, and can leverage back-end systems (consider customer readiness).
SharePoint supports allow and deny policies at the Web application level; establish allow and deny claims.
SharePoint supports a permissions mask at the Web application level; ensure you mask any unwanted permissions levels.
User Profile Application can synchronize user information; determine feasibility, plan strategy for claim augmentation (consider SPO supported claims).
SharePoint Groups and Claims MembersKey PointsClaims members are ‘or’ and not ‘and’.Claims members should define role as well as context.Consider claims roles as [Context]+[Role], Sites are then contextual.Consider automation for claims-based groups (human intervention is challenging).Consider adding human managed groups with matched permissions.Quirky user interface for people picker (without integration).
Access to FunctionalityLessons LearnedWorkflow assignments can be tricky (out of the box). Email address resolution (requires people picker integration). Notifications can be challenging.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.