Upload: diane-merritt, posted 04-Jan-2016

Page 1-2: Title
Security Design with Claims-Based Authentication Israel Vega, Nathan Miller

OSP431

Page 3: Session Objectives and Takeaways

Session objectives:
• Quick review of claims-based authentication with SharePoint and Azure
• Discuss common claims-based security scenarios

Assumptions:
• You understand claims, SAML and authentication protocols
• You have set up claims-based authentication with SharePoint
• You understand ADFS and general identity federation
• Bonus: you have built a SharePoint CCP (custom claim provider)

Page 4: Agenda and Demos

• Quick level-set of SharePoint claims and federation
• Common scenario
  Demo: Authenticate AD users via ADFS (ADFS/AD CCP)
• Migrate from classic to claims
  Code: Migrate a web application from classic to claims
• Fun with claims
  Demo: Temporary file sharing (TempShare CCP)
  Demo: Profile claims (Profile Claims CCP)

Page 5: Along the Way

• General CCP and planning guidance
• General tips and tricks

Page 6: Securing with Claims and Getting Claimed

Diagram: SharePoint as a federation gateway. On the IN side ("Getting Claimed") incoming claims pass through transformation and augmentation; on the OUT side ("Securing with Claims") the mapped claims, plus augmentation, feed SP security. Claims are drawn as ClaimType = Value pairs on both sides.

Page 7: Must-Answer Questions for Planning

1. How will users be authenticated?
2. How will users be authorized?
3. Who will manage user accounts and provisioning?
4. Is the ID enough for AuthZ, or do I need more information?
5. Are multiple IDs per user allowed?
6. Do I really need a CCP and, if so, which features?
7. Do I really need a custom STS?

Page 8: Fundamental Principles of SharePoint and Claims

• If you don't have it at authentication time, you can't use it for authorization
• Know the difference between incoming claims and mapped claims
• User identity is determined by the authentication method (by default)
• Public federation is not the same as private federation
• SP claim security rules are evaluated as "OR", not "AND"

Key point: federation relationships are based on trust

Page 9: What is a SharePoint Trusted Identity Token Issuer?

Diagram: the Trusted Identity Token Issuer is a claims provider that carries a set of claims mappings and handles login.

Claims mappings (PowerShell; the "..." inside the claim type URIs and the trailing "…" are elided on the slide):

    $map1 = New-SPClaimTypeMapping -IncomingClaimType "http://.../upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
    $map2 = New-SPClaimTypeMapping -IncomingClaimType "http://.../nameidentifier" -IncomingClaimTypeDisplayName "NameId" -MappedClaimType "http://.../username"
    …
    $spTIp = New-SPTrustedIdentityTokenIssuer -Name "NAME" -Description "DESC" -Realm "REALM" -ClaimsMappings $map1 …

Page 10: What Do I Get With a Custom Claim Provider (CCP)?

Diagram: the Trusted Identity Token Issuer gives you claims mappings and login; a Claims Provider adds claims search, claims resolve and claims augmentation.

Page 11: How Does it Fit Together?

Diagram: the Trusted Identity Token Issuer produces the incoming and mapped claims that make up the SP identity; claim providers (a custom CCP, the OOTB Active Directory provider and SharePoint's own (*)) hand encoded claims to the People Picker.

Page 12: Associating a CCP to a Zone

    $webAppUrl = ""
    $webAppZone = ""
    $claimProviderName = ""

    Write-Host "Getting the web application urls to configure"
    # Only the alternate access URLs of the target web application
    $altUrls = Get-SPAlternateURL -WebApplication $webAppUrl
    Write-Host "Getting the claim provider"
    $claimProvider = Get-SPClaimProvider -Identity $claimProviderName

    foreach ($altUrl in $altUrls) {
        if ($altUrl.Zone -eq $webAppZone) {
            $wa = Get-SPWebApplication $altUrl.PublicUrl
            Write-Host "Registering claim provider [$claimProviderName] for [$webAppUrl] on the zone [$webAppZone]"
            # The claim providers are stored as a collection with the other
            # SP web application settings for the zone
            $waIISSettings = $wa.GetIisSettingsWithFallback($webAppZone)
            $waIISSettings.ClaimsProviders.Add($claimProvider)
            $wa.Update()
        }
    }

Page 13: A Bit About Claims Encoding

• Claim encodings are farm specific
• Custom claim type encoding starts at Unicode 500
• Immutable list: once a claim type is mapped, it cannot be un-mapped
• Values are evaluated in lower case

Claim encodings (trusted provider "testadfs"; the "..." in the claim type URIs are elided on the slide):

  DisplayName            MappedClaimType                              Encoded String                          Note
  Authentication method  http://.../authenticationmethod              c:0ǹ.t|testadfs|authentication method   ASCII decimal code 504 (custom claim type)
  E-Mail Address         http://schemas.xmlsoap.org/.../emailaddress  c:05.t|testadfs|e-mail address          Reserved claim type
  Primary SID            http://schemas.microsoft.com.../primarysid   c:0).t|testadfs|primary sid             Reserved claim type
  Windows account name   http://.../windowsaccountname                c:0ǻ.t|testadfs|windows account name    ASCII decimal code 507 (custom claim type)

Page 14: Reserved Claim Types and Identifiers

Encoded character = claim type:

'!' = SPClaimTypes.IdentityProvider
'"' = SPClaimTypes.UserIdentifier
'#' = SPClaimTypes.UserLogonName
'$' = SPClaimTypes.DistributionListClaimType
'%' = SPClaimTypes.FarmId
'&' = "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitysid"
'\'' = "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitylogonname"
'(' = SPClaimTypes.IsAuthenticated
')' = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
'*' = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid"
'+' = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
'-' = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
'.' = ClaimTypes.Anonymous
'/' = ClaimTypes.Authentication
'0' = ClaimTypes.AuthorizationDecision
'1' = ClaimTypes.Country
'2' = ClaimTypes.DateOfBirth
'3' = ClaimTypes.DenyOnlySid
'4' = ClaimTypes.Dns
'5' = ClaimTypes.Email
'6' = ClaimTypes.Gender
'7' = ClaimTypes.GivenName
'8' = ClaimTypes.Hash
'9' = ClaimTypes.HomePhone
'<' = ClaimTypes.Locality
'=' = ClaimTypes.MobilePhone
'>' = ClaimTypes.Name
'?' = ClaimTypes.NameIdentifier
'@' = ClaimTypes.OtherPhone
'[' = ClaimTypes.PostalCode
'\\' = ClaimTypes.PPID
']' = ClaimTypes.Rsa
'^' = ClaimTypes.Sid
'_' = ClaimTypes.Spn
'`' = ClaimTypes.StateOrProvince
'a' = ClaimTypes.StreetAddress
'b' = ClaimTypes.Surname
'c' = ClaimTypes.System
'd' = ClaimTypes.Thumbprint
'e' = ClaimTypes.Upn
'f' = ClaimTypes.Uri
'g' = ClaimTypes.Webpage
'h' = SPClaimTypes.ProviderUserKey
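The two slides above describe the encoded-claim string format (`c:05.t|testadfs|e-mail address`, custom claim types from Unicode 500 up, values compared in lower case). The following Python decoder/encoder is an added example written for this page; it is not code from the OSP431 deck or from SharePoint, and it is deliberately language-neutral so the format can be checked offline. The reserved characters in its table are copied from the slide. The original-issuer letters (w, s, t, f, m, r, c), the "." string value-type marker and the full claim-type URIs in the constructed custom map are assumptions from my own knowledge of the format, not facts the slides state.

```python
"""Decode and build SharePoint encoded claim strings (added example).

Not code from the OSP431 deck or from SharePoint itself.  The reserved
claim-type characters come from the "Reserved Claim Types and Identifiers"
slide; the original-issuer letters, the "." string value-type marker and the
full URIs in SAMPLE_CUSTOM_TYPES are assumptions from my own knowledge.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Subset of the slide's reserved table: encoded character -> claim type.
RESERVED_CLAIM_TYPES: Dict[str, str] = {
    "!": "SPClaimTypes.IdentityProvider",
    "#": "SPClaimTypes.UserLogonName",
    "(": "SPClaimTypes.IsAuthenticated",
    ")": "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "5": "ClaimTypes.Email",
    "?": "ClaimTypes.NameIdentifier",
    "e": "ClaimTypes.Upn",
}
# Original-issuer letters (assumption).  Windows and the SharePoint STS carry
# no provider name after the letter; the others are followed by "|<provider>".
ORIGINAL_ISSUERS = {"w": "Windows", "s": "SecurityTokenService", "t": "TrustedProvider",
                    "f": "Forms", "m": "Membership", "r": "RoleProvider", "c": "ClaimProvider"}
ISSUERS_WITHOUT_PROVIDER_NAME = {"w", "s"}
CUSTOM_TYPE_START = 500  # custom claim types start at Unicode 500 (slide)
# Constructed sample of one farm's custom map, using the two custom characters
# printed on the "Claim Encodings" slide (U+01F9 and U+01FB); URIs assumed.
SAMPLE_CUSTOM_TYPES = {
    "\u01f9": "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
    "\u01fb": "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool           # "i:" identity claim vs. "c:" any other claim
    type_char: str              # one character naming the claim type
    claim_type: str             # resolved name/URI, or a description if unknown
    value_type_char: str        # "." is string; other markers are not resolved here
    original_issuer: str        # e.g. "TrustedProvider"
    issuer_name: Optional[str]  # provider name; None for Windows / STS
    value: str


def resolve_claim_type(type_char: str, custom_types: Optional[Dict[str, str]] = None) -> str:
    """Reserved table first, then the farm's custom map; never guess a custom one."""
    if type_char in RESERVED_CLAIM_TYPES:
        return RESERVED_CLAIM_TYPES[type_char]
    if custom_types and type_char in custom_types:
        return custom_types[type_char]
    if ord(type_char) >= CUSTOM_TYPE_START:
        return "custom claim type U+%04X (farm specific, not in supplied map)" % ord(type_char)
    return "reserved character %r not in this example's table" % type_char


def decode_claim(encoded: str, custom_types: Optional[Dict[str, str]] = None) -> EncodedClaim:
    """Parse e.g. 'c:05.t|testadfs|e-mail address' or 'i:0#.w|CONTOSO\\alice'."""
    head, sep, tail = encoded.partition("|")
    # head is exactly: prefix ':' '0' type-char value-type-char issuer-char
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0":
        raise ValueError("not an encoded claim: %r" % encoded)
    type_char, value_type_char, issuer_char = head[3], head[4], head[5]
    if issuer_char not in ORIGINAL_ISSUERS:
        raise ValueError("unknown original issuer %r" % issuer_char)
    if issuer_char in ISSUERS_WITHOUT_PROVIDER_NAME:
        issuer_name, value = None, tail
    else:
        issuer_name, sep2, value = tail.partition("|")
        if not sep2 or not issuer_name:
            raise ValueError("missing provider name in %r" % encoded)
    return EncodedClaim(head[0] == "i", type_char, resolve_claim_type(type_char, custom_types),
                        value_type_char, ORIGINAL_ISSUERS[issuer_char], issuer_name, value)


def encode_claim(is_identity: bool, type_char: str, issuer_char: str, value: str,
                 issuer_name: Optional[str] = None, value_type_char: str = ".") -> str:
    """Build the encoded string; the exact inverse of decode_claim."""
    if len(type_char) != 1 or issuer_char not in ORIGINAL_ISSUERS:
        raise ValueError("bad claim-type or issuer character")
    if issuer_char in ISSUERS_WITHOUT_PROVIDER_NAME:
        if issuer_name:
            raise ValueError("issuer %r takes no provider name" % issuer_char)
        tail = value
    else:
        if not issuer_name:
            raise ValueError("issuer %r needs a provider name" % issuer_char)
        tail = "%s|%s" % (issuer_name, value)
    return "%s:0%s%s%s|%s" % ("i" if is_identity else "c", type_char,
                              value_type_char, issuer_char, tail)


def claims_equal(a: str, b: str, custom_types: Optional[Dict[str, str]] = None) -> bool:
    """Compare as the slide says SharePoint does: values in lower case, rest exact."""
    ca, cb = decode_claim(a, custom_types), decode_claim(b, custom_types)
    return (ca.is_identity, ca.type_char, ca.value_type_char, ca.original_issuer,
            ca.issuer_name, ca.value.lower()) == (cb.is_identity, cb.type_char,
            cb.value_type_char, cb.original_issuer, cb.issuer_name, cb.value.lower())


if __name__ == "__main__":
    # The four rows of the "Claim Encodings" slide plus a Windows logon-name claim.
    for s in ("c:0\u01f9.t|testadfs|authentication method", "c:05.t|testadfs|e-mail address",
              "c:0).t|testadfs|primary sid", "c:0\u01fb.t|testadfs|windows account name",
              "i:0#.w|CONTOSO\\alice"):
        c = decode_claim(s, SAMPLE_CUSTOM_TYPES)
        print("%-42s %-16s %-9s %s" % (s, c.original_issuer, c.issuer_name, c.claim_type))
```

Run it as a script to see the slide's rows decoded. Two points worth noticing when you use it against a real farm: a custom character decodes only if you pass that farm's own map (the same character means something else on another farm, which is what "farm specific" on the slide implies), and `claims_equal` treats `Alice@Contoso.com` and `alice@contoso.com` as the same claim but `testadfs` and `otheradfs` as different ones, so a claim issued by a second trusted provider never matches a permission granted to the first.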

Page 15: The Scenario - ADFS AD Claim Provider

• Use Active Directory to maintain user accounts but use ADFS to authenticate
• Need to search and resolve users just like native SharePoint
• Must work across forests
• Need to integrate with external partners using public and private federation
• Need to block access to external users for certain data

Checklist: Trusted Provider / CCP Search / CCP Resolve / CCP Augmentation

Page 16: Recipe - ADFS AD Claim Provider

Ingredients: 1 custom claim provider, 1 Secure Store, 2 Active Directories, 2 SharePoint sites, 1 ADFS

Diagram: an internal AD and an external AD both sit behind ADFS (the trusted provider); the claim provider uses the Secure Store; SharePoint holds "Secret Data" and "Super Secret Data", and the People Picker resolves users through the claim provider.

Page 17: Demo - ADFS/AD Claim Provider

Nephophobia (cloud fear, cloud phobia, fear of clouds, phobia of clouds)

Page 18: The Scenario - Claims Migration

• Existing SP 2007 or 2010 site is classic or FBA
• Moving to SAML with a custom CCP

Migration matrix: "From" rows are Classic and FBA; "To" columns are Windows Claims and SAML Claims. Legend: a marker (icon not captured in the transcript) = requires IMigrateUserCallBack; three of the cells are labelled "Today's talk".

Page 19: Code Snippets - Claims Migration Scenarios

The penguin is the only bird who can swim, but cannot fly

Page 20: Migrating from Classic to Windows Claims

    $webAppUrl = "http://yourWebAppUrl"
    $adminAccount = "DOMAIN\ADMIN"

    # Get the web application and switch its Default zone to claims authentication
    $webApp = Get-SPWebApplication $webAppUrl
    Set-SPWebApplication -Identity $webApp -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default

    # Re-get the web application and create an admin claim for myself
    $webApp = Get-SPWebApplication $webAppUrl
    $adminClaim = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
    $adminClaimString = $adminClaim.ToEncodedString()

    # Add the admin account to the web application policy (let me in after the migration)
    $zp = $webApp.ZonePolicies("Default")
    $p = $zp.Add($adminClaimString, "Admin Policy")
    $fc = $webApp.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $webApp.Update()

    # Re-get the web application
    $webApp = Get-SPWebApplication $webAppUrl

    # Do the migration
    $webApp.MigrateUsers($true)

Page 21: Recipe - Custom Claims Migration

Ingredients: 1 custom claim provider (if SAML), 1 custom class implementing IMigrateUserCallBack, 2 SharePoint web apps, 1 classic content DB, time and patience

Diagram (steps):
1) Copy the classic content DB
2) Mount the copy to a "DUMMY" (temporary) web app
3) Migrate with IMigrateUserCallback
4) Copy the migrated content DB
5) Mount it to the "REAL" (permanent) web app

Page 22: Migrating from Classic to SAML Claims

…See other slide - OMITTED

    # Migrate the web application: instead of $true, pass an instance of the
    # IMigrateUserCallback implementation. Load its assembly first; the fully
    # qualified assembly name and the namespace are placeholders.
    [System.Reflection.Assembly]::Load("<<FULLY QUALIFIED ASSEMBLY NAME>>") | Out-Null
    $callback = New-Object "<<Namespace>>.SAMLMigrationCallback"
    $webApp.MigrateUsers($callback)

Do the migration, but pass the assembly reference

Page 23: Migrating User Accounts Using IMigrateUserCallBack

    using Microsoft.SharePoint.Administration;
    using Microsoft.SharePoint.Administration.Claims;

    public class SAMLMigrationCallback : IMigrateUserCallback
    {
        // Called for each user account being migrated
        public string ConvertFromOldUser(string previousUserAccount,
            SPWebApplication.AuthenticationMethod previousAuthType, bool isGroup)
        {
            string newUserId = previousUserAccount;
            SPClaim migratedUserClaim = null;
            switch (previousAuthType)
            {
                case SPWebApplication.AuthenticationMethod.Windows:
                    migratedUserClaim = evalClassicToClaimsAccount(previousUserAccount, isGroup);
                    break;
                case SPWebApplication.AuthenticationMethod.Claims:
                    migratedUserClaim = evalWindowsClaimToClaimsAccount(previousUserAccount, isGroup);
                    break;
                case SPWebApplication.AuthenticationMethod.Forms:
                    // code for converting from Forms would be here
                    break;
            }
            if (migratedUserClaim != null)
            {
                newUserId = migratedUserClaim.ToEncodedString();
            }
            return newUserId;
        }

        // Helper functions (stubs here; filled in on the next two slides)
        SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
        {
            SPClaim migratedClaim = null;
            return migratedClaim;
        }

        SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
        {
            SPClaim migratedClaim = null;
            // migrating from Windows claims to SAML claims
            return migratedClaim;
        }
    }

Page 24: Migrating From Classic to SAML Claims

    using System.Security.Principal;

    SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        // Classic accounts arrive here as SID strings. Check the SID and make
        // sure it is not a system-type SID (see http://support.microsoft.com/kb/243330):
        // DO NOT MIGRATE NT AUTHORITY\Authenticated Users or LOCAL SYSTEM.
        SecurityIdentifier curSid = new SecurityIdentifier(previousUserAccount);
        if (curSid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid) ||
            curSid.IsWellKnown(WellKnownSidType.LocalSystemSid))
        {
            return migratedClaim;
        }

        // Resolve the SID to DOMAIN\name once; both branches below need it
        string oldNtId = translateSidToName(previousUserAccount);
        if (oldNtId == null)
        {
            return migratedClaim;
        }
        if (isGroup)
        {
            // Migrate groups (group SIDs vs. names: see the open question below)
            migratedClaim = generateGroupSidClaimFromNtId(previousUserAccount);
        }
        else
        {
            migratedClaim = generateUserIdClaimFromNtId(oldNtId);
        }
        return migratedClaim;
    }

    // Body not shown on the slide; this is the standard .NET SID-to-account translation,
    // returning null when the SID cannot be mapped.
    string translateSidToName(string sid)
    {
        try
        {
            return new SecurityIdentifier(sid).Translate(typeof(NTAccount)).Value;
        }
        catch (IdentityNotMappedException)
        {
            return null;
        }
    }

    // Bodies of these two helpers are not shown on the slide
    SPClaim generateGroupSidClaimFromNtId(string groupSid) { return null; }
    SPClaim generateUserIdClaimFromNtId(string ntId) { return null; }

DO NOT MIGRATE NT AUTHORITY\Authenticated Users or LOCAL SYSTEM

Group SIDs vs. names ??

Page 25: Migrating From Windows Claims to SAML

    using Microsoft.SharePoint.Administration.Claims;

    // Where the account being converted came from; only WindowsClaim is used on this slide
    enum SourceAccountType { WindowsClaim }

    SPClaimProviderManager _cpm = SPClaimProviderManager.Local;

    SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        // Migrating from Windows claims to SAML claims: create a claim from the
        // identifier so we can see whether the original issuer was Windows
        SPClaim idClaim = _cpm.ConvertIdentifierToClaim(previousUserAccount, SPIdentifierTypes.EncodedClaim);

        // This is a Windows claims user, and we are going to convert it to the SAML claims user ID format
        if (SPOriginalIssuers.IsIssuerType(SPOriginalIssuerType.Windows, idClaim.OriginalIssuer))
        {
            // Windows claims users are in the format domain\user; Windows claims groups are in SID format
            if (idClaim.ClaimType.Equals(SPClaimTypes.UserLogonName))
            {
                migratedClaim = generateSAMLClaimFromNtId(idClaim.Value, SourceAccountType.WindowsClaim);
            }
            else if (idClaim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid))
            {
                // Group SID or group name???
                migratedClaim = generateSAMLGroupClaim(idClaim.Value, SourceAccountType.WindowsClaim);
            }
        }
        return migratedClaim;
    }

    // Helper functions
    SPClaim generateSAMLClaimFromNtId(string winClaimId, SourceAccountType source)
    {
        SPClaim migratedClaim = null;
        // Create the proper SAML ID claim for the old Windows claims user
        return migratedClaim;
    }

    SPClaim generateSAMLGroupClaim(string groupClaim, SourceAccountType source)
    {
        SPClaim migratedClaim = null;
        // Create the proper SAML group claim for the old Windows claims group
        return migratedClaim;
    }

Page 26: Migration Notes

• IMigrateUserCallback: some accounts should not be migrated (for example Local System)
• Some accounts should be migrated to anonymous
• The super user and search accounts must be reconfigured post-migration
• Log on as PortalSuperUser and PortalSuperReader at least once

Page 27: Configuring the Publishing Cache Accounts

• For Windows and SAML claims, this must be configured for publishing sites
• Set the portalsuperuseraccount and portalsuperreaderaccount web application properties
• Also configure the web app policy

Page 28: Setting the Portal Super * Accounts

    $PortalSuperReader = "domain\portalsuperreader"
    $PortalSuperUser = "domain\portalsuperuser"

    $wa = Get-SPWebApplication -Identity "<<web app URL>>"

    # Encoded Windows claim (user logon name) for each account
    $PortalSuperUserClaim = New-SPClaimsPrincipal -Identity $PortalSuperUser -IdentityType WindowsSamAccountName
    $PortalSuperUserClaim.ToEncodedString()
    $wa.Properties["portalsuperuseraccount"] = $PortalSuperUserClaim.ToEncodedString()

    $PortalSuperReaderClaim = New-SPClaimsPrincipal -Identity $PortalSuperReader -IdentityType WindowsSamAccountName
    $PortalSuperReaderClaim.ToEncodedString()
    $wa.Properties["portalsuperreaderaccount"] = $PortalSuperReaderClaim.ToEncodedString()

    # Set the web application policies
    $SRpolicy = $wa.Policies.Add($PortalSuperReaderClaim.ToEncodedString(), "PortalSuperReader")
    $SRpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullRead"))
    $SUpolicy = $wa.Policies.Add($PortalSuperUserClaim.ToEncodedString(), "PortalSuperUser")
    $SUpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))

    # Update the web app
    $wa.Update()

    # IIS reset
    iisreset

Page 29: Fun with Claims - The Value of Claims-Based AuthN and AuthZ

Reindeers like to eat bananas

Page 30: The Scenario - Profile Claims

• Wanted to make the user experience of adding mapped claims easy
• Re-use attributes about a user for securing content in SharePoint
• Did not want adding a new claim to require a code deployment

Checklist: Trusted Provider / CCP Search / CCP Resolve / CCP Augmentation

Page 31: Recipe - Profile Claims

Ingredients: 1 custom claim provider, 1 Profile Service, 1 profile database, 1 SharePoint site

Page 32: Profile Claim Provider

It is possible to lead a cow upstairs but not downstairs

Page 33: The Scenario - Temporary Sharing of Files with Federated Users

• Share documents with external users regardless of authentication
• The user may not have a user account in SharePoint
• Needed to provide secure access for a defined time period
• Self-managing of user access

Checklist: Trusted Provider / CCP Search / CCP Resolve / CCP Augmentation

Page 34: Architecture

Diagram: public identity providers (Facebook, Google, PayPal) federate in; access is granted by a Sharing Token Claim, which can be Expired.

Page 35: Recipe - Temporary Sharing of Files with Public Federation

Ingredients: 1 custom claim provider, 1 custom claim generator, 1 custom database, 2 SharePoint sites, 2 custom web parts, 1 custom ribbon extension

Best with:
• External ad-hoc collaboration with partners or contractors
• Public federation with trusted users

Page 36: Demo - TempShare Claim Provider

The sentence "The quick brown fox jumps over a lazy dog." uses every letter of the alphabet!

Page 37: Building Custom Claim Providers - Hints

• Good for providing search and resolve of identity information
• Heads up:
  • All claim providers fire several times
  • Claims are immutable (cannot change once issued)
  • Incoming claims are not available at authentication time OOTB *

* http://blogs.technet.com/b/speschka/archive/2011/03/29/how-to-get-all-user-claims-at-claims-augmentation-time-in-sharepoint-2010.aspx

Page 38: Building Custom Claim Providers - More Hints

• Claims providers: encoding, casing; "welcome email" support
• Identity resolution: responsible / not responsible
• Debugging
• Deployment: app roles vs. web application vs. Central Admin; create 2 separate WSPs, enable AutoActivateInCentralAdmin

Page 39: In Review: Session Objectives and Takeaways

• SharePoint, claims and federation (recap)
• Fun with claims
  Demo: ADFS/AD Claims Provider
  Code: Migration from classic to SAML
  Demo: Profile Claims Provider
  Demo: TempShare Claims Provider
• General tips and tricks for claims

Page 40: Related Content

• SIA204 | Cloudy Weather: How Secure Is the Cloud?
• SIA208 | Demystifying Microsoft Forefront Edge Security Technologies: TMG and UAG
• SIA318 | Managing and Extending Active Directory Federation Services
• SIA403 | Troubleshooting Federation, ADFS, and More
• AZR78-HOL | Introduction to Access Control Service
• SIA01-TLC | Microsoft Identity and Access

Find us later at: SharePoint TLC Booth, Ask the Experts

Page 41: Links

• http://blogs.msdn.com/entdev - Demo code
• http://blogs.technet.com/b/speschka/ - SharePoint CBA resources

Page 42: Resources

• Connect. Share. Discuss. - http://europe.msteched.com
• Learning - Microsoft Certification & Training Resources - www.microsoft.com/learning
• TechNet - Resources for IT Professionals - http://microsoft.com/technet
• Resources for Developers - http://microsoft.com/msdn

Page 43: Evaluations

Submit your evals online: http://europe.msteched.com/sessions

Page 44: Legal

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.