Sample of Application Form for Authentication by isv83176

• What is Identity?




• What is a Claim?

[Figure: examples of claims about a user: a Name claim, an Age claim, a Location claim.]
[Figure: a security token carrying a set of claims and a signature; SharePoint (http://sharepoint.contoso.com) trusts the token issuer. Classic authentication compared with claims authentication.]

[Figure: claims-based authentication flow in SharePoint 2010.
 Actors: Client; SharePoint STS; Claims Providers; SharePoint Authorization; Identity Provider Security Token Service (IP-STS) backed by Active Directory, ASP.NET Membership, LiveID or SAML-based providers; trust relationship between SharePoint and the IP-STS.
 Steps: 1 Request resource; 2 Authenticate request / redirect; 3-4 Authentication and security token request to the IP-STS; 5 Service token request; 6 Security token response; 7 Request resource with service token.]
Classic Mode
Claims Mode

[Figure: Mixed Authentication (classic mode) versus Multi-Authentication (claims mode).
 Mixed Authentication: one SharePoint farm, one authentication method per zone.
   Web Application, Zone: Default: Windows Authentication
   Extended Web Application, Zone: Extranet: FBA Authentication
   Extended Web Application, Zone: Intranet: ...
   Extended Web Application, Zone: Internet: ...
   Extended Web Application, Zone: Custom: ...
 Multi-Authentication: one SharePoint farm, several authentication methods on the same zone.
   Web Application, Zone: Default: Windows Authentication + FBA Authentication
   Extended Web Application, Zone: Extranet: SAML Based Authentication + FBA Authentication
   Extended Web Application, Zone: Intranet: Windows Authentication
   Extended Web Application, Zone: Internet: ...
   Extended Web Application, Zone: Custom: ...]
[Figure: Business Connectivity Services (BCS) with the SharePoint STS. Components: SharePoint (Virtual List WebPart, BCS, SP STS); LOB / Data Source reached through a Web Service over the Internet; trust between SharePoint and the LOB system. Numbered call sequence 1 to 7.]

[Figure: BCS with an Enterprise STS. Components: SharePoint (Virtual List WebPart, BCS, SP STS); Enterprise STS; LOB / Data Source behind a WCF Web Service; trust between the SP STS and the Enterprise STS, and between the Enterprise STS and the LOB system. Numbered call sequence 1 to 8.]
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.IdentityModel.Claims;

namespace ClaimsViewerTest.VisualWebPart1
{
    public partial class VisualWebPart1UserControl : UserControl
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // In claims mode Page.User is an IClaimsPrincipal; in classic mode the cast yields null.
            IClaimsPrincipal claimsPrincipal = Page.User as IClaimsPrincipal;
            if (claimsPrincipal == null)
            {
                return; // Not a claims-based request: there are no claims to display.
            }

            IClaimsIdentity claimsIdentity = (IClaimsIdentity)claimsPrincipal.Identity;

            // Bind the claim collection (ClaimType, Value, ValueType, Issuer, ...) to the grid.
            GridView1.DataSource = claimsIdentity.Claims;
            Page.DataBind();
        }
    }
}
# Token-signing certificate exported from the ADFS 2.0 server.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[name_of_cert].cer")

# Map the incoming e-mail address claim unchanged; it also serves as the identifier claim.
$map1 = New-SPClaimTypeMapping `
  -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
  -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "urn:" + $env:ComputerName + ":adfs"
$signinurl = "https://[YOUR_SERVER_NAME]/adfs/ls/"
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS20Server" `
  -Description "ADFS 2.0 Federated Server" -Realm $realm `
  -ImportTrustCertificate $cert -ClaimsMappings $map1 `
  -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
"Root of Certificate Chain is Not Trusted Root Authority"
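That error is raised when the chain of the token-signing certificate imported with -ImportTrustCertificate does not end in a root that SharePoint itself trusts. The following is an added example, not code from the deck: it registers the issuing root CA certificate with SharePoint and then lists what the farm trusts. The file path and the display name are assumptions.

```powershell
# Added example (not from the deck). Path and name below are assumptions.
# Root CA certificate that issued the ADFS token-signing certificate.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\[name_of_root_cert].cer")

# Register it with SharePoint so the chain of the token-signing certificate validates.
New-SPTrustedRootAuthority -Name "ADFS Root CA" -Certificate $root

# Check what the farm now trusts and which identity token issuers are configured.
Get-SPTrustedRootAuthority |
  Select-Object Name, @{n="Subject";e={$_.Certificate.Subject}}, @{n="NotAfter";e={$_.Certificate.NotAfter}}
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, DefaultProviderRealm
```

Run this in the SharePoint 2010 Management Shell on a farm server; once the root is registered, the trusted identity token issuer created above no longer fails chain validation.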
Authentication method   Advantages and recommendations                                  Tradeoffs

Windows Classic         • Authenticate by using your existing Active Directory          • Some IIS authentication protocols are not
                          accounts.                                                       supported by all Web browsers.
                        • Simplify user management.
                        • Take advantage of Active Directory groups when
                          configuring SharePoint Server 2010 authorization.
                        • Avoid writing custom code.

Claims                  Claims authentication is implemented with assertions          Configuration and management requires
                        (claims) encapsulated in security tokens that determine        additional planning and training.
                        whether a user is permitted to access resources. A claim
                        can be a user name, a role, an employee ID, etc., and is
                        used to determine authorization and permission levels.

Forms-based             • Set up SharePoint Server 2010 in an environment that        • Requires customization of the Web.config file.
authentication            does not use AD DS (does not require Windows accounts).     • Subject to replay attacks for the lifetime of
                        • Authenticate against two or more different identity            the cookie, unless using SSL Transport Layer
                          management systems when creating partner applications.         Security (TLS).
                        • Implement a custom authentication scheme using
                          arbitrary criteria.
                        • Authenticate users coming from the Internet.
Mode
• Windows Classic
• Anonymous
• FBA Claims
• Windows Classic + FBA Claims
• Anonymous + FBA Claims
• SAML Claims
• Windows Claims
• Windows Claims + FBA Claims
#SPIdentity
SharePoint Server 2010 Beta

SharePoint Server 2010 IT Professional Evaluation Guide
• Plan Authentication Methods (SharePoint Server 2010) on TechNet
• Configure Forms-based Authentication for a Claims-based Web Application
• Configure the Security Token Service
SharePoint and Claims-based Identity
• A Guide to Claims-Based Identity and Access Control
• Claims-Based Identity for Windows
Setting up a lab environment with ADFS
• ADFS Resource Center

http://sharepoint.microsoft.com
http://msdn.microsoft.com/sharepoint
http://technet.microsoft.com/sharepoint
http://blogs.msdn.com/sharepoint
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
• http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
• http://www.w3.org/2001/XMLSchema#string
Create an SPAuthenticationProvider as ASP.NET Membership Provider and a Web Application

# Forms-based (claims) provider backed by the LDAP membership and role providers
# that are registered in web.config.
$provider = New-SPAuthenticationProvider `
  -ASPNETMembershipProvider "LdapMember" `
  -ASPNETRoleProviderName "LdapRole"
$webApp = New-SPWebApplication -Name "Claims" `
  -ApplicationPool "Claims Application Pool" `
  -ApplicationPoolAccount "CONTOSO\administrator" `
  -Url http://claims.contoso.com -Port 80 `
  -AuthenticationProvider $provider
Create a new SPClaimsPrincipal and Site Collection

# The prefix before the colon is the name of the membership provider that owns the user.
$principal = New-SPClaimsPrincipal -Identity "membership:SiteOwner" -IdentityType FormsUser
# The encoded claim string is what SharePoint accepts as the site owner alias.
$site = New-SPSite http://servername:port `
  -OwnerAlias $principal.ToEncodedString() -Template "STS#0"

								