This blog is intended to fill some gaps and provide a foundation to understand components in the claims model and how these components work together. Claims will provide a huge benefit which I will outline some of those benefits below. I suspect this will turn into a multi blog series so stay tuned for further blogs on this subject. The goal is providing a series of blogs starting from broad and getting more narrow in scope. As the scope is narrowed, a deeper technical progression will take place. SharePoint 2010 has a new approach to authentication\authorization. Instead of using the classic (Integrated) authentication method, it's possible to authenticate and authorize users against external Identity Providers. No longer, are we limited to directory repository's like Active Directory. In fact, it's possible to create custom identity providers and SharePoint will trust and leverage that Identity Provider thus granting external user access to a SharePoint site/document etc...
Special thanks goes to Venky for the knowledge transfer :)
Claims
An identity provider makes claims about a user. A good example of an identity provider is Live ID. So Live ID will claim to have attributes and their values. For Example:
Identity Provider "provider of the attributes" contains username attribute containing DanCan. A custom identity provider created by a hacker also contains an account with username attribute named DanCan. Both identity providers are making claims about a user. The consumer "SharePoint 2010" must choose which claim it's going to trust. SharePoint 2010 by itself will never trust either claim without being told to do so. In order for SharePoint to use a claim, it must first trust that claim which is setup by you the SharePoint administrator. If claims are trusted, then SharePoint can authenticate and authorize over that claim.
STS
STS is built on Geneva framework which is now called Windows Identity Foundation. The STS (Security Token Service) core responsibility is issuing, managing, and validating security tokens. An STS resides on both an identity provider and SharePoint. STS is built on top of the shared services framework which is why it's listed as a service application within Central Administrator\Manage Service Applications page:
Above, STS is composed of a web service and runs on every SharePoint server.
Authentication
The authentication type is setup at the Web Application level when creating a new SharePoint web application. It's possible to choose either classic authentication or Claims authentication. Each one is discussed below:
Classic
Active Directory authenticates a user, provides an NT Token. The token is used to authenticate to SharePoint. SharePoint consumes that token and it's converted into an SPUser object for authorization.
Note: Authorization is the process of determining what level of access an authenticated user has to a secured resource such as a Site, Document library etc.. The authorization mechanism hasn't changed in SharePoint 2010 and we ultimately still use an SPUser object to authorize.
After a trust is established between SharePoint and an Identity provider, web applications can be set with Claims authentication type instead of classic. If a client attempts to authenticate to a claims aware web application, SharePoint redirects a client to the associated trusted identity provider. The identity provider authenticates clients and provides a security token. That token could be either of the following:
· NT Token
· SAML Token
This security token is this passed to SharePoint STS. In short, the STS will validate the token "Claims Based Identity" and generate a new security "SAML" token back to the client. This token is generated by SharePoint and for SharePoint. The client sends this SAML token to SharePoint to prove that he/she is officially authenticated. SharePoint validates and authenticates user and an SPUser object is created and is used for authorization.
Steps for Claims Sign-In:
1. Client hit SharePoint site via HTTP (Get)2. SharePoint redirects client to Identity Provider in order to get a security token3. Client attempts to authenticate to trusted Identity Provider4. The identity provider's (Security Token Service) will validate the username and password and provide a security token to a client.
Note: A security token could be a Windows NT Token, SAML token, or FBA token
5. The client has a security token (authenticated) and submits it to SharePoint STS "Security Token Service"6. SharePoint STS receives security token from client and determines if we trust the issuer of that token "Identity Provider"7. STS then performs claims augmentation8. STS issues client new SAML token 9. Client request resource "site" with new SAML token 10. SharePoint consumes SAML token, "validates authentication successful", and builds an SPUser object in order to authorize to the secured resource
Mixed Authentication
In SharePoint 2007, to use additional authentication provider, you had to extend the web application and drop it in a different zone so it would contain a different URL. SharePoint 2007 wasn't flexible in terms of specifying multiple authentication types in a single un-extended web application.
Multi Authentication
In SharePoint 2010, it's possible to configure multiple authentication types for a single web application. This provides 2 benefits:
1. No longer required to extend web-application for the purpose of adding additional authentication types
2. Can have a single web application use multiple authentication types which provides the ability to serve a single URL!
Note: You can still extend web-applications and assign one or more authentication types to it if a business justification calls for that.
FBA
FBA users no longer uses an ASP.Net identity. FBA is now claims aware and the SharePoint STS facilitates the authentication process. Once user is authenticated, the SharePoint STS provides a SAML token to the client.
Note: When creating a web application designated for FBA, you must specify claims authentication type.
STS (federated equivalent of a domain controller) "issues tokens"
Basic FBA Sign-in process:
1. User signs in via FBA with credentials2. SharePoint STS calls membership provider to authenticate3. SharePoint STS calls role provider to get all the roles for the user4. Post successful authentication, a SAML token is generated by the SharePoint STS and passed back to the user5. The user then authenticates to SharePoint with SAML token and authentication is officially completed
For setup steps, please see my blog for more details.
How Claims works with Services
Accessing Internal Services
Within a Single Farm:
The classic example is a user performing a search. The WFE's (Server1) search web part talks to service application proxy. The associated search service application proxy calls the local STS to get a SAML token for the user. Once SAML token is collected, the search service application proxy then calls a server running the Query Processor via WCF call. I'll call this server, "Server 2". Server 2 receives the incoming request and validates the SAML token against its local STS. Once validated, Server 2 connects to various components to gather, merge, and security trims search results. Server 2 sends the trimmed search results back to Server 1 which are then presented to the user.
Accessing External Services
SharePoint 2010 STS can manipulate a SAML token in order to present it to an external web service. The way it presents the identity depends on the type of external web service. The goal is preventing the additional prompt for credentials so that a full Single Sign-On (SSO) experience is possible. The STS is comprised of the WIF "Windows Identity Framework" and also the C2WTS. Each component is used dependent upon the type of external service accessed.
C2WTS = Claims to Windows Token Service
If accessing a native windows application that expects a Kerberos ticket. Within SharePoint STS, we use C2WTS to use existing SAML token in order to create a windows token (Kerberos ticket) to authenticate.
http://msdn.microsoft.com/en-us/library/ee517278.aspx
SharePoint STS
Can be used to just issue SAML token to pass to external systems that support SAML tokens
Secure Store Service
SharePoint can be used to connect to a legacy LOB systems which requires credentials. (SSS) Captures credentials and uses them on web service call to login and go inside.
http://msdn.microsoft.com/en-us/library/ee557754.aspx
Thanks,
Russ Maxwell, MSFT
Hi Russ,
Can I consume Out of box STS of SharePoint 2010 from external System (a Claim Aware Web Application)?
Pradeep, I believe your asking the following:
Question: Can I use SharePoint 2010 STS as an identity provider?
Answer: I believe the answer is no because for sign-in the SharePoint STS depends on an identity provider if claims is specified. Therefore, SharePoint 2010 STS by itself cannot fulfill this requests..
make sense?
Russmax, MSFT
HI Russ,
How can I use Windows Live ID as an STS for claims based authentication? Can you give me the detail steps? I have been unable to configure LIVE ID STS with claims SharePoint 2010 site.
Thanks, Himani
Thanks RuSS
I hava another and very important Q. I have a custom WCF service hosted in _vti_vin. Then I have a web application
http://myserver:1234/ which is claim based web application.
Ok, so now If I call my custom WCF Service like http://myserver:1234/_vti_bin/customservice.svc
Question: Do I need claim to call this service?
You might be interested in a module Orbit One is sharing on it's website:
www.orbitone.com/.../SharePoint2010automaticsignin.aspx
You get automatic selection of the right authentication provider based on IP address mapping.
When using Windows Authentication for an intranet environment this brings back transparent authentication based on the Windows credentials.
Transparent sign-in with Windows Authentication, when using multiple authentication providers. No more '
* Support for IPv6
* Map IP addresses to an authentication provider
* Wildcard mapping
* Configuration through Powershell
The solution consists of two parts:
* A custom PowerShell snap-in that is used to manage the mappings between IP addresses and authentication providers. The mapping is stored in the Hierarchical Object Store, on the level of the Web Application.
* A custom sign-in page. When the custom sign-in page is loaded it will first check the IP address of the user. Then it will check if the address is mapped to an authentication provider. If it is mapped, the user will be redirected to the sign-in page of that provider. In other words, if the mapping is found the “Select the credentials you want to use to logon to the SharePoint site” step of the sign in process is automated.
I've set up a SharePoint list with a workflow that updates an External Content Type, but the workflow is failing with an access denied error when it goes to execute the 'Read List' of the ECT. The error even states that both of my domain accounts have permission, but the account SharePoint identifies as trying to perform the workflow is denied and appears slightly different though all of the account references are the same Active Directory username and password.
Does error log entry this yield any clues at to what is the source of the problem?
09/22/2010 15:42:25.27 w3wp.exe (0x1F8C) 0x1CF4 Business Connectivity Services Business Data g0jq High
Access Denied for User '0#.w|mybusinessdomain\ewmccarty', which may be an impersonation by 'MYBUSINESSDOMAIN\SP2010SA'. Securable MethodInstance with Name 'Read List' has ACL that contains:
User 'i:0#.w|mybusinessdomain\ewmccarty' with Display Name 'Erik W. McCarty' with Rights 'Execute, Edit, SetPermissions, SelectableInClients'
User 'i:0#.w|mybusinessdomain\emccarty' with Display Name 'Erik McCarty' with Rights 'Execute, Edit, SetPermissions, SelectableInClients'
05275adc-2ec6-4949-9528-c94908830f6c
Can clams be used to authenticate users from two entirely different AD forests? without ADFS or a trust?
Russ,
Do you have any info about integrating SharePoint with Oracle Access Manager? Wondering how the new claims auth works with this in 2010. Everything I see is related to 2007 and FBA. Thanks!
I had enabled claims Authentication and configured Forms Based Authentication (FBA) with membership provider in SharePoint 2010.
The logged-on user is kicked out when the page is redirected from https to http.
FedAuth cookie is not valid after redirecting from https to http.
Does anyone have any suggestions?
Hi Himani,
Check this out, it about how SharePoint 2010 connect to App Fabric Access Control v2.
blogs.msdn.com/.../understanding-sharepoint-2010-claims-authentication.aspx
Check this out, it's about how SharePoint 2010 connect to App Fabric Access Control v2.
So basically FBA now goes through the SP2010 claims system? The only issue is that the SPClaimsAuthMembershipProvider doesn't implement GetUser(string,bool) which makes it quite difficult to use a lot of FBA solutions like password reset etc. The MSDN documentation claims it is implemented but any attempt to use it results in a NotImplementedException.
Hi Russ. One short question: can i do claims augmentation with a custom claims provider on integrated NTLM Windows Authentication? Thanks.
Very well written Russ. You paint a clear picture!