Chapter 9 – Claims-based Authentication

Wrox Professional Sharepoint 2010 Admin – Page 227

Claims-based authentication (CBA) is new to SP 2010. It is based on the concept of [identity] and uses open standards/protocols, so it works with any corporate identity system, not just AD and not just Windows-based systems.

Identity is represented by a [security token]. CBA provides a trust-based system between the application and a centralized provider that issues the token. The app trusts the user because it trusts the provider.

Claims-Based Identity —

Provides a common way for applications to acquire identity information from users, irrespective of whether they are inside the organization, in another organization, or on the internet. Identity information is stored in a security token, or token. It contains one or more [claims] about the user. (Think of a claim as metadata about the user that stays with them throughout their enterprise journey; it could include username, manager's name, address, email, etc.)

Implementing claims-based identity generally requires these:

(1) Windows Identity Foundation (WIF) – formerly called the Geneva Framework – is part of the SP 2010 prerequisites and is installed automatically
(2) Active Directory Federation Services 2.0 (ADFS)
(3) CardSpace 2.0

* WIF is a set of APIs that developers can use to build claims-enabled applications and to create custom security token services. It enables an enterprise to use a single identity model so that apps can communicate using industry standards.

* ADFS – formerly called Geneva Server – provides (1) identity federation and (2) single sign-on (SSO). ADFS is a Security Token Service (STS), responsible for issuing security tokens. It uses AD as the identity store, and LDAP, SQL, or a custom store as the attribute store. ADFS 2.0 supports both active (WS-Trust) and passive (WS-Federation and SAML 2.0) profiles.

* Windows CardSpace 2.0 – formerly [InfoCard] – is an identity selector technology that can replace the usernames and passwords you use to register or log on to web sites. CardSpace stores users' digital identities and represents the identity info in visual Information Cards.

Using CBA —

Key components – tokens, claims, identity providers and the Security Token Service (STS).

Typical scenario – a user attempting to access a web app —

1. The web browser requests a token from an STS on behalf of the user. The request is made using WS-Trust, a standard protocol for web service communication. The request typically includes (1) the name of the user and (2) the identity of the application the user wants to reach.

2. The STS performs an information lookup and verification. Once verified, the STS creates a token, which is returned to the requestor. The STS's authority to issue tokens has been granted by some identity provider, which is also called an issuer.

3. The browser sends the token to the desired web app, which extracts the required claims from it. The app (the relying party) uses and trusts the claims because it trusts the identity provider. The app verifies the token signature, confirming it originated from a trusted STS; only then are the claims accepted and the information used for authorization. The app itself can focus on authorization.
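The signature check in step 3 is the whole point of the trust model: a relying party must accept claims only after verifying that the token was signed by the STS it trusts, because anyone can write the string "name=alice" into a message. The following added example (not from the book or the post) plays both roles in plain PowerShell/.NET: a toy STS signs a flat "type=value" claim list with RSA-SHA256, and a relying party that holds only the STS public key verifies before accepting. The claim names and values are constructed for the demonstration, and the flat list stands in for a real XML-signed SAML token.

```powershell
# Added example, not from the book or the post. Claims below are constructed sample data.
# CspParameters(24) selects an AES-capable CSP so SHA-256 signing works on older .NET too.
$csp = New-Object System.Security.Cryptography.CspParameters(24)
$stsKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
$stsKey.PersistKeyInCsp = $false   # demo key: do not leave a key container behind on disk

function New-DemoToken([hashtable]$claims, $signingKey) {
    # Issuer (STS) side. Serialise claims deterministically (sorted) so that the
    # verifier rebuilds exactly the bytes that were signed.
    $lines = $claims.Keys | Sort-Object | ForEach-Object { "$_=$($claims[$_])" }
    $payload = [string]::Join("`n", [string[]]$lines)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($payload)
    return New-Object PSObject -Property @{
        Payload   = $payload
        Signature = [Convert]::ToBase64String($signingKey.SignData($bytes, "SHA256"))
    }
}

function Get-VerifiedClaims($token, [System.Security.Cryptography.RSAParameters]$trustedIssuerPublicKey) {
    # Relying party side. It never sees the private key; it only has the public
    # parameters of the STS it has decided to trust.
    $verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
    $verifier.PersistKeyInCsp = $false
    $verifier.ImportParameters($trustedIssuerPublicKey)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($token.Payload)
    $sig = [Convert]::FromBase64String($token.Signature)
    if (-not $verifier.VerifyData($bytes, "SHA256", $sig)) {
        return $null   # unknown issuer or altered payload: accept no claims at all
    }
    $claims = @{}
    foreach ($line in ($token.Payload -split "`n")) {
        $pair = $line -split "=", 2
        $claims[$pair[0]] = $pair[1]
    }
    return $claims
}

# Issuer: authenticate the user (out of scope here) and issue a signed token.
$token = New-DemoToken @{ name = "alice"; email = "alice@example.test"; manager = "bob" } $stsKey

# Relying party: ExportParameters($false) yields the public half only.
$trusted = $stsKey.ExportParameters($false)
$claims = Get-VerifiedClaims $token $trusted
"Accepted claims: " + (($claims.Keys | Sort-Object) -join ", ")

# A payload altered in transit no longer matches the signature, so nothing is accepted.
$altered = New-Object PSObject -Property @{
    Payload   = $token.Payload.Replace("name=alice", "name=carol")
    Signature = $token.Signature
}
"Altered token accepted: " + ((Get-VerifiedClaims $altered $trusted) -ne $null)
```

Two design points carry over to the real thing: the relying party's trust anchor is the issuer's key (in SharePoint, the STS signing certificate), not anything inside the token, and a failed verification must yield no claims rather than a partial set.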

SP 2010 includes an STS and WIF to claims-enable web apps, so SharePoint can use CBA. To broaden support, install ADFS 2.0 to federate with other organizations outside the hosting organization.

ADFS 2.0 implements an STS and generates SAML tokens in response to WS-Trust requests. ADFS also supports web browsers and other clients such as Office desktop clients and WCF.

ADFS 2.0 is not required to use CBA.

Terms —

Token – contains claims about a user and a digital signature. The service that issues the token digitally signs it so the issuer can be verified and unauthorized changes to the claims are detected.
Claim – any piece of information that describes a characteristic of the user.
Security token service (STS) – creates and issues tokens. An STS is a web service that issues tokens as defined by the WS-Trust security standard.
Secure Store Service – SSS is a claims-aware service that is responsible for decrypting the token issued by the STS to access the app ID, and for retrieving credentials from the secure store database. The credentials are then used to authorize access to resources.
WS-Trust – open standard that defines the concept of an STS, and the issuing, renewing and validating of security tokens.
Identity provider – organization that backs the STS and ensures that the claims are authentic.
Relying party – an application that accepts and uses a token is referred to as a relying party.
SAML – open XML standard for exchanging identity information, authentication and authorization data between different organizations. SAML provides internet SSO for organizations that want to securely connect to Internet apps that exist both inside and outside of the firewall.

SharePoint authentication options —

SharePoint supports both CBA (Claims-Based Authentication) and CMA (Classic Mode Authentication). When you create a new web application, you choose between CBA and CMA.

SP 2010 is represented by three logical layers or tiers: WFE, Application Server and backend database.

If you use Forms-Based Authentication (FBA) or SAML, you will need to use CBA. Otherwise, classic mode is preferred.

Classic Mode Authentication –

Refers to [Integrated Windows Authentication].
The Windows authentication methods include: (1) Anonymous (2) Basic (3) Digest (4) Certificate (5) NTLM (6) Kerberos

Claims-Based —

SP 2010 CBA enables authentication using Windows integrated security and non-Windows systems. Any provider that meets specific internet security standards can be used. The standards include WS-Security, WS-SecurityPolicy, WS-Trust and WS-Federation.

CBA supports three protocols: (1) Windows Authentication (same as CMA), (2) Forms-Based Authentication (FBA), including LDAP, database or custom membership and role providers, and (3) SAML, which includes ADFS 2.0, Windows Live ID and third-party providers.

Creating a claims-based application – (you need to allow anonymous access, and add FBA to the app, to allow a dual authentication configuration)

>> In the new web application, select Claims-Based Authentication

To verify that the web app is CBA:

Then create a new site collection (top-level site) in the new web app.

Configuring Anonymous access for your CBA web application-

1. Central Admin > Application Management > Manage Web Applications
2. Select the web app, click Authentication Providers, then click Default in the pop-up window.
3. Check Enable anonymous access.

Return to the web application page and click the Anonymous Policy button.

In the window: (should be default)

Browse to the site collection: Site Settings > Users and Permissions > Site Permissions, then click Anonymous Access.

Select [entire web site] or [lists and libraries].

Once done, the anonymous user is added to the permission users list.
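The same creation and anonymous-access steps, scripted end to end, as an added example that is not from the book or the post. It assumes placeholder values for the URL, app pool name and account, and site owner, and it runs in the SharePoint 2010 Management Shell on a farm server. The verification function is the check the notes leave unstated: read the web application's UseClaimsAuthentication property before creating any content, since a classic-mode app can be converted to claims later but never back.

```powershell
# Added example, not from the book or the post. <...> values are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url      = "http://<web application name>"
$owner    = "<domain>\<site owner>"
$poolAcct = "<domain>\<app pool account>"   # must already be registered as a managed account

# 1. Claims-based web application. New-SPAuthenticationProvider with no arguments
#    yields the Windows (NTLM) claims provider, i.e. "Claims-Based Authentication"
#    with Windows authentication in the Central Admin UI.
$winClaims = New-SPAuthenticationProvider
$params = @{
    Name                   = "Claims Portal"
    Url                    = $url
    Port                   = 80
    ApplicationPool        = "ClaimsPortalPool"
    ApplicationPoolAccount = (Get-SPManagedAccount $poolAcct)
    AuthenticationProvider = $winClaims
    AllowAnonymousAccess   = $true   # the "Enable anonymous access" checkbox on the Default provider
}
$wa = New-SPWebApplication @params

# 2. Verify the authentication mode before any content exists.
function Test-ClaimsWebApplication([string]$webAppUrl) {
    $app = Get-SPWebApplication $webAppUrl
    return [bool]$app.UseClaimsAuthentication
}
if (-not (Test-ClaimsWebApplication $url)) { throw "$url was not created in claims mode" }

# 3. Top-level site collection (Team Site template) in the new web app.
$site = New-SPSite -Url $url -OwnerAlias $owner -Name "Claims Portal" -Template "STS#0"

# 4. Site-level anonymous access: On = entire web site, Enabled = lists and libraries only,
#    Disabled = none. This is the "Site Permissions > Anonymous Access" dialog.
$web = $site.RootWeb
$web.AnonymousState = [Microsoft.SharePoint.SPWeb+WebAnonymousState]::On
$web.Update()
$site.Dispose()

# The web application's Anonymous Policy is deliberately left at its default, so
# anonymous users receive only what the site-level setting grants.
```

Granting anonymous access is additive at each layer: the IIS-level switch on the provider, the web application policy, and the site-level state all have to permit it, which is why a review of "who can read this site" has to look at all three places.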


Converting to CBA from CMA —

Once you convert the web app to use CBA, you cannot return to CMA!

Use these PowerShell commands (SharePoint 2010 Management Shell):

$ConvertApp = Get-SPWebApplication "http://<web application name>"
$ConvertApp.UseClaimsAuthentication = $true   # boolean property; $true rather than the string "True"
$ConvertApp.Update()                          # persist the change to the configuration database
$ConvertApp.MigrateUsers($true)               # rewrite existing Windows accounts into claims identities
$ConvertApp.ProvisionGlobally()               # push the new authentication settings to every WFE

Configuring Forms-Based Authentication (FBA) —

Enable FBA for the existing CBA web site, so that both Integrated Windows Authentication and FBA are used —

Using FBA means you are using the .NET membership API.

If you select FBA, you need to provide the Membership/Role provider names (and create the related databases using the command aspnet_regsql.exe, etc.)

Next, install the membership database using aspnet_regsql.exe, and add new users/roles (use MembershipSeeder).

Then you need to modify three different web.config files. (Type inetmgr to launch IIS Manager.)

(1) Add the connection string to the CBA web app's web.config file, inside the connectionStrings element:

<connectionStrings>
  <add name="SQLConnectionString" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>

Also, in the same web.config file, add the Membership and Role provider info. (same as Helpdesk)

(2) Modify Central Administration's web.config file –

Add the same SQL connection string as in Step 1. Add the Membership and Role manager info. (Page 242)

(3) Update the web.config of the STS. Expand the SharePoint Web Services web site in IIS Manager and select the [SecurityTokenServiceApplication] site. (P. 243)

Insert the SQL connection string, and add the info about the Role/Membership managers.
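The three web.config edits above are the same change applied in three places, which makes them a good candidate for a script that is idempotent and keeps a rollback copy. The following added example (not from the book or the post) does that and then registers the FBA provider on the web application's Default zone next to the Windows provider, which is the dual-authentication configuration the notes are working toward. Assumptions, labelled in the code as well: the provider names FBAMembershipProvider and FBARoleProvider, the connection string name and value from step (1), and the STS web.config location under the 14 hive's WebServices\SecurityToken folder. The web.config edits are per server, so the script has to run on every web front end.

```powershell
# Added example, not from the book or the post. Assumptions: provider names, the
# connection string from step (1), and the STS web.config path under the 14 hive.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "http://<web application name>"
$connName       = "SQLConnectionString"
$connString     = "data source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb"
$membershipName = "FBAMembershipProvider"
$roleName       = "FBARoleProvider"
$sysWebAsm      = "System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

# Step 0, run once against SQL: create the membership (m) and role (r) schema in aspnetdb.
#   & "$env:windir\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" -S SQL -E -A mr -d aspnetdb
# Integrated Security=SSPI means the web app pool account and the STS app pool account
# both need a SQL login with rights on aspnetdb, or the lookups fail silently.

function Get-OrCreateNode([System.Xml.XmlDocument]$doc, [System.Xml.XmlNode]$parent, [string]$name) {
    $node = $parent.SelectSingleNode($name)
    if ($node -eq $null) { $node = $parent.AppendChild($doc.CreateElement($name)) }
    return $node
}

function Add-ProviderEntry([System.Xml.XmlDocument]$doc, [System.Xml.XmlNode]$providers, [string]$name, [string]$type) {
    # Idempotent: an <add name="..."> that already exists is left as it is.
    if ($providers.SelectSingleNode("add[@name='$name']") -ne $null) { return }
    $add = $doc.CreateElement("add")
    $add.SetAttribute("name", $name)
    $add.SetAttribute("type", "$type, $sysWebAsm")
    $add.SetAttribute("connectionStringName", $connName)
    $add.SetAttribute("applicationName", "/")
    [void]$providers.AppendChild($add)
}

function Update-FbaConfig([string]$path) {
    Copy-Item $path "$path.bak" -Force          # rollback copy before touching the file
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($path)
    $root = $doc.DocumentElement                 # <configuration>

    $cs = Get-OrCreateNode $doc $root "connectionStrings"
    if ($cs.SelectSingleNode("add[@name='$connName']") -eq $null) {
        $add = $doc.CreateElement("add")
        $add.SetAttribute("name", $connName)
        $add.SetAttribute("connectionString", $connString)
        [void]$cs.AppendChild($add)
    }

    $systemWeb  = Get-OrCreateNode $doc $root "system.web"
    $membership = Get-OrCreateNode $doc $systemWeb "membership"
    $roleMgr    = Get-OrCreateNode $doc $systemWeb "roleManager"
    # defaultProvider is deliberately not changed: in a claims web app it must stay
    # "i" (membership) and "c" (roles), the SharePoint claims providers.
    Add-ProviderEntry $doc (Get-OrCreateNode $doc $membership "providers") $membershipName "System.Web.Security.SqlMembershipProvider"
    Add-ProviderEntry $doc (Get-OrCreateNode $doc $roleMgr "providers")    $roleName       "System.Web.Security.SqlRoleProvider"
    $doc.Save($path)
}

# The three files: (1) the CBA web app, (2) Central Administration, (3) the STS.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa   = Get-SPWebApplication $webAppUrl
$ca   = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$paths = @(
    (Join-Path $wa.IisSettings[$zone].Path.FullName "web.config"),
    (Join-Path $ca.IisSettings[$zone].Path.FullName "web.config"),
    (Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config")
)
foreach ($p in $paths) { Update-FbaConfig $p }

# Register FBA alongside Windows claims on the Default zone (dual authentication).
$win = New-SPAuthenticationProvider
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider $membershipName -ASPNETRoleProviderName $roleName
Set-SPWebApplication $wa -Zone $zone -AuthenticationProvider $win, $fba
```

After the change, the quickest check is the People Picker on the site: if it resolves a forms account from aspnetdb, all three web.config files (and the STS in particular) can reach the membership database; if it resolves Windows accounts only, the STS web.config is the usual place to look.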
