SAML 2.0 @ WORK WITH SHAREPOINT, OWA, …
Jean Marie THIA
TF-EMC2 | Lyon - France | February 2011

Agenda
• 1 - Demonstrations
• 2 - Explanations
• 3 - Story
• Questions

1 : Authentication
• Connect to a web application
• Connect to SharePoint
• Connect to Outlook Web Access

1 : SharePoint authZ
• A MS Word use case
  – From the desktop
  – From SharePoint
• Set authorization in SharePoint

Explanations

2 : SharePoint
• Flow: SAML 2.0 (from the IdP) → ADFS 2.0 → WS-Federation → SharePoint STS

2 : Outlook Web Access
• Flow: SAML 2.0 (from the IdP) → ADFS 2.0 → Mapping → C2WTS → Kerberos

2 : ADFS manipulation
• Map Shibboleth attribute
• Map OWA user

Story
Claim based access control
microsoft.identityModel

3 : WIF
• Core claims API (microsoft.identityModel)
• SAML Token
• WS-Federation protocol
• SAML 2.0 protocol with Safewhere http://safewhere.net/products/saml-20-for-wif.aspx

3 : WIF compatibility
• IsInRole works (web.config declaration)

3 : WIF programming

    using System.Linq;
    using System.Threading;
    using Microsoft.IdentityModel.Claims;

    // The current principal is a WIF IClaimsPrincipal once the federation
    // module has validated the token; take its first identity.
    IClaimsIdentity id = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];

    // you can use a simple foreach loop to find a claim...
    string usersEmail = null;
    foreach (Claim c in id.Claims)
    {
        if (c.ClaimType == System.IdentityModel.Claims.ClaimTypes.Email)
        {
            usersEmail = c.Value;
            break;
        }
    }

    // you can also use LINQ to find a claim (FirstOrDefault: the claim may be absent)
    Claim givenNameClaim = (from c in id.Claims
                            where c.ClaimType == System.IdentityModel.Claims.ClaimTypes.GivenName
                            select c).FirstOrDefault();
    string usersFirstName = givenNameClaim == null ? null : givenNameClaim.Value;

3 : ADFS 2.0
• Uses the SAML 2.0 protocol
  – Liberty Alliance IdP Lite
  – Liberty Alliance SP Lite
  – eGov SAML 2.0 Profile v1.5
• Uses the WS-* protocols
• Interoperates with Oracle, CA, SUN, Shibboleth, PingIdentity, …
• Is a separate download!
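The "AuthZ with claims augmentation" and "IsInRole works" points above are best seen in code. The following is an added example, not code from the slides or from Microsoft: a WIF 1.0 (microsoft.identityModel) ClaimsAuthenticationManager that maps an IdP attribute released through ADFS to application roles. The attribute claim type (the OID form of eduPersonAffiliation), the issuer name, the role names and the namespace are assumptions.

```csharp
// Added example (not from the slides): WIF 1.0 claims augmentation so that
// legacy IsInRole() checks and <authorization allow roles="..."> keep working
// against a SAML token that only carries IdP attributes.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace DemoApp
{
    public class AffiliationClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Assumed: ADFS forwards the Shibboleth attribute eduPersonAffiliation
        // under its OID-based claim type.
        private const string AffiliationClaimType = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1";

        // Assumed: must equal the "name" registered for the ADFS signing certificate
        // in <issuerNameRegistry><trustedIssuers> of web.config; WIF puts that name
        // into Claim.Issuer for every claim of a validated token.
        private const string TrustedIssuer = "http://adfs.example.org/adfs/services/trust";

        // Assumed mapping from affiliation values to application roles.
        private static readonly Dictionary<string, string> RoleByAffiliation =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "faculty", "Editors" },
                { "staff",   "Editors" },
                { "student", "Readers" },
            };

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            // Anonymous requests reach this hook too; never add roles to them.
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;

            IClaimsIdentity identity = incomingPrincipal.Identities[0];

            // The application owns its roles: any role claim carried in the token
            // (from the IdP or from an over-permissive ADFS rule) is dropped before
            // augmentation, so only the mapping below decides what IsInRole sees.
            foreach (Claim foreignRole in identity.Claims
                         .Where(c => c.ClaimType == ClaimTypes.Role).ToList())
            {
                identity.Claims.Remove(foreignRole);
            }

            // Only map affiliations that the trusted ADFS actually issued.
            // ToList() materialises the query before the collection is modified.
            List<string> affiliations = identity.Claims
                .Where(c => c.ClaimType == AffiliationClaimType && c.Issuer == TrustedIssuer)
                .Select(c => c.Value)
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToList();

            foreach (string affiliation in affiliations)
            {
                string role;
                if (RoleByAffiliation.TryGetValue(affiliation, out role)
                    && !identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == role))
                {
                    // Locally issued claim: Issuer defaults to "LOCAL AUTHORITY".
                    identity.Claims.Add(new Claim(ClaimTypes.Role, role));
                }
            }

            return incomingPrincipal;
        }
    }
}
```

The class is wired in with the web.config element the slide alludes to: a claimsAuthenticationManager entry (type="DemoApp.AffiliationClaimsAuthenticationManager, DemoApp") under microsoft.identityModel/service. WIF calls it after signature, audience and lifetime validation, which is why trusting Claim.Issuer is safe here and only here: if the trustedIssuers list in the issuerNameRegistry is left open, the check against TrustedIssuer protects nothing. After augmentation, Thread.CurrentPrincipal.IsInRole("Editors") returns true because WIF's ClaimsPrincipal resolves roles from claims of type ClaimTypes.Role.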
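The OWA flow above ends with "Mapping → C2WTS → Kerberos": the federated user is mapped to an AD account and the front end obtains a Windows token for it without a password. The following is an added example, not code from the slides or from the Microsoft OWA guide, of that last leg in a WIF-enabled ASP.NET front end using the Claims to Windows Token Service (C2WTS). It assumes the mapping to a shadow AD account is done upstream by ADFS claim rules so that the token already carries the AD UPN; the shadow domain and the OWA URL are assumptions.

```csharp
// Added example (not from the slides): UPN claim -> C2WTS (S4U2Self logon)
// -> impersonation -> Kerberos call to OWA (S4U2Proxy via constrained delegation).
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;

public static class OwaProxy
{
    // Assumed: OWA endpoint reached over Kerberos constrained delegation.
    private const string OwaUrl = "https://mail.example.org/owa/";

    // Assumed: the AD domain whose shadow accounts federated users are mapped to.
    private const string ShadowDomain = "example.org";

    // Extracts the AD UPN from the federated principal and refuses anything
    // outside the shadow domain: an IdP (or a weak ADFS mapping rule) must not
    // be able to pick an arbitrary account just by asserting a UPN value.
    public static string UpnFromCurrentPrincipal()
    {
        IClaimsPrincipal principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No federated identity.");

        string upn = null;
        foreach (Claim c in principal.Identities[0].Claims)
        {
            if (c.ClaimType == ClaimTypes.Upn)
            {
                upn = c.Value;
                break;
            }
        }

        if (upn == null || !upn.EndsWith("@" + ShadowDomain, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("UPN missing or outside the shadow domain.");
        return upn;
    }

    // Asks C2WTS for a Windows identity (no password involved), impersonates it
    // and calls OWA; the Negotiate handshake then runs as that user, which only
    // works if the front end's service account is trusted to delegate to the
    // Exchange HTTP SPN. Returns the response body.
    public static string FetchOwaAsUser(string upn)
    {
        WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upn);
        using (WindowsImpersonationContext impersonation = windowsIdentity.Impersonate())
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(OwaUrl);
            request.UseDefaultCredentials = true;  // Negotiate/Kerberos as the impersonated user
            request.PreAuthenticate = true;
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
        // Disposing the impersonation context reverts to the process identity.
    }
}
```

Two operational checks before this runs: the C2WTS Windows service must be started, and the identity of the calling worker process must be listed under allowedCallers in c2wtshost.exe.config, otherwise UpnLogon fails. Because C2WTS hands out a Windows token for any UPN the caller names, the allowedCallers list and the UPN domain check above are the two controls that keep a compromised front end from logging on as arbitrary domain users.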
3 : ADFS 2.0 architecture
(diagram) Account & Attribute Stores, Configuration Database

3 : Terminologies
    AD FS 2.0                        SAML 2.0
    Security Token                   Assertion
    Claims                           Assertion Attributes
    Claims Provider                  Identity Provider
    Relying Party                    Service Provider
AD FS 2.0 terms without a SAML 2.0 counterpart on the slide:
    Home Realm Discovery (HRD)
    Security Token Service (STS)

3 : Azure ACS
• ADFS for the cloud
• Extended interoperability (OAuth, OpenID, Google, Facebook, etc.)

Conclusion
• +
  – Many guides.
  – AuthZ with claims augmentation.
  – Claims compatibility with old code.
• –
  – Federation metadata

ADFS v2 - Guides
• SharePoint 2010: Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
  http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx
• Outlook Web Access 2010: Exposing OWA 2010 with AD FS 2.0 to other organizations
  http://www.microsoft.com/france/interop/ressources/documents.aspx
• InCommon: AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation
  http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx

Webcasts
• Architecting claims-aware applications
  http://www.msteched.com/2010/Europe/ARC303
• From N to Z: Authentication and Authorization in Microsoft SharePoint Server 2010
  http://www.msteched.com/2010/NorthAmerica/OSP311
• Developing Microsoft SharePoint Server 2010 Solutions with Claims Authentication
  http://www.msteched.com/2010/NorthAmerica/OSP306
• http://channel9.msdn.com/

Links at Microsoft
• Patterns & Practices: A Guide to Claims-Based Identity and Access Control
  http://msdn.microsoft.com/en-us/library/ff423674.aspx
• MSDN
  WIF: http://msdn.microsoft.com/en-us/library/ee748484.aspx
  C2WTS: http://msdn.microsoft.com/en-us/library/ee517278.aspx
  IdM: http://msdn.microsoft.com/en-us/security/aa570351.aspx
• ADFS 2.0 on TechNet
  http://technet.microsoft.com/en-us/library/adfs2(v=WS.10).aspx

Questions ?
[email protected]
twitter.com/jm_thia

Thanks for your attention