A Guide to Claims-Based Identity and Access Control
Authentication and Authorization for Services and the Web
Second Edition

Dominick Baier, Vittorio Bertocci, Keith Brown, Scott Densmore, Eugenio Pace, Matias Woloski

patterns & practices, Microsoft Corporation

This document is provided "as-is." Information and views expressed in this document, including URLs and other Internet website references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

©2011 Microsoft. All rights reserved. Microsoft, Active Directory, MSDN, SharePoint, SQL Server, Visual Studio, Windows, Windows Azure, Windows Live, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are the property of their respective owners.

Contents

Forewords
  Kim Cameron
  Stuart Kwan
  Steve Peschka

Preface
  Who This Book Is For
  Why This Book Is Pertinent Now
  A Note about Terminology
  How This Book Is Structured
  About the Technologies
  What You Need to Use the Code
    Application Server
    ADFS
    Active Directory
    Client Computer
  Who's Who

An Introduction to Claims
  What Do Claims Provide?
  Not Every System Needs Claims
  Claims Simplify Authentication Logic
  A Familiar Example
  What Makes a Good Claim?
  Understanding Issuers
    ADFS as an Issuer
    External Issuers
  User Anonymity
  Implementing Claims-Based Identity
    Step 1: Add Logic to Your Applications to Support Claims
    Step 2: Acquire or Build an Issuer
    Step 3: Configure Your Application to Trust the Issuer
    Step 4: Configure the Issuer to Know about the Application
  A Summary of Benefits
  Moving On
  Questions

Claims-Based Architectures
  A Closer Look at Claims-Based Architectures
    Browser-Based Applications
      Understanding the Sequence of Steps
      Optimizing Performance
    Smart Clients
    SharePoint Applications and SharePoint BCS
  Federating Identity across Realms
    The Benefits of Cross-Realm Identity
    How Federated Identity Works
    Federated Identity with ACS
      Understanding the Sequence of Steps
    Combining ACS and ADFS
  Identity Transformation
  Home Realm Discovery
  Design Considerations for Claims-Based Applications
    What Makes a Good Claim?
    How Can You Uniquely Distinguish One User from Another?
    How Can You Get a List of All Possible Users and All Possible Claims?
    Where Should Claims Be Issued?
    What Technologies Do Claims and Tokens Use?
  Questions

Claims-Based Single Sign-On for the Web and Windows Azure
  The Premise
  Goals and Requirements
  Overview of the Solution
  Inside the Implementation
    a-Expense before Claims
    a-Expense with Claims
    a-Order before Claims
    a-Order with Claims
    Signing out of an Application
  Setup and Physical Deployment
    Using a Mock Issuer
    Isolating Active Directory
    Handling Single Sign-out in the Mock Issuer
    Converting to a Production Issuer
    Enabling Internet Access
    Variation—Moving to Windows Azure
  Questions
  More Information

Federated Identity for Web Applications
  The Premise
  Goals and Requirements
  Overview of the Solution
    Benefits and Limitations
  Inside the Implementation
  Setup and Physical Deployment
    Using Mock Issuers for Development and Testing
    Establishing Trust Relationships
  Questions
  More Information

Federated Identity with Windows Azure Access Control Service
  The Premise
  Goals and Requirements
  Overview of the Solution
    Example of a Customer with its Own Identity Provider
    Example of a Customer Using a Social Identity
    Trust Relationships with Social Identity Providers
    Description of Mapping Rules in a Federation Provider
    Alternative Solutions
  Inside the Implementation
  Setup and Physical Deployment
    Establishing a Trust Relationship with ACS
    Reporting Errors from ACS
    Initializing ACS
  Working with Social Identity Providers
    Managing Users with Social Identities
    Working with Windows Live IDs
    Working with Facebook
  Questions
  More Information

Federated Identity with Multiple Partners
  The Premise
  Goals and Requirements
  Overview of the Solution
    Step 1: Present Credentials to the Identity Provider
    Step 2: Transmit the Identity Provider's Security Token to the Federation Provider
    Step 3: Map the Claims
    Step 4: Transmit the Mapped Claims and Perform the Requested Action
    Using Claims in Fabrikam Shipping
  Inside the Implementation
  Setup and Physical Deployment
    Establishing the Trust Relationship
      Organization Section
      Issuer Section
      Certificate Section
    User-Configurable Claims Transformation Rules
  Questions

Federated Identity with Multiple Partners and Windows Azure Access Control Service
  The Premise
  Goals and Requirements
  Overview of the Solution
    Step 1: Present Credentials to the Identity Provider
    Step 2: Transmit the Identity Provider's Security Token to the Federation Provider
    Step 3: Map the Claims
    Step 4: Transmit the Mapped Claims and Perform the Requested Action
    Step 1: Present Credentials to the Identity Provider
    Step 2: Transmit the Social Identity Provider's Security Token to ACS
    Step 3: Map the Claims
    Step 4: Transmit the Mapped Claims and Perform the Requested Action
    Enrolling a New Partner Organization
    Managing Multiple Partners with a Single Identity
    Managing Users at a Partner Organization
  Inside the Implementation
    Getting a List of Identity Providers from ACS
    Adding a New Identity Provider to ACS
    Managing Claims-Mapping Rules in ACS
    Displaying a List of Partner Organizations
    Authenticating a User of Fabrikam Shipping
    Authorizing Access to Fabrikam Shipping Data

[...]

An Introduction to Claims
Claims-Based Architectures
Claims-Based Single Sign-On for the Web
Claims-Based Single Sign-On for SharePoint
Single Sign-On in Windows Azure
Federated Identity for Web Applications
Federated Identity with Windows Azure Access Control Service
Federated Identity with Multiple Partners
Federated Identity with Multiple Partners and ACS
Securing REST Services
Claims Enabling Web...

...REST Services from a Windows Phone Device shows how you can use claims-based techniques with Windows Phone™ wireless devices. It discusses the additional considerations that you must take into account when using claims-based authentication with mobile devices. Claims-Based Single Sign-On for Microsoft SharePoint 2010 begins a path that explores how you can use claims-based identity techniques with Microsoft...
...authentication, forms-based authentication in a web browser, an X.509 client certificate, or something more exotic. Even if someone in charge of your company's security policy changes how users authenticate, you still get the information, and it's always in the same format. This is the utopia of claims-based identity that A Guide to Claims-Based Identity and Access Control describes. As you'll see, claims provide...

...of a Claims-Based Architecture
  Windows Identity Foundation Implementation of the Claims-Based Architecture
  SharePoint 2010 User Identity
  The SharePoint 2010 Security Token Service
  The SharePoint 2010 Services Application Framework
  Considerations When Using Claims with SharePoint
  Choosing an Authentication Mode
  Supported Standards
  Using Multiple Authentication Mechanisms
  SharePoint Groups with Claims...

...shows you how to use the claims-based approach with web services, whereby a partner uses a smart client that communicates with identity providers and token issuers using SOAP-based services. Securing REST Services shows how to use the claims-based approach with web services, whereby a partner uses a smart client that communicates with identity providers and token issuers using REST-based services. Accessing...

...with Claims Authentication
  Rich Client, Office, and Reporting Applications with Claims Authentication
  Other Trade-offs and Limitations for Claims Authentication
  Configuring SharePoint to Use Claims
  Tips for Configuring Claims in SharePoint
  More Information
Glossary
Answers to Questions
Index

...information to evaluate claims-based identity as a possible option when you're planning a new application or making changes to an existing one. It is intended for any architect, developer, or information technology (IT) professional who designs, builds, or operates web applications and services that require identity information about their users. Although applications that use claims-based identity exist on...

...of the book Federated Identity for SharePoint Applications

Preface

An Introduction to Claims explains what a claim is and provides general rules on what makes good claims and how to incorporate them into your application. It's probably a good idea that you read this chapter before you move on to the scenarios. Claims-Based Architectures shows you how to use claims with browser-based applications and...

...provide claims about them to interested applications. Some well-known examples are NTLM, Kerberos, Public Key Infrastructure (PKI), and the Security Assertion Markup Language (SAML). If systems that use claims have been around for so long, how can claims-based computing be new or important? The answer is a variant of the old adage, "All tables have legs, but not all legs have tables." The claims-based...

...the identity infrastructure, not rewriting the application code. This refactoring of identity logic is the basis of the claims-based identity model. Eugenio Pace from the Microsoft patterns & practices group has brought together some of the foremost minds on this topic so that their collective experience can be yours. He has focused on practical scenarios that will help you get started writing your own claims-aware...

Foreword

Claims-based identity seeks to control...