
Claims Based Identity


SSO in SharePoint 2010. Hi Folks, Single Sign On (SSO) is one of the most important features for connecting to external systems from SharePoint. In SharePoint 2007 you had to configure the SSO service and set the required username/password to connect to external systems. In SharePoint 2010 the new name for SSO is SSS: Secure Store Service. Here are some general considerations about SSS in SharePoint 2010:
1) SSS is a service in SharePoint 2010 that runs on the application server.
2) SSS provides a DB that stores credentials for Application IDs.
3) Application ID: your token to access the external application; the token may represent one user or a group of users.
4) It is recommended to run SSS in a separate application pool and on a separate application server.
5) Use a different SQL Server to store SSS credential information.
6) You create Secure Store Target Application Types:
a) Group: maps a group of people to access this external app.
b) Individual: maps individuals to access this external app.

Regards, Mostafa Arafa.

Understanding SharePoint 2010 Claims Authentication - SharePoint Brew. This blog is intended to fill some gaps and provide a foundation for understanding the components in the claims model and how these components work together. Claims provide a huge benefit, and I will outline some of those benefits below. I suspect this will turn into a multi-blog series, so stay tuned for further blogs on this subject. The goal is to provide a series of blogs starting broad and getting narrower in scope. As the scope is narrowed, a deeper technical progression will take place. SharePoint 2010 has a new approach to authentication\authorization. Special thanks go to Venky for the knowledge transfer :) Claims: an identity provider makes claims about a user. Identity Provider ("provider of the attributes"): contains a username attribute containing DanCan.

STS is built on the Geneva framework, which is now called Windows Identity Foundation. Above, STS is composed of a web service and runs on every SharePoint server. (Figure: Authentication - Classic · Claims · NT Token · SAML Token.)

Claims-Based Security in SharePoint 2010 Offers New Possibilities. The introduction of claims-based security support in SharePoint 2010 opens up several new doors with respect to managing the user accounts required to establish user identity. User identity is crucial in SharePoint Foundation and SharePoint Server 2010 because it provides the underlying infrastructure for essential services such as security, access control, auditing, personalization and user profiles. In SharePoint Portal Server 2003, user identity could only be established using a Windows identity, which forced companies to maintain an Active Directory (AD) account for each individual user.

While this constraint was fine for intranet environments where all the users are employees of the same company, it was a painful fit for extranet environments and publicly facing web sites. SharePoint 2007 broke the dependency on AD for establishing user identity by integrating ASP.NET support for forms-based authentication (FBA).

Configure Trusts in SharePoint 2010 Farm.
Claims-Based Authorization with WIF - ASP.Net.
OpenID, OAuth and InfoCard running on .NET.
Windows Identity Foundation SDK.
WSIdentityConstants Class (Microsoft.IdentityModel.Protocols.WSIdentity)
Steve on Security. Blogs.

Geneva-based WS-Federation metadata document generation wizard (or: Oops, I did it again!) - Christian Weyer's Blog. Starting with Beta 2 of the Geneva Framework there is nice support for metadata-driven behavior and code generation.

We (Mr. Security himself and me) came across some situations where one wants to generate the WS-Federation metadata document manually and then use this XML, e.g. with the fedutil.exe tool or the integrated Geneva tooling inside Visual Studio. I couldn't resist and built a wizard which helps generate the metadata document... sorry :) Feels like Groundhog Day. Here we go. Note: I am using the DevExpress wizard control and dependent assemblies.

Therefore the size of the ZIP is rather big (too big, IMHO) - sorry. For whom it may help: Download.

Build a Security Token Service (STS) with the Geneva Framework. Geneva Framework: Building A Custom Security Token Service. Michele Leroux Bustamante. This article is based on a prerelease version of the "Geneva" Framework. All information is subject to change. The Microsoft claims-based access (CBA) platform strategy—code-named "Geneva"—includes the "Geneva" Framework, "Geneva" Server, and Windows CardSpace "Geneva." The Geneva Framework provides developers with tools to build claims-based applications and services that involve tokens issued by a Security Token Service (STS), as well as tools for building a custom STS and for building Windows CardSpace-enabled applications.

In my last article about the Geneva Framework I discussed a better way to build claims-based Windows Communication Foundation (WCF) services that rely on tokens issued by an STS. A Security Token Services Primer: Any of these scenarios can be based on passive federation (browser-based) or active federation (Windows client-based). Figure 1: Token Issuance for an Active Federation Scenario.

Claims Based Identity & Access Control Guide - Download: Samples adjusted for Visual Studio 2010.

%windir%\microsoft.net\framework\v4.0.30319\aspnet_regiis

Required configuration changes for IIS, DevFabric and Windows Azure. Both solutions, 1-SingleSignOn and 5-WindowsAzure, involve the a-expense.ClaimsAware project. This solution is configured by default to run hosted in IIS, but solution 5-WindowsAzure will run in a different environment (DevFabric and Windows Azure). Please find the notes about the required changes in the microsoft.identityModel section of the web.config of the a-expense.ClaimsAware project.

Cookies encrypted using RSA. As mentioned in the guide, the federation cookies are now encrypted using an RSA algorithm. This change enables the involved sites to support Web farm scenarios.

In global.asax.cs:

    using System.Collections.Generic;
    using Microsoft.IdentityModel.Configuration;
    using Microsoft.IdentityModel.Tokens;
    using Microsoft.IdentityModel.Web;

    protected void Application_Start()
    {
        // Hook the event so the session token handler can be replaced once WIF has built its configuration.
        FederatedAuthentication.ServiceConfigurationCreated += this.OnServiceConfigurationCreated;
    }

    private void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // Protect the session (federation) cookie with the service certificate instead of the
        // per-machine DPAPI key, so every server in the Web farm can read a cookie written by any other.
        var sessionTransforms = new List<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(e.ServiceConfiguration.ServiceCertificate),
            new RsaSignatureCookieTransform(e.ServiceConfiguration.ServiceCertificate)
        });
        var sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }

In web.config: <configuration> ...

Request validation in ASP.NET 4. Implementation.

Claims-based identity or Claims Mode Authentication in Microsoft SharePoint Server 2010 has been all the buzz. Developers are looking to do more with augmentation of claims, and IT professionals are looking at new opportunities to delegate identities, whether across machine or trust boundaries, or to provide seamless and secure solutions enabling robust interoperability scenarios with external systems.

Understanding claims-based identity is the first step in realizing its potential, and to understand it we need to understand the basic concepts and nomenclature. Basic Definitions. Identities: identities are basically pieces of information about a person or an object, for example a user. Claims: a “claim” is effectively an assertion made about an object by a trusted system. Issuer: the issuer is the STS, or Security Token Service; the STS gathers its information from an attribute store that contains the information about the user. Step-by-step Walkthrough.

Claims authentication against Windows Live ID for SharePoint 2010 | Fpweb.net Blog - For What I.T.'s Worth. The SharePoint engineering team at Fpweb.net is always striving to discover new frontiers.

To declare that the impossible is… well, possible. Recently, we put our heads together to find a way to use both Live ID and OpenID as an authentication method for SharePoint Server 2010. With the addition of the new claims-based authentication framework in SharePoint 2010, SharePoint is now more loosely coupled to the authentication layer than ever. You’ve probably seen presentations or webinars where it was mentioned that you can use claims authentication against authentication providers such as Live ID and OpenID. Recently, Chris Schwab and I were working with an Fpweb.net customer that needed to use Live ID as an external authentication source for their internet-facing hosted SharePoint 2010 Server farm. Configure the Windows Live ID security token service: log in to the Microsoft Services Manager for Windows Live with your Live account. How to fill out the fields shown in the screenshot above:

Claims-Based Authorization with WIF.

Over the past few years, federated security models and claims-based access control have become increasingly popular. In a federated security model, authentication can be performed by a Security Token Service (STS), and the STS can issue security tokens carrying claims that assert the identity of the authenticated user and the user’s access rights. Federation allows users to authenticate in their own domain while being granted access to applications and services that belong to another domain—provided the domains have an established trust relationship. This approach removes the need to provision and manage duplicate accounts for a single user, and enables single sign-on (SSO) scenarios.

Claims-based access is central to a federated security model, whereby applications and services authorize access to features and functionality based on claims from issuers (the STS) in trusted domains. Platform tools in this area have also come a long way. Why Federated and Claims-Based Security?

Security Briefs: Exploring Claims-Based Identity. Keith Brown. Code download available at: SecurityBriefs2007_09.exe (206 KB). Most enterprise applications need some basic user security features. At a minimum, they need to authenticate their users, and many also need to authorize access to certain features so that only privileged users can get to them.

Some apps must go further and audit what the user does. On Windows®, these features are built into the operating system and are usually quite easy to integrate into an application. But what happens when you want to extend reach to users who don't happen to have Windows accounts? Finding Common Ground: On Windows, the most common type of credential used to access an enterprise application is simply the user's domain account. To make this discussion more concrete, and to help introduce what might be new terminology for some readers, let's imagine that Alice is a user who wants to access a purchasing service using her Windows domain account.

TechNet Radio: Claims-based Identity in SharePoint 2010.

Consuming Web Parts. This article is the fourth and last in a series of MSDN articles on creating a claims-aware web service and consuming it from SharePoint Business Connectivity Services (BCS). In this article, you are going to use SharePoint Designer 2010 to consume the claims-enabled Web service that you created in the first three articles. Before following the procedures in this article, read and follow the procedures in the first three articles. This blog is inactive. New blog: EricWhite.com/blog. These articles were written by Saji Varkey, Bin Zhang, and me. They will be published on MSDN sometime in the near future. Procedure: Create an External Content Type (ECT) from the Web service. If you are already familiar with setting up external content types, then you will be familiar with nearly all of the steps in this procedure.
5. When you press the Tab key, SharePoint Designer 2010 sets the Display Name to be the same as the Name.
8. Select WCF Service from the list.