Sharepoint 2013 : Authentication and authorization infrastructure (part 2) - Claims-based authentication types

9/17/2013 7:47:57 PM

2. Claims-based authentication types

With claims-based mode, you can enable multiple authentication methods within the same zone. Thus, you can now have a single zone—and a single URL—for accessing your site, while your users choose among multiple authentication methods with which to provide their credentials.

When you configure claims-based mode with a single authentication method, SharePoint authenticates end users directly with that method. If you configure multiple authentication methods, users are instead prompted to select the authentication method they want to use. Figure 2 depicts the authentication method selection page, configured to support both Windows Authentication and FBA.

A screen shot depicting the Sign In page, provided to end users while accessing a web application configured with multiple authentication methods. Below the welcome message is a drop-down list for selecting the authentication method. In the sample image, the available options are Windows Authentication and Forms Authentication.

Figure 2. The Sign In page, on which end users select the authentication method when multiple authentication methods are configured on the same zone.

Behind the scenes, the authentication engine of SharePoint normalizes all the users’ identities into SPUser instances, converting every identity into a set of claims. The users’ identity normalization process involves invoking a native service application of SharePoint, called the Security Token Service (STS). Figure 3 shows a functional schema of the identity normalization process managed by SharePoint 2013.

A diagram depicting how an authenticated identity is managed internally by SharePoint. Regardless of the authentication method you choose, all the identities (Windows Classic, Windows Claims, FBA, and SAML) are converted into internal SPUser objects of SharePoint. However, classic mode goes straight to SPUser, while claims-based mode goes through an intermediary SAML token.

Figure 3. A functional schema of the identity normalization process managed by SharePoint 2013.

Windows authentication

In terms of capabilities, Windows Authentication is almost the same as the old-style classic mode. Backstage, however, the user’s identity is translated into a set of claims. If you develop a custom control or Web Part that inspects a user’s identity, you will see that the current user’s identity is a ClaimsIdentity. By default, the set of claims that comprise the user’s identity is as follows:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. A claim with a value of type String that defines the user name.

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid. A claim with a value of type String that defines the security identifier (SID) of the user.

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid. A claim with a value of type String that defines the SID of the primary group of the user.

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn. A claim with a value of type String that defines the user principal name (UPN) of the user.

  • http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname. A claim with a value of type String that defines the logon name of the user.

  • http://schemas.microsoft.com/sharepoint/2009/08/claims/userid. A claim with a value of type String that defines the user ID of the current user. For Windows Authentication, it assumes a value of 0#.w|{Username}, where the string 0#.w| is a fixed prefix and {Username} is the user name of the user. The w stands for Windows Authentication.

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. A claim with a value of type String that defines the name of the user, assuming a syntax like that of the previously described claim (userid).

  • http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider. A claim with a value of type String that defines the name of the identity provider. For Windows Authentication, it assumes a value of windows. This is a SharePoint-specific claim.

  • http://schemas.microsoft.com/office/2012/01/nameidissuer. A claim with a value of type String describing the issuer of the nameid claim (see the nameid entry later in this list). This is a Microsoft Office–specific claim.

  • http://sharepoint.microsoft.com/claims/2009/08/isauthenticated. A claim with a value of type String and an inner value of True or False, used to indicate whether the current user is authenticated. This is a SharePoint-specific claim.

  • http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid. A claim with a value of type String that defines the ID of the current SharePoint farm. This is a SharePoint-specific claim.

  • http://schemas.microsoft.com/office/2012/01/upn. A claim with a value of type String that describes the UPN of the current user. This is an Office-specific claim.

  • http://schemas.microsoft.com/office/2012/01/nameid. A claim with a value of type String that describes the unique name identifier of the current user. This is an Office-specific claim.

  • http://sharepoint.microsoft.com/claims/2009/08/tokenreference. A claim with a value of type String that defines a reference to the user token. This is a SharePoint-specific claim.

  • http://sharepoint.microsoft.com/claims/2012/02/claimprovidercontext. A claim with a value of type String that defines the context of the current user token. This is a SharePoint-specific claim usually corresponding to the URL of the context.

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid. A claim with a value of type String that defines the SID of a group to which the current user belongs. A single ClaimsIdentity could contain many claims of this type, depending on the number of groups to which the current user belongs.

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod. A claim with a value of type String that defines the configured authentication method. When using Windows Authentication, it assumes a value of http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows.

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant. A claim with a value of type DateTime that defines the date and time the token was issued.

Extracting claims from a current user’s identity

using System;
using System.Web;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;   // ClaimsIdentity and Claim (WIF) as used by SharePoint 2013

// Inside a custom control or Web Part, for example in CreateChildControls()
ClaimsIdentity ci = this.Page.User.Identity as ClaimsIdentity;
if (ci != null) {
    this.Controls.Add(new LiteralControl("<h2>Claims</h2>"));
    foreach (Claim c in ci.Claims) {
        // Claim values originate from the identity provider; HTML-encode them
        // before writing them into the page so a crafted value cannot inject markup.
        this.Controls.Add(new LiteralControl(
            String.Format(
                "<div>ClaimType: {0} - ClaimValue: {1} - ClaimValueType: {2}</div>",
                HttpUtility.HtmlEncode(c.ClaimType),
                HttpUtility.HtmlEncode(c.Value),
                HttpUtility.HtmlEncode(c.ValueType))));
    }
}

In this example, it suffices to cast the current user’s identity (this.Page.User.Identity) to the ClaimsIdentity type of the Microsoft.IdentityModel.Claims namespace. If the cast succeeds, you can enumerate the Claims property and examine each individual Claim instance.

Forms-Based Authentication

When you configure FBA, you gain the capability to authenticate your users against an external repository of users. By default, this can be an LDAP directory or a Microsoft SQL Server database built using the standard SQL Membership Provider of ASP.NET. Of course, you can also develop custom membership providers of your own, querying any kind of user repository. In the next section, you will learn how to configure SharePoint 2013 to support FBA with the standard SQL Membership Provider. For now, consider the default set of claims that make up the user’s identity when using FBA:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. The same as in Windows Authentication.

  • http://schemas.microsoft.com/ws/2008/06/identity/claims/role. A claim with a value of type String that defines the name of a role to which the current user belongs. There could be many claims of this type in a single ClaimsIdentity, depending on the number of roles to which the current user belongs.

  • http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname. The same as in Windows Authentication.

  • http://schemas.microsoft.com/sharepoint/2009/08/claims/userid. A claim with a value of type String that defines the user ID of the current user. For FBA, it assumes a value of 0#.f|{MembershipProvider}|{Username}, where the string 0#.f| is a fixed prefix, {MembershipProvider} is the name of the configured membership provider, and {Username} is the user name of the user. The f stands for FBA.
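The two userid layouts described in this section, 0#.w|{Username} for Windows Authentication and 0#.f|{MembershipProvider}|{Username} for FBA, together with the ClaimsIdentity enumeration shown earlier, as an added C# example that is not code from the original page: it decodes the userid claim, rejects malformed values instead of guessing, and combines the isauthenticated, identityprovider and groupsid/role claims into a single authorization check. It is written against the .NET 4.5 System.Security.Claims types so it compiles and runs outside SharePoint; in a SharePoint 2013 Web Part the same claim types appear on Microsoft.IdentityModel.Claims.ClaimsIdentity, whose Claim exposes ClaimType rather than Type. The sample identities, the group SID, the membership provider name sqlmembership and the FBA identityprovider value forms:sqlmembership are constructed assumptions, not values taken from the page.

```csharp
// Added example (not from the page). Decodes SharePoint-style userid claims and
// performs an authorization check over the claim types listed in this section.
// Sample identities below are constructed; the FBA identityprovider value is assumed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class SharePointClaimTypes
{
    // Claim type URIs exactly as listed on the page.
    public const string UserId = "http://schemas.microsoft.com/sharepoint/2009/08/claims/userid";
    public const string IdentityProvider = "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider";
    public const string IsAuthenticated = "http://sharepoint.microsoft.com/claims/2009/08/isauthenticated";
    public const string GroupSid = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid";
    public const string Role = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
}

// Decoded form of a userid claim value.
public sealed class SharePointUserId
{
    public string AuthenticationType;   // "w" for Windows, "f" for FBA
    public string MembershipProvider;   // null for Windows identities
    public string UserName;
}

public static class ClaimsInspector
{
    // Parses "0#.w|{Username}" or "0#.f|{MembershipProvider}|{Username}".
    // Any other shape returns null so callers never act on an unexpected identifier.
    public static SharePointUserId ParseUserId(string value)
    {
        if (string.IsNullOrEmpty(value) || !value.StartsWith("0#.", StringComparison.Ordinal))
            return null;
        string[] parts = value.Split('|');
        if (parts[0].Length != 4) return null;          // expect "0#.w" or "0#.f"
        string type = parts[0].Substring(3);
        if (type == "w" && parts.Length == 2 && parts[1].Length > 0)
            return new SharePointUserId { AuthenticationType = "w", UserName = parts[1] };
        if (type == "f" && parts.Length == 3 && parts[1].Length > 0 && parts[2].Length > 0)
            return new SharePointUserId { AuthenticationType = "f", MembershipProvider = parts[1], UserName = parts[2] };
        return null;
    }

    // True only when the SharePoint isauthenticated claim is present and reads "True".
    public static bool IsAuthenticated(ClaimsIdentity identity)
    {
        Claim c = identity.FindFirst(SharePointClaimTypes.IsAuthenticated);
        return c != null && string.Equals(c.Value, "True", StringComparison.OrdinalIgnoreCase);
    }

    // Membership is carried by groupsid claims (Windows) or role claims (FBA);
    // an identity may hold many of each, so all values of both types are collected.
    public static HashSet<string> GroupsAndRoles(ClaimsIdentity identity)
    {
        return new HashSet<string>(
            identity.Claims
                .Where(c => c.Type == SharePointClaimTypes.GroupSid || c.Type == SharePointClaimTypes.Role)
                .Select(c => c.Value),
            StringComparer.OrdinalIgnoreCase);
    }

    // Grants access only if the user is authenticated, the expected identity provider
    // issued the identity, the userid decodes cleanly, and the required group/role is present.
    public static bool MayAccess(ClaimsIdentity identity, string expectedProvider, string requiredGroupOrRole)
    {
        if (!IsAuthenticated(identity)) return false;
        Claim idp = identity.FindFirst(SharePointClaimTypes.IdentityProvider);
        if (idp == null || !string.Equals(idp.Value, expectedProvider, StringComparison.OrdinalIgnoreCase)) return false;
        Claim uid = identity.FindFirst(SharePointClaimTypes.UserId);
        if (uid == null || ParseUserId(uid.Value) == null) return false;
        return GroupsAndRoles(identity).Contains(requiredGroupOrRole);
    }
}

public static class Demo
{
    // Constructed sample identities mirroring the claim sets described on the page.
    public static ClaimsIdentity WindowsUser()
    {
        return new ClaimsIdentity(new[] {
            new Claim(SharePointClaimTypes.UserId, @"0#.w|CONTOSO\alice"),
            new Claim(SharePointClaimTypes.IdentityProvider, "windows"),
            new Claim(SharePointClaimTypes.IsAuthenticated, "True"),
            new Claim(SharePointClaimTypes.GroupSid, "S-1-5-21-0-0-0-513") }, "Windows");   // placeholder SID
    }

    public static ClaimsIdentity FormsUser()
    {
        return new ClaimsIdentity(new[] {
            new Claim(SharePointClaimTypes.UserId, "0#.f|sqlmembership|bob"),
            new Claim(SharePointClaimTypes.IdentityProvider, "forms:sqlmembership"),   // assumed value
            new Claim(SharePointClaimTypes.IsAuthenticated, "True"),
            new Claim(SharePointClaimTypes.Role, "Editors") }, "Forms");
    }

    public static void Main()
    {
        foreach (ClaimsIdentity id in new[] { WindowsUser(), FormsUser() })
        {
            SharePointUserId u = ClaimsInspector.ParseUserId(id.FindFirst(SharePointClaimTypes.UserId).Value);
            Console.WriteLine("{0}: type={1} provider={2} user={3}",
                id.AuthenticationType, u.AuthenticationType, u.MembershipProvider ?? "-", u.UserName);
        }
        Console.WriteLine(ClaimsInspector.MayAccess(WindowsUser(), "windows", "S-1-5-21-0-0-0-513"));
        Console.WriteLine(ClaimsInspector.MayAccess(FormsUser(), "windows", "Editors"));   // denied: wrong provider
        Console.WriteLine(ClaimsInspector.ParseUserId("0#.f|sqlmembership") == null);     // malformed: no user name
    }
}
```

The parser deliberately returns null for anything that is not exactly one of the two documented layouts; an authorization decision should never be made from a partially recognised identifier. Checking the identityprovider claim alongside the userid prefix matters because, when several authentication methods share a zone, a Windows user and an FBA user can carry the same {Username} while being different principals.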
