Introduction to Claims Based Security

Duration: 8 minutes

Overview: Claims-based identity provides a common way for applications to acquire identity information from users inside their organization, in other organizations, and on the Internet. Identity information is contained in a security token, often simply called a token. A token contains one or more claims about the user. Think of it as metadata about the user that stays with them throughout their session.

This demo introduces the fundamental concepts of claims-based authentication. The goal is to further decouple SharePoint from the authentication provider, the component that supplies the identity, so that SharePoint can easily be configured against any number of authentication providers.

One big benefit of configuring claims becomes visible in the People Picker, which gets easier to work with.

Note that with beta 2 you might never notice that claims are available to you, because the web applications you already have may all have been created in classic mode.

Open the SharePoint Central Administration.

Navigate to Application Management.

Select the Manage web applications hyperlink.

Click the New button to create a new web application.

The first section is the Authentication section. There you can choose if you want to create the web application with Classic Mode Authentication or with Claims Based Authentication.

Select the Claims Based Authentication option.

[Screenshot: auth1]

Scroll down to the Identity Providers section. Notice that you can enable Windows Authentication, or enable ASP.NET Membership and Role Provider. If you had other trusted identity providers, you could add them to this list as well.

[Screenshot: auth2]

Cancel the dialog.

You can create your own trusted identity providers. An example is adding the ability to authenticate against Live ID.

Go back to the main page of the SharePoint Central Administration.

Click on the Security hyperlink.

Notice that in the General Security section there is a Manage trust hyperlink.

Click on the hyperlink to see a list of trusted identity providers. The Trusted Service Consumer is the one that is there by default.

Click the Farm Trusts tab on the ribbon.

Click the New button to create a new trust.

In the General Settings enter the name Live ID.

You have to specify a Root Certificate for the trust, to indicate that you trust the new authentication system.

You also have to specify the Farm Trust.

[Screenshot: auth3]

Cancel the process.

Go back to the SharePoint Central Administration and again choose to create a new web application.

Again select the Claims Based Authentication option.

If you had configured Live ID as a trusted Identity Provider, it would appear in the Identity Providers section together with Windows Authentication and ASP.NET Membership.

Scroll down to the Sign In Page URL section.

You could design your own sign-in page that would be displayed when a user navigates to your SharePoint site.
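The same trust and claims web application that the demo creates through Central Administration can be scripted. The following is an added example, not part of the original demo, written for the SharePoint 2010 Management Shell with the farm's own cmdlets (New-SPTrustedRootAuthority, New-SPClaimTypeMapping, New-SPTrustedIdentityTokenIssuer, New-SPAuthenticationProvider, New-SPWebApplication). The realm, sign-in URL, certificate path, web application URL and application pool account are placeholders chosen for this example.

```powershell
# Added example (not from the original demo): scripting the "Live ID" farm trust and a
# claims-mode web application with the SharePoint 2010 PowerShell cmdlets.
# Run from the SharePoint 2010 Management Shell as a farm administrator.
# Every value in the placeholders block is an assumption for this example.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Placeholders: substitute your own values ---
$issuerName  = "Live ID"
$realm       = "urn:sharepoint:internet"              # realm the identity provider issues tokens for
$signInUrl   = "https://login.example.test/signin"    # identity provider's sign-in endpoint
$certPath    = "C:\certs\idp-token-signing.cer"       # public token-signing certificate of the provider
$webAppUrl   = "https://internet.example.test"
$poolAccount = "CONTOSO\spapppool"                    # an existing managed account

# 1. Load the provider's token-signing certificate (public key only, a .cer file).
#    This is the root certificate the demo enters under Manage trust: SharePoint will accept
#    any token signed by the matching private key, so confirm the thumbprint with the
#    provider's owner before trusting it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
Write-Host "Trusting token-signing certificate with thumbprint $($cert.Thumbprint)"

# 2. Register the certificate as a trusted root authority (Manage trust > Farm Trusts > New).
New-SPTrustedRootAuthority -Name "$issuerName token signing" -Certificate $cert | Out-Null

# 3. Map the incoming claim types SharePoint should read from the token.
#    The e-mail address becomes the identifier claim, the value that names the user.
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$emailMap  = New-SPClaimTypeMapping -IncomingClaimType $emailType -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap   = New-SPClaimTypeMapping -IncomingClaimType $roleType  -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 4. Create the trusted identity token issuer; this is the entry that shows up in the
#    Identity Providers list next to Windows Authentication and ASP.NET Membership.
$issuer = New-SPTrustedIdentityTokenIssuer -Name $issuerName `
    -Description "Example external identity provider" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap,$roleMap `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailType

# 5. Authentication providers for the new web application: Windows plus the trusted issuer.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trustedProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

# 6. Create the web application in claims mode (Authentication > Claims Based Authentication).
$app = New-SPWebApplication -Name "Internet (claims)" `
    -Url $webAppUrl -Port 443 -SecureSocketsLayer `
    -ApplicationPool "InternetClaimsPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount $poolAccount) `
    -AuthenticationProvider $windowsProvider,$trustedProvider

# 7. Verify what the farm now trusts and which providers the default zone accepts.
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, IdentifierClaim, SigningCertificate
$app.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].ClaimsAuthenticationProviders |
    Select-Object DisplayName
```

Two points worth checking after running this. The trusted root authority is the whole basis of the trust, so keep an eye on which certificates appear in Get-SPTrustedRootAuthority and rotate the entry when the provider rolls its signing key. Also, with a trusted (SAML) provider and no custom claims provider, the claims People Picker cannot query the provider for users, so it accepts whatever value is typed in; the custom claims provider mentioned later in this demo is what turns that free-text entry into a searchable hierarchy.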

Let’s bring up two different web applications. The first web application is the intranet application, which uses classic Windows authentication.

Navigate to the Site Permissions page of the intranet site to add some users.

Click the Grant Permissions button.

Choose a user from the People Picker. This is a sample of the People Picker in classic mode.

Cancel the action again.

The second web application is the internet application and is configured to use claims.

If Live ID had been configured and there were a Brian in it, that would be visible in the left pane.

Furthermore, if you had created a custom claims provider, and that provider exposed claims such as users who have been in the company for more than 5 years, those would be offered in the left pane and you would be able to drill down into the hierarchy.

Navigate to the Site Settings page and select the People and Groups hyperlink.

Select the New User button.

In the Grant Permissions dialog you can enter the name of a new user. The claims-based People Picker is displayed.

The left pane is populated with all claims providers.

When you type in brian and search for it, you will see that Active Directory contains 2 results.