Reflecting on the Microsoft SharePoint 2011 Conference (SPC2011) of last week, there were several hot topics presented – one was the concept of claims and using claims in SharePoint 2010 for interesting security-related scenarios like authentication. This topic is particularly important in the identity management space right now.
I’d like to thank everyone that came to my session on the Wednesday afternoon titled Using Claims for Authorization in SharePoint 2010. It appears that the deck I presented may still not be available on the Microsoft MySPC site. I have asked Microsoft to look into this and post the updated deck I provided them, but in the meantime I’ll make the deck available here for download.
Using Claims for Authorization in SharePoint 2010
(presented by Antonio Maio, TITUS on Wed, Oct 5, 2011 at Microsoft SPC 2011)
I’m going to post several articles over the next few days and weeks on this topic. I’d like to start this series off by talking about the basics and giving readers a foundation for the concept of claims, and how they can be used in various business and data governance scenarios.
What are Claims?
People often talk about the concept of claims in a very simple manner, saying that claims represent user attributes or attributes about a user. Sometimes claims are referred to as metadata about a user – I’ve been guilty of this one myself. To over-simplify the topic, we sometimes hear them spoken about as Active Directory attributes or LDAP attributes.
Really, to understand the concept, you have to view claims as an assertion that I make about myself. In other words, a claim is an attribute that I claim to have or be. For example, I can tell you that I am Canadian. I can tell you I’m a Canadian of Italian heritage. You may or may not believe me. This is something that I’m claiming about my identity. If you were to look at my passport, perhaps you’d be more inclined to believe this claim, because my passport is an official document that many agencies trust. If you were to ask someone that you trust about me, and that person happens to know me well, then you would likely be inclined to trust what they say about me.
In the digital world, an application trusts a claim about a user’s identity if it is issued to the calling application by a trusted identity provider. That’s why, when creating or deploying a claims-aware application, it’s important to establish a trust relationship between that claims-aware application (the relying party) and the claims issuer (sometimes called a claims identity provider).
Claims offer us much more than just retrieving attributes from a directory. As an example to consider, typically an external partner to an organization is not permitted to connect their system to the organization’s internal directory to retrieve attributes. Even if they are permitted to connect, the partner has no way of trusting those attributes because they have no way of validating them. As well, for the organization, there really is no effective way of limiting what attributes each calling application is permitted to access.
The real power of claims becomes evident when you consider the following points:
- claims are issued to applications by trusted identity providers
- these trusted identity providers can be on-premises, in the cloud, inside or outside the enterprise
- trusted identity providers can be configured to only return certain claims to specific trusted calling applications
- claims are packaged up into tokens using standards-based formats (like WS-Federation or SAML)
- claims tokens are digitally signed and communicated back to the calling application using standards-based protocols (like SAML)
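To make the trust relationship from the points above concrete, here is an added example (not code from the post, and not how SharePoint or WIF implement it): an issuer releases only the claims its policy allows for a given relying party and signs the token; the relying party accepts the token only if it was signed by an issuer it has registered, is addressed to it, and has not expired or been altered. The issuer name, key and relying-party URL are constructed placeholders, and an HMAC stands in for the X.509 signature a real SAML token would carry.

```python
import hashlib
import hmac
import json
import time

# Constructed trust configuration (hypothetical names): the relying party knows the
# signing key of exactly one issuer, and the issuer has a per-application release policy.
ISSUER = "https://sts.contoso.example"          # trusted claims issuer (STS)
ISSUER_KEY = b"constructed-demo-signing-key"
RELYING_PARTY = "https://sharepoint.contoso.example"
TRUSTED_ISSUERS = {ISSUER: ISSUER_KEY}
RELEASE_POLICY = {RELYING_PARTY: {"name", "clearance"}}  # claims each app may receive


def issue_token(issuer, key, audience, claims, now=None):
    """Issuer side: filter claims per policy, package them, sign the package."""
    allowed = RELEASE_POLICY.get(audience, set())
    payload = {
        "iss": issuer,
        "aud": audience,
        "exp": (now if now is not None else time.time()) + 300,
        "claims": {k: v for k, v in claims.items() if k in allowed},
    }
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def validate_token(token, expected_audience, now=None):
    """Relying party side: return the claims, or raise ValueError with the reason."""
    payload = json.loads(token["body"])
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, token["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("signature mismatch")
    if payload.get("aud") != expected_audience:
        raise ValueError("token not issued for this relying party")
    if payload["exp"] < (now if now is not None else time.time()):
        raise ValueError("token expired")
    return payload["claims"]


def validation_error(token, expected_audience, now=None):
    """Return the rejection reason, or None when the token is accepted."""
    try:
        validate_token(token, expected_audience, now)
        return None
    except ValueError as exc:
        return str(exc)
```

Note that the "salary"-style attributes the user actually has never reach the application unless the issuer's policy releases them, which is the limiting-of-attributes point made above.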
Claims allow us to take identities across network boundaries in a secure and trusted way, enabling us to solve some new and exciting challenges for our customers. These challenges include federation, complex authentication requirements, as well as authorization based on not only who I am but what my clearance level is, whether I’m connecting over a secure connection or from an internet cafe, the time of day, whether I need two-factor authentication for specific systems or sites, and so on.
More to come on configuring and using claims in SharePoint 2010, and some of the limitations you may see.
-Antonio