I was at the Microsoft SharePoint 2011 Conference (SPC2011) last week and there were several hot topics presented, among them several sessions on claims and on using claims in SharePoint 2010 for interesting security-related scenarios like authentication. This topic is particularly important in the identity management space right now.
Thanks to everyone that came to my session at the conference called Using Claims for Authorization in SharePoint 2010. It appears that the PowerPoint I presented may still not be available on the Microsoft MySPC site. I have asked Microsoft to look into this and post the updated deck I provided them, but in the meantime I’ve made the deck available here for download.
Using Claims for Authorization in SharePoint 2010 (In PDF format)
(presented by Antonio Maio, TITUS on Wed, Oct 5, 2011 at Microsoft SPC 2011)
I’m planning to post several articles over the next few weeks on this topic. I’d like to start this series off by talking about the basics and giving readers a foundation for the concept of claims, and how they can be used in various business and data governance scenarios.
What is a Claim?
Sometimes claims are referred to as metadata about a user – I’ve been guilty of this one myself. To over-simplify the topic, we sometimes hear them spoken about as Active Directory attributes or LDAP attributes. People often talk about the concept of claims in a very simple manner, saying that claims represent user attributes or attributes about a user. To understand the concept, you have to view claims as an assertion that I make about myself. In other words, a claim is an attribute that I claim to have or be. For example, I can tell you that I am Canadian. I can tell you I’m a Canadian of Italian heritage. You may or may not believe me. This is something that I’m claiming about my identity. If you were to look at my passport, perhaps you’d be more inclined to believe this claim, because my passport is an official document that many agencies trust. If you were to ask someone that you trust about me, and that person happens to know me well, then you would likely be inclined to trust what they say about me.
In the digital world, a claim must be trusted by the application that depends on it. For example, SharePoint must trust a claims provider like ADFS2. An application trusts a claim about a user’s identity if it is issued to the calling application by a trusted identity provider. So when creating or deploying a claims-aware application it’s important to establish a trust relationship between that claims-aware application (the relying party) and the claims issuer (sometimes called a claims identity provider).
Claims offer us much more than just retrieving attributes from a directory. As an example, consider the scenario where a corporation’s external partner is not permitted to connect their system to the organization’s internal directory to retrieve attributes. Even if they are permitted to connect, the partner has no way of trusting those attributes because they have no way of validating them. As well, for the organization, there really is no effective way of limiting what attributes each calling application is permitted to access.
The real power of claims becomes evident when you consider the following points:
- claims are issued to applications by trusted identity providers
- these trusted identity providers can be on-premise, in the cloud, inside or outside the enterprise
- trusted identity providers can be configured to only return certain claims to specific trusted calling applications
- claims tokens are digitally signed and communicated back to the calling application using standards-based protocols (like SAML)
- claims are packaged up into tokens using standards-based formats (like WS-Federation or SAML)
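To make the trust relationship, the digital signature and the per-application claim filtering concrete, here is a small added illustration (not code from this post, from SharePoint, ADFS or WIF). It assumes an HMAC over the token body, keyed with a secret the issuer shares with each relying party, as a stand-in for the X.509 XML signatures real SAML/WS-Federation issuers use; the issuer name `corp-sts`, the relying parties `sharepoint` and `partner-portal`, the user `alice` and her attributes are all constructed sample values.

```python
"""Toy claims issuer and relying party (added example, not SharePoint/ADFS code).

Real issuers sign SAML/WS-Federation tokens with XML signatures and X.509
certificates; here an HMAC keyed with a secret shared between issuer and
relying party stands in for that signature (assumption for a self-contained demo).
"""
import base64
import hashlib
import hmac
import json
import time


class ClaimsIssuer:
    """A trusted identity provider that issues signed claim tokens."""

    def __init__(self, name, signing_key, directory):
        self.name = name
        self.signing_key = signing_key
        self.directory = directory   # user -> every attribute the directory knows
        self.rp_policy = {}          # relying party -> claim types it may receive

    def register_relying_party(self, rp_name, allowed_claims):
        """Establish trust with an application and the claims it is allowed to see."""
        self.rp_policy[rp_name] = set(allowed_claims)

    def issue_token(self, user, rp_name):
        if rp_name not in self.rp_policy:
            raise PermissionError("unknown relying party: %s" % rp_name)
        attrs = self.directory[user]
        # Release only the claims this particular relying party is permitted to see.
        claims = {k: v for k, v in attrs.items() if k in self.rp_policy[rp_name]}
        body = {"issuer": self.name, "audience": rp_name, "subject": user,
                "expires": int(time.time()) + 300, "claims": claims}
        raw = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, raw, hashlib.sha256).digest()
        return base64.b64encode(raw).decode() + "." + base64.b64encode(sig).decode()


class RelyingParty:
    """A claims-aware application that only accepts tokens from configured issuers."""

    def __init__(self, name, trusted_issuers):
        self.name = name
        self.trusted_issuers = trusted_issuers   # issuer name -> verification key

    def validate(self, token, now=None):
        """Return the claims if the token is genuine and meant for us, else raise."""
        raw_b64, sig_b64 = token.split(".")
        raw = base64.b64decode(raw_b64)
        sig = base64.b64decode(sig_b64)
        body = json.loads(raw)
        key = self.trusted_issuers.get(body.get("issuer"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("bad signature")
        if body.get("audience") != self.name:
            raise ValueError("token not issued to this application")
        if body["expires"] < (now if now is not None else time.time()):
            raise ValueError("token expired")
        return body["claims"]


def demo():
    """Issue tokens to two applications; show filtering, audience and signature checks."""
    # Constructed sample directory entry, not real data.
    directory = {"alice": {"email": "alice@example.com", "clearance": "Secret",
                           "department": "Finance", "employee_id": "E-1234"}}
    issuer = ClaimsIssuer("corp-sts", b"issuer-secret", directory)
    issuer.register_relying_party("sharepoint", ["email", "clearance"])
    issuer.register_relying_party("partner-portal", ["email"])
    sp = RelyingParty("sharepoint", {"corp-sts": b"issuer-secret"})
    partner = RelyingParty("partner-portal", {"corp-sts": b"issuer-secret"})

    sp_claims = sp.validate(issuer.issue_token("alice", "sharepoint"))
    partner_claims = partner.validate(issuer.issue_token("alice", "partner-portal"))

    # A token issued for the partner portal must not be accepted by SharePoint.
    try:
        sp.validate(issuer.issue_token("alice", "partner-portal"))
        crossed = True
    except ValueError:
        crossed = False

    # A token whose claims were altered after signing must fail the signature check.
    raw_b64, sig_b64 = issuer.issue_token("alice", "sharepoint").split(".")
    body = json.loads(base64.b64decode(raw_b64))
    body["claims"]["clearance"] = "TopSecret"
    altered = base64.b64encode(json.dumps(body, sort_keys=True).encode()).decode() + "." + sig_b64
    try:
        sp.validate(altered)
        altered_accepted = True
    except ValueError:
        altered_accepted = False
    return sp_claims, partner_claims, crossed, altered_accepted


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the division of responsibility the post describes: the directory holds four attributes, but SharePoint only ever receives the two it was registered for and the partner portal only one, and neither application needs directory access to trust what it receives, because the issuer's signature, the audience and the expiry are checked before any claim is used.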
Claims allow us to take identities across network boundaries in a secure and trusted way, enabling us to solve some new and exciting challenges for our customers. These challenges include federation, complex authentication requirements, as well as authorization based not only on who I am but on what my clearance level is, whether I’m connecting over a secure connection or from an internet cafe, the time of day, whether I need two-factor authentication for specific systems or sites, and so on.
As I mentioned there will be more posts in the near future on using claims in SharePoint 2010, and some of the possible limitations.