Introduction to Claims-based Authentication in SharePoint 2010 in plain English

Submitted by Tristan on Wed, 10/21/2009 - 11:50

Introduction

There is a lot of hype about claims based authentication, and unfortunately a lot of confusing jargon.   My goal in this post is to explain what claims based authentication means in plain English. This includes what it enables, and what it doesn’t enable. I am going to try my hardest not to use any technical terminology beyond the bare minimum.

What is authentication?

Authentication is the process of determining if someone is who they claim to be. It answers the question “Who is this guy really?”

In the Microsoft world, authentication is usually performed by Active Directory.  I claim to be Tristan, and i prove this to Active Directory by providing my password. Other systems don’t trust me, they trust Active Directory. Active Directory gives systems a bit of data that says “yeah, I personally vouch for this guy. It really is Tristan.”

Now, if everyone used the same Active Directory installation in the same environment, then that’s all we would need. Claims based authentication is not needed in a simple environment like that.

But in the real world, things are different. We face three big challenges:

  • Privacy regulations and other pieces of legislation are impacting what kind of information we are allowed to capture and store about users, so in some cases we can’t just demand that people give us all of their personal details.
  • Businesses want to interoperate with other businesses, and government organisations want to provide more integrated services to citizens. However, different systems use different authentication systems (not everyone uses Active Directory, and even when they do, they have different instances.), and businesses want to integrate in a secure, legally compliant manner.

 

What does claims based authentication do?

Claims based authentication is designed to address the two challenges mentioned above.

Claims based authentication addresses privacy and other compliance concerns by requesting less specific, less personal information about people, and by trusting other parties or systems to do the “proof of identity” check.

Imagine you have a “sell alcohol to public” ecommerce website, and you are in a country where there are only two laws, called Fantasyland. One of these laws says “alcohol may not be sold to people under 18”, and the other law says “people have a right to privacy and web sites aren’t allowed to track individual people”. (If the law was this simple in real life we wouldn’t need lawyers!)

We’ve got two competing concerns here. Firstly we need to ensure that a user is of legal age, while at the same time we’re not allowed to know who that user is! (Again, I blame the lawyers of Fantasyland).

It turns out that in Fantasyland, the Government has set up a web service that users log on to, which authenticates them based on their citizenId and citizenPassword. It then is able to tell other systems that a user is above 18 or not, without revealing who that user is.

So we implement our “sell alcohol to public” website by building a claims-aware system. Instead of building the standard “username and password” login mechanisms, we simply ask the Government’s web service to tell us if the user browsing our site is over 18. The claim that our system uses is a “userIsOver18” claim, and the claim value is either yes or no. We simply don’t build any authentication system at all beyond a simple “if (userIsOver18) then..“ statement.

By doing this, we address privacy concerns – we don’t know or keep personally identifiable information – while at the same time ensuring that we don’t sell alcohol to someone under 18.

Claims based authentication addresses integration of different systems by allowing communications using open standards, and by providing a platform for developing more specialised ‘identity connectors’ between systems.

What won’t it do for me?

Claims based authentication won’t address the lifecycle management of identity information. You’ll need a broader solution to that, but your solution may integrate with claims based authentication systems. How do you deal with new staff? How do you handle staff who are on long service leave? How do you handle fake accounts? Microsoft would like you to use their Identity Lifecycle Management application for this kind of thing.

I’m going to be a little controversial here, and point out what I believe the biggest limitation of claims based authentication. I believe that what enterprise customers really need is claims based authorization.  Claims based authentication may let our system know that a user is a contractor from a partner company, but it alone won’t let me specify a rule that says “all of my company’s financial spreadsheets must not be seen by contractors”. Not only does claims based authentication not provide this capability, but neither do the role-based access controls provided by SharePoint. In fact SharePoint’s role-based access control model itself is too limited to address this. It still needs substantial improvements.

The way industry is addressing this is by producing “entitlement management” systems, for specifying access control rules. Microsoft’s current solution, in my opinion, is strongly deficient in this regard. Yes, you can specify per item permissions for each individual financial spreadsheet. But this imposes such a high maintenance overhead that it is unworkable in practice. In my opinion companies like Oracle are well ahead of Microsoft in this field, but by no means does anyone have a complete turn-key solution.

How is it implemented?

The claims-based authentication implementation has a number of components. In simplified terms here’s how the pieces of technology fit together.

  • From a developer’s point of view, the platform that Microsoft is providing is called the Windows Identity Foundation. This used to be called the Geneva framework. It provides a programming library suitable for building claims-aware applications. This library is also used by SharePoint 2010.
  • Active Directory Federation Services implements services to create, accept, and transform tokens that contain claims.
  • Cardspace provides a user interface for users to select which “identity card” they wish to use for a particular system

Next article

In the next article I will go into more detail about the implementation of Claims-based authentication in SharePoint 2010. Let me know what you thought of this article, and if you'd like to see focus on any particular aspect.

Comments

Submitted by Nomo (not verified) on Thu, 06/24/2010 - 08:45.

Nice article, it is easy to

Nice article, it is easy to undestand.

Submitted by Anonymous (not verified) on Wed, 06/23/2010 - 17:31.

very nice article. please

very nice article. please give me a walkthrough of claim based authentication

Submitted by Anon (not verified) on Wed, 04/21/2010 - 02:31.

Good article, but there's one

Good article, but there's one thing that doesn't really make sense.  In your scenario, you propose that the date of birth could be linked to the username to verify a user is over 18.  Later in the article, you say that this system cannot be used for authorization.  Aren't these two things somewhat contradictory?  If you can link the user's ID to a date of birth, you could also have the system set up so it can verify whether or not the user is, say, a contractor (to use your example) - just add another field for data regarding the user's job.The only thing that I'm kind of unsure about here is this:  Isn't this basically just like SSO with AD?  A business has a system set up where they log in once, and all their intranet stuff just checks their info against AD, and can verify other information like job title and whatnot with LDAP.  As far as I can tell, the only difference from your example is that a web service is being used to communicate with an external server.

Submitted by Vishal Varshney (not verified) on Tue, 04/13/2010 - 13:48.

You have given a scenario to

You have given a scenario to validate user's claim of age more than 18 years without disclosing the identity that the user is. I couldn't understand this because if the user will log on to the site using an ID, server will know who the user is then you can check whether the user is over 18 or not. The scenario which I mentioned is authorization which we normally perform after the user is authenticated then where does claims based authentication fits in? Please can you explain this. Thanks!

Submitted by Tristan on Fri, 04/16/2010 - 23:32.

Vishal, thank you for the

Vishal, thank you for the feedback!

In this scenario, there are two servers owned by two different organisations. The government-owned server does indeed need to know who the user is to determine that he or she is above 18. The government server could have a database which maps user ids to date birth, for example.

The other server, running inside a private company, on the other hand, does not need to know who the user is. In a claims based authentication scenario, the private company's server is configured to trust the claim made by the government server. This trust says "I believe the government server when it asserts that the user is over 18". The government server could be configured NOT to provide any other identity information to the private company server; the only claim being passed is the age-related one.

The private company's server will establish a session for the specific user, but will not know anything about the user except for this one claim. As a result, privacy is enforced and the business logic necessary on the private company's server is simplified.

Submitted by mannisto (not verified) on Mon, 05/24/2010 - 18:36.

Good generalised text.The

Good generalised text.The only thing is that if one is running eCommerce webshop and providing products from it it may be that business will need some more information about the purchase and user than just the Age.  Inevidantly business will need to collect information conserning Privacy issues still about the user.And you are wrong in conclusion that system can rely on information that user is who he claims to be if no other stronger mecanisms are used.  This is classic talks. Clam based method still needs authetification and ´claming´ can be done after it when talking about real world.  Of course if you connect identity federation into this achitecture your example is complete.I understand that you provided an example without full solutions.Claim based method is nicely explained in it.J 

Submitted by Anonymous (not verified) on Mon, 03/29/2010 - 21:10.

Thanks for the great

Thanks for the great simplicity!

Submitted by Riaz (not verified) on Sat, 03/27/2010 - 20:51.

Wonderful article, you

Wonderful article, you explained it in simple english. Thanks for the article, I will be tracking your articles from here on.

Submitted by Anonymous (not verified) on Fri, 12/11/2009 - 04:51.

Best series I have seen thus

Best series I have seen thus far is the 30 or so at sharepointsecurity.com:

http://www.sharepointsecurity.com/category/sharepoint/claims-based-authe...

Submitted by Anonymous (not verified) on Tue, 04/20/2010 - 05:59.

Great article ! You can also

Great article ! You can also find interesting articles on claims here : http://www.pascalbonheur.com/2010/03/claims-based-authorization-in-sharepoint-2010-real-life-example-part-1/

Most Popular

Using Office Outlook 2010 with Lotus Notes backend connector (DAMO) on Windows 7.
25 weeks 1 day ago
Introduction to Claims-based Authentication in SharePoint 2010 in plain English
40 weeks 17 hours ago
Firewall rules and protocol usage
1 year 7 weeks ago
Access Control with SharePoint Groups
1 year 9 weeks ago
Using the People Picker Editor picker control
1 year 4 weeks ago
Section 508 Compliance with SharePoint
1 year 1 week ago
Authentication options
1 year 2 weeks ago
SharePoint Templates
48 weeks 3 days ago