Claims-Based Authentication (CBA)
Claims-based identity/authentication/authorization is about separating the maintenance of user authorizations and user sign-in out of a (web) application, by turning authentication/authorization into a separate (web) service.
So for example, when you browse to a claims-enabled web application for the first time, it will redirect you browser to a 'logon service' which it trusts if annonymous access is disabled. It will authenticate user to that service (using Windows authentication, a smart card, or whatever), and in response it sends back a 'token', which the browser sends back to the web application. Now the web application checks that the token is digitally signed by its trusted logon service, and then looks at the 'claims' in the token. Based purely on those claims, the application decides what functionality the user is offered.
The claims will almost always include the user's identity, often there are also authorization-related claims
SharePoint 2013 and SharePoint 2010 display claims are coded in following format:
"IdentityClaim":0"ClaimType""ClaimValueType""AuthMode"|"OriginalIssuer (optional)"|"ClaimValue"
Where:
- "IdentityClaim" indicates the type of claim and is the following:
- “i” for an identity claim
- “c” for any other claim.
- "ClaimType" indicates the format for the claim value and is the following:
- “#” for a user logon name
- “.” for an anonymous user
- “5” for an email address
- “!” for an identity provider
- “+” for a Group security identifier (SID)
- “-“ for a role
- “%” for a farm ID
- “?” for a name identifier
- "\" for a private personal identifier (PPID)
- "ClaimValueType" indicates the type of formatting for the claim value and is the following:
- “.” for a string
- “+” for an RFC 822-formatted name
- "AuthMode" indicates the type of authentication used to obtain the identity claim and is the following:
- “w” for Windows claims (no original issuer)
- “s” for the local SharePoint security token service (STS) (no original issuer)
- “t” for a trusted issuer
- “m” for a membership issuer
- “r” for a role provider issuer
- “f” for forms-based authentication
- “c” for a claim provider
- "OriginalIssuer" indicates the original issuer of the claim.
- "ClaimValueType" indicates the value of the claim in the "ClaimType" format.
Here are some places in SharePoint where you will see claims encoding (please add to this list):
- In the display of user sign-in information on a SharePoint 2010 Products web site
- In the "Authentication Authorization" log entries in the Unified Logging Service (ULS) log files for SharePoint 2013
Here are some examples:
- Windows User (i:0#.w|
\ ) - “i” for an identity claim
- “#” for the user logon name format for the claim value
- “.” for a string
- “w” for Windows claims
- “
\ ” for the identity claim value (the Windows account name)
- Windows Authenticated Users group(c:0!.s|windows)
- “c” for a claim other than identity
- “!” for an identity provider
- “.” for a string
- “s” for the local SharePoint STS
- “windows” for the Windows Authenticated Users group
- SAML authentication (Trusted User)(i:05.t|adfs|
) - “i” for an identity claim
- “5” for the email address format for the claim value
- “.” for a string
- “t” for a trusted issuer
- “adfs” identifies the original issuer of the identity claim
- “
” for the identity claim value
- Forms-based authentication(i:0#.f|mymembershipprovider|
) - “i” for an identity claim
- “#”for the user logon name format for the claim value
- “.” for string
- “f” for forms-based authentication
- “mymembershipprovider” identifies the original issuer of the identity claim
- “
” for the user logon name
.png)
0 comments:
Post a Comment