Tuesday, March 26, 2013

SharePoint 2013 - Security model, Authentication and Authorization

SharePoint 2013 supports both claims-based and classic-mode authentication. Claims authentication is the default. Classic-mode authentication is deprecated and can be managed only through Windows PowerShell.
The Migrate User method from SharePoint 2010 has been removed; accounts are migrated with Windows PowerShell commands instead.
SharePoint 2013 also provides more logging for troubleshooting.
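The following PowerShell is an added example (not from the original post) that shows the claims versus classic distinction in practice: it reports each web application's mode, converts a classic-mode web application to claims, and moves one account to a new claims login, which is the cmdlet-based replacement for the removed 2010 migrate-user call. The URL, domain and user names are placeholders, and the cmdlets used (Get-SPWebApplication, Convert-SPWebApplication, Get-SPUser, Move-SPUser) are the SharePoint 2013 ones.

```powershell
# Added example (not from the original post): inspect each web application's
# authentication mode and convert a classic-mode web application to claims.
# Assumptions: the SharePoint 2013 snap-in is available; the URL, domain and
# user names below are placeholders for this illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Report which web applications still run classic mode
#    (UseClaimsAuthentication = False). Classic mode has no UI in 2013, so
#    this is how you find it.
Get-SPWebApplication | Select-Object DisplayName, Url, UseClaimsAuthentication

# 2. Convert a classic-mode web application to claims. -RetainPermissions keeps
#    existing permissions while identities are rewritten to claims form.
#    The conversion is one-way: back up the content databases first.
$webAppUrl = "http://intranet.contoso.local"   # placeholder
Convert-SPWebApplication -Identity $webAppUrl -To Claims -RetainPermissions -Force

# 3. Verify: after conversion every user login is in claims-encoded form,
#    for example i:0#.w|contoso\alice for a Windows account.
Get-SPUser -Web $webAppUrl | Select-Object DisplayName, UserLogin

# 4. Migrate a single account whose login changed (for example renamed in AD).
#    Move-SPUser is the PowerShell replacement for the removed 2010 method.
#    -IgnoreSID is needed when the new login is not backed by the same SID.
$user = Get-SPUser -Web $webAppUrl -Identity "i:0#.w|contoso\alice"      # placeholder
Move-SPUser -Identity $user -NewAlias "i:0#.w|contoso\alice.smith" -IgnoreSID -Confirm:$false
```

Run steps 1 and 3 first on a test farm; step 2 cannot be reversed, and step 4 rewrites the user's permissions, alerts and profile references to the new login.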

For apps in SharePoint 2013, a new identity is created and associated with a security principal called the "app principal". Like regular SharePoint users and groups, an app principal has certain rights and permissions.

A server-to-server security token service (STS) provides access tokens for server-to-server communication. The server-to-server STS grants temporary access to other services, such as apps for SharePoint.

Authentication and Authorization:
SharePoint 2013 supports access control for users at the site, list, list item and folder level. Security management is role-based at every level, giving consistent security management across SharePoint. Like SharePoint 2010, SharePoint 2013 supports a role-based user interface and object model for assigning permissions, so list-level, item-level and folder-level security are easy to maintain because they implement the same model as website-level security.

Authorization means that SharePoint has identified and authenticated the current user and now decides which actions that user can perform on a specific object such as a list, library, site, web or folder. SharePoint 2013 does not implement its own authentication or identity management; it relies on external systems, whether Windows or non-Windows authentication.
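An added PowerShell example (not from the original post) of the role-based model described above: a list stops inheriting the site's permissions, one user is granted the Read role on that list only, and the user's effective permission mask is checked the way SharePoint does at authorization time. The site URL, list title, login name and role names are placeholders; the object model members used (BreakRoleInheritance, SPRoleAssignment, RoleDefinitionBindings, GetUserEffectivePermissions, SPBasePermissions) are the SharePoint server object model.

```powershell
# Added example (not from the original post): break a list's permission
# inheritance, grant one user Read on that list only, and check the effective
# permissions. Assumptions: site URL, list title, login and role names are
# placeholders; the login is in claims-encoded form.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl   = "https://intranet.contoso.local/sites/hr"   # placeholder
$listTitle = "Documents"                                  # placeholder
$login     = "i:0#.w|contoso\alice"                       # placeholder

$web = Get-SPWeb $siteUrl
try {
    $list = $web.Lists[$listTitle]

    # Stop inheriting from the site. $true copies the site's current role
    # assignments so nobody loses access by accident; prune them afterwards.
    if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($true) }

    # A role assignment = a principal plus one or more role definitions
    # (permission levels). Same object model at web, list, folder and item.
    $user = $web.EnsureUser($login)
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $list.RoleAssignments.Add($assignment)

    # Authorization check: the effective mask combines every assignment that
    # applies to the user directly or through a group.
    $effective = $list.GetUserEffectivePermissions($user.LoginName)
    $canRead = $effective.HasFlag([Microsoft.SharePoint.SPBasePermissions]::ViewListItems)
    $canEdit = $effective.HasFlag([Microsoft.SharePoint.SPBasePermissions]::EditListItems)
    "{0}: read={1} edit={2}" -f $user.LoginName, $canRead, $canEdit

    # Audit view: who holds what on this unique scope.
    foreach ($ra in $list.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
        "{0} -> {1}" -f $ra.Member.Name, $roles
    }
}
finally {
    $web.Dispose()   # SPWeb holds unmanaged resources; always dispose
}
```

The same pattern applies to a folder or an item: replace `$list` with `$list.RootFolder.Item` or `$list.GetItemById($id)`, since all of them expose the same SPSecurableObject members.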

SharePoint 2013 supports the following authentication methods:

Windows authentication: All IIS and Windows authentication options are supported: Basic authentication, Digest authentication, certificate authentication, NTLM and Kerberos. Windows authentication lets IIS perform the authentication for SharePoint 2013.

Forms authentication: A non-Windows authentication system that uses ASP.NET forms-based authentication. This mode can work with a variety of identity management systems, including externally defined groups or roles such as LDAP and lightweight database identity management systems. Forms authentication lets ASP.NET perform the authentication for SharePoint. In SharePoint 2013, ASP.NET forms authentication is supported only with claims authentication. The forms provider must be registered within the web application that is configured for forms authentication.
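An added PowerShell example (not from the original post) that configures both authentication methods just described on one claims web application: a Windows provider using Kerberos and an ASP.NET forms provider, applied together to the Default zone. The URL and the provider names "FbaMembers" and "FbaRoles" are placeholders; the cmdlets (New-SPAuthenticationProvider, Set-SPWebApplication, Get-SPAuthenticationProvider) are SharePoint 2013 cmdlets. Registering the membership and role providers in web.config, which the forms provider requires, is not shown here.

```powershell
# Added example (not from the original post): put a Windows (Kerberos) provider
# and an ASP.NET forms provider on the Default zone of a claims web application.
# Assumptions: URL and provider names are placeholders. The FBA membership and
# role providers must also be declared in the web.config of the web application,
# the SecurityTokenServiceApplication and Central Administration (not shown).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://intranet.contoso.local"     # placeholder

# Windows claims provider. With no switches New-SPAuthenticationProvider uses
# NTLM; -UseKerberos requires the application pool account's SPN to be registered.
$windowsProvider = New-SPAuthenticationProvider -UseKerberos

# Forms provider: the names must match the <membership> and <roleManager>
# provider entries in web.config, otherwise sign-in fails at the STS.
$fbaProvider = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "FbaMembers" `
    -ASPNETRoleProviderName  "FbaRoles"

# Apply both providers to the Default zone. With more than one provider on a
# zone, users get a sign-in selector page.
Set-SPWebApplication -Identity $webAppUrl -Zone Default `
    -AuthenticationProvider $windowsProvider, $fbaProvider

# Verify what the zone now advertises.
Get-SPAuthenticationProvider -WebApplication $webAppUrl -Zone Default
```

Only the Windows provider is required for claims mode; drop `$fbaProvider` from the `-AuthenticationProvider` list if forms sign-in is not needed on that zone.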

Claims-based identity and authentication:
Claims-based identity is an identity model in SharePoint that includes features such as authentication across users of Windows-based and non-Windows-based systems, and support for multiple authentication types.

When a user signs in to SharePoint 2013, the user token is validated and used to sign in to SharePoint. Here the user token is a security token provided by a claims provider. The following sign-in access modes are supported:

  • Windows Claims mode sign-in
  • SAML passive sign-in mode
  • ASP.NET membership and role sign-in
  • Windows classic mode sign-in
When you build claims-based applications, the user presents an identity to the application as a set of claims. One claim could be the user name, another might be the e-mail address.
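An added PowerShell example (not from the original post) that makes the "identity as a set of claims" concrete: it builds a claims principal for a Windows account, shows the encoded login string SharePoint stores for it, and decodes such strings with a small helper. The helper ConvertFrom-EncodedClaim is this example's own function, not a SharePoint API, and it knows only the common prefix characters; the domain, provider and user names, including the constructed forms and trusted-provider strings, are placeholders. New-SPClaimsPrincipal and ToEncodedString are the SharePoint 2013 cmdlet and object-model method.

```powershell
# Added example (not from the original post): create a claims principal and
# decode the encoded login names SharePoint uses once claims mode is on.
# Assumptions: names are placeholders; ConvertFrom-EncodedClaim is a helper
# written for this example and covers only the common prefix characters.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Windows account: the identity claim is the SAM account name.
$winUser = New-SPClaimsPrincipal -Identity "contoso\alice" -IdentityType WindowsSamAccountName
$winUser.ToEncodedString()          # i:0#.w|contoso\alice

# A principal can also be rebuilt from an already-encoded string, for example
# one copied from Get-SPUser output (constructed forms-user value here).
$fbaUser = New-SPClaimsPrincipal -Identity "i:0#.f|fbamembers|bob" -IdentityType EncodedClaim
$fbaUser.Value                      # bob

function ConvertFrom-EncodedClaim {
    # Splits "<i|c>:0<claimtype><valuetype><provider>|[providername|]<value>"
    # into its parts so audit output is readable. Helper for this example only.
    param([string]$Encoded)

    $claimTypes = @{ '#' = 'logon name'; '5' = 'e-mail address'; '-' = 'role' }
    $providers  = @{ 'w' = 'Windows'; 'f' = 'Forms (ASP.NET membership)'; 't' = 'Trusted (SAML)' }

    $parts  = $Encoded.Split('|')
    $header = $parts[0]                       # e.g. "i:0#.w"
    if ($header.Length -lt 6 -or $header[1] -ne ':') { throw "Not an encoded claim: $Encoded" }

    $claimType = $claimTypes[[string]$header[3]]
    $provider  = $providers[[string]$header[5]]
    if (-not $claimType) { $claimType = 'unknown' }
    if (-not $provider)  { $provider  = 'unknown' }
    # Windows logins carry no provider-name segment; forms and trusted logins do.
    $providerName = if ($parts.Count -gt 2) { $parts[1] } else { '' }

    [pscustomobject]@{
        IsIdentityClaim = ($header[0] -eq 'i')   # 'c' = a non-identity claim, e.g. a role
        ClaimType       = $claimType
        ProviderKind    = $provider
        ProviderName    = $providerName
        Value           = $parts[-1]
    }
}

# Constructed sample logins: Windows user, forms user, and a role claim issued
# by a trusted SAML provider (the kind that appears in group-style grants).
"i:0#.w|contoso\alice", "i:0#.f|fbamembers|bob", "c:0-.t|adfs|Managers" |
    ForEach-Object { ConvertFrom-EncodedClaim $_ } | Format-Table -AutoSize
```

The decoder is useful when reviewing permission reports: an entry whose IsIdentityClaim is false and whose ClaimType is 'role' is a group-style grant from the external provider, not a single user, which changes how wide the access really is.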

Under this model, single sign-on is much easier to achieve, and the application is no longer responsible for the following:
  • Authenticating users
  • Storing user accounts and passwords
  • Integrating with other platforms or other systems

Forms-Based Authentication:
Forms-based authentication provides custom identity management in SharePoint 2013 by implementing a membership provider, which is used to identify and authenticate users, and a role manager. In SharePoint 2013 the membership provider must implement the System.Web.Security.Membership.ValidateUser method, and it is responsible for validating the credential information through that method. The actual token, however, is created by the security token service (STS). The STS creates the user token from the user name validated by the membership provider and from the set of group memberships associated with that user name, which the membership provider also supplies. In ASP.NET membership, sign-in happens by redirecting the client to the web page where the ASP.NET log-in credentials are collected. After the identity is created, SharePoint 2013 converts it into a Microsoft.IdentityModel.Claims.ClaimsIdentity object as the claims-based representation of the user.
