We are now starting a series of blog articles with our guest blogger Antonio Maio from Titus. Antonio Maio is a Senior Product Manager and writes a blog about metadata security and classification in SharePoint.
In this series of blog articles, Antonio will go in depth on using "claims" in SharePoint. In this first article he covers the basics, giving an understanding of the concept of claims and how it can be used in different organizations.
Sometimes claims are referred to as metadata about a user – I’ve been guilty of this one myself. To over-simplify the topic, we sometimes hear them spoken about as Active Directory attributes or LDAP attributes. People often talk about the concept of claims in a very simple manner, saying that claims represent user attributes or attributes about a user. To understand the concept, you have to view a claim as an assertion that I make about myself. In other words, a claim is an attribute that I claim to have or be. For example, I can tell you that I am Canadian. I can tell you I’m a Canadian of Italian heritage. You may or may not believe me. This is something that I’m claiming about my identity. If you were to look at my passport, perhaps you’d be more inclined to believe this claim, because my passport is an official document that many agencies trust. If you were to ask someone whom you trust about me, and that person happens to know me well, then you would likely be inclined to trust what they say about me.
In the digital world, a claim must be trusted by the dependent application. For example, SharePoint must trust a claims provider like ADFS2. An application trusts a claim about a user’s identity only if it is issued to the calling application by a trusted identity provider. So when creating or deploying a claims-aware application, it’s important to establish a trust relationship between that claims-aware application (the relying party) and the claims issuer (sometimes called a claims identity provider).
Claims offer us much more than just retrieving attributes from a directory. As an example, consider the scenario where a corporation’s external partner is not permitted to connect their system to the organization’s internal directory to retrieve attributes. Even if they are permitted to connect, the partner has no way of trusting those attributes, because they have no way of validating them. Moreover, the organization has no effective way of limiting which attributes each calling application is permitted to access.
The real power of claims becomes evident when you consider the following points:
Claims allow us to take identities across network boundaries in a secure and trusted way, enabling us to solve some new and exciting challenges for our customers. These challenges include federation, complex authentication requirements, and authorization based not only on who I am but on what my clearance level is, whether I’m connecting over a secure connection or from an internet café, the time of day, whether I need two-factor authentication for specific systems or sites, and so on.
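The two ideas above, that a relying party only honours claims from an issuer it trusts and that it can then authorize on what those claims assert (clearance, connection security, two-factor authentication) rather than on identity alone, as an added toy model. This is illustrative code written for this post, not SharePoint or ADFS code; the claim types, issuer names and clearance ordering are constructed assumptions.

```python
"""Toy model of a claims-aware relying party (added example, not from the original post)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Tuple

@dataclass(frozen=True)
class Claim:
    claim_type: str   # what is being asserted, e.g. "clearance" (constructed name)
    value: str        # the asserted value
    issuer: str       # who vouches for the assertion; "self" = the user's own word

# Assumed ordering of clearance levels, lowest to highest (constructed).
CLEARANCE_ORDER = ["public", "internal", "confidential", "secret"]


def trusted_claims(claims: Iterable[Claim], trusted_issuers: set) -> dict:
    """Keep only claims issued by a trusted issuer; anything self-asserted or from
    an unknown issuer is dropped, exactly like a passport vs. an unverified story."""
    kept = {}
    for claim in claims:
        if claim.issuer in trusted_issuers:
            kept[claim.claim_type] = claim.value
    return kept


def authorize(claims: Iterable[Claim], trusted_issuers: set,
              required_clearance: str, require_mfa: bool = True) -> Tuple[bool, str]:
    """Decide access to a resource that needs `required_clearance`, a secure
    connection and (optionally) two-factor authentication. Returns (allowed, reason)."""
    facts = trusted_claims(claims, trusted_issuers)
    level = facts.get("clearance")
    if level not in CLEARANCE_ORDER:
        return False, "no clearance claim from a trusted issuer"
    if CLEARANCE_ORDER.index(level) < CLEARANCE_ORDER.index(required_clearance):
        return False, f"clearance {level} below required {required_clearance}"
    if facts.get("connection") != "secure":
        return False, "connection not asserted as secure"
    if require_mfa and facts.get("mfa") != "true":
        return False, "two-factor authentication not asserted"
    return True, "allowed"


# Constructed sample: the user claims "secret" about themselves, but the trusted
# issuer (placeholder name) only vouches for "internal".
TRUSTED_ISSUERS = {"adfs.example"}
SAMPLE_CLAIMS = [
    Claim("clearance", "secret", "self"),
    Claim("clearance", "internal", "adfs.example"),
    Claim("connection", "secure", "adfs.example"),
    Claim("mfa", "true", "adfs.example"),
]

if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, TRUSTED_ISSUERS, "internal"))  # (True, 'allowed')
    print(authorize(SAMPLE_CLAIMS, TRUSTED_ISSUERS, "secret"))    # denied: self-asserted claim ignored
```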
As I mentioned there will be more posts in the near future on using claims in SharePoint 2010, and some of the possible limitations.
Part 2: Configuring the Realm - Using SharePoint 2010 with ADFSv2 to retrieve claims
The next article in the series will be published in a few days.
Recommended whitepapers (free of charge):
Enhancing Microsoft SharePoint Security
SharePoint Security: Harness the power of claims to protect information
You can read the original article on the Titus SharePoint Blog.