Follow me on Twitter @AntonioMaio2

Thursday, April 19, 2012

Welcome - Launching

Hello and welcome to my new blog at  This is my first post on this blog and I thought I would share a little bit about myself and talk about some of my technology interests as they relate to SharePoint.  As well, I'll point to some of my recent blog postings at TITUS where I work.  Going forward I'll contribute both to this blog, and to the TITUS SharePoint blog.

I am a first time Microsoft MVP for SharePoint Server.  I just recently received this award which was a big surprise and a great honour!  I'm a Senior Product Manager at TITUS responsible for the TITUS Security Suite for SharePoint and for the common information protection platform across all the TITUS solutions.

My technology interests include information security, assertions/claims and the trusted identity space, cryptography, federated identity, SAML, OAUTH and the like.  I'm also interested in information protection policy, a number of technologies available around that, and how they might be used to provide better security within SharePoint and the Windows desktop.  My personal interests include oil painting, my family, and some outdoor projects around my home.

Over the last 2 years, I have been blogging about information security in SharePoint 2010, the use of claims for authentication and authorization, permissions management in SharePoint, using Active Directory Federation Services version 2.0, and federated identity topics.  I've given several conference sessions at SharePoint conferences in North America and Europe, including the Microsoft SharePoint Conference in October 2011 in Anaheim, CA.  Here are just a few of my favorites from my previous blog postings:

What are Claims – Using Claims in SharePoint

Sometimes claims are referred to as metadata about a user – I’ve been guilty of this one myself.  To over-simplify the topic, we sometimes hear them spoken about as Active Directory attributes or LDAP attributes. People often talk about the concept of claims in a very simple manner, saying that claims represent user attributes or attributes about a user.  To understand the concept, you have to view claims as an assertion that I make about myself.  In other words, a claim is an attribute that I claim to have or be.  For example, I can tell you that I am Canadian.  I can tell you I’m a Canadian of Italian heritage.  You may or may not believe me.  This is something that I’m claiming about my identity.  If you were to look at my passport, perhaps you’d be more inclined to believe this claim, because my passport is an official document that many agencies trust.  If you were to ask someone that you trust about me, and that person happens to know me well, then you would likely be inclined to trust what they say about me. In the digital world, a claim must be trusted by the dependent application or relying party application.

To read more, check out the full blog here.

An Architecture for Claims Based Authorization in SharePoint

I’ve spoken to many people recently about enabling Microsoft SharePoint 2010 to work with Claims to enhance both Authentication and Authorization in SharePoint. I’m finding that many people are still trying to figure out where all the pieces fit in a SharePoint architecture that makes use of claims – there are new concepts to understand and often new infrastructure to be configured. Overall the concepts tend to be easier to understand than people realize once they dig into them a little. This article is designed to explain the concepts and applications required in one example of a SharePoint 2010 architecture which enables Claims Based Authentication and Authorization. Let’s start with a diagram of what a SharePoint server architecture that uses Claims can potentially look like.

To read more, check out my full blog here.


Configuring SharePoint 2010 with ADFSv2 to Retrieve Claims

When configuring SharePoint 2010 for claims based authentication or authorization you typically need to connect to an identity provider to retrieve user attributes as claims. To really see all the benefits of claims in the enterprise, we need to ensure that our SharePoint Server trusts the claims it’s receiving, and that often means configuring it to connect to a “trusted identity provider”. One such server application that can act as a trusted identity provider is Microsoft Active Directory Federation Services version 2.0 (ADFSv2). ADFSv2 is often also referred to as a ‘secure token server’ because it plays the role of retrieving user attributes from Active Directory (or some other LDAP directory or data store), wrapping them up in a SAML token, digitally signing that token and returning it to the calling application – in this case SharePoint 2010. Configuring ADFSv2 in such scenarios can be tricky and unforgiving, and this article focuses on 1 particular part of that configuration – the Realm.

To read more, check out my full blog here.

Part 1: Claim Rules - Claims Based Security in SharePoint 2010 with ADFSv2

In general, claim rules can be used to centrally evaluate, transform or augment claims before they are returned to a relying party application like SharePoint. Microsoft Active Directory Federation Services version 2.0 (ADFSv2) can act as a trusted identity provider to SharePoint and other relying party apps.  It provides a great interface with templates for creating and editing claim rules as part of its management console.  As well, it provides a ‘claim rule language’ that can be used to configure detailed policies with very specific conditions. This allows us to configure specific claims to be retrieved under very specific conditions, and thereby enforce very specific security policies for authentication and authorization.
This series of articles talks in detail about how to use this mechanism to enforce dynamic access control policies within SharePoint 2010, and it illustrates how these policies relate to particular industries and regulations in SharePoint.

To read more, check out my full blog here.

Part 2: Claim Rule Language - Claims Based Security in SharePoint with ADFSv2

In a recent post I introduced the concept of claim rules within Microsoft Active Directory Federation Services 2.0 (ADFSv2) and the templates it provides.  Claim rules can be used to easily evaluate, transform or augment claims before they are returned to a relying party application like SharePoint.  In this post, the second in the series, we dive into ADFSv2’s Claim Rule Language and how it can be used to issue claims under more specific conditions, retrieve attributes from external data sources and implement some unique scenarios. This post is only going to deal with ‘issuing outgoing claims’.  These are claims that ADFSv2 will return to a relying party application.  It is important to note that ADFSv2 has a set of incoming claims (and those can be configured) that our claim rules will refer to as part of their conditions, and it has a set of outgoing claims that will be returned to SharePoint in this case.

To read more, check out my full blog here.

Part 3: Checking Multiple Groups - Claims Based Security in SharePoint with ADFSv2

Implementing claims based authorization in SharePoint 2010 provides great alternatives to using security groups in order to control access to sensitive content in SharePoint.  Traditionally, security groups have been used to restrict access to content or to enforce a role based security mechanism.  However, organizations are quickly finding that security groups, whether they are SharePoint groups or Active Directory groups, do not scale well in large enterprise environments.  Many enterprises already have large numbers of groups deployed, so how can those organizations still make use of those groups to enforce advanced security policies without complicating group management further?  As well, how can they check membership to multiple groups in order to allow access to sensitive content? This article focuses on using claim rules in Active Directory Federation Services version 2 (ADFSv2) as an efficient mechanism to enforce security policies in SharePoint based on group membership.

To read more, check out my full blog here.

Building a Custom Claim Provider to Manage Security Clearances

Microsoft SharePoint 2010, with its built-in support for retrieving trusted attributes about a user upon login (or what is commonly referred to as claims), can be used to authenticate users and authorize access to content. As I’ve written about previously, this allows businesses to implement new and interesting information protection policies. SharePoint also allows us to build and deploy custom claim providers that can retrieve attributes from a wide variety of sources and transform them in order to enforce specific policies within SharePoint. This article will walk through a simple example of building a custom claim provider and review some of the technical considerations that need to be taken into account.

To read more, check out my full blog here.

Using AD Groups in a Claims Based Web Application

I ran across an interesting little side effect of altering my claims enabled web application in SharePoint 2010 the other day that I thought would be useful for others to know about. The situation has to do with accessing AD Groups from within the SharePoint people picker in a claims enabled environment.

To read more, check out my full blog here.

RSA 2012 Wrap Up and Observations – Identity is Critical for Authorization

Reflecting on the incredible conference that was RSA 2012 last week, you can easily see how Identity has become critical to implementing real-world authorization scenarios in many businesses and government/military departments. There were many hot topics at RSA this year including: Cloud, Mobile and of course APTs (advanced persistent threats). With 22,000 attendees it was easy to get overwhelmed with the myriad of sessions and solution providers. However, Identity or using aspects of a user’s identity specifically for authorizing access to information or resources was everywhere. I gave a session at RSA this year entitled Using Claims for Authorization in SharePoint, MS Outlook, Windows 8 and the Cloud. Thanks to everyone that attended. Keep reading to access my presentation deck from that session.

To read more, check out my full blog here.

Thanks for reading.  Let me know if you find any of the topics particularly interesting, if you have any comments, or if you'd like to see some specific topics covered in new articles.