
Saturday, March 7, 2015

SharePoint Saturday Dallas: Developing Custom Claim Providers to Enable Authorization in SharePoint

Thanks to everyone that attended my session today at SharePoint Saturday DFW.  It was great to present on a development oriented topic, which I haven't done in a while.  We had a nice group and I was very happy to get to talk to some of you afterwards.

As promised, the slides can be found here:

Developing Custom Claim Providers to Enable Authorization in SharePoint
If you have any other questions, please feel free to reach out to me either here or on Twitter at: @AntonioMaio2.  I'd be happy to connect.

Thanks again,
   -Antonio

From the Archives: How do I know which claims were retrieved?

[Originally posted April 2013 - I've been asked a few questions on this recently so thought it was worth reposting.  Screen shots are from SharePoint 2010, but this still works in 2013. Enjoy!]


Many people know that I do a lot of work with claims in SharePoint.  Claims based authentication was introduced in SharePoint 2010 for the purpose of both authentication and authorization.  SharePoint 2013 has only strengthened its use of claims by making Claims Based Authentication the default authentication mechanism and relegating Classic Mode Authentication to something that can only be configured through PowerShell.


For a while, I've been a big proponent of using claims based authentication/authorization in general, and I tend to specialize in using claims for various security related purposes within SharePoint.  When working on enforcing security policies in SharePoint, you often get into a situation where you need to figure out why a particular policy is not doing what you expected it to do.  Sometimes it's simply because the correct claim types or claim values were not retrieved.  Likewise, sometimes you need to figure out why your claims based authentication is not working the way you expected; again, this can simply be because the claim values returned were not configured correctly for the user that is logging in.


The question is: when logged into SharePoint, how do I know which claims were retrieved?



To answer this, there is a free tool available from Microsoft that has been indispensable in helping with this kind of analysis.  The tool was created by Steve Peschka of Microsoft, so big shout out to him for writing it and making it freely available.  It's called the "SharePoint Claims Web Part".  A few people have been asking me about it recently.  It's a pretty simple process, but I thought a blog post that goes into detail about where you get it and how you configure it would be useful.

Download

First, the web part must be downloaded from here. 

Install to the GAC

The next step is to install the included DLL to the GAC:

1. Copy "SharePointClaims.dll" to each SharePoint web front end server in the farm (e.g. c:\SharePointClaims\).

2. Open a command window (make sure you do this as an administrator) and navigate to the location where the file has been copied.

3. Run the command:   gacutil -if SharePointClaims.dll



Configure the Web Part

Next we must configure the web part to appear where we want it to appear.  I typically display it on the home page of the site collection I'm logging into so that it's the first thing I see.  Here are the steps to do that:

1. On each SharePoint web front end server, navigate to the physical directory where the web application is located (e.g. "C:\inetpub\wwwroot\wss\VirtualDirectories\443") and open the web.config file.

2. Add the following SafeControl entry (inside the <SafeControls> element) to the web application's web.config file on all web front ends you are using:

   <SafeControl Assembly="SharePointClaims, Version=1.0.0.0, Culture=neutral, PublicKeyToken=d01fae4d46160aca" Namespace="SharePointClaims" TypeName="ClaimWP" Safe="True" AllowRemoteDesigner="True" SafeAgainstScript="False" />

3. Issue an IISRESET using the command window.

4. Log in to the SharePoint site using a Site Collection Administrator account and go to Site Settings.

5. Select Web Parts under Galleries.

6. In "Library Tools" select "Upload a Document".

7. Browse for the location of the file "SharePointClaims.webpart".

8. Accept the default settings.

9. Navigate to the SharePoint page in which you want to view the claims retrieved.  Again, I usually add the web part to the Home site collection page, so it's the first thing I see after logging in.  However, if you are deploying this to a production farm, you may want to add it to a site page that end users typically do not see.

10. Click Site Settings, then Edit Page, then the Insert tab, and then the Web Part button in the ribbon.  Now click Add a Web Part.

11. Select "Miscellaneous" on the left panel, select "SharePoint Claims Web Part" in the middle panel and click "Add".

12. The web part will appear.  On the Page tab, click "Stop Editing" to return to the normal view.

The web part will now appear as follows and you can see all of the claims that were returned from any claims provider (trusted identity provider or custom claim provider) that SharePoint is configured with.
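Step 2 above edits web.config by hand on every web front end, which is easy to miss on one server and gets lost if SharePoint regenerates the file.  As an added example (my own script, not part of the original post or of the web part's download), the following PowerShell registers the same SafeControl entry through SharePoint's SPWebConfigModification API, so the farm pushes it to every web front end and re-applies it on its own; the web application URL and the owner tag are assumptions you would change for your farm.

```powershell
# Added example: register the SharePointClaims SafeControl entry through
# SPWebConfigModification instead of hand-editing web.config on each WFE.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://intranet.contoso.local"   # assumption: your web application URL
$owner     = "SharePointClaimsWebPart"          # assumption: tag used to find/remove the entry later

# Same attribute values as the SafeControl line in the post.
$assembly = "SharePointClaims, Version=1.0.0.0, Culture=neutral, PublicKeyToken=d01fae4d46160aca"
$entryXml = "<SafeControl Assembly=`"$assembly`" Namespace=`"SharePointClaims`" TypeName=`"ClaimWP`" " +
            "Safe=`"True`" AllowRemoteDesigner=`"True`" SafeAgainstScript=`"False`" />"

$webApp = Get-SPWebApplication $webAppUrl

$mod = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$mod.Path     = "configuration/SharePoint/SafeControls"
# Name is an XPath relative to Path that identifies this one node, so SharePoint
# recognises an existing entry instead of adding a duplicate on each apply.
$mod.Name     = "SafeControl[@Assembly='$assembly'][@Namespace='SharePointClaims'][@TypeName='ClaimWP']"
$mod.Sequence = 0
$mod.Owner    = $owner
$mod.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
$mod.Value    = $entryXml

# Only add once; the script is safe to re-run.
$existing = $webApp.WebConfigModifications | Where-Object { $_.Owner -eq $owner }
if (-not $existing) {
    $webApp.WebConfigModifications.Add($mod)
    $webApp.Update()
    # Writes the modification into web.config on every WFE in the farm.
    $webApp.WebService.ApplyWebConfigModifications()
}

# Check on this server: read the Default zone's web.config and look for the entry.
$zone    = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$cfgPath = Join-Path $webApp.IisSettings[$zone].Path.FullName "web.config"
$found   = Select-String -Path $cfgPath -SimpleMatch -Pattern 'TypeName="ClaimWP"' -Quiet
Write-Host "SafeControl for ClaimWP present in ${cfgPath}: $found"

# To back it out later, remove the modification by owner and apply again:
#   $webApp.WebConfigModifications.Remove($existing); $webApp.Update()
#   $webApp.WebService.ApplyWebConfigModifications()
```

Run the verification block on each web front end (or check its web.config directly) before uploading the .webpart file, because the gallery upload succeeds even when a server is still missing the SafeControl entry.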
 
Hope this is helpful.
      -Antonio