Implementing ADFS & Hybrid SP

Posted on 08-Jun-2015

Description:

SharePoint Saturday Oslo 2014. Implementing ADFS 3.0 & Hybrid SharePoint.

Transcript:

Implementing ADFS and Hybrid SharePoint

#spsoslo | Thorbjørn Værp | May 31st, 2014


Thanks to our Sponsors!

About me

Thorbjørn Værp, Principal Consultant & Regional Manager, Puzzlepart, Kristiansand, Norway

www.Sharepoint13.net | @vaerpn

Celebrating 21 years IT-pro, 11 of them in SP. MCT | XVC

Agenda

• History
• Claims-based authentication
• ADFS & SharePoint 2013

HISTORY


Lingo

OpenID:
• An open standard for authentication
• Similar architecture to WS-*
• OpenID authentication used by PayPal, Google, VeriSign, Twitter +

OAuth:
• An open standard for authorization
• Method for clients to access server resources on behalf of a resource owner
• OAuth has no signing or encryption (it relies only on SSL for opacity)
• Wide adoption: Facebook, Twitter, Microsoft, DropBox, Amazon, Instagram, Google
• Two versions, 1.0 & 2.0, with no backwards compatibility.

Traditional authentication mechanisms

• Anonymous
• Basic
• NTLM / Kerberos (WIA)
• Forms based AuthN

Cannot traverse firewalls or proxies!!!

The problem with authentication

• Current technologies do not work well on the Internet (NTLM, Kerberos etc.)
• Several and different user stores (AD, LDAP, eDir)
• Relies on your particular platform
• Authentication had to be handled and understood by the developers (whose time is better spent developing the application)
• Each new authentication scheme required changing the code

Claims-based identity


What is claims-based identity?

• Abstraction layer (indirection)
• A claim is an authoritative statement about a subject made by an entity
• A claim can be anything (not just security information) that can be associated with a subject
• Name | Age | Group membership | Role
• A claim is always associated with the entity that issued it
• There are several claim standards
• Claims are stored and transmitted in security tokens


Diagram: Subject, Claims, Issuer / Security Token Service.

Claims in SharePoint 2013

3 types of claim providers:
• Windows
• Trusted Provider (SAML)
• Forms Based AuthN

Multiple AuthN providers possible in the same zone. Classic mode only via PowerShell.

Claims in SharePoint 2013

• SP 2013 has its own STS implementation
• The SP 2013 Federation Metadata is in JSON, not XML
• Both Classic authentication mode (WIA) and claims mode (WIA/FBA/SAML) are supported, but claims is the default
• In claims mode every form of AuthN is transformed to a SAML token
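To make "claims are stored and transmitted in security tokens" concrete, here is an added example (not from the deck) that takes a SAML 1.1 assertion of the shape ADFS issues to SharePoint over WS-Federation, checks the issuer, the audience and the validity window, and lists the claims it carries. The token is constructed for illustration; the issuer URL, the audience value 'urn:sharepoint:vaerpn' and the attribute values are assumptions, and the XML signature is left out, so this shows structure and condition checks only, not signature validation.

```powershell
# Constructed SAML 1.1 assertion (no <ds:Signature>); values are assumptions.
$constructedToken = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-id"
    Issuer="http://fs3.vaerpn.com/adfs/services/trust" IssueInstant="2014-05-31T10:00:00Z">
  <saml:Conditions NotBefore="2014-05-31T10:00:00Z" NotOnOrAfter="2014-05-31T11:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:sharepoint:vaerpn</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier>user@vaerpn.com</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>user@vaerpn.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>SP-Contributors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

function Get-SamlClaims {
    param(
        [Parameter(Mandatory = $true)][string]$AssertionXml,
        [Parameter(Mandatory = $true)][string]$ExpectedIssuer,     # the trusted STS
        [Parameter(Mandatory = $true)][string]$ExpectedAudience,   # this relying party's realm
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    [xml]$doc = $AssertionXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')
    $assertion = $doc.SelectSingleNode('/saml:Assertion', $ns)

    # A claim is only as good as its issuer: reject tokens from any other STS.
    if ($assertion.Issuer -ne $ExpectedIssuer) {
        throw "Issuer '$($assertion.Issuer)' is not the trusted identity provider"
    }
    # The audience must name this relying party, otherwise a token minted for
    # another application could be replayed here.
    $audiences = @($doc.SelectNodes('//saml:Audience', $ns) | ForEach-Object { $_.InnerText })
    if ($audiences -notcontains $ExpectedAudience) {
        throw "Audience [$($audiences -join ', ')] does not include realm '$ExpectedAudience'"
    }
    # Enforce the validity window in UTC.
    $cond = $doc.SelectSingleNode('//saml:Conditions', $ns)
    $utc = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.NotBefore, $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.NotOnOrAfter, $utc)
    if ($Now -lt $notBefore -or $Now -ge $notOnOrAfter) {
        throw "Token is outside its validity window ($notBefore .. $notOnOrAfter)"
    }
    # Each saml:Attribute value becomes one claim; namespace/name is the claim type.
    foreach ($attr in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $type = "$($attr.AttributeNamespace)/$($attr.AttributeName)"
        foreach ($val in $attr.SelectNodes('saml:AttributeValue', $ns)) {
            [pscustomobject]@{ Type = $type; Value = $val.InnerText; Issuer = $assertion.Issuer }
        }
    }
}

# Evaluate at a time inside the constructed window so the sample token passes.
$now = ([datetime]'2014-05-31T10:30:00Z').ToUniversalTime()
Get-SamlClaims -AssertionXml $constructedToken `
    -ExpectedIssuer 'http://fs3.vaerpn.com/adfs/services/trust' `
    -ExpectedAudience 'urn:sharepoint:vaerpn' -Now $now |
    Format-Table Type, Value, Issuer -AutoSize
```

The three checks (issuer, audience, time window) are exactly what ties a SharePoint trusted identity provider to one ADFS relying-party trust: the audience is the realm you configure on the SP side, and the issuer is the ADFS service whose token-signing certificate SP trusts.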

SAML-based Claims in SP2013

Authentication process (diagram, built up step by step across several slides)

ADFS & SharePoint 2013

Grocery list

• 4 Public Certificates (e.g. RapidSSL):
  • Fs3.vaerpn.com
  • Sp.vaerpn.com
  • Tokensign.vaerpn.com
  • Decrypt.vaerpn.com
• Reverse proxy (WEP, F5, Netscaler, Azure Endpoints, ...)
• Update public DNS
• Update internal DNS
• ADFS server, one or more
• SharePoint 2013

Step by Step

The Environment:
• We got AD with a routable domain | vaerpn.com, externally registered.
• Enterprise Admin access to AD DS & available admin e-mail
• SP 2013 with SQL server
• Firewall/ReverseProxy or Azure
• One or more Win2012 R2 domain joined servers to add the ADFS 3.0 Role

What to do:
1. Get those Certificates
2. Add ADFS Role
3. Configure ADFS & Certificates
4. Configure Claim Rule
5. Add Relying Party Identifier
6. Create & Connect SP Trusted Identity Provider

Certificates ToDo

1. Get those Certificates

Copy this Certificate to the ADFS server. Do this on the ADFS server.

Repeat until you have at minimum 4 certificates:
• adfs.vaerpn.com -> for ADFS service
• signing.vaerpn.com -> for token signing
• decrypt.vaerpn.com -> for decrypt (not used by SP but a prereq)
• sp.vaerpn.com -> for SSL on SharePoint web app (one per web app)

Install ADFS

2. Add ADFS Role (step shown across several slides)

Configure ADFS

3. Configure ADFS (step shown across several slides)

3. Test ADFS

Configure Claim Rule

4. Configure Claim Rule (step shown across several slides)

Add Relying Party Identifier

5. Add Relying Party Identifier (step shown across several slides)

Export the Token signing certificate

Export the token signing cert
• Copy this to the SharePoint WFE
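Steps 4 and 5 and the certificate export are shown in the deck as wizard screenshots; the following is an added example (not the presenter's script) of the same work done on the ADFS 3.0 server with the ADFS PowerShell module. The host names sp.vaerpn.com and fs3.vaerpn.com follow the deck; the relying-party identifier 'urn:sharepoint:vaerpn', the display name, the rule text and the export path C:\temp are assumptions for this example.

```powershell
# Run on the ADFS 3.0 server (Windows Server 2012 R2) as an ADFS administrator.
Import-Module ADFS

$rpName        = 'SharePoint 2013 - sp.vaerpn.com'   # assumed display name
$rpIdentifier  = 'urn:sharepoint:vaerpn'             # assumed; must equal the SP-side -Realm
$wsFedEndpoint = 'https://sp.vaerpn.com/_trust/'     # SharePoint's WS-Federation passive endpoint

# Step 4, claim rule: for the Windows account that authenticated against AD, look up
# mail and tokenGroups and issue them as e-mail and role claims. SharePoint will use
# the e-mail claim as the identifier claim and roles for permission grants.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail and groups to SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Authorization rule: permit every authenticated user. Narrow this to a group
# claim once the trust works, so only intended users get a token for SharePoint.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 5, relying party trust with the identifier SharePoint will send as its realm.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -Identifier $rpIdentifier `
        -WSFedEndpoint $wsFedEndpoint `
        -IssuanceTransformRules $issuanceRules `
        -IssuanceAuthorizationRules $authorizationRules
}

# Check this: what ADFS actually stored for the trust.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules

# Export the primary token-signing certificate (public part only, no private key).
# SharePoint needs it to validate the signature on tokens ADFS issues.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$bytes = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
New-Item -ItemType Directory -Force -Path 'C:\temp' | Out-Null
[System.IO.File]::WriteAllBytes('C:\temp\adfs-token-signing.cer', $bytes)
# Copy C:\temp\adfs-token-signing.cer to the SharePoint WFE for step 6.
```

Exporting with X509ContentType Cert deliberately produces a DER file without the private key; the WFE only ever needs the public certificate, and the signing key itself should never leave the ADFS servers.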

Create & Connect SP trusted Identity Provider

Do this on the SP WFE server.

6. Create & Connect SP trusted Identity Provider (step shown across several slides)

-> Run this
-> Check this
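The "Run this / Check this" slides for step 6 are screenshots; this is an added example (not the presenter's own script) of the SharePoint-side commands it refers to, run on the WFE. The host names follow the deck; the realm 'urn:sharepoint:vaerpn' (which must match the relying-party identifier registered in ADFS), the provider name, the certificate path and the web application URL https://sp.vaerpn.com are assumptions for this example.

```powershell
# Run on the SharePoint 2013 WFE in the SharePoint Management Shell (farm admin).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath  = 'C:\temp\adfs-token-signing.cer'        # copied from the ADFS server
$realm     = 'urn:sharepoint:vaerpn'                  # assumed; equals the RP identifier in ADFS
$signInUrl = 'https://fs3.vaerpn.com/adfs/ls/'        # ADFS 3.0 passive sign-in endpoint
$webAppUrl = 'https://sp.vaerpn.com'                  # assumed web application URL
$providerName = 'ADFS vaerpn.com'                     # assumed provider name

# Trust the ADFS token-signing certificate so the SP STS can validate token signatures.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint })) {
    New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert | Out-Null
}

# Map the incoming SAML claim types to SharePoint claim types (same URI on both sides).
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# Run this: create the trusted identity provider. -Realm is the audience SP asks ADFS
# for; -IdentifierClaim is the claim SP treats as the user's identity.
$provider = New-SPTrustedIdentityTokenIssuer -Name $providerName `
    -Description 'ADFS 3.0 on fs3.vaerpn.com' `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Attach the provider to the Default zone next to Windows authentication
# (multiple AuthN providers in the same zone, as the deck notes).
$webApp   = Get-SPWebApplication $webAppUrl
$windows  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$trusted  = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $provider
Set-SPWebApplication -Identity $webApp -Zone Default -AuthenticationProvider $windows, $trusted

# Check this: the realm, sign-in URI and identifier claim SP will actually use.
Get-SPTrustedIdentityTokenIssuer -Identity $providerName |
    Select-Object Name, DefaultProviderRealm, ProviderUri, IdentityClaimTypeInformation
```

If the realm here and the identifier in ADFS disagree, ADFS answers the sign-in request with an error because it has no relying party for that audience; that mismatch is the most common reason a freshly created trust fails, so the final Get-SPTrustedIdentityTokenIssuer check is worth reading against the ADFS-side trust before testing in a browser.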

Demo: Walk around & Customize

Wrap Up

History: WS-*, OpenID, OAuth. David Wheeler: "All problems in computer science can be solved by another level of indirection."

Claims-based Identity: A claim is an authoritative statement about a subject made by an entity. In claims mode every form of AuthN is transformed to a SAML token.

ADFS & SharePoint 2013: ADFS 3.0 has no IIS. Always use public certificates, plan stuff, must use PowerShell.

Q&A

Thank You!

@vaerpn #spsoslo