
Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Date post: 29-Nov-2014
Description:
In this Webinar, Envision IT demonstrates how ADFS federation can allow external users to access an Extranet, their DMZ accounts or other external identities, and use single sign-on to other systems beyond SharePoint. View more details and the webinar recording here: http://www.envisionit.com/products/events/Pages/SharePoint-Extranet-Spring-Webinar-Series-Federation-and-SharePoint-On-Premise.aspx
SharePoint Extranet Spring Webinar Series Federation and SharePoint On Premise Presented by Peter Carson President, Envision IT April 8, 2014
Transcript
Page 1: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

SharePoint Extranet Spring Webinar Series

Federation and SharePoint On Premise

Presented by Peter Carson, President, Envision IT

April 8, 2014

Page 2: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Peter Carson

• President, Envision IT

• SharePoint MVP

• Virtual Technical Specialist, Microsoft Canada

• [email protected]

• http://blog.petercarson.ca

• www.envisionit.com

• Twitter @carsonpeter

• VP Toronto SharePoint User Group

Page 3: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Peter Mackenzie

• VP Sales & Marketing

• e: [email protected]

• p: (905) 812-3009 x244

• President, International Association of Microsoft Certified Partners (IAMCP) Canada

Page 4: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Product Support

Corey Thokle, EUM Support Manager

• e: [email protected]

• p: (905) 812 3009 ext.248

• http://www.linkedin.com/company/envision-it-inc

Amanda Da Costa, Sales & Marketing Support

• e: [email protected]

• p: (905) 812 3009 ext.250

• http://ca.linkedin.com/in/amandadacosta/

Page 5: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Agenda

• Envision IT Overview

• SharePoint On Premises Authentication Options

• What is Federation and how does it work?

• Demo Scenario

• SharePoint App Authentication Alternatives

• Wrap-Up and Q&A

Page 6: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Upcoming Sessions

Date / Event / Location

• April 16: Nintex Workflows and Forms at TSPUG (Toronto, Canada)

• April 22: SharePoint Extranet Spring Webinar Series - Extranet User Provisioning (Online)

• May 6: SharePoint Extranet Spring Webinar Series - Extranet Customer Case Studies (Online)

• May 7: Cloud Business Apps, European SharePoint Conference (Barcelona, Spain)

• May 8: Office 365 REST APIs, European SharePoint Conference (Barcelona, Spain)

• May 12: SharePoint Federation and Extranet Workshop (Mississauga, Canada)

• May 27: Cloud Business Apps, Toronto SharePoint Summit (Toronto, Canada)

• June 18: SharePoint Extranet Full Day Workshop, SharePoint Fest (New York City)

• June 20: Building a Web Site on SharePoint 2013, SharePoint Fest (New York City)

www.envisionit.com/events

Page 7: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise
Page 8: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Focused on complex SharePoint solutions, Envision IT is the “go-to” partner for Microsoft SharePoint, building integrated public web sites, Intranets, Extranets, and web applications that leverage your existing systems anywhere over the Internet.

Envision IT Services Overview

Page 9: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Public Web Sites

We create interactive, content-rich customer-facing web sites that are able to grow and transform with changing needs

Page 10: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Collaboration Portals

Our Collaboration Portals provide a secure space for teams to share knowledge and resources

Page 11: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Extranets

Envision IT has a wealth of experience building Corporate Extranets that allow you to securely connect with customers and partners

Page 12: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Intranets

Our Intranet Sites connect people to information, expertise and key business applications, and SharePoint provides a broad set of Enterprise Content Management features

Page 13: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Products

Page 14: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

• Easy delegation of user management to business

• Self-registration, approvals, forgotten password reset

• Single URL and sign-on for AD

Page 15: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Pricing

• $8,000 per production SharePoint farm

• No limits on the number of web front ends

• 20% annual Software Assurance provides all product updates

• Dev and QA farm licenses provided with up to date Software Assurance

Page 16: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Extranet Clients

Page 17: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Microsoft SharePoint

Page 18: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Poll 1

Which Version of SharePoint are you currently using?

• SharePoint Server 2013

• Office 365

• SharePoint Server 2010

• SharePoint Foundation (2010 or 2013)

• MOSS 2007 or WSS 3.0

Page 19: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Poll 2

How do you use SharePoint today?

• Internal collaboration

• Internal web publishing (Intranet)

• Extranets

• Public facing website

Page 20: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Identity Management, Authentication, and Authorization

Identity Management

• Process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services

• For our purposes we are focused just on people

• Who creates and manages identities? The Extranet owner or the external users themselves?

• Are identities part of the Extranet or external to it?

Authentication and Authorization

• Authentication is the mechanism whereby systems may securely identify their users

• Authentication systems answer the questions: Who is the user? Is the user really who he/she claims to be?

• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have: Is user X authorized to access resource R?

Page 21: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

SharePoint On Premise Authentication Options

Windows Authentication
  User store: Active Directory
  Windows Claims or Classic Mode

Forms-Based Authentication
  .NET membership/role providers
  User store: AD or SQL
  Claims

Federated Identity
  Trusted Identity Provider (SharePoint is the Relying Party)
  User store: AD
  Claims

Page 22: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Trusted Identity Providers

• Active Directory Federation Services (ADFS)

• Thinktecture Identity Server

• Social Identities

Facebook

LinkedIn

Microsoft Account

Google+

Page 23: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Authentication Providers

Page 24: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

SharePoint Infrastructure

• SharePoint Farm (one or more servers)

Web Application

o Site Collection / Subsites

» Lists and Libraries

Application Pools

IIS Sites

Content Databases

Page 25: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Web Application Zones

• Authentication methods are defined for each zone of a web application

• Each web app can have up to five zones:

  Default

  Intranet

  Extranet

  Internet

  Custom

• Multiple authentication methods can be applied to a single zone

Page 26: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

When to Use Zones

• In general we recommend not to use multiple zones

• Everyone (internal and external users) should share a single https URL (https://portal.contoso.com)

• Confusion results otherwise

  Emailed links are broken for some of your users

  Workflows, tasks, and alerts point to the wrong URL (unless you are in the Default zone)

• The only exception is where you also need an anonymous http zone

  Mixed public and private sites

  This is the only scenario that Microsoft recommends

  Secure https zone should always be the default zone

Page 27: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Authentication Chooser

• The user decides which method to use to authenticate

• Goal should be to hide this from the user

Use the IP address

Check the email domain of the login email address
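The slide above gives the two signals that let you hide the chooser from the user: the client's IP address and the domain of the e-mail address they type. The following is an added example of that home realm discovery in Node.js; it is not Envision IT's code and not part of EZ-Login or the Extranet User Manager. The internal e-mail domains, the corporate IPv4 ranges and the method names (`windows`, `adfs`, `external`) are constructed assumptions; the routing order (internal network first, then e-mail domain) follows the slide, which says internal users should never see the login form.

```javascript
// Added example (not from the webinar deck): home realm discovery for the
// "authentication chooser". All data below is constructed sample data.
const INTERNAL_EMAIL_DOMAINS = new Set(['contoso.com', 'corp.contoso.com']); // assumed
const INTERNAL_IPV4_RANGES = ['10.0.0.0/8', '192.168.10.0/24'];              // assumed

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number, or null.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside the CIDR block (e.g. "192.168.10.0/24").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  // JS shifts are mod 32, so a /0 mask has to be special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Decide where to send the user without asking them:
//  1. a client on the internal network goes straight to Windows auth;
//  2. an internal e-mail domain from outside the network goes to ADFS;
//  3. anything else is an external identity (FBA / external identity provider).
function chooseRealm({ clientIp, email }) {
  if (clientIp && INTERNAL_IPV4_RANGES.some((range) => inCidr(clientIp, range))) {
    return { method: 'windows', reason: 'client is on the internal network' };
  }
  const parts = String(email || '').trim().toLowerCase().split('@');
  if (parts.length !== 2 || parts[1] === '') {
    return { method: 'unknown', reason: 'no usable e-mail domain' };
  }
  if (INTERNAL_EMAIL_DOMAINS.has(parts[1])) {
    return { method: 'adfs', reason: 'internal e-mail domain, external network' };
  }
  return { method: 'external', reason: 'external e-mail domain' };
}
```

The e-mail domain is only a routing hint: the Identity Provider it points to still has to authenticate the user, so a wrong or spoofed domain just lands the user on a login form that will not accept them.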

Page 28: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

SharePoint 2010/2013 Infrastructure

Page 29: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

One Way Trust

Page 30: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

EZ-Login FBA and LDAP

Page 31: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

EZ Login FBA and LDAP Externally

Page 32: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

EZ-Login FBA External User

Page 33: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Federated Identity

• Trusted Identity Provider does the authentication

• Can be any SAML compliant provider

  Active Directory Federation Services

  Thinktecture Identity Server

  o www.thinktecture.com

  Social identities

• Can be AD, SQL, or other user repository under the hood

• Relying parties (such as SharePoint) trust the SAML token and provide the authorization based off that identity

• Provides Single Sign-On to multiple systems

  Can be any SAML claims compliant system, not just SharePoint

Page 34: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Federation

Page 35: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Internal Firewall Port Requirements

Windows Auth

• 123/UDP - W32Time

• 135/TCP - RPC Endpoint Mapper

• 464/TCP/UDP - Kerberos password change

• 49152-65535/TCP - RPC for LSA, SAM, Netlogon (*)

• 389/TCP/UDP - LDAP

• 636/TCP - LDAP SSL

• 3268/TCP - LDAP GC

• 3269/TCP - LDAP GC SSL

• 53/TCP/UDP - DNS

• 49152-65535/TCP - FRS RPC (*)

• 88/TCP/UDP - Kerberos

• 445/TCP - SMB

• 49152-65535/TCP - DFSR RPC (*)

Federation

• No internal ports required

• Done through trusted, signed tokens passed through browser posts

• May still want to open port 443 for internal users to log in through ADFS externally

FBA

• LDAP 389

• LDAPS 636

• SMB 445

(*) http://support.microsoft.com/kb/179442#method4

Page 36: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Active Directory Federation Services

• ADFS 1.0 Windows Server 2003

• ADFS 1.1 Windows Server 2008

• ADFS 2.0 - Minimum version to be used with SharePoint

  Free download; Windows Server 2008 SP2 minimum

  ADFS Proxy is used in the DMZ to expose externally

• ADFS 2.1 - Windows Server 2012 role

  ADFS Proxy is used in the DMZ to expose externally

• ADFS 3.0 - Windows Server 2012 R2 role

  Web Application Proxy is used in the DMZ to expose externally

Page 37: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Mixed Mode Extranet

Federation FBA

Page 38: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

ADFS Externally

ADFS Proxy / Web Application Proxy

Page 39: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Authentication Process

(Diagram: User, Relying Party, Identity Provider, Active Directory; the RP trusts the IP)

1. User browses to the app on the Relying Party

2. Not authenticated: the user is redirected to the Identity Provider

3. User authenticates at the Identity Provider

4. Identity Provider queries Active Directory for user attributes

5. Identity Provider returns a SAML security token (ST) to the browser

6. Browser sends the token to the Relying Party

7. Relying Party returns the page and a session cookie

Page 40: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Certificates

• PKI SSL encryption is used for communication

• Token can be self-signed by the Identity Provider

• Token can also be encrypted with a self-signed certificate from the Identity Provider

(Diagram: Relying party and Identity Provider with four certificates)

  A, B - Communication (SSL): one certificate on each side, each chaining to its own root (Root for A, Root for B)

  C - Signing: the Identity Provider signs the ST with C; the Relying party holds the public key of C

  D - Encryption: the ST is encrypted to the public key of D, which the Identity Provider holds; the Relying party holds D

Page 41: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

ADFS Servers

Internal ADFS/DC Servers; DMZ ADFS Proxies / Web Application Proxy

Page 42: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

ADFS Login Form

• Internal users shouldn’t see this

• Can be branded, within limits

Page 43: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Poll 3

What type of federation do you leverage today?

• ADFS

• Social identities (Facebook, Google, etc.)

• Other identity solution

• None

Page 44: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

External User Federation

Page 45: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Demo Scenario

• Sample site at https://thinktecturedev.eitdev.org

• SharePoint 2013 on premises

• Windows Auth for internal users

• External users

In a separate AD

Authenticating through Thinktecture Identity Server

Managed with the Envision IT Extranet User Manager

Page 46: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Why Thinktecture over ADFS?

• Open source allows any customization

• Fully brandable (ADFS allows branding within very particular parameters)

• Login with email address instead of AD username

• Use SQL instead of AD as the underlying user repository

• Ability to incorporate the home realm discovery into the login form

Page 47: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

• Easy delegation of user management to business

• Self-registration, approvals, forgotten password reset

• Single URL and sign-on

Extranet User Manager

Page 48: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Main Components

• Administration console

  Used by IT to configure EUM

  Used by the business to manage users and groups

• End User

  Components that the Extranet users see

  Login, disclaimer, change password, forgotten password

• Registration

  Allow users to self-register

  Support approval workflows

Page 49: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Managing Your External Users with EUM

• Delegate user management internally or externally to your organization

• Self-registration and approvals

• Full control over the accounts and login experience

• Delegated group management simplifies permissions

• Lost password reset

• Improved governance over your Extranet

Page 50: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Registration

Page 51: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Approval Email

Page 52: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Approve the User

Page 53: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Welcome Email

Page 54: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Set Your Password

Page 55: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Login

Page 56: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Forgotten Password

Page 57: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Demo

Page 58: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Apps and SharePoint 2013

• Three main types of Apps

SharePoint Hosted

o Client side code only

Auto Hosted

o Server code runs in an Azure instance provided by Office 365

o Only applies to Office 365

Provider Hosted

o Use your own server environment to host your server side code

o Doesn’t need to be Microsoft technology

Page 59: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Apps and SharePoint 2013

• No App code ever runs on the SharePoint farm

• Apps are selected and installed by the end user

• Need to explicitly trust the app to allow it to run

• OAuth is used to provide the end-user’s authentication to the app and back to SharePoint

Page 60: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Challenges with SharePoint Apps

• For full functionality, apps need to be installed in each site where they are being used

• No way to programmatically install them

• This is a problem for apps that are used on many sites

Page 61: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Alternative App Model

• Client side code and REST APIs are the direction Microsoft is taking in general

• Use this approach for Apps too

• If SharePoint is authenticated using Thinktecture, that can be leveraged to authenticate provider hosted apps too

• Thinktecture can provide a JSON Web Token (JWT) to the client-side code

  Similar to a SAML token

  It is the model going forward with WebAPI

• This can be passed to and trusted by the REST API for authentication

Page 62: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

App Authentication Process with JWT

(Diagram: User, Client Side Code, Provider App, Thinktecture as Identity Provider; the App trusts the IP)

1. User browses to the app

2. No JWT: the user is redirected to the Identity Provider

3. User authenticates at the Identity Provider

4. Identity Provider returns a JWT security token

5. Page is returned; the client-side code saves the token in session

6. Client-side code makes a REST call with the token

7. App validates the JWT and returns JSON data

Page 63: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Poll 4

When would you like us to follow up?

• Right away

• May

• June

Page 64: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Upcoming Sessions

Date / Event / Location

• April 16: Nintex Workflows and Forms at TSPUG (Toronto, Canada)

• April 22: SharePoint Extranet Spring Webinar Series - Extranet User Provisioning (Online)

• May 6: SharePoint Extranet Spring Webinar Series - Extranet Customer Case Studies (Online)

• May 7: Cloud Business Apps, European SharePoint Conference (Barcelona, Spain)

• May 8: Office 365 REST APIs, European SharePoint Conference (Barcelona, Spain)

• May 12: SharePoint Federation and Extranet Workshop (Mississauga, Canada)

• May 27: Cloud Business Apps, Toronto SharePoint Summit (Toronto, Canada)

• June 18: SharePoint Extranet Full Day Workshop, SharePoint Fest (New York City)

• June 20: Building a Web Site on SharePoint 2013, SharePoint Fest (New York City)

www.envisionit.com/events

Page 65: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Pricing

• $8,000 per production SharePoint farm

• No limits on the number of web front ends

• 20% annual Software Assurance provides all product updates

• Dev and QA farm licenses provided with up to date Software Assurance

Page 66: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Links

• www.envisionit.com

• blog.petercarson.ca

• www.envisionit.com/eum

• Video and presentation deck will be at www.envisionit.com/events

Page 67: Envision it SharePoint Extranet Webinar Series - Federation and SharePoint On Premise

Questions?
