Date posted: 29-Nov-2014
Category: Technology
Uploaded by: envision-it
SharePoint Extranet Spring Webinar Series
Federation and SharePoint On Premise
Presented by Peter Carson, President, Envision IT
April 8, 2014
Peter Carson
• President, Envision IT
• SharePoint MVP
• Virtual Technical Specialist, Microsoft Canada
• http://blog.petercarson.ca
• www.envisionit.com
• Twitter @carsonpeter
• VP Toronto SharePoint User Group
Peter Mackenzie
• VP Sales & Marketing
• e: [email protected]
• p: (905) 812-3009 x244
• President, International Association of Microsoft Certified Partners (IAMCP) Canada
Product Support
Corey Thokle, EUM Support Manager
• e: [email protected]
• p: (905) 812 3009 ext.248
• http://www.linkedin.com/company/envision-it-inc
Amanda Da Costa, Sales & Marketing Support
• e: [email protected]
• p: (905) 812 3009 ext.250
• http://ca.linkedin.com/in/amandadacosta/
Agenda
• Envision IT Overview
• SharePoint On Premises Authentication Options
• What is Federation and how does it work?
• Demo Scenario
• SharePoint App Authentication Alternatives
• Wrap-Up and Q&A
Upcoming Sessions
Date | Event | Location
April 16 | Nintex Workflows and Forms at TSPUG | Toronto, Canada
April 22 | SharePoint Extranet Spring Webinar Series - Extranet User Provisioning | Online
May 6 | SharePoint Extranet Spring Webinar Series - Extranet Customer Case Studies | Online
May 7 | Cloud Business Apps, European SharePoint Conference | Barcelona, Spain
May 8 | Office 365 REST APIs, European SharePoint Conference | Barcelona, Spain
May 12 | SharePoint Federation and Extranet Workshop | Mississauga, Canada
May 27 | Cloud Business Apps, Toronto SharePoint Summit | Toronto, Canada
June 18 | SharePoint Extranet Full Day Workshop, SharePoint Fest | New York City
June 20 | Building a Web Site on SharePoint 2013, SharePoint Fest | New York City
www.envisionit.com/events
Focused on complex SharePoint solutions, Envision IT is the “go-to” partner for Microsoft SharePoint, building integrated public web sites, Intranets, Extranets, and web applications that leverage your existing systems anywhere over the Internet.
Envision IT Services Overview
Public Web Sites
We create interactive, content-rich customer-facing web sites that are able to grow and transform with changing needs
Collaboration Portals
Our Collaboration Portals provide a secure space for teams to share knowledge and resources
Extranets
Envision IT has a wealth of experience building Corporate Extranets that allow you to securely connect with customers and partners
Intranets
Our Intranet Sites connect people to information, expertise and key business applications, and SharePoint provides a broad set of Enterprise Content Management features
Products
• Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Single URL and sign-on for AD
Pricing
• $8,000 per production SharePoint farm
• No limits on the number of web front ends
• 20% annual Software Assurance provides all product updates
• Dev and QA farm licenses provided with up to date Software Assurance
Extranet Clients
Microsoft SharePoint
Poll 1
Which Version of SharePoint are you currently using?
• SharePoint Server 2013
• Office 365
• SharePoint Server 2010
• SharePoint Foundation (2010 or 2013)
• MOSS 2007 or WSS 3.0
Poll 2
How do you use SharePoint today?
• Internal collaboration
• Internal web publishing (Intranet)
• Extranets
• Public facing website
Identity Management, Authentication, and Authorization
Identity Management
• Process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services
• For our purposes we are focused just on people
• Who creates and manages identities? The Extranet owner or the external users themselves?
• Are identities part of the Extranet or external to it?
Authentication and Authorization
• Authentication is the mechanism whereby systems may securely identify their users
• Authentication systems provide answers to the questions: Who is the user? Is the user really who he/she represents himself to be?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have: Is user X authorized to access resource R?
SharePoint On Premise Authentication Options
Windows Authentication
• User store: Active Directory
• Windows Claims or Classic Mode
Forms-Based Authentication
• .NET Providers
• User store: AD or SQL
• Claims
Federated Identity
• Trusted Identity Provider, with SharePoint as the Relying Party
• User store: AD
• Claims
Trusted Identity Providers
• Active Directory Federation Services (ADFS)
• Thinktecture Identity Server
• Social Identities
Microsoft Account
Google+
Authentication Providers
SharePoint Infrastructure
• SharePoint Farm (one or more servers)
Web Application
o Site Collection
» Subsites
» Lists and Libraries
Application Pools
IIS Sites
Content Databases
Web Application Zones
• Authentication methods are defined for each zone of a web application
• Each web app can have up to five zones
Default
Intranet
Extranet
Internet
Custom
• Multiple authentication methods can be applied to a single zone
When to Use Zones
• In general we recommend not to use multiple zones
• Everyone (internal and external users) should share a single https URL (https://portal.contoso.com)
• Confusion results otherwise
Emailed links are broken for some of your users
Workflows, tasks, and alerts point to the wrong URL (unless you are in the Default zone)
• The only exception is where you also need an anonymous http zone
Mixed public and private sites
This is the only scenario that Microsoft recommends
Secure https zone should always be the default zone
Authentication Chooser
• The user decides what method to use to authenticate
• Goal should be to hide this from the user
Use the IP address
Check the email domain of the login email address
SharePoint 2010/2013 Infrastructure
One Way Trust
EZ-Login FBA and LDAP
EZ Login FBA and LDAP Externally
EZ-Login FBA External User
Federated Identity
• Trusted Identity Provider does the authentication
• Can be any SAML compliant provider
Active Directory Federation Services
Thinktecture Identity Server
o www.thinktecture.com
Social identities
• Can be AD, SQL, or other user repository under the hood
• Relying parties (such as SharePoint) trust the SAML token and provide the authorization based off that identity
• Provides Single Sign-On to multiple systems
Can be any SAML claims compliant system, not just SharePoint
Federation
Internal Firewall Port Requirements
Windows Auth
• 123/UDP - W32Time
• 135/TCP - RPC Endpoint Mapper
• 464/TCP/UDP - Kerberos password change
• 49152-65535/TCP - RPC for LSA, SAM, Netlogon (*)
• 389/TCP/UDP - LDAP
• 636/TCP - LDAP SSL
• 3268/TCP - LDAP GC
• 3269/TCP - LDAP GC SSL
• 53/TCP/UDP - DNS
• 49152-65535/TCP - FRS RPC (*)
• 88/TCP/UDP - Kerberos
• 445/TCP - SMB
• 49152-65535/TCP - DFSR RPC (*)
Federation
• No internal ports required
• Done through trusted, signed tokens passed through browser posts
• May still want to open port 443 for internal users to log in through ADFS externally
FBA
• LDAP 389
• LDAPS 636
• SMB 445
http://support.microsoft.com/kb/179442#method4
Active Directory Federation Services
• ADFS 1.0 Windows Server 2003
• ADFS 1.1 Windows Server 2008
• ADFS 2.0
Minimum to be used with SharePoint
Free download
Windows Server 2008 SP2 minimum
ADFS Proxy is used in the DMZ to expose externally
• ADFS 2.1
Windows Server 2012 Role
ADFS Proxy is used in the DMZ to expose externally
• ADFS 3.0
Windows Server 2012 R2 Role
Web Application Proxy is used in the DMZ to expose externally
Mixed Mode Extranet
Federation FBA
ADFS Externally
ADFS Proxy / Web Application Proxy
Authentication Process (diagram with three parties: Identity Provider, Relying Party, Active Directory; the RP trusts the IP)
• User browses the app (Relying Party)
• Not authenticated
• Redirected to the Identity Provider
• User authenticates
• Identity Provider queries Active Directory for user attributes
• Identity Provider returns a SAML Security Token (ST)
• Browser sends the token to the Relying Party
• Relying Party returns the page and a cookie
Certificates
• PKI SSL encryption is used for communication
• Token can be self-signed by the Identity Provider
• Token can also be encrypted with a self-signed certificate from the Identity Provider
Certificates diagram (Relying Party and Identity Provider)
• Communication: SSL certificates A and B, chaining to Root for A and Root for B
• Signing: certificate C signs the security token (ST); the other party holds the public key of C
• Encryption: certificate D encrypts the security token (ST); the other party holds the public key of D
ADFS Servers
Internal ADFS/DC Servers; DMZ ADFS Proxies / Web Application Proxy
ADFS Login Form
• Internal users shouldn’t see this
• Can be branded, within limits
Poll 3
What type of federation do you leverage today?
• ADFS
• Social identities (Facebook, Google, etc.)
• Other identity solution
• None
External User Federation
Demo Scenario
• Sample site at https://thinktecturedev.eitdev.org
• SharePoint 2013 on premises
• Windows Auth for internal users
• External users
In a separate AD
Authenticating through Thinktecture Identity Server
Managed with the Envision IT Extranet User Manager
Why Thinktecture over ADFS?
• Open source allows any customization
• Fully brandable (ADFS allows branding within very particular parameters)
• Login with email address instead of AD username
• Use SQL instead of AD as the underlying user repository
• Ability to incorporate the home realm discovery into the login form
• Easy delegation of user management to business
• Self-registration, approvals, forgotten password reset
• Single URL and sign-on
Extranet User Manager
Main Components
• Administration console
Used by IT to configure EUM
Used by the business to manage users and groups
• End User
Components that the Extranet users see
Login, disclaimer, change password, forgotten password
• Registration
Allow users to self-register
Support approval workflows
Managing Your External Users with EUM
• Delegate user management internally or externally to your organization
• Self-registration and approvals
• Full control over the accounts and login experience
• Delegated group management simplifies permissions
• Lost password reset
• Improved governance over your Extranet
Registration
Approval Email
Approve the User
Welcome Email
Set Your Password
Login
Forgotten Password
Demo
Apps and SharePoint 2013
• Three main types of Apps
SharePoint Hosted
o Client side code only
Auto Hosted
o Server code runs in an Azure instance provided by Office 365
o Only applies to Office 365
Provider Hosted
o Use your own server environment to host your server side code
o Doesn’t need to be Microsoft technology
Apps and SharePoint 2013
• No App code ever runs on the SharePoint farm
• Apps are selected and installed by the end user
• Need to explicitly trust the app to allow it to run
• OAuth is used to provide the end-user’s authentication to the app and back to SharePoint
Challenges with SharePoint Apps
• For full functionality, apps need to be installed in each site where they are being used
• No way to programmatically install them
• This is a problem for apps that are used on many sites
Alternative App Model
• Client side code and REST APIs are the direction Microsoft is taking in general
• Use this approach for Apps too
• If SharePoint is authenticated using Thinktecture, that can be leveraged to authenticate provider hosted apps too
• Thinktecture can provide a JSON Web Token (JWT) to the client-side code
Similar to a SAML token
It is the model going forward with WebAPI
• This can be passed to and trusted by the REST API for authentication
App Authentication Process with JWT (diagram with three parties: Provider App, Client Side Code, Thinktecture; the app trusts the IP)
• User browses the app
• No JWT
• Redirected to the Identity Provider (Thinktecture)
• User authenticates
• JWT Security Token returned to the client side code
• Page returned; token saved in session
• REST call to the Provider App with the JWT
• Provider App returns JSON data
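The SAML flow in the Authentication Process diagram and the JWT flow in the diagram above come down to the same decision on the relying side: the page or the REST API trusts the identity provider's signature on the token, not the browser or client-side code that posted it. The Python below is an added example written for this page, not code from the webinar, Envision IT, Thinktecture Identity Server or SharePoint. The issuer URL, audience URL and key are constructed placeholders, and an HMAC shared secret (HS256) stands in for the provider's signing certificate so that the example runs on the standard library alone; a real relying party verifies the signature with the provider's public signing key (RS256 for a JWT, an XML signature for a SAML token). It covers both sides: the provider issuing a token after authentication and attribute lookup, and the relying party checking signature, issuer, audience and validity window before turning the token into a session.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders for this example (not real endpoints or secrets).
ISSUER = "https://idp.example.invalid/"          # the identity provider (IP)
AUDIENCE = "https://portal.example.invalid/"     # this relying party (RP)
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- Identity provider side -------------------------------------------------
def issue_token(user: str, attributes: dict, key: bytes = SIGNING_KEY,
                audience: str = AUDIENCE, now: Optional[int] = None,
                lifetime: int = 600) -> str:
    """After authenticating the user and looking up their attributes in the
    directory, the IP returns a signed token scoped to one relying party."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": audience, "sub": user,
              "iat": now, "nbf": now, "exp": now + lifetime}
    claims.update(attributes)  # e.g. role or e-mail claims from the user store
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# ---- Relying party side -----------------------------------------------------
class TokenError(Exception):
    """Raised for any token the relying party must not accept."""


def validate_token(token: str, key: bytes = SIGNING_KEY,
                   now: Optional[int] = None) -> dict:
    """Signature first (nothing unsigned is ever treated as trusted), then
    issuer, audience and validity window. Returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")  # the RP fixes the algorithm, never the token
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("token was issued for a different relying party")
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise TokenError("token outside its validity window")
    return claims


def is_valid(token: str, now: Optional[int] = None) -> bool:
    try:
        validate_token(token, now=now)
        return True
    except TokenError:
        return False


def handle_request(session: dict, token: Optional[str],
                   now: Optional[int] = None) -> dict:
    """One relying-party request, as in the diagrams: an existing session is
    served; no session and no token means a redirect to the IP; a posted
    token is validated and, if good, turned into a session cookie."""
    if "user" in session:
        return {"status": 200, "user": session["user"]}
    if token is None:
        return {"status": 302, "location": ISSUER + "?return=" + AUDIENCE}
    claims = validate_token(token, now=now)
    session["user"] = claims["sub"]
    return {"status": 200, "user": claims["sub"], "set_cookie": True}
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the relying party rather than taken from the token, and the audience check stops a token issued for one relying party from being replayed against another, which is the property that lets one identity provider serve SharePoint and the provider-hosted app side by side. The short lifetime bounds how long a captured token stays useful; the session cookie, not the token, carries the login afterwards.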
Poll 4
When would you like us to follow up?
• Right away
• May
• June
Links
• www.envisionit.com
• blog.petercarson.ca
• www.envisionit.com/eum
• Video and presentation deck will be at www.envisionit.com/events
Questions?