Implementing adfs & hybrid sp

Implementing ADFS andHybrid SharePoint

#spsosloThorbjørn VærpMay 31st, 2014

Platinum

SharePint

Raffle

Platinum

Gold

Thanks to our Sponsors!

About me

Thorbjørn VærpPrincipal Consultant & Regional Manager PuzzlepartKristiansand, Norway

www.Sharepoint13.net | @vaerpn

Celebrating 21 years IT-pro, 11 of them in SPMCT | XVC

Agenda

• History• Claims-based authentication• ADFS & SharePoint 2013

HISTORY

#spsoslo

Lingo

• An open standard for authentication• Similar architecture to WS-*• OpenID authentication used by PayPal, Google,

VeriSign, Twitter +

• An open standard for authorization• Method for clients to access server resources on behalf of a

resource owner• Oauth has no signing or encryption (it relies only on ssl for

opacity)• Wide adoption, Facebook, Twitter, Microsoft, DropBox,

Amazon, Instagram, Google• Two version, 1.0 & 2.0 –no backwards compability.

Traditional authentication mechanisms

• Anonymous• Basic• NTLM / Kerberos (WIA)• Forms based AuthN

Cannot tra

verse

firewalls

or

proxie

s!!!

The problem with authentication

• Current technologies do not work well on the Internet (NTLM, Kerberos etc.)

• Several and different user stores (AD, LDAP, eDir)• Relies on your particular platform• Authentication had to be handled and understood by the

developers, (whose time is better spent developing the application)• Each new authentication scheme required chaning the code

Claims-based identity

#spsoslo

What is claims-based identity?

• Abstraction layer (indirection)• A claim is an authoritative statement about a subject made by an

entity• A claim can be anything (not just security information) that can be

associated with a subject• Name | Age | Group membership | Role

• A claim is always associated with the entity that issued it• There are several claim standards • Claims are stored and transmitted in security tokens











Subject

Claims

Issuer / Security Token Service

Claims in SharePoint 2013

3 types of claim providers

WindowsTrusted Provider (SAML)Forms Based AuthN

Multiple AuthN providers possible in the same zoneClassic mode only via PowerShell

Claims in SharePoint 2013

• SP 2013 has its own STS implementation• The SP 2013 Federation Metadata is in JSON, not XML• Both Classic authentication mode (WIA) and claims mode

(WIA/FBA/SAML) is supported, but claims is the default• In claims mode every form of AuthN is transformed to a SAML token

SAML-based Claims in SP2013

Authentication process








ADFS & SharePoint 2013 #spsoslo

Grocery list

• 4 Public Certificates + (eg.RapidSSL)• Fs3.vaerpn.com• Sp.vaerpn.com• Tokensign.vaerpn.com• Decrypt.vaerpn.com

• Reverse proxy, (WEP, F5, Netscaler, Azure Endpoints,)• Update public DNS• Update internal DNS• ADFS server, one or more• SharePoint 2013

Step by Step

The Environment• We got AD with a routable domain | vaerpn.com, externaly

registered.• Enterprise Admin access AD DS & available admin e-mail• SP 2013 with SQL server• Firewall/ReverseProxy or Azure• One or more Win2012 R2 domain joined servers to add ADFS

3.0 RoleWhat to do:

1.Get those Certificates, 2. Add ADFS Role, 3. Configure ADFS & Certificates 4. Configure Claim Rule, 5: Add RelayingParty Identifier, 6. Create & Connect SP Trusted Identity Provider.

Certificates ToDo

#spsoslo

1.Get t

hose C

ertifi

cate

s

Copy this

Certifica

te to

the A

DFS serv

er

Do this

on the A

DFS serv

er

Repeat until you have at minimum 4 certificates:

adfs.vaerpn.com -> for ADFS service signing.vaerpn.com ->for token signingdecrypt.vaerpn.com ->for decrypt (not used by SP but a prereq)sp.vaerpn.com ->for SSL on SharePoint web app (one pr.web app)

Install ADFS

#spsoslo

2. Add A

DFS

Role

2. Add A

DFS

Role

2. Add A

DFS

Role

2. Add A

DFS

Role

2. Add A

DFS

Role

Configure ADFS

#spsoslo

3. Configure

ADFS

3. Configure

ADFS

3. Configure

ADFS

3. Configure

ADFS

3. Configure

ADFS

3. Configure

ADFS

3. Configure

ADFS

3. Configure

ADFS

3. Configure

ADFS

3. Configure

ADFS

3. Test

ADFS

3. Configure

ADFS

3. Configure

ADFS

Configure ClaimRule

#spsoslo

4. Configure

Cla

im R

ule

4. Configure

Cla

im R

ule

AddRelayingParty

Identifier

#spsoslo

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

5. Add R

elayi

ng Part

y

Identifi

er

Export the Token signing

certificate

Export

the to

ken si

gning ce

rt

• Copy this to the SharePoint WFE

Export

the to

ken si

gning ce

rt

Create & Connect SP

trusted Identity Provider

Do this

on the S

P WFE se

rver

6. Cre

ate &

Connect

SP

trust

ed

Id

entity

Provi

der

-> Run this-> Check this

6. Cre

ate &

Connect

SP

trust

ed

Id

entity

Provi

der

6. Cre

ate &

Connect

SP

trust

ed

Id

entity

Provi

der

6. Cre

ate &

Connect

SP

trust

ed

Id

entity

Provi

der

6. Cre

ate &

Connect

SP

trust

ed

Id

entity

Provi

der

6. Cre

ate &

Connect

SP

trust

ed

Id

entity

Provi

der

DemoWalk around & Customize

Wrap Up

HistoryWS-*, OpenID, OpenAuth, David Wheeler "All problems in computer science can be solved by another level of indirection."

Claims-based IdentityA claim is an authoritative statement about a subject made by an entity. In claims mode every form of AuthN is transformed to a SAML token

ADFS & SharePoint 2013ADFS 3.0 no IIS. Always use public certificates, plan stuff, Must use PowerShell

Q&AThank You!

@vaerpn#spsoslo

Date post:	08-Jun-2015
Category:	Presentations & Public Speaking
Upload:	thorbjorn-vaerp
View:	149 times
Download:	3 times

Implementing adfs & hybrid sp

Presentations & Public Speaking