SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?

Date post: 27-Nov-2014
Upload: brian-culver
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn exactly what claims-based authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
Transcript
Page 1: SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?

SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connect you to your partners?

Brian Culver, MCM, MCPD

Solutions Architect

Expert Point Solutions

3/23/2010

Page 2: Session Agenda

• Extranet Definition
• Common Extranet Scenarios
• Extranet Design Considerations & Challenges
• Claims Based Authentication and other Authentication Scenarios
• Mixed Mode vs. Multi-Authentication

Page 3: Extranet - Definition

• A web application that is shared with external users, such as partners, vendors, and customers
• Common attributes for an extranet:
  – Sharing a private network or secured network
  – Requires authenticated access, but the identity of the consumer is not always known
  – Has better security controls than an Internet web application but is usually less secure than the intranet web application

Page 4: Common Extranet Scenarios

Scenario types: Line of Business Applications, Collaboration, Static Content or Publishing

• Remote Employees
• Partners: isolate and segregate internal data; authorize partners to use only the sites and data that are necessary for their contributions; restrict partners from viewing other partners’ data.
• Vendors & Customers: target content; segment content; limit content access and search results based on audience.

Page 5: Extranet Design Considerations & Challenges

• Network Topology and Access
• Identity Management
  – Seamless Single Sign-on Experience
• Content Security and Access
• Antivirus
  – Client
  – Server
• Rich Client Experience (Office Integration)

Page 6: Edge Firewall Topology

Diagram: a single edge firewall separates the Internet (External Users) from the Corporate Network, which hosts both the SharePoint Farm and the Internal Users.

Page 7: Back-to-Back Perimeter Topology

Diagram: External Users on the Internet reach the Web Front Ends, which sit in a Perimeter network between two firewalls; the App Servers and Infrastructure Servers stay in the Corporate Network together with the Internal Users.

Page 8: Split Back-to-Back Topology

Diagram: External Users on the Internet reach a WFE in the Perimeter network, which also holds its own App and Infra servers; the Corporate Network holds a second set of App and Infra servers and serves the Internal Users.

Page 9: Security Terms

• Authentication is the mechanism whereby systems may securely identify their users
  – Creates an identity for a security principal
  – Who am I?
• Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system
  – Determines what resources an identity has access to
  – What can I access?

Page 10: SharePoint Authentication

• SharePoint does not authenticate
  – Windows authentication via Windows Server and IIS (Kerberos/NTLM)
  – FBA via ASP.NET and authentication providers (SQL, LDAP, etc.)
  – Web SSO via Active Directory Federation Services (ADFS) and other identity management systems
• SharePoint creates user profiles
  – SPUser object represents the security principal
  – The User Profile List in each site collection tracks user profiles

Page 11: SharePoint 2010 Security

• SharePoint 2010 changes authentication
  – Uses classic mode and claims-based authentication
  – Classic mode is the SharePoint 2007-style legacy mode
  – Claims-based authentication is the new security model
• What are the benefits?
  – Claims decouple SharePoint from the authentication provider
  – Allows SharePoint to support multiple authentication providers per URL
  – Identities can be passed without Kerberos delegation
  – Allows federation between organizations
  – ACLs can be configured with DLs, Audiences and OUs

Page 12: Identity Normalization

Diagram: in classic mode an NT Token (Windows Identity) is normalized directly into an SPUser. In claims mode an NT Token (Windows Identity), an ASP.NET (FBA) identity from SQL, LDAP or a custom provider, or a SAML 1.1+ token from ADFS etc. is first converted into a SAML token (claims-based identity), and that token is normalized into an SPUser.
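The normalization shown in the diagram, as an added SharePoint 2010 Management Shell example that is not code from the deck or from Microsoft: a Windows, an FBA and a SAML identity are each turned into a claims principal, encoded into SharePoint's single claim-string format, and granted the same read-only role. The site URL, the FBA provider name "SqlMembers", the trusted issuer name "Partner ADFS" and the user values are assumptions.

```powershell
# Added example (not from the slides): three identity kinds from the
# normalization diagram become one SPUser each. Site URL, FBA provider
# name, trusted issuer name and user values are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "https://corporate.contoso.com"   # placeholder site

# One claims principal per source. FormsUser identities are written as
# "<membership provider>:<user>"; trusted-issuer identities carry the
# issuer's identifier claim value (e-mail is assumed here).
$principals = @(
    (New-SPClaimsPrincipal -Identity "CONTOSO\alice" -IdentityType WindowsSamAccountName),
    (New-SPClaimsPrincipal -Identity "SqlMembers:bob" -IdentityType FormsUser),
    (New-SPClaimsPrincipal -Identity "carol@partner.example" `
        -TrustedIdentityTokenIssuer (Get-SPTrustedIdentityTokenIssuer "Partner ADFS"))
)

foreach ($p in $principals) {
    # ToEncodedString() yields the normalized login name SharePoint stores
    # for the SPUser; the prefix encodes the original identity source.
    $encoded = $p.ToEncodedString()

    # Create the SPUser if it is not yet in the site, then bind the least
    # privileged built-in role; ACLs see the same SPUser type for all three.
    $user = $web.EnsureUser($encoded)
    $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
    $ra.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
    $web.RoleAssignments.Add($ra)

    "{0,-30} -> {1}" -f $p.Value, $encoded
}
$web.Dispose()
```

Run it from the SharePoint 2010 Management Shell on a farm server; the web application behind the site must already be in claims mode with all three providers configured, or EnsureUser rejects the identities it cannot resolve.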

Page 13: Claims-Based Terminology

• Identity: security principal used to configure the security policy
• Claim (Assertion): attribute of an identity (such as Login Name, AD Group, etc.)
• Issuer: trusted party that creates claims
• Security Token: serialized set of claims (assertions) about an authenticated user
• Issuing Authority: issues security tokens knowing the claims desired by the target application (AD, ASP.NET, LiveID, etc.)
• Security Token Service (STS): builds, signs and issues security tokens
• Relying Party: application that makes authorization decisions based on claims

Page 14: Claim-based Authentication

Diagram participants: the Client; SharePoint, containing SharePoint Authorization and its Claims Providers; the SharePoint STS; and the SAML-based Identity Provider Security Token Service (IP-STS) with the identity stores behind it (Active Directory, LiveID, ASP.NET Membership). The SharePoint STS has a trust relationship with the IP-STS.

Numbered steps in the diagram:

1. Request Resource
2. Authenticate Request/Redirect
3. Authentication Request
4. Security token
5. Service token request
6. Security token response
7. Request Resource with service token

Page 15: Mixed Mode Authentication vs Multi-Authentication

Diagram, Mixed Authentication: one SharePoint Farm with a Web Application in the Default zone (Windows Authentication) and Extended Web Applications in the Intranet, Internet, Extranet and Custom zones, each zone carrying a single authentication method of its own (e.g. FBA Authentication).

Diagram, Multi-Authentication: the same farm layout, but the Default zone of the Web Application accepts Windows Authentication, FBA Authentication and SAML Based Authentication together; the Extended Web Applications in the other zones (Intranet, Internet, Extranet, Custom) can still carry their own providers (e.g. FBA Authentication, Windows Authentication).

Page 16: Authentication Scenarios: Mixed Mode

Diagram: Remote Employees sign in with FBA claims through the Extranet Zone at https://extranet.contoso.com; Employees sign in with Windows claims through the Intranet Zone at http://contoso.

Page 17: Authentication Scenarios: Mixed Mode: When to Use It

• Different scheme for different protocols: Intranet over HTTP, Extranet over HTTPS
• Protecting access from different channels: preventing employees from logging in from home except the Sales division; dedicating the Extranet to vendors only
• Preferred choice for solutions that require separate environments: a publishing portal authored by employees and consumed by customers

Page 18: Authentication Scenarios: Multi-Authentication

Diagram: a single Intranet Zone at https://Corporate.contoso.com; Employees sign in with Windows claims or FBA claims, while Vendors and Partners sign in with SAML claims, all on the same URL.

Page 19: Authentication Scenarios: Multi-Authentication: When to Use It

• Same experience for different classes of users
• Single URL
• Same experience for the same users no matter where they access content from: à la Outlook Web Access
• Preferred choice for cross-company collaboration solutions
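The two layouts compared above (per-zone mixed mode from slides 15 to 17, and single-URL multi-authentication from slides 18 and 19), as an added SharePoint 2010 Management Shell example that is not code from the deck or from Microsoft. The application pool and account, the URLs, the ASP.NET membership/role provider names, the ADFS signing certificate path and the e-mail identifier claim are assumptions.

```powershell
# Added example (not from the slides): the mixed-mode and multi-authentication
# layouts built with SharePoint 2010 cmdlets. Pool, account, URLs, the FBA
# provider names, the ADFS certificate path and the claim mapping are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pool = "ClaimsAppPool"
$acct = Get-SPManagedAccount "CONTOSO\spapppool"   # placeholder managed account

# --- Mixed mode: one provider per zone, one URL per audience -----------------
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$app = New-SPWebApplication -Name "Contoso Intranet" -Url "http://contoso" -Port 80 `
        -ApplicationPool $pool -ApplicationPoolAccount $acct `
        -AuthenticationProvider $win           # Default zone: Windows claims only

$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "SqlMembers" `
        -ASPNETRoleProviderName "SqlRoles"     # placeholder ASP.NET provider names
New-SPWebApplicationExtension -Identity $app -Name "Contoso Extranet" -Zone Extranet `
        -Url "https://extranet.contoso.com" -Port 443 -SecureSocketsLayer `
        -AuthenticationProvider $fba           # Extranet zone: FBA claims only

# --- Multi-authentication: Windows + FBA + SAML behind a single URL ----------
# Trust the partner IP-STS: its token-signing certificate and the claim that
# identifies a user (e-mail is assumed), so SharePoint can validate SAML tokens.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        "C:\certs\adfs-signing.cer"            # placeholder: exported ADFS cert
$email = New-SPClaimTypeMapping -IncomingClaimType `
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
        -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$sts = New-SPTrustedIdentityTokenIssuer -Name "Partner ADFS" -Description "Partner IP-STS" `
        -Realm "urn:sharepoint:corporate" -ImportTrustCertificate $cert `
        -ClaimsMappings $email -SignInUrl "https://adfs.partner.example/adfs/ls/" `
        -IdentifierClaim $email.InputClaimType
$saml = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $sts

New-SPWebApplication -Name "Contoso Corporate" -Url "https://corporate.contoso.com" `
        -Port 443 -SecureSocketsLayer -ApplicationPool "${pool}2" `
        -ApplicationPoolAccount $acct `
        -AuthenticationProvider $win, $fba, $saml   # one zone, three providers
```

The ASP.NET membership and role providers must also be registered in the web.config of the web application, Central Administration and the SecurityTokenServiceApplication; this block covers only the SharePoint object model side.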

Page 20: SharePoint 2010 Beta 2

• Supported at Beta 2
  – Windows-Classic
  – FBA-Claims
  – Anonymous
  – FBA-Claims + Anonymous
• NOT ready for deployment at Beta 2
  – Windows-Claims
  – SAML-Claims
  – Windows-Claims + FBA-Claims

Page 21: Questions

Page 22: Learn More about SharePoint 2010

• Information for IT Pros at TechNet: http://MSSharePointITPro.com
• Information for Developers at MSDN: http://MSSharePointDeveloper.com
• Information for Everyone: http://SharePoint.Microsoft.com

Page 23: SharePint Anyone?

Page 24: Sources and Links

• Geneva Framework: A Better Approach For Building Claims-Based WCF Services, http://msdn.microsoft.com/en-us/magazine/dd278426.aspx
• An Introduction to Claims, http://msdn.microsoft.com/en-us/library/ff359101.aspx
• Microsoft SharePoint Conference 2009, http://www.mssharepointconference.com/Pages/default.aspx
• Identity Management, http://msdn.microsoft.com/en-us/security/aa570351.aspx
