
SPS Belgium 2015 - High-trust Apps for On-Premises Development

Date post: 19-Jul-2015
Upload: edin-kapic
Transcript
Page 1: SPS Belgium 2015 -  High-trust Apps for On-Premises Development

High-Trust App Model for On-Premises Development

#SPSBE06

Edin Kapić

April 18th, 2015

Page 2

Platinum

Gold

Silver

Thanks to our sponsors!

Page 3

About me

edinkapic

@ekapic

Page 4

http://www.spsevents.org/city/Barcelona/Barcelona2015/

SharePoint, sun and beach (Sept 26th)

Page 5

Page 6

Agenda

SharePoint app model review

High-trust apps mechanism

DEMO

Advanced scenarios

Page 7

SharePoint “cloud apps model”

SharePoint-hosted apps

Provider-hosted apps (remote apps)

Page 8

Provider-hosted apps

The code runs in a separate server

Uses REST/CSOM API to call SharePoint

Uses OAuth for authorization

Page 9

App authentication

Apps are now first-class security principals

They have their own identity and permissions

App authentication only happens on REST/CSOM endpoints

Page 10

App authentication methods

OAuth, brokered by Access Control Service (ACS)

Server-to-server, using SSL certificates

Page 11

Low-trust app authentication

Page 12

High-trust app authentication

Page 13

Page 14

Page 15

High-trust app prerequisites

SSL certificate

Configure Trusted Root Authority

Configure Trusted Token Issuer

Secure Token Service

User profiles

Page 16

High-trust mechanism

App has an X.509 certificate with a public/private key pair

Private key is used to sign certain aspects of the access token

Public key is registered with the SharePoint farm

This creates a trusted security token issuer

App creates an access token to call into SharePoint

App creates the access token with a specific client ID and signs it with the private key

Trusted security token issuer validates the signature

SharePoint establishes the app identity

App identity maps to a specific client ID

You can have many client IDs associated with a single X.509 certificate

(Ted Pattison, SPC12 talk)

Page 17

Page 18

Gotchas

Provider-hosted app authentication (Windows, SAML, fixed…)

SharePoint host web application mode (Claims, Classic-Windows) can cause auth failures

TokenHelper uses Active Directory SID as the identifier

App-only tokens are not supported by all API areas

Page 19

Page 20

Using other authentication methods

TokenHelper uses WindowsIdentity under the covers

Custom code for SAML federated authentication contributed by Wictor Wilén (http://bit.ly/1aFponK)

FBA is also supported

Page 21

Using other technology stacks

Overview of options by Kirk Evans http://bit.ly/1jK3Evh

Java, PHP, Node.js

JWT token creation

Token signing with X.509 certificate

Page 22

Extending the TokenHelper code

TokenHelper is just code, you can edit and extend it

Retrieving app parameters from a database

Caching access tokens

Creating custom user identity

Extending token lifetime

Retrieving certificates from a repository

Page 23

My recent project

3 provider-hosted apps (2 MVC, 1 Lightswitch)

SharePoint 2013 back-end platform

2 types of users: Windows and Online Banking

Page 24

Page 25

High-trust apps in SharePoint 2013

Alternative for on-premises app development

Cloud-ready code

More flexible than the low-trust apps

Page 26

Useful information sources about HTA

Kirk Evans: http://blogs.msdn.com/b/kaevans/

Steve Peschka: http://blogs.technet.com/b/speschka/

Wictor Wilén: http://www.wictorwilen.se

Page 27

Thank you!

Thank you very much! (in Dutch, French and German)

Page 28
